SOC for Supply Chain

Demonstrate your organization’s adherence to internal controls that detect, prevent, and respond to supply chain risks with a SOC for Supply Chain examination

Developed by the American Institute of Certified Public Accountants (AICPA), a SOC for Supply Chain examination provides the independent opinion of a CPA on the organization’s description of the system it uses to manufacture, produce, or distribute products, and on the suitability of design and operating effectiveness of a company’s internal controls.

Communicate controls over manufacturing, production, and distribution systems to your partners and customers with an examination from our professionals.

Who Needs a SOC for Supply Chain Examination?

Vendors; suppliers; and production, manufacturing, and distribution companies can benefit from a report.

In general, an examination is an important assessment for two distinct entity types:

  • Manufacturing, production, or distribution companies required by customers to undergo a SOC for Supply Chain examination
  • Vendors or suppliers deemed an important part of an organization’s supply chain that could cause disruptions if operations are compromised

What Are the Benefits of a SOC for Supply Chain Examination?

SOC examinations can support organizations in numerous areas.

Reduce Time and Effort

Many customers or clients rely on manual, time-consuming assessment processes to assess if a vendor or supplier should be added to their supply chain.

A SOC for Supply Chain examination can quickly reduce due diligence efforts by cutting down time-consuming, manual procedures, such as:

  • Information gathering. An organization’s system description provides information on the organization’s security processes or other relevant operations including production, manufacturing, or distribution systems.
  • Site visits. Streamline site visits to the manufacture, production, or distribution facilities to observe physical controls or processes.
  • Questionnaires. Avoid sending lengthy questionnaires about internal controls, which are then assessed by the customer or client.
  • Standard of Comparison. Maintain a standard for organizations when comparing various vendors or suppliers.

Achieve Supply Chain Objectives

A SOC for Supply Chain examination can also help an organization achieve key supply chain objectives, through the following steps:

  • Establish a common set of criteria for disclosures about manufacturing, production, or distribution systems
  • Create a common set of criteria for assessing control effectiveness and design
  • Reduce required communication between organizations related to information about the manufacturing, production, or distribution system
  • Provide a standard for communicating relevant information without being required to disclose trade secrets, patents, or other intellectual property

This can allow organizations to focus resources on strengthening customer and client relations as well as demonstrating compliance through internal controls.

Mitigate Risk

Demonstrate how your organization mitigates or addresses disruptions associated with common operational challenges including:

  • Regulatory or compliance changes
  • Financial health and vitality of a key vendor or supplier
  • Natural disasters or inclement weather
  • Civil unrest, war, or military or governmental action in certain geographical locations where key processes or vendors and suppliers operate
  • Pandemics, health hazards, and disease
  • Changing political climates

How the Process Works

The SOC for Supply Chain report includes four sections:

  • Management’s description of their manufacturing, production, or distribution system
  • Management’s assertion of its system description and controls, and responsibility for the design and operation of internal controls
  • The CPA’s opinion of management’s system description and design and operating effectiveness of internal controls
  • Presentation of management’s controls, how they map to the Trust Services Criteria, and the CPA’s test procedures and results to control tests


Sections one and four discussed above use two sets of criteria to determine a system’s effectiveness. The criteria are designed to allow for maximum applicability and scale for large and small organizations alike.

  • The Description Criteria. Used as the framework for an organization to present a description of their production, manufacturing, or distribution system.
  • The Control Criteria. The Trust Services Criteria are used as the framework to present the internal controls of an organization and how the Trust Services Criteria are met through those controls.

Expansive SOC Experience

Our professionals provide examinations for a range of client types including software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platforms-as-a-service (PaaS) companies; business intelligence providers; colocation data centers; financial institutions and service companies; third-party administrators; benefits administrators; manufacturing and distribution companies; and more.


Primary Contact