Organizations are responsible for understanding the risks of doing business with suppliers and for designing, implementing, and operating controls to mitigate the risks that arise from their dependence on those suppliers. As a result, manufacturers, producers, and distributors ("organizations") are taking a deeper dive into supply chain risk management, and suppliers are exploring how to manage risk effectively and communicate it to their business partners.
Risks:

- Capacity constraints and bottlenecks
- Production stoppage and demand volatility
- Inability to meet quality standard requirements
- Political and economic instability
- Loss of data
- Transport or cargo loss

(Figure: supply chain risks, shown by impact and cause.)
In response to this, the AICPA developed a framework for reporting on the controls over a manufacturing, production, or distribution system. This enables organizations to communicate to stakeholders relevant information about their supply chain risk management process and the controls implemented to prevent, detect, and respond to supply chain risks.
# 1 Supply Chain Risk
The first step in addressing supply chain risk is to identify and understand the risks the organization faces from doing business with suppliers. Once the risks have been assessed and prioritized against the organization's risk tolerance, the organization uses that information to design and implement operating controls to mitigate them.
Areas to consider:

- Understand the risks identified by the supplier that impact its output.
- Analyze and evaluate the alignment between the supplier's objectives and consumer demand.
- Understand a supplier's processes, risks, and controls around constraints, bottlenecks, and its ability to meet demand.
- Understand the information security controls implemented by a supplier or business partner before establishing IT connectivity with it, so that the security controls of the two entities can be integrated more effectively.
# 2 SOC for Supply Chain Report
The objective of the SOC for Supply Chain reporting framework is to provide organizations with an avenue to communicate insightful information about their systems and the related controls to customers and business partners.
Components:

- Management's description of its production, manufacturing, or distribution system.
- Management's assertion about the system description and its responsibility for the design and operation of internal controls.
- A CPA's opinion on the description and on the effectiveness of the controls within the system in achieving the organization's objectives.
Criteria:

Two sets of criteria are used to determine a system's effectiveness:

- Description Criteria: the criteria management uses when preparing the description of its system. The description criteria were publicly exposed for comment in 2019 and finalized in March 2020.
- Control Criteria: the Trust Services Criteria are used as the framework for presenting an organization's internal controls and how those controls meet the criteria. The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy are used.
Key Benefits:

Increased efficiency by reducing the time spent on manual procedures such as:

- Coordinating and performing on-site visits to evaluate processes and observe controls.
- Performing walkthroughs to complete lengthy questionnaires.
- Researching operational information to understand the process.
Organizations can strengthen their supply chain risk management function through standardization, while strengthening customer and client relationships and demonstrating compliance through internal controls, by:

- Reducing the information burden on organizations through a common set of description criteria used in the report.
- Assessing control effectiveness against the common criteria.
- Reducing the communication and compliance burden on organizations by reducing the volume of information requests from customers.
- Providing a standard for communicating relevant information without being required to disclose trade secrets, patents, or other intellectual property.
- Maintaining a standard that organizations can use when comparing vendors or suppliers, to track the progress of their supply chain efforts over time, and to benchmark those efforts against other organizations.
By reporting on its internal control environment, risk assessment process, and information and communication systems, and by monitoring the design, implementation, and operating effectiveness of its controls, an organization can demonstrate how it responds to and addresses risks related to:

- The financial health and vitality of a key vendor or supplier
- Civil unrest, war, or military or governmental action in geographic locations where key processes, vendors, or suppliers operate
- Natural disasters
- Pandemics, health hazards, and disease
# 3 Takeaway
Generally, a SOC for Supply Chain report is beneficial to manufacturers, producers, distributors, and vendors or suppliers. The reports are typically used to determine whether a partnership introduces risk to an organization's operations. To assess whether an examination is necessary, an organization should understand its role in the supply chain, in providing goods and services to customers or clients, and in meeting consumer demand. Organizations can also engage a CPA to discuss whether a SOC for Supply Chain examination could reduce the effort spent on vendor or supplier due diligence or on providing requested information to customers.