Due to rapid technological advancement, the production, manufacture, or distribution of products often involves a high level of interdependence and connectivity between an entity and (a) organizations that supply raw materials or components for the manufacturing process (suppliers) and (b) the entity’s customers and business partners. These relationships are often considered part of the supply chain.
As used in this post, a supplier is an individual or business (and its employees) that provides products (such as raw materials, components, or other goods) or services to a producer, manufacturer, or distribution company (an entity). A service provider, for example, is a specific type of supplier that provides services to an entity.
Although these relationships may increase revenues, expand market opportunities, and reduce costs for the entity, they also result in additional risks to the suppliers, customers, and business partners with whom the entity does business. Accordingly, those suppliers, customers, and business partners are responsible for identifying, evaluating, and addressing the additional risks as part of their supply chain risk management programs. These risks may threaten the entity’s ability to do the following:
- Provide products that meet the principal product performance specifications.
- Meet delivery and quality commitments and requirements.
- Meet production, manufacturing, or distribution commitments and requirements.
A SOC for Supply Chain report is the result of an attestation engagement in which a CPA firm examines and opines on whether (a) the description of the entity’s system that produces, manufactures, or distributes products (the description of the system or description) presents the system that was designed and implemented in accordance with the description criteria and (b) the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective based on the applicable trust services criteria.
The objective of the SOC for Supply Chain reporting framework is to provide a means by which manufacturers, producers, and distribution companies can communicate useful information about their systems and the controls within the systems to customers and business partners. CPAs can examine and report on such information, thereby increasing the confidence that customers and business partners can place in the information.
Intended Users of a SOC for Supply Chain Report
A SOC for Supply Chain report is designed to provide information about a system that produces, manufactures, or distributes products and the effectiveness of controls within that system (that is, controls related to one or more of the applicable trust services categories of security, availability, processing integrity, confidentiality, or privacy) that are necessary to provide reasonable assurance that the entity’s principal system objectives were achieved. The report is designed to provide users with information they may use to identify, assess, and manage the risks that arise from their relationships with the entity.
A SOC for Supply Chain report is intended for use by those who have sufficient knowledge and understanding of the entity, the products it produces, manufactures, and distributes, and the system that produces, manufactures, or distributes them.
In a SOC for Supply Chain report, the following intended users are presumed to have the knowledge identified above:
- Business customers, including immediate customers or similar business entities further down the supply chain, that do the following:
  - Use the system’s products as components of their production and manufacturing systems (for example, production machinery)
  - Use the system’s products as inputs to their products (for example, computers used in automobiles)
  - Use the system’s products as a part of their service delivery (for example, IV bags used by a hospital)
  - Resell the products
  - Rely on a physical distribution system for products used as inputs to products
Business customers need information about the entity’s system, including the nature and effectiveness of controls within that system, to understand the entity’s controls and to determine whether those controls, in addition to their own controls, are sufficient to mitigate their business risks.
- Business partners that
  - are dependent on the entity for sales of the business partners’ goods or
  - license the use of the business partners’ intellectual property to the entity.
Business partners may include affiliated organizations that are customers or suppliers of the entity. Business partners need information about the entity’s system and the controls within that system to manage and assess the risks associated with doing business with the entity.
Intended users may also include entity personnel, practitioners providing services to the entity’s customers and business partners, and regulators.
Contents of the SOC for Supply Chain Report
A SOC for Supply Chain examination results in the issuance of a SOC for Supply Chain report. The SOC for Supply Chain report includes four key components:
1. Entity management’s description of the system the entity uses to produce, manufacture, or distribute products in accordance with the description criteria
2. Entity management’s assertion about whether, in all material respects,
   - the description of the entity’s system is presented in accordance with the description criteria and
   - the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period, based on the applicable trust services criteria
3. The practitioner’s opinion about whether, in all material respects,
   - the description of the entity’s system is presented in accordance with the description criteria and
   - the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period, based on the applicable trust services criteria
4. The practitioner’s description of the procedures performed and the results thereof (this component is optional)
Defining the System to Be Examined
The subject matter of the examination revolves around the system and related controls that the entity has designed, implemented, and operated to manufacture, produce, or distribute goods. The examination is flexible in terms of addressing any of the following:
- A system and controls that an entity uses to produce, manufacture, or distribute a physical (for example, an airplane engine) or intangible product (for example, a commercial off-the-shelf [COTS] application)
- Systems and controls that an entity uses to operate a production line
- Systems and controls that an entity uses to produce, manufacture, or distribute goods produced or manufactured within a specific facility or physical plant
Entity management is responsible for identifying the specific subject matter to be examined, which includes identifying the components of the system and the boundaries of the system to be examined. Entity management is also responsible for establishing its principal system objectives and selecting the trust services category or categories to be addressed by the examination, as well as selecting the period of time to be addressed.
Selecting the Trust Services Category or Categories to Be Addressed by the Examination
In addition to identifying the components of the system, it is also necessary to consider which trust services category or categories are to be addressed by the examination. The trust services criteria are used to measure the effectiveness of controls in a SOC for Supply Chain examination. The examination can address any or all of the trust services categories of security, availability, processing integrity, confidentiality, or privacy. In most cases, the examination would address the category or categories that would best meet the information needs of intended users. Which category or categories are addressed in the description is often determined by considering the commitments the entity makes to its customers and business partners.
Because of increased dependence on technology and concerns about cybersecurity risks, security is likely to be addressed in most examinations performed using the trust services criteria. Often, customers and business partners of an entity are also interested in the effectiveness of controls over availability because such controls may be integral to meeting their commitments. For instance, a customer that relies on airbags manufactured by the entity is likely to want information about the processes and controls the entity has designed, implemented, and operates to achieve the availability commitments it makes to its customers. For those reasons, a SOC for Supply Chain examination that addresses both security and availability is likely to meet the information needs of intended users as a group.
In some cases, intended users may also be interested in the processing integrity of the system the entity uses to produce, manufacture, or distribute goods, including the processing integrity of the components of that system (for example, hardware, tooling, software, and information). Processing integrity addresses system controls that mitigate the risk that the entity’s system objectives will not be achieved because of failures in the production process.
When an entity uses proprietary customer information or personal information in the production process, intended users may also be interested in controls over that information. In this case, an examination that also addresses confidentiality or privacy may best meet users’ needs.
The trust services criteria relate to the following five categories:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, or privacy of information or systems and affect the entity’s ability to achieve its objectives.
- Availability. Information and systems are available for operation and use to achieve the entity’s objectives.
- Processing integrity (over the provision of services or the production, manufacturing, or distribution of goods). System processing is complete, valid, accurate, timely, and authorized to achieve the entity’s objectives. (In a SOC for Supply Chain examination, the term processing integrity relates to production integrity. In other words, processing is complete, valid, accurate, timely, and authorized to produce, manufacture, or distribute goods that meet the products’ specifications.)
- Confidentiality. Information designated as confidential is protected to achieve the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of to achieve the entity’s objectives.
Description Criteria
The description criteria are used by entity management when preparing the description of the entity’s system and by the practitioner when evaluating the description. Applying the description criteria in actual situations requires judgment. The description criteria are as follows:
- DC1: The types of goods produced, manufactured, or distributed by an entity
- DC2: The principal product performance specifications, commitments, and requirements and production, manufacturing, or distribution commitments and requirements (principal system objectives)
- DC3: For identified system incidents that were the result of controls that were not effective or otherwise resulted in a significant failure in the achievement of one or more of the entity’s principal system objectives during the period addressed by the description, the following information:
  - Nature of each incident
  - Timing surrounding the incident
  - Extent (or effect) of the incident and its mitigation and remediation
- DC4: Risks that may have a significant effect on the entity’s ability to achieve its principal system objectives
- DC5: Relevant information about the system that produces, manufactures, or distributes the products, including the following:
  - Components of the system, to include
    - infrastructure,
    - software,
    - people,
    - procedures, and
    - data
  - Significant inputs used by the system (raw materials and other inputs)
  - Boundaries of the system, when necessary to prevent users from misunderstanding the system being described
- DC6: The applicable trust services criteria and the related controls designed to provide reasonable assurance that the entity’s principal system objectives were achieved
- DC7: If a customer’s controls are necessary, in combination with controls at the entity, to provide reasonable assurance that the entity’s principal system objectives would be achieved, those complementary customer controls
- DC8: If a supplier’s controls are necessary, in combination with controls at the entity, to provide reasonable assurance that the entity’s principal system objectives are achieved, those complementary supplier controls (CSCs)
- DC9: Any specific applicable trust services criterion that is not relevant to the system and the reasons why it is not relevant
- DC10: Significant changes during the period addressed by the description to the entity’s system and controls that are relevant to the achievement of the entity’s principal system objectives
The Practitioner’s Opinion in a SOC for Supply Chain Examination
At the conclusion of the examination, the practitioner opines on whether (a) the description presents the system that was designed and implemented in accordance with the description criteria, in all material respects, and (b) the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period, based on the applicable trust services criteria.