This blog is part of our ongoing SOC Insight series. Each piece focuses on a different area of trust and transparency and aims to answer the questions that are important to your business. Learn how system and organization controls (SOC) for supply chain can help your organization meet stakeholder needs.
Largely due to rapid technological advancements such as the internet of things (IoT) and automation, producing and distributing products has become more complex and interconnected. Also thanks to those technologies, the relationships between entities that manufacture or produce goods (“user entities”) and their suppliers, distributors and business partners (“suppliers”) have become more intertwined. While in many ways—such as more efficient processes and access to better technology—this interconnectivity is a good thing, it also means the potential for supply chain risk continues to increase.
Cyber breaches, for example, are among the top supply chain concerns. The possibility of malware in components, hardware or devices that suppliers sell and install or implement at user entities poses a significant risk. Additionally, manufactured products with IoT connectivity, such as built-in GPS for cars, increase the risk of cyberattacks or hijacking. Suppliers themselves may be at risk of an attack that exposes trade secrets or other sensitive information related to production cycles, locations or supplies. Furthermore, increasing regulatory requirements, such as the FDA’s Good Manufacturing Practices (GMP) and the North American Electric Reliability Corporation’s Critical Infrastructure Protection Standard #13 on Cyber Security - Supply Chain Risk Management (NERC CIP-13), are placing pressure on supply chains to protect their operations.
To meet the growing need to address these risks, the AICPA recently released new guidance for reporting on controls related to supply chains, including a new SOC report. Completing this new report can provide assurance to user entities around the security and availability of products and information from suppliers within the supply chain. It offers user entities a window into a supplier's processes and the controls in place to mitigate risks. While SOC for Supply Chain is industry agnostic, the utilities, automotive and pharmaceuticals sectors are the driving force behind the report because they have been advancing their oversight of suppliers within the supply chain to manage emerging risks related to their production processes.
Suppliers that complete a SOC for Supply Chain report can potentially gain a competitive advantage by giving user entities transparency into the processes and controls in place to protect supply chain activities. The report can reduce the number of independent inquiries and data requests that suppliers receive from user entities. It may also lessen the burden of existing requests from user entities, or eliminate new requests, which allows suppliers more time to focus on their core business and manage their customer relationships. By providing all this information in one place, suppliers can give assurance to multiple user entities with a single document.
SOC for Supply Chain is still new, so here are a few considerations for both user entities and suppliers as they begin exploring this report:
What’s included in a SOC for Supply Chain report?
As with other SOC reports, suppliers must provide a description of their system and processes. Due to the unique aspects of supply chain, a specific set of description criteria (DC300) was developed to help outline the key aspects of the supplier’s operational processes. In this case, the description details how the supplier’s system produces, manufactures or distributes products and how that system was designed and implemented based on a standard set of criteria.
The description also includes details on the supplier controls within the system and how they can provide reasonable assurance that the supplier’s principal system objectives were achieved based on the applicable trust services criteria.
When completed, the reports can be distributed by suppliers to any user entities asking questions about controls related to security (including those related to cyber issues), availability, processing integrity and other covered areas, in order to provide assurance on the design and operation of the controls in place at the supplier. This “assess once, report many” model helps to avoid repeated reviews by manufacturers, or other users, of the same supplier.
While regulations and customer requirements in industry sectors continue to evolve with the changing risk landscape, the reporting framework underlying SOC for Supply Chain sits on a foundation of tried and true assurance over key aspects of a company’s operational processes and related controls. The criteria that are used to support SOC reporting (including SOC for Supply Chain) have been mapped to industry-leading frameworks in key risk areas, such as cyber risk, and should continue to provide a clear and consistent roadmap for companies as they mature their risk management and oversight processes. User entities looking for ways to enhance their risk management programs within the supply chain can use the SOC for Supply Chain solution to drive a consistent method of evaluating and reporting on controls in place across their suppliers while helping to manage key risks in the manufacturing process.