SOC for Supply Chain Management

The American Institute of Certified Public Accountants (AICPA) recently introduced SOC for Supply Chain reports to help organizations identify, assess, and address supply chain risks. SOC for Supply Chain reports help organizations identify, assess, and address supply chain risks. These examinations or “audits” emphasize the importance of supply chain risk management in an increasingly complex and globalized economy.

Below is an overview of the SOC for Supply Chain audit process along with answers to commonly asked questions.

Who Needs a SOC for Supply Chain Report?

Companies with a complex multinational supply chain are under higher scrutiny than ever, and the pressure to meet distribution, manufacturing, and production commitments is never-ending. A SOC for Supply Chain report is a relatively simple step to take to ensure your business is meeting the highest industry standards. A SOC for Supply Chain report from a reputable firm builds trust and confidence with customers, serving as a market differentiator for companies seeking to appeal to a broad range of high value customers.

What Does a SOC for Supply Chain Report Cover?

SOC for Supply Chain reports cover one or more Trust Services Categories defined by the AICPA – security, availability, processing integrity, confidentiality, and privacy. SOC examinations always include security, while availability, processing integrity, confidentiality, and privacy can be added separately based on the specific software or services provided and the expectations of your customers. Our Risk Assurance & Advisory Team can also help you identify the categories that make the most sense for your organization.


Trust Services Categories
Security of a System

Protection of systems against unauthorized access; disclosure of information; compromise of availability, integrity, confidentiality, or privacy; or other risks impacting the ability to support customer and meet company objectives

Availability of a System

Accessibility of systems in accordance with customer contracts and service level agreements

Processing Integrity of a System

Complete, accurate, timely, and authorized system processing

Confidentiality of Information Processed by a System that Produces, Manufactures, or Distributes Products

Protection of confidential information in accordance with laws and customer requirements

Privacy of Information Processed by a System that Produces, Manufactures, or Distributes Products

Collection, use, retention, disclosure, and disposal of information in accordance with privacy policies, laws, and customer requirements

Similar to SOC 2 reports, SOC for Supply Chain reports are restricted in their use and can be issued to current and prospective customers, business partners, and other stakeholders. Organizations leverage SOC for Supply Chain reports to communicate the effectiveness of their supply chain risk management program, building trust and confidence in the market.