AICPA’s System and Organization Control (SOC) report is reshaping industry resilience, and businesses need to know how to navigate it.
By David Barton, Managing Director, UHY Advisors
Supply chains were pushed to their breaking point through the global COVID-19 pandemic, and geopolitical tensions, economic instability, and increasing cybersecurity concerns continue to threaten the global supply chain. As a result, supply chains are evolving and becoming more complex in an effort to prevent a situation similar to what we have seen from 2020-2022.
Understanding the fragility of our supply chain and its vulnerability to cyberattacks, the American Institute of Certified Public Accountants (AICPA) recognized that participants in a supply chain need a better understanding of the controls in place across it. With this goal in mind, the AICPA created the System and Organization Control (SOC) for Supply Chain framework to allow companies to communicate information about their processes and controls to detect, prevent, and respond to supply chain risks. To better understand the importance of supply chain controls, it’s crucial to understand the emerging trends that are reshaping the supply chain.
The digitization of certain areas of supply chain management will open many new doors in terms of capability and efficiency but will also leave organizations vulnerable to data breaches and cyberattacks.
One such attack is the software supply chain attack, where a cyber threat actor infiltrates a software vendor’s network and uses malicious code to compromise the software before the vendor can send the software to customers. That compromised software then corrupts the customer’s data or network. The SolarWinds/Orion attack in 2020 was the first highly publicized software supply chain attack. More recent examples include Okta and GitHub.
The SOC for Supply Chain Report will benefit organizations by allowing them to understand the controls in place and the risks involved when partnering with certain entities.
Created for companies to communicate information about their processes and controls to detect, prevent, and respond to supply chain risks, the SOC for Supply Chain Report is similar to a SOC 2® report. Unlike the other SOC reports, it is specifically intended for companies that produce, manufacture, or distribute products.
The SOC for Supply Chain report is an independent third-party attestation of Management’s assertion regarding compliance with AICPA Trust Services Criteria. The report includes Management’s description of the organization’s system and controls, an assertion by Management regarding the system and the effectiveness of controls, and a practitioner’s opinion regarding the accuracy and completeness of Management’s assertion.
As organizations look to avoid the risks of fragile supply chains by utilizing digital transformation, diversifying their suppliers, and forming new relationships, it is imperative that they know the risks upon entering into new relationships. Having access to relevant data will allow organizations to make informed decisions on the entities they partner with and have the reassurance that controls are in place to protect sensitive information. Risk mitigation will be a vital component of any supply chain strategy. Having a SOC for Supply Chain Report will help identify some of those risks and determine the best mitigation strategies for them.
David Barton is a Managing Director with UHY Advisors and is the practice leader of the Technology, Risk & Compliance practice focused on information technology. He has over 30 years of practical experience in information systems and technology risk and controls.