Ralf Hofstetter
Director, Trust & Transparency Solutions, Competence Centre for Attestations, PwC Switzerland
Global supply chain risks have grown in line with increasing complexity and digital interconnectivity. The American Institute of Certified Public Accountants (AICPA) has reacted by publishing a reporting standard for the risk management of supply chains. However, the manufacturing industry, retailers and customers have yet to tackle this issue properly. This could be set to change, as companies with international production and distribution structures in particular will have to respond to the demand for greater transparency in the supply chain.
The world of products and services is thoroughly globalised. The internet of things, digitalisation and the automation of processes have made the manufacture and distribution of goods increasingly interconnected. This has brought manufacturing, supplying and retailing companies closer together and closer to their customers, which is also why supply chains have become more fragile.
This fragility becomes evident when the supply chain is disrupted, for example during the global lockdowns following the outbreak of the pandemic in the spring of 2020 or when the Suez Canal was blocked by the container ship Ever Given in the spring of 2021. On 17 March 2000, a lightning strike knocked out a fabrication line of silicon wafers at Royal Philips Electronics in New Mexico. Chip manufacture for thousands of smartphones was affected, which pushed one of the market leaders at the time out of the market.
Events such as these shine a light on risks in the supply chain that were previously thought to be unimportant. Such events lengthen supply lead times, and it usually takes 6 to 12 months for the system to stabilise again. Virtually overnight there are shortages of raw materials, semi-manufactured goods, components and spare parts, or there is no alternative to a monopoly supplier. Procurement bottlenecks are still widespread. At least in the coming months they will likely continue to pose a challenge, especially to companies with international supply chains.
The pandemic-induced leap forward in digitalisation has also brought virtual risks into play, for example from cyber attacks, including the theft of business-sensitive information on production cycles, company offices, transactions and sales or – worse still – the misuse of sensitive customer information. Moreover, distributed production is increasingly common in product manufacturing. Businesses have become much more aware of supply chain risks and thus of the need for greater transparency in the supply chain since the outbreak of the pandemic.
The American Institute of Certified Public Accountants (AICPA) has responded to these challenges and published a framework for reporting on the risk management of supply chains: System and Organisation Controls (SOC) for Supply Chain. This standard gives both the manufacturing and retail industry and their customers a practical tool to communicate the processes, structures, risks and controls of supply chains in a more transparent way.
The SOC supply chain report works in the same way as the established report types[1] SOC 1, SOC 2 and SOC 3. The reporting entities are required to describe the control processes and structures in their supply chains based on the detailed description criteria DC300. Companies must also demonstrate that the internal controls are effective on the basis of the trust services criteria (TSC). These criteria document how the risks of security, availability, integrity, confidentiality and/or data privacy can be mitigated. Auditors also apply the TSC in an SOC 2 examination.
The SOC report for the supply chain is an effective instrument for manufacturing, sales and supplier organisations and their clientele in several different ways.
To date, very few SOC reports for the supply chain are being requested, and consequently few corresponding assurance engagements are being performed. This is surprising, since both the market environment and standard setters have made clear that supply chain risks are becoming more pressing and companies can no longer ignore them, as the examples we have mentioned demonstrate.
[1] The SOC 1 report type examines the controls at a service organisation relevant to internal controls over financial reporting (ICFR). A type I report is a report as of a specified date, while a type II report examines the effectiveness of controls throughout a specified period. An SOC 2 report provides information on internal controls relevant to security, availability, processing integrity, confidentiality and/or privacy. The report can be in either type I or type II format. As with SOC 2, the SOC 3 report type relates to internal controls over security, availability, integrity, confidentiality and/or privacy. An SOC 3 report does not contain any information on the individual controls that were examined or the results. This report type is usually intended for general use by a variety of different addressees.
The more complex a supply chain, the bigger the risks. Once-in-a-century events such as the pandemic with repeated lockdowns have made supply chain risks even more salient. AICPA has launched the SOC report for the supply chain in response. However, the benefits and information which such reporting can provide for all concerned are not yet being seen in practice. Only a few customers are asking their suppliers in Switzerland to provide an SOC report or requesting an independent examination from their auditors. However, the desire for assurance that supply chains are sustainably secure is growing all the time. The new SOC report gives companies an elegant way to update their risk and quality management, put the reliability of their value chain on an even more secure footing and strengthen confidence through transparency.