AICPA’s System and Organization Control (SOC) report is reshaping industry resilience, and businesses need to know how to navigate it.
By David Barton, Managing Director, UHY Advisors
Supply chains were pushed to their breaking point through the global COVID-19 pandemic, and geopolitical tensions, economic instability, and increasing cybersecurity concerns continue to threaten the global supply chain. As a result, supply chains are evolving and becoming more complex in an effort to prevent a situation similar to what we have seen from 2020-2022.
Understanding the fragility of our supply chain and its vulnerability to cyberattacks, the American Institute of Certified Public Accountants (AICPA) recognized the need for members of the supply chain to have a better understanding of controls in place within supply chains. With this goal in mind, the AICPA created the System and Organization Control (SOC) for Supply Chain framework to allow companies to communicate information about their processes and controls to detect, prevent, and respond to supply chain risks. In order to better understand the importance of supply chain controls, it’s crucial to understand the emerging trends that are reshaping the supply chain.
The digitization of certain areas of supply chain management will open many new doors in terms of capability and efficiency but will also leave organizations vulnerable to data breaches and cyberattacks.
One such attack is the software supply chain attack, where a cyber threat actor infiltrates a software vendor’s network and uses malicious code to compromise the software before the vendor can send the software to customers. That compromised software then corrupts the customer’s data or network. The SolarWinds/Orion attack in 2020 was the first highly publicized software supply chain attack. More recent examples include Okta and GitHub.
The SOC for Supply Chain Report will benefit organizations by allowing them to understand the controls in place and the risks involved when partnering with certain entities.
Created for companies to communicate information about their processes and controls to detect, prevent, and respond to supply chain risks, the SOC for Supply Chain Report is similar to a SOC 2® report. Unlike the other SOC Reports, it is specifically intended for companies that produce, manufacture or distribute products.
The SOC for Supply Chain report is an independent third-party attestation of Management’s assertion regarding compliance with AICPA Trust Services Criteria. The report includes Management’s description of the organization’s system and controls, an assertion by Management regarding the system and the effectiveness of controls, and a practitioner’s opinion regarding the accuracy and completeness of Management’s assertion.
As organizations look to avoid the risks of fragile supply chains by utilizing digital transformation, diversifying their suppliers, and forming new relationships, it is imperative that they know the risks upon entering into new relationships. Having access to relevant data will allow organizations to make informed decisions on the entities they partner with and have the reassurance that controls are in place to protect sensitive information. Risk mitigation will be a vital component of any supply chain strategy. Having a SOC for Supply Chain Report will help identify some of those risks and determine the best mitigation strategies for them.
David Barton is a Managing Director with UHY Advisors and is the practice leader of the Technology, Risk & Compliance practice focused on information technology. He has over 30 years of practical experience in information systems and technology risk and controls.
Tune in to hear from Chris Brown, Vice President of Sales at CADDi, a leading manufacturing solutions provider. We delve into Chris’ role of expanding the reach of CADDi Drawer which uses advanced AI to centralize and analyze essential production data to help manufacturers improve efficiency and quality.