The Evolving Role of SOC Reports: Anticipating the Development of SOC for Vendor Supply Chains
SOC reports have a long history of evolving to reflect changing business conditions and risks.
In April 2017, for example, the American Institute of CPAs (AICPA) changed the meaning behind the SOC acronym: SOC originally stood for “Service Organization Controls” and now stands for “System and Organization Controls.” The new name better reflects the broad coverage the suite of reports provides to businesses that engage service organizations. As Accounting Today notes, the SOC suite increasingly means more things to more people while offering more options than ever before.
SOC for Cybersecurity was recently added to the SOC family in response to growing pressure on organizations to demonstrate how they address an expanding set of cybersecurity threats. To support it, the AICPA developed a reporting framework for an entity’s cybersecurity risk management program.
The AICPA continues to explore new ways to help organizations protect their data assets and internal technology.
Vendor Supply Chains: Could They Be the Next Addition to the SOC Reporting Family?
Like any other business consideration these days, vendor supply chains are fraught with risk. One reason risk has grown is that supply chains themselves have become more complex.
PYMNTS.com notes that “the growing complexity of international supply chains inevitably adds complexity to risk mitigation and increases risk exposure to all players involved. This trend is evolving rapidly, and corporate buyers are examining threats from all angles.”
For example, some supply chain vendors install third-party applications and software in their customers’ environments. Any vulnerability in that software exposes the customer, and the vendor in turn takes on responsibility for protecting whatever customer data assets it can access. Both parties are taking a leap of faith that leaves each exposed to the other’s risk.
Without a governing body to guide them, some user entities working with supply chain vendors are managing this risk on their own. Two common strategies are:
- Ensuring that all software for the vendor supply chain company—whether SaaS, a commercial brand, open source or as part of a third-party library—complies with the user organization’s security policies. These companies are working closely with vendors to ensure compliance.
- Seeking third-party organizations or auditing teams to analyze and attest to the security of the vendor supply chain’s internal controls and systems.
These workarounds help the two organizations work together with a shared understanding of risk, but everyone will benefit from an official set of guidelines from the AICPA once its SOC for Vendor Supply Chains is complete.
How Can You Manage Your Organization’s Vendor Supply Chains Until the AICPA Develops Its SOC for Vendor Supply Chains?
The AICPA’s planned report is expected to examine the internal controls over a vendor’s manufacturing and distribution processes, so that customers of manufacturers and distributors can better understand the cybersecurity risk in their supply chains. While you await that report, you may need more direct guidance.
Our team at I.S. Partners, LLC, is closely following the AICPA’s work on SOC for Vendor Supply Chains. In the meantime, we can help you understand and mitigate the risks at hand until we are able to perform official SOC reports on this subject.