Article

AICPA proposes guidance for new System and Organization Controls (SOC) Supply Chain report

The American Institute of Certified Public Accountants (AICPA) has released an exposure draft proposing new guidance for performing a SOC for Supply Chain assurance examination and issuing the related report. The draft proposes criteria for preparing and evaluating a description of an entity’s production, manufacturing or distribution system in such an examination. Increasing demand from management for insight into vendor supply chain risk is driving the development of this new attest service. A SOC for Supply Chain report could provide useful information about the risks that threaten the achievement of an organization’s supply chain commitments and about the controls in place to mitigate those risks.

SOC basics

A SOC report is intended to provide the user entities of an organization with attestation over the design and operating effectiveness of the reporting entity’s controls. The SOC reports currently available include:

SOC 1 reports on controls at a service organization relevant to user entities’ internal control over financial reporting.

SOC 2® reports on technology and/or operational controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.

SOC 3 is a general-use report based on the same criteria as a SOC 2 report, intended for distribution to a broad audience rather than to specified user entities.

SOC for Cybersecurity reports on controls within an entity’s cybersecurity risk management program.

Why is this important?

Entities that produce, manufacture or distribute products are closely connected to their suppliers, customers and business partners. As technology becomes a larger part of the supply chain process, the risks arising from those connections are growing rapidly. For example, a manufacturer may make widgets used in the production of an automobile. The automobile manufacturer needs information about the security, availability and processing integrity of the system(s) the widget manufacturer uses to make the widget, and about the relevant controls within those system(s). The proposed SOC for Supply Chain report could help the automobile manufacturer understand and manage the supply chain risks, including cybersecurity risks, arising from that business relationship. A cybersecurity attack on the widget manufacturer’s system, for instance, could have a significant impact on the automobile manufacturer.

Intended users of the report

The proposed report is intended to provide information to the following users:

  • Business customers – immediate customers, or similar business entities further down the supply chain.
  • Business partners – affiliated organizations that are customers or suppliers.
  • Non-regulatory, standard-setting bodies consisting of business customers or partners that represent their membership (industry consortiums).
  • Others – prospective customers or business partners.

Steps to take now

The AICPA is seeking comments on the nature and extent of the information and disclosures contained in the exposure draft. The full exposure draft is available on the AICPA’s website. The comment period for the draft ends Feb. 28, 2019.

For more information on this topic, or to learn how Baker Tilly SOC specialists can help you, contact our team.
