The manufacture and sale of products along with associated services are now more complex and networked than ever. This is due to various reasons, including the Internet of Things (IoT) and the digitisation of processes. New technologies and organisational forms have brought manufacturers, suppliers, trading firms, business partners and customers from all over the world closer together.
The outbreak of the pandemic has highlighted the fact that the vulnerability of networked and globalised supply chains has been growing for years – largely unnoticed by the general public. Digitalisation is accelerating this trend. The main risks include not only the availability of raw materials, semi-finished goods and products, or reliance upon monopoly providers, but increasingly extend to data protection violations and cyber attacks. For one thing, the risk from products with IoT connectivity is already high. For another, the pandemic has triggered a huge push towards digitalisation, and given cyber criminals new targets for the fraudulent use of company secrets or sensitive information on production cycles, locations, transactions and deliveries, for instance. Thus it comes as no surprise that there are now more calls for greater transparency in the supply chain.
To meet this need, in March 2020 the AICPA introduced a new framework with criteria for voluntary reporting on system and organisational controls for the supply chain in a corresponding SOC report. These criteria can be applied across sectors and provide an institutionalised, auditable framework for the disclosure of risk management for supply chains.
As is the case with other SOC reports, companies must describe the supply chain, their systems and the operational processes. A catalogue of criteria (DC300) is used as the basis for this description. The report also includes extensive evidence of the implementation and effectiveness of internal controls in accordance with the AICPA ‘Trust Services Criteria’ (TSP), so as to minimise the risks associated with security, availability, integrity, trust and data protection. The TSP criteria are the same as those used in a SOC 2 audit.
Using the SOC report for the supply chain, manufacturers, producers, sales organisations and their customers, business partners and auditors can prove that tools and internal controls are established for identifying, assessing, addressing and minimising major supply chain risks.
The model of the ‘one-off assessment for multiple reporting’ helps to reduce the number of independent queries from existing or potential customers and to avoid multiple audits by manufacturers or other users with the same suppliers.
The audit for a SOC report for the supply chain is one of the most complex and time-consuming kinds of audit. Yet this type of report is an important communication tool for providing assurance that products and information within the supply chain are secure and available. It means a company can create maximum transparency throughout its entire value chain and strengthen the valuable trust that customers and business partners place in it and its brand.
Since the pandemic, risks in the supply chain have become more apparent to business, politics and the general public. Yet only a few customers in Switzerland ask their suppliers to provide a SOC report for the supply chain and instruct their auditors to carry out an independent assessment. This could be about to change. Firstly, radical changes are being made to national and international legislation at all levels. Added to this, the need for greater security in the supply chain is becoming more and more important. SOC reporting on supply chains gives forward-looking companies a risk-based road map for further developing risk and quality management as well as compliance processes, and enables them to take a more targeted approach to addressing the main risks in the value chain.
Anyone doing business of any magnitude has to rely on other people – which means trusting someone else to deliver what they say they will. Attestations from an independent party help build trust in outsourced services by creating transparency.