With the severity of COVID-19’s impact around the world, there has been a marked increase in the need for critical resources and supplies. Unfortunately, not all suppliers were prepared for such a spike in demand. The pandemic has caused severe disruptions to global supply chains, making it difficult for companies to keep goods flowing through distribution networks.
These disruptions are already impacting how people live their everyday lives. Grocery stores have been unable to meet customer demand, selling out of items such as produce, canned foods, and paper products (most notably toilet paper). Hospitals and healthcare providers have been unable to obtain sufficient coronavirus test kits to properly identify how many people are infected.
In times of uncertainty, it’s more important than ever for manufacturers, suppliers and distributors to have a well-defined and secure supply chain process that considers the effectiveness of their internal controls environment to mitigate risks. Fortunately, the new Service Organization Control (SOC) for Supply Chain reporting framework allows organizations to do just that.
Why SOC for Supply Chain
The new SOC for Supply Chain framework was published by the American Institute of Certified Public Accountants (AICPA) on March 12. It provides a risk management framework that allows manufacturers, suppliers and distributors to evaluate the effectiveness of their internal controls environment to mitigate and address the critical supply chain risks identified in their specified environment and industry.
The same Trust Services Criteria most organizations are familiar with from SOC 2 reports (Security, Confidentiality, Availability, Processing Integrity and Privacy) are also used to evaluate the effectiveness of the company’s internal controls environment to address identified supply chain risks.
SOC for Supply Chain Benefits
A manufacturer, supplier or distributor gains several benefits from completing a SOC for Supply Chain audit. The audit will help an organization to:
- Identify key risks in the company’s supply chain process
- Evaluate how secure the supply chain process is, including the effectiveness of the internal controls environment in mitigating and addressing the key risks in the supply chain process
- Identify control gaps and remediate to reduce risk to an acceptable level
- Demonstrate and communicate the effectiveness of the company’s supply chain process and controls to stakeholders and customers, both existing and prospective
- Share a final attestation report with a variety of audiences, including entity management, business partners, customers, investors, and other relevant stakeholders
Sections of a SOC for Supply Chain Report
Like a SOC 2 report, a SOC for Supply Chain report can cover multiple areas depending on the scope of the assessment. In most instances, the final attestation report will include the following:
- Company Management Assertion: A company’s affirmation that its supply chain processes, procedures and internal controls environment meet the requirements of the description criteria and effectiveness of the internal controls environment laid out by the scope of the audit.
- Service Auditor’s Opinion: The service auditor attests that the company’s description meets the description criteria requirements and effectiveness of the internal controls environment laid out by the scope of the audit.
- Company’s Description of System: A detailed explanation of the people, procedures, technologies and systems used in support of the company’s supply chain process as well as a narrative of the internal controls in place regarding key risks within the supply chain.
- Results of Testing Internal Controls: A summary of the controls tested, the test procedures performed and the results of those tests. These controls must meet each of the requirements within the Trust Services Criteria included in the scope of the audit.
The auditing process can be a challenging experience for a company that has not taken steps to prepare ahead of time. With the right preparation, however, there should be no surprises when the auditor arrives. Preliminary steps companies can take to prepare for an audit include:
- Performing a risk assessment around the company’s supply chain process
- Defining and documenting key supply chain processes, policies, and procedures
- Defining, documenting, evaluating, updating, and assigning responsibility for the internal controls environment that supports securing the supply chain process
- Preparing a system description based on the SOC for Supply Chain description criteria
- Completing a readiness assessment with a third-party security and compliance audit assessment vendor to identify potential controls gaps
Secure Your Summit
As one of the few globally recognized security and compliance partners that is a licensed CPA firm, an accredited ISO certification body, a certified HITRUST assessor firm and an accredited FedRAMP 3PAO, A-LIGN has the experience and capabilities to help your organization prepare for and complete a SOC for Supply Chain audit. Some of our key services include:
- Readiness Assessment Report: Current controls are assessed against relevant Trust Services Criteria, new controls are identified through additional inquiries and testing, further gaps are identified and recommendations are provided to assist in meeting the new criteria.
- Type 1 SOC for Supply Chain Report: A full assessment evaluating how secure your supply chain process is, including testing your internal controls environment to determine whether the design (Type 1) of those controls meets the requirements laid out by the Trust Services Criteria at a specific point in time.
- Type 2 SOC for Supply Chain Report: A full assessment evaluating how secure your supply chain process is, including testing your internal controls environment to determine whether the design (Type 1) of those controls meets the requirements laid out by the Trust Services Criteria over a designated period.
With COVID-19 creating more uncertainty in supply chains around the world, it’s vital that companies reassure their trusted partners and customers that their supply chain is secure. Meeting the latest industry compliance standards is an essential part of earning that trust.
For more information on how A-LIGN can help you elevate your preparation for a SOC for Supply Chain audit, contact our team by emailing [email protected] or calling 888-702-5446.