The American Institute of CPAs will begin offering SOC for Supply Chain, a new assurance framework this month, to help business clients have more confidence around the viability of their global supply chain in the midst of threats like the coronavirus.
SOC for Supply Chain builds on the AICPA’s earlier SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity frameworks that allow CPAs to provide auditing, reporting and assurance services. SOC originally stood for “service organization controls,” but now means “system and organization controls.” The AICPA has also evolved the concept of SOC reports over the years. The original SOC 1 reports covered internal controls over financial reporting, but have evolved to encompass other areas like cybersecurity and now supply chain management.
“SOC 1 specifically takes a look at a system and the controls within the system that enable an organization to provide reliable financial statements,” said Mimi Blanco-Best, AICPA associate director of attestation methodology and guidance. “We refer to those as systems of internal control over financial reporting, distinct from SOC 2. SOC 2 is also for service organizations, but the controls that we look at in SOC 2 engagements are much broader than just the system used to provide reliable financial reporting. Instead we’re looking at the system that is used to provide services to the users, to the customers,. Within those systems we can be looking at the security controls, controls over availability, processing integrity, or confidentiality. Finally, if the service organization collects personally identifiable information, PII, we can also be engaged to look at the privacy controls over for maintaining the privacy of that PII. We also have a SOC for Cybersecurity and we just came out with a SOC for Supply Chain.”
The new service will provide companies with reports that will give them more assurance around issues that could be holding up their supply chain, particularly in terms of cybersecurity and availability of products and components. Besides changing the meaning of SOC from “service organization controls” to “system and organization controls,” the AICPA has also begun moving away from numbering the various forms of SOC to giving it names like SOC for Cybersecurity and SOC for Supply Chain.
“We look at the systems that are used to provide services to customers,” said Blanco-Best. “In this case, we’re focusing on products. It’s really manufacturers, producers or even in some cases distribution companies, so systems that are used to manufacture, produce or distribute products. Those products can be tangible or tangible, but it’s the distinction between a product vs. a service, although the controls, the things that we would expect the systems to have in place, are really similar. The way that those controls are implemented are different in a manufacturing environment than they would be, for example, in an ADP environment that provides payroll services to its customers. But other than that, they’re pretty much the same thing.”
Factors in the supply chain could be the impact of the coronavirus or the availability of crucial parts like airbags in automobiles.
“We may not have experienced the coronavirus before, but we’ve experienced shortages in the marketplace before,” said Blanco-Best. “There were very few manufacturers of airbags, and the manufacturers found they couldn’t get airbags quickly enough. We try to help management understand the risks, and based on those risks, they need to have controls in place to make sure those risks are mitigated.”
SOC for Supply Chain builds upon the earlier frameworks in allowing CPAs to provide assurance around a company’s controls, especially as they relate to technology. “Technological advances have made organizations around the world ever so much more connected than they ever were before,” said Blanco-Best. “As that began to happen, organizations recognized that anytime they did business with another company, there were certain risks introduced in their company. They started being more aware of third-party risks, somebody outside of your organization who may have controls, or may not have controls.”
SOC reports can help clients provide readily available answers to their suppliers and customers who have questions about the extent of those outside risks, she noted. “Organizations like service organizations that provided services started getting inundated with questionnaires from their customers saying, ‘I know you process payroll for us. But what do your controls look like? How do I know that the information I give you is processed correctly? How do I know that all of the information I give you is processed? How do I know that what comes out includes everything I gave you? What kind of controls do you have over unauthorized users being able to get into your system and changing somebody’s personal data. Can one of your employees access the system and steal our employees’ personal information that we’ve given you?’” she said.
“They got inundated with these 200-page questionnaires that wanted very detailed answers to questions like this because those organizations wanted to know that their employee information that they’re giving to a third party is still secured, even when they give it to that third party,” she added. “That’s kind of when SOC 2 was born as a response to that service organization to say, ‘You can provide all your customers with this one report. Maybe it’s not going to answer 100 percent of the questions that they might have, but it’s likely to answer 90 percent of them or more. Hopefully that will save your time and effort in having to report individually to all of these questionnaires. And if your customer needs more information than what’s in the SOC report, clearly they can still contact you for it.”
SOC for Supply Chain is geared specifically to questions about the supply chain. “The exact same thing started happening with manufacturers and producers, and their suppliers and their customers,” said Blanco-Best. “Suppliers, how do I know I can rely on you? What kind of controls do you have in place? In case there’s a fire or business interruption, how quickly could you get up and running again if there was a problem on your end. The risks are different, but the fact is the company needs to identify those as risks and have some controls in place to mitigate it. The same kind of thing started happening and that’s when the AICPA thought we could help manufacturers and producers solve that problem just like we did for service organizations. To me, it’s really all about third party risk management, and it’s a way to make those efforts easier for organizations that have these reports.”
While CPAs can provide the financial expertise to make such assessments, they are likely to need some technology experts on staff at their firms as well. “Keep in mind that a CPA like me who just has a financial statement background couldn’t go out and do that,” said Blanco-Best. “However, I could work with a group of CPAs who are IT people. They might not even be CPAs. They may just be IT people. We could all be on an engagement team and we could provide a SOC 2, say, for a company because our team would have all of the skills and qualifications that we need to do the work. From my end, it would be how much evidence do I need to gain to give an opinion? What does that look like? From their position, it would be we can actually perform the procedures that we need to understand whether these controls are operating effectively, or are designed effectively.”
