AICPA proposes guidance for new System and Organization Controls (SOC) for Supply Chain report

The American Institute of Certified Public Accountants (AICPA) released an exposure draft that proposes new guidance for the creation of a SOC for Supply Chain assurance examination and report. The exposure draft proposes new criteria for use in the preparation and evaluation of a description of an entity’s production, manufacturing or distribution system in an examination. Increased demand from management to gain insight into potential vendor supply chain risks in the market is driving the development of this new attest service. The SOC for Supply Chain report could provide useful information about the risks that threaten the achievement of the organization’s supply chain commitments and the controls in place to mitigate those risks.

Why is this important?

There is a significant connection between entities that produce, manufacture or distribute products and their suppliers, customers and business partners. With the growth in technological development as part of the supply chain process, the risks arising from these connections are increasing rapidly. For example, a manufacturer may make widgets used in the production of an automobile. The automobile manufacturer needs information about the security, availability and processing integrity of the system(s) the widget manufacturer uses to manufacture the widget, and about the relevant controls within the applicable system(s). The proposed SOC for Supply Chain report could provide useful information for the automobile manufacturer to better understand and manage supply chain risks, including cybersecurity risks, arising from their business relationship. As an example, a cybersecurity attack on the widget manufacturer’s system could result in a significant impact on the automobile manufacturer.

Intended users of the report

The proposed report is intended to provide information to the following users:

  • Business customers – this includes immediate customers or similar business entities further down the supply chain.
  • Business partners – this may include affiliated organizations that are customers or suppliers.
  • Non-regulatory, standard-setting bodies consisting of business customers or partners that represent their membership (industry consortiums).
  • Others – prospective customers or business partners.

Steps to take now

The AICPA is seeking comments on the nature and extent of information and disclosures contained in the exposure draft. The full exposure draft can be found on the AICPA’s website. The comment period for the draft ends Feb. 28, 2019.

For more information on this topic, or to learn how Baker Tilly SOC specialists can help you, contact our team.