SOC for Supply Chain: The Who, Why, and What

Do you remember the children’s game Telephone? The one where we passed a message from the creator to an endpoint, relying on others within the game to get the message to the finish line completely intact?

That never happened, of course, because it was more fun to witness hilarious changes, but when it comes to the supply chains supporting our business, we’re much more interested in making sure everything gets through undamaged and as we intended it to be.

That can be difficult, given that production and distribution have become more complex than ever. Technological progress has enabled a lot of new things, but it has also meant increasing interconnectivity and interdependence, and with that comes more potential risk.

Where we once wondered how our funny message would change in a game of Telephone, now we wonder about harmful cyberattacks, which remain at the forefront of our security concerns. In Telephone, you don't have to worry about weather or a global pandemic disrupting that chain of delivery, nor about the person who supplied the first word going bankrupt.

But all of these elements present great risk to those of you that rely on others to support your business. If something goes wrong somewhere else, you stand to lose your reputation, money, or even your intellectual property, setting you back in ways you don’t want.

Thankfully, in 2020 the AICPA expanded its SOC reporting suite with new reporting guidance that addresses the risks you face as part of a supply chain network. It's appropriately named SOC for Supply Chain.

In this article, we will dive deeper into what SOC for Supply Chain is, who it's for, what's covered within the requirements, and how it can help you. Schellman has provided the full range of SOC services for almost 20 years, with over 1,200 SOC projects completed in just the last 12 months. Drawing on that experience, our goal here is to help you understand how this SOC option is designed to meet needs that might be yours.

Telephone was child’s play, but your business is not, and this article will help you better understand one of the more specialized compliance options at your fingertips—one that can help you operate more securely.

Who Needs SOC for Supply Chain?

As we mentioned before, the AICPA created what boils down to a risk management reporting framework designed specifically for producers, manufacturers, and distributors. Unlike its SOC siblings, this examination is particularly concerned with risks that can disrupt your operations or the operations of your vendors and suppliers.

SOC for Supply Chain will help you identify, evaluate, and mitigate these risks, and you’ll get a report you’re able to provide your prospective customers that will contain relevant information on your production, manufacturing, or distribution system.

We expounded on this in our article on SOC for Cybersecurity: the acronym SOC has been redefined to "System and Organization Controls," and like SOC for Cybersecurity, SOC for Supply Chain can be used by organizations of any size, in any industry. It was, of course, designed with a particular audience in mind: those of you who

  • Produce raw materials for sale;
  • Produce software products for customer distribution and use (on-premises software);
  • Manufacture components or finished items (e.g. network appliances, Internet of Things (IoT) devices, etc.) from other components / raw materials; or
  • Distribute in some way, including managing all or a significant part of a logistics network.

You might notice that everything mentioned above centers on physical and software products. The framework has indeed found its early adopters in those sectors: industries like pharmaceuticals, automotive, and utilities are heavily reliant on their suppliers and therefore very interested in oversight that helps them manage that risk.

If you use commercial off-the-shelf software in your organization, you can ask your software vendors to undergo a SOC for Supply Chain examination and provide you with the resulting report. That report describes the vendor's system and the controls over it for a defined period, so it reduces the blind spots in your vendor risk assessments related to software, though it does not replace your own evaluation of how the software is deployed and patched in your environment.

With that said, if your organization is instead more focused on data or intangible services, while you remain eligible for a SOC for Supply Chain report, you may find that a SOC 2 examination or ISO 27001 certification benefits you more.

Why Should You Complete a SOC for Supply Chain Examination?

If your customers have questions about your supply chain, completing a SOC for Supply Chain examination gives them independent assurance regarding the security, availability, processing integrity, confidentiality, or privacy of your production, manufacturing, or distribution system. A report from your own suppliers does the same for you. What else can it do?

  • It will help you honor your commitments. You probably have production standards to maintain, contractual obligations to keep, and of course, customer privacy expectations to honor. SOC for Supply Chain can help you identify the risks to these so you can counteract them.
  • It will lessen the burden of new inquiries regarding risk. We said before that everyone remains on high alert about security threats, and that means you're among those being hammered with questions from prospective customers and business partners about your safeguards and systems. Instead of responding to each one individually, you'll be able to hand them one document every time: your independently validated SOC for Supply Chain report.
  • It will allow more focus on your core business. With fewer inquiries challenging you to prove your security, you have more time and resources available to improve your processes or focus on your business relationships.
  • It will help you gain a competitive advantage. Compliance reports all provide this kind of benefit, but SOC for Supply Chain offers a specific view into the processes and controls you have in place to protect supply chain activities, addressing the very particular concerns your stakeholders may have.

No one can outsource their risk entirely, but SOC for Supply Chain can help you understand where you’re vulnerable and then help you manage those areas.

What is Covered in a SOC for Supply Chain Examination?

So what exactly constitutes a SOC for Supply Chain report? What will be evaluated, and how?

To nobody’s surprise, SOC for Supply Chain is entirely focused on the production, manufacturing, or distribution system within a supply chain process–we did say it was uniquely tailored for exactly this purpose. To that point, there are required description criteria specific to the supply chain system as well as required control criteria that you’ll include.

  • Description Criteria: You'll be asked to describe how your production, manufacturing, or distribution system works, along with the specific risks associated with it. For example, if you produce off-the-shelf software products or security appliances that your customers host in their own environments, the SOC for Supply Chain report gives you an opportunity to describe your processes for building and releasing secure software.

    More specifically, there are 10 description criteria, which cover items such as:
    • The types of goods you produce, manufacture, or distribute;
    • Your product specifications, commitments, and requirements, as well as the requirements placed on your production, manufacturing, or distribution system; and
    • Any previous incidents that resulted in a failure to meet those commitments.

    The description criteria are published in full by the AICPA.
  • Control Criteria: You will also be asked to identify the controls you have in place to mitigate the risks that may affect your described production, manufacturing, or distribution system. The control criteria are the Trust Services Criteria, and you choose which Trust Services Categories (Security, Availability, Processing Integrity, Confidentiality, and Privacy) are in scope.
    • Depending on the categories you choose and the specifics of your processes, you could be evaluated on several different points, including:
      • Whether your products (e.g., on-premises software, security appliances, etc.) still satisfy agreed-upon specifications;
      • Whether you can keep promised timeframes;
      • Whether you're protected from physical and logistical risks;
      • Whether you're in compliance with transportation regulations;
      • Whether you're positioned to meet delivery commitments; and
      • Whether you are prepared to meet confidentiality and privacy requirements (e.g., protecting a supplier's intellectual property).
    • Important Note: SOC for Supply Chain does not serve as a warranty for the products you actually produce, and it is not intended to address financial performance.

Next Steps for your SOC for Supply Chain Examination

SOC for Supply Chain was designed to address the needs and risks of organizations that have an increased interdependence on suppliers and distributors, including software companies. Now you understand how it can help you and your vendors mitigate specific risk areas.

Technology may have made doing business with one another easier, but SOC for Supply Chain presents an opportunity to ease the security worries that come with that.

We would love to speak with you and pin down exactly how this examination can help you reduce your own vendor due diligence. But if you'd prefer to explore your other SOC options first to ensure you choose the best one for you, read our articles that explain the basics of each.


About the Author

Jordan Hicks

Jordan Hicks is the Content Manager at Schellman. In addition to maintaining Schellman's editorial calendar and its relevant processes, she is also responsible for the editing and revising of all written copy within the firm, as well as creating original content for publication.
