AICPA Releases New Assurance Report for Supply Chain Risk Management
On March 1, 2020, the American Institute of CPAs (AICPA) issued the SOC for Supply Chain assurance report framework that is intended to provide insight and transparency into a supplier’s systems and operations. This framework allows suppliers to report on controls over a manufacturing, production or distribution system. This report provides the ability to communicate to stakeholders (customers, business partners, owners, boards, etc.) relevant information about how suppliers are managing their risks to help ensure they are achieving their system commitments and requirements.
A supplier, as defined by the AICPA in the SOC for Supply Chain guide, is “an individual or business (and its employees) that provides products (such as raw materials, components, or other goods) or services to a producer, manufacturer, or distributor (an entity). A service provider, for example, is a specific type of supplier that provides services to an entity.”
The reality is almost everything we purchase, consume or use to run a business is supported by suppliers. These entities that keep our engines running and allow us to enjoy many aspects of our lives or grow our business pose some level of risk to our well-being and ability to sustain growth. A business must be able to source what it needs, when it is needed. This could include employees, access to capital, inputs for products or customers, just to name a few. The dependency on suppliers creates additional complexity for managing risk, so companies are increasingly interested in:
- Understanding how the supplier is managing risks that affect the supplier’s production, manufacturing or distribution of goods
- Comparing system commitments and requirements to the contractual obligations and customer needs
- Learning about the supplier’s production, manufacturing or distribution process to better understand the risks to the customer when doing business with the supplier
- Understanding the information security controls implemented by the supplier to gain confidence the supplier is sufficiently managing access to the systems and data
Outsourcing risk and responsibility allows a business to scale, but just because risk has been transferred to a supplier does not mean the business is off the hook for managing the risk. Evaluating and monitoring suppliers and contingency planning for supplier failure are still management’s responsibility. Supplier failures can have a dramatic effect on a company’s ability to:
- Provide products that meet the principal product performance specifications
- Meet delivery and quality commitments and requirements
- Meet production, manufacturing or distribution commitments and requirements
Currently, there are a few options available to a company trying to gain insight into its suppliers’ systems and controls in place to achieve their system commitments and requirements. Management can obtain information directly from the supplier, perform site visits or other internal audit procedures or obtain certificates (such as ISO) if available.
The SOC for Supply Chain report provides a unique and valuable addition to stakeholders and the market by including an opinion from an independent third party on whether controls were designed appropriately to help ensure commitments and requirements are achieved and whether those controls operated effectively over a 12-month period.
The AICPA is hoping to provide additional value through this framework in three ways: including a common set of criteria to allow for better comparability, reducing the communication and compliance burden for organizations by allowing one report to communicate the information stakeholders need, and allowing flexibility to report on companies of different sizes and industries.