SOC for Supply Chain is Finally Here! What is It and What Do I Do Now?

Posted on: May 5, 2020 | 8:00 am

Supply chains for manufacturers, producers, and distribution companies have been pushed to their limits, if not broken, during the current pandemic. Even in a normal business environment, managing a complex network of vendors, products, and services poses significant challenges that could threaten the success of your organization or any organization within your supply chain.


In March 2020, the American Institute of CPAs (“AICPA”) released a new risk reporting framework, “SOC for Supply Chain”, to help your organization, your suppliers, and your customers identify and manage supply chain risks.


What is the SOC for Supply Chain Framework?


At a high level, SOC for Supply Chain is a voluntary framework, created by the AICPA, that might be the most efficient approach for your organization to:


  • Communicate information to your customers about your manufacturing, production, and/or distribution systems and the effectiveness of your controls to mitigate supply chain risks; and
  • Obtain information from your suppliers to gain an understanding of the risks of doing business with them.


Prior to SOC for Supply Chain, most organizations would typically rely on a variety of non-standard and other sources to obtain an understanding of supply chain risks: information provided by the suppliers themselves, the organization’s internal auditor findings from assessments performed at each (or each key) supplier, or other programs such as International Organization for Standardization (“ISO”) certification.


The SOC for Supply Chain is one of three frameworks within the AICPA’s suite of System and Organization Controls (“SOC”) services:


  • SOC 1®, SOC 2® and SOC 3® address system controls at service organizations;
  • SOC for Cybersecurity addresses organization-wide cybersecurity controls within any type of organization; and
  • SOC for Supply Chain addresses controls related to manufacturing, production and distribution procedures.


SOC for Supply Chain is a comprehensive framework that culminates in an assurance report from an independent CPA firm. The following section describes the contents and purpose of each section of the report.


Components of the SOC for Supply Chain Report


The SOC for Supply Chain report is the key deliverable from the framework. This report provides information that is intended to be shared with your suppliers and business partners, and includes the following components:


  • Management’s Description – A description of your system for manufacturing, producing or distributing a good or set of related goods. The description is designed to provide system-specific information about your organization’s objectives, risks, and the processes and controls implemented and operated to address those risks.
  • Management’s Assertion – Your assertion about whether the description is presented in accordance with the AICPA’s description criteria and whether the controls presented in your description were effective to provide reasonable assurance of achieving your organization’s objectives based on the AICPA’s trust services criteria.
  • The CPA’s Opinion – The CPA’s opinion on your description and on the effectiveness of controls within your system to achieve your organization’s objectives.


What are the Benefits of SOC for Supply Chain?


The SOC for Supply Chain framework provides your organization with a formal process for identifying and managing the risks that have the potential to result in lost revenue, lost customers, additional costs, and wasted time. Additionally, the SOC for Supply Chain examination and report provide many other benefits, such as:


  • Encourages your personnel to follow best practices that align with your leadership’s governance and risk management approach;
  • Addresses the manufacturing, production, and/or distribution requirements imposed by your current and prospective customers and business partners; and
  • Provides your organization with a competitive advantage by giving your customers and business partners the confidence that your organization has the right systems and controls in place to mitigate and manage supply chain risk.




The SOC for Supply Chain framework released by the AICPA in March 2020 is a powerful tool that can be implemented by manufacturers, producers, and distribution companies to effect positive changes within your organization and throughout your supply chain. SOC for Supply Chain provides a formal approach to comprehensively, efficiently, and effectively identify and manage supply chain risks that threaten the business goals and objectives of your organization and your customers.


For more information on SOC for Supply Chain, please contact FGMK. Michael Becker is a Director who leads FGMK’s Risk & Controls practice with a primary focus on SOC services, and Michael Fenske is a Managing Director who co-leads the management consulting practice, which includes supply chain services.


The summary information in this document is being provided for educational purposes only. Recipients may not rely on this summary other than for the purpose intended, and the contents should not be construed as accounting, tax, investment, or legal advice. We encourage any recipients to contact the authors for any inquiries regarding the contents. FGMK (and its related entities and partners) shall not be responsible for any loss incurred by any person that relies on this publication.


About FGMK


FGMK is a leading professional services firm providing assurance, tax and advisory services to privately held businesses, global public companies, entrepreneurs, high-net-worth individuals and not-for-profit organizations. FGMK is among the largest accounting firms in Chicago and one of the top ranked accounting firms in the United States. For over 50 years, FGMK has recommended strategies that give our clients a competitive edge. Our value proposition is to offer clients a hands-on operating model, with our most senior professionals actively involved in client service delivery.