WOLF & CO Insights AICPA Issues New SOC Report for Supply Chain Management

AICPA Issues New SOC Report for Supply Chain Management

Written by: Joanna M. Fialli

COVID-19 has forced organizations to take a second look at their heavy dependence on vendors and partners to provide products and services to customers. With supply shortages caused by the pandemic, companies are dealing with the ramifications of resource and risk mismanagement—leading to disruptions in the ability to produce, distribute, and provide necessary products and services. These missteps can harm your organization’s reputation, and result in monetary loss as your customers seek out alternative providers. It’s important that your organization properly manages your supply chain to avoid these downfalls, and comprehensively oversees your vendor risk management processes to mitigate and prevent potential supply shortages.

The American Institute of Certified Public Accountants (AICPA) attempted to address this question by designing an assurance report called System and Organization Controls (SOC) for Supply Chain. This report leverages the trust services principles (e.g. security, availability, confidentiality, processing integrity, and privacy) with customized criteria to demonstrate the controls implemented to manage supply chain risks. The report details an organization’s service commitments, risk management program, third-party oversight program, monitoring controls, and other control areas relevant to purchasers of a service or product. These quality assurance reports can be used to ease concerns around supply chain mismanagement and accurately portray commitment towards maintaining service obligations.

SOC for Supply Chain: How Does it Work?

Organizations interested in pursuing SOC for Supply Chain should ensure proper controls are in place before engaging this report. Your organization should first complete a readiness assessment where a consultant evaluates your control environment against the trust services criteria. Your organization will receive feedback on the maturity of your controls, as well as identify potential gaps that will need to be analyzed and closed prior to undergoing the formal audit process.

Once these gaps are addressed, you should consider a Type I audit, where a service auditor will test the design and implementation of your controls. Many organizations prefer to start with a Type I audit, as it provides greater flexibility in the testing procedures and helps prepare you for a Type II audit.

The Type II audit is a more comprehensive SOC report that covers a designated period of time to provide assurance over control design, implementation, and operating effectiveness. The testing procedures for a Type II audit are more rigid, as your auditor will be required to follow formal sampling standards.

Upon the completion of a Type I or Type II audit, your auditor will issue the SOC for Supply Chain report that you can share with your customers and business partners.


The frequent disruptions in supply caused by the pandemic have left many organizations unable to fulfill their commitments to customers. Manage your risk, mitigate gaps, and revamp your client and vendor relationships by engaging the new AICPA SOC for Supply Chain. This report will differentiate your organization from your peers by demonstrating your commitment to protect customers and partners from any potential issues in the supply chain.