Supply Chain Expertise and Technology Blog by TMC, a division of C.H. Robinson

Does Your TMS Provider Offer an SOC Report?


When evaluating an investment in a transportation management system (TMS), shippers rightly do a deep dive into what supply chain returns they can expect. But there is another set of requirements that is attracting more interest from shippers: The need for compliance and controls around IT and financial reporting.

Service providers, including those that offer TMS technology, must demonstrate that they have the proper controls in place to protect their customers’ data, accurately process and report on transactions, and reach promised performance levels.

A way for providers to meet these demands is to offer a Service Organization Control (SOC) Report. This is an internal control report on the service. The report provides information that shippers can use to assess and address the risks associated with an outsourced TMS solution.

The provider obtains this report by completing an audit carried out by an independent certified audit firm. These firms must adhere to the audit standards set forth by the American Institute of Certified Public Accountants.

Why is this type of assessment becoming more important in the TMS market? Because TMS solutions are business information hubs, and as such, affect a shipper’s control over financial reporting and the security of the IT systems that support global operations. SOC Reports offer shippers a way to build trust and confidence in this technology.

A lot of time, effort, and diligence go into developing an SOC assessment and report. But the work pays off both in terms of the information it provides and the opportunity for providers to assess and improve their TMS offerings.

There are three types of SOC Reports: SOC 1, SOC 2, and SOC 3. The first one looks at the system’s internal controls over financial reporting. SOC 2 focuses on areas such as IT security and availability. Data warehousing, cloud computing, and data processing are examples of activities that might fall under this umbrella. The SOC 3 report is a less detailed version of the SOC 2 document that is used as a general-use report, whereas SOC 1 and 2 reports are restricted-use reports.

TMC has successfully completed its first SOC 1 audit with a Big Four auditing firm, and is currently preparing to undergo an SOC 2 audit.

The audits occur annually and require a great deal of work. The process is complex: it includes planning, scoping, testing, and document generation, and takes nearly a year to complete from initial preparation to the issuing of a report.

The final Service Auditor’s Report contains opinions on three possible levels. An Unqualified Opinion verifies that the system meets the objectives of the control environment, as shown by tests of the processes and practices involved. TMC was awarded this Opinion by its SOC 1 auditor. The other two levels are Qualified (aspects of the system did not meet the control objectives), and Adverse (the system deviates from the control goals).

As can be appreciated, such a detailed analysis provides a comprehensive profile of the TMS control environment. Shippers can refer to this information when assessing an existing third party TMS provider relationship, or when evaluating prospective relationships. For the provider, the exercise highlights service gaps, and gives a detailed road map for continuous improvement.

The 2008 financial meltdown and high-profile cases of computer data hacking have raised awareness of the need to ensure that information systems and financial processes are robust and adequately protected. Recent developments, such as the growth of cloud computing, have reinforced these concerns.

In our experience, SOC queries are now appearing more frequently in the sales discovery and RFP process, an indication that more shippers are looking to verify the integrity of the service provider’s processes and the TMS technology that supports those processes. Another indication of these demands is that service contracts are now more likely to include language that pertains to IT and financial controls.

TMS service providers that embrace these changes rather than viewing them as a threat can improve their services, give customers the assurances they need, and enhance their competitiveness.

We believe that it is now incumbent on providers to offer this type of credential.

If you’re working to partner with a TMS service provider, have you asked them for an SOC report?