Manufacturers, producers, and distribution companies must manage a complex network of plants, service providers, and suppliers to operate efficiently and meet commitments to customers. At the same time, the threats to and vulnerabilities of each supplier in the chain have increased significantly. When a supply chain is disrupted, the organization is at risk of failing to meet production or delivery commitments it has made to its customers.
Causes of disruption to supply chains include the following:
- Weather and other natural disasters (such as hurricanes or tornadoes) in a geographic area that is home to a supplier’s facility
- Threat of war or military action in a geographic area that is home to a supplier’s plant
- The lack of financial well-being of a key supplier or shipper
- Widespread diseases (such as SARS, MERS, or the COVID-19 coronavirus) that can affect the entire supply chain
For these reasons, an organization’s ability to achieve its objectives is increasingly dependent on events, processes, and controls that are not visible to the organization and are often beyond its control, such as controls at the suppliers. Manufacturers, producers, and distribution companies are looking for visibility across their complex supply chain networks to better understand the risks of doing business with suppliers and the controls the suppliers have in place to mitigate those risks.
The failure to manage these risks appropriately can result in:
- reputational damage,
- loss of intellectual property,
- disruption of key business operations,
- fines and penalties,
- litigation and remediation costs, and
- exclusion from strategic markets.
This is why supply chain risk management has become such a significant issue to many organizations and their stakeholders. Suppliers are also increasingly interested in communicating how they manage the production and distribution risks in their own systems as a way of reassuring the organizations with whom they do business.
Organizations can use the SOC for Supply Chain report to communicate to stakeholders relevant information about their supply chain risk management efforts and the processes and controls they have in place to detect, prevent, and respond to supply chain risks. A SOC for Supply Chain report enables a CPA to examine and report on management-prepared system information and on the effectiveness of controls within the system, thereby increasing the confidence that stakeholders may place in such information.
Components of the SOC for Supply Chain reporting framework
The SOC for Supply Chain reporting framework provides three key sets of information that, taken together, are intended to meet the objectives discussed previously.
1. Management's assertion.
As with all SOC reports, an assertion is provided by management. Management makes an assertion about whether the description is presented in accordance with the description criteria and whether the controls presented in the description were effective to provide reasonable assurance of achieving the organization’s objectives based on the trust services criteria.
2. The CPA's opinion.
The second component is a CPA’s opinion on the description and on the effectiveness of controls within the system to achieve the organization’s objectives.
3. Management’s description.
The last component is a management-prepared narrative description of the manufacturer, producer, or distribution company’s system for producing a good or set of related goods. Of course, BRC will assist the organization’s management in preparing this description. The description is designed to provide system-specific information about the organization’s objectives, risks, and the processes and controls implemented and operated to address those risks.
The description provides the context needed to enable customers and business partners to understand the conclusions expressed by management in its assertion (see item 1) and by the CPA in the CPA’s opinion (see item 2) about the effectiveness of the controls included in the organization’s description of its system.
Let’s get started today. BRC is ready to help your organization demonstrate the maturity of its Supply Chain risk management program. Contact Ben Hunter III, CPA/CITP, CISA, CRISC, CDPSE, CISM at (336).294.4494 (bhunter@brccpa.com) to get started on a SOC for Supply Chain today.

Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]