A new way to manage supply chain risk – Introducing the AICPA SOC for Supply Chain report

Jeff Cook, SOC Director, Coalfire

With the continuation of its System and Organization Controls (SOC) suite of services (SOC 2®, SOC for Cybersecurity, etc.), the American Institute of Certified Public Accountants (AICPA) has released a new report format that focuses on manufacturing and distribution supply chains. The AICPA’s SOC for Supply Chain framework helps these organizations communicate their processes and controls to support their supply chain risk management, as well as to detect, prevent, and respond to supply chain risks. Organizations can also use SOC for Supply Chain reports to help understand and manage their external risks (including cybersecurity) that are typically related to their vendor or distribution networks.

Why is a SOC for Supply Chain report relevant?

Manufacturers, producers, and distribution companies must manage a complex network of industrial plants, service providers, and suppliers to operate efficiently and meet commitments to customers.  When exploring the need for a SOC for Supply Chain report, organizations must consider the risks to the supply chain that may cause problems in their system or their vendors/suppliers’ systems.  Here are a few examples of the risks related to the supply chain from both internal (the manufacturer, producer, distributor) and external (the vendor or supplier) points of view:

Internal Risks

  • Loss of data (including both proprietary company data and customer data)
  • Inappropriate access to production control systems
  • Failure to meet production, distribution and delivery, or other commitments

External Risks

  • Natural disasters or wide-spread disease, which could halt production
  • Negative financial impact (including loss of revenue)

The failure to manage these risks can result in reputational damage, loss of intellectual property, disruption of business, penalties or fines from regulatory agencies, or loss of market share.
Due to the reciprocal nature of relationships with suppliers, organizations are responsible for understanding the risks of conducting business with suppliers and for designing, implementing, and operating controls to mitigate those risks. Organizations should confirm the following information:

  • The supplier’s objectives for the production, manufacturing, or distribution of goods compared to customer needs.
  • The risks identified by a supplier that affect production, manufacturing, or distribution of goods.
  • The controls that the supplier has implemented to mitigate risks.
  • The information security controls implemented by the supplier or business partner when IT connectivity is required.

A comprehensive knowledge of this information will help an organization to more effectively integrate security controls with the supplier, and overall allow for a better understanding of the risks of conducting business with the supplier.

What are the benefits of a SOC for Supply Chain report?

For organizations to understand the supplier-related risks mentioned previously, they need to gather a variety of information from numerous sources, including:

  • Supplier-provided information
  • Procedures that were performed by the supplier’s internal audit functions
  • Site visits, inspections, and other procedures performed by the organizations themselves and/or their auditors

The SOC for Supply Chain report offers an efficient way for organizations to understand the systems and controls of their suppliers by collating the information needed in one formalized document. The primary objective of a SOC for Supply Chain report is to provide a way for manufacturers, producers, and distribution companies, as well as vendors/suppliers, to efficiently and effectively communicate useful information about their systems and related controls to customers and business partners.
Like a SOC 2 report, a SOC for Supply Chain report provides a description of the system an organization uses to manufacture, produce, or distribute products, as well as an opinion (from the independent examiner) on the effectiveness of the controls within that system.

How does the SOC for Supply Chain report differ from a SOC 2 report?

This table shows similarities and differences of SOC for Supply Chain and SOC 2 reports:

 

SOC 2

SOC for Supply Chain

Types of organization(s)

Provides a service to user entities (service organizations)

Produces, manufactures, or distributes products

Examination report at the system level

The system that provides the service(s)

The system that produces, manufactures, or distributes products

Report purpose

Provides information about controls within the service organization’s system to support user entities’ evaluations of their own systems of internal control

Provides information about controls within the system to enable organizations to better understand and manage the risks arising from business relationships with their supplier and distribution networks

Intended users

Service organization management and specified parties that have sufficient knowledge and understanding of the service organization and its system

Entity management and specified parties that have sufficient knowledge and understanding of the entity and its system

Professional standards and guidance used

SSAE 18
AICPA SOC 2 Guide

SSAE 18
AICPA SOC for Supply Chain Guide

Responsible party

Service organization management

Entity management

Restricted or general use

Restricted to service organization management and users of the system that have sufficient understanding of the system, criteria, risks, etc.

Restricted to entity management and users that have sufficient understanding of the system, criteria, risks, etc.

Subject matter of the assertion and examination

 

Description of the service organization’s system based on the description criteria

Description of the entity’s production, manufacturing, or distribution system based on the description criteria

Suitability of design and operating effectiveness of controls stated in the description to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria

Suitability of design and operating effectiveness of controls stated in the description to provide reasonable assurance that the entity achieved its principal system objectives based on the applicable trust services criteria

Criteria for the examination

 

AICPA Description Criteria Section 200

AICPA Description Criteria Section 300

AICPA TSP section 100, Trust Services Criteria (to evaluate the design and operational effectiveness of controls related to Security, Availability, Processing Integrity, Confidentiality, or Privacy)

AICPA TSP section 100, Trust Services Criteria (to evaluate the design and operational effectiveness of controls related to Security, Availability, Processing Integrity, Confidentiality, or Privacy)

Contents of the report

  • Description of the service organization’s system
  • Written assertion by service organization management
  • Service auditor’s (CPA) report that contains an opinion on the subject matter
  • Description of the service auditor’s tests of controls and the results of the tests
  • Description of the entity's production, manufacturing, or distribution system
  • Written assertion by entity management
  • Practitioner’s (CPA) report that contains an opinion on the subject matter
  • Description of the practitioner's tests of controls and the results of the tests

 

What to do if you’re an organization seeking a SOC for Supply Chain report?

If your organization would benefit from a SOC for Supply Chain report, be sure to engage professionals who understand the various supply chain risks for manufacturers and distributors and how those risks can best be mitigated. Make sure they are well-versed in AICPA standards and reports, helping to ensure that you receive a high-quality technical analysis (including security), and also top-quality reports that will satisfy both your organization’s needs and the needs of your customers and business partners.
 
For more information about our SOC solutions please visit: https://www.coalfire.com/Solutions/Audit-and-Assessment/SOC-and-SSAE-18

Jeff Cook

Author

Jeff Cook — SOC Director, Coalfire

Recent Posts

Post Topics

Archives

Tags

Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS
Top