AICPA Introduces Audit and Risk Reporting Framework for Supply Chains
New SOC examination coincides with heightened concern about operational resilience and geopolitical factors; Shared Assessments looks at third-party risk in M&A
Friday, April 3, 2020
By Jeffrey Kutler
The coronavirus crisis put a spotlight on global supply chains and the havoc that can result from any weak or disabled link between source and destination. As if on cue, the American Institute of Certified Professional Accountants (AICPA) has launched SOC for Supply Chain, the newest of its System and Organization Controls frameworks for audit and risk reporting.
It is not, however, an instant or overnight development, but rather is an extension of a series that has emerged and been refined over a decade or longer. Third-party assurances are common across the entire SOC suite, which began with SOC 1 for internal control over financial reporting, Mimi Blanco-Best, AICPA associate director - attestation methodology and guidance, points out.
After SOC 1 came two other frameworks for CPAs to deliver internal control reports on service organizations: SOC 2 (trust services criteria relating to security, availability and processing Integrity in handling users' data, as well as confidentiality and privacy); and SOC 3 (like the SOC 2 criteria, but less detailed and available to be distributed to outside parties).
SOC for Cybersecurity can assist any type of organization in communicating “relevant and useful information about the effectiveness of their cybersecurity risk management programs” and “help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations' efforts,” according to the AICPA website.
Finally, SOC for Supply Chain is described as a “market-driven, flexible, and voluntary reporting framework [that] helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks.”
Allowing for Uniqueness
The reporting frameworks have complementary elements and are applied in a variety of ways, because risk profiles, assessments and controls can be unique to any given organization. As thorough and timely as a SOC for Cybersecurity report might be, it addresses third-party issues differently than does SOC for Supply Chain, which targets a “manufacturing, production or distribution system and the effectiveness of controls that mitigate supply chain risks,” AICPA said in a March 12 announcement.
“Supply chain risk can be different from cybersecurity risk, and with different controls,” Blanco-Best explains.
Blanco-Best described the latest framework as “a vital step in helping companies that manufacture, produce or distribute products explain how they are managing risks in their supply chains. We believe investors, boards, audit committees, customers and business partners will see tremendous value in gaining a better understanding of how those companies are managing their supply chain risks. Combined with the CPA's opinion, this will increase stakeholders' confidence in a company's due care and diligence.”
As a whole, the SOC suite serves as “a critical step to enabling a transparent, consistent, market- and business-based mechanism for companies to effectively communicate with key stakeholders on how they're managing third party risks, including those related to cybersecurity and supply chain,” AICPA says.
A supply chain examination is seen as economically beneficial, improving risk assessment so that a company can focus on business growth. It can be emblematic of good governance and provide a competitive edge by giving stakeholders “confidence that an organization has the right systems and controls in place to mitigate and manage supply chain risk.”
“Today's supply chains are highly sophisticated and complex, there is often a high level of interdependence and connectivity between them, which increases an organization's vulnerability to risk,” Amy Pawlicki, AICPA vice president - assurance and advisory innovation, said in a statement. “Our new SOC for Supply Chain framework can help an organization assess risk, understand the effectiveness of its controls and identify shortfalls.”
SOC 2 Uptake
SOC 2 certifications have proven to be a “gold standard” in recent years, Blanco-Best says. Firms ranging from Deloitte to KPMG to Coalfire have advertised relevant resources and services, and achievement of SOC 2 certification has been trumpeted as an imprimatur by financial technology companies like Tora in the investment management market and digital asset innovators BitGo and Gemini Trust Co.
“Simply saying you are secure is not the same as demonstrating you are secure to an independent third party,” Gemini head of risk Yusuf Hussain said in a January blog. “We feel that everyone should require these standards for any cryptocurrency exchange and custodian they use. Going forward, we will be completing a SOC 2 type 2 on an annual basis.”
Announcing Digital Asset Holdings' completion of SOC 2 type 2 on March 5, chief security officer Edward Newman said: “Protecting client and corporate data and the integrity of our products and services is a top priority . . . Through industry-standard security examinations and certifications, we are demonstrating our continued focus to meet the security requirements of all of our customers across multiple sectors. Successfully completing the SOC 2 examination shows our ongoing commitment to security for customer and corporate data, and the products and services we develop.”
Type 2 is a report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls over a specified time period. Type 1 reflects the management description and suitability of controls' design as of a specified date.
At the Policy Level
Supply chain risk - along with third-party and outsourcing variations - has an ever higher profile as a policy and regulatory concern. The U.K. Financial Conduct Authority, for example, included “the importance of outsourcing and other third-party service provision” among the operational resilience issues covered in a December 2019 consultation paper.
The Basel, Switzerland-based Bank for International Settlements, in an April 1 bulletin on dollar funding costs, cited supply chain implications, saying that the current crisis differs from 2008's “and requires policies that reach beyond the banking sector to final users. These businesses, particularly those enmeshed in global supply chains, are in constant need of working capital, much of it in dollars. Preserving the flow of payments along these chains is essential if we are to avoid further economic meltdown.”
Supply chains can be pathways for business volatility, says Sandor Boyson, research professor and founding co-director of the Supply Chain Management Center at the University of Maryland's Robert H. Smith School of Business. In a recent article on the coronavirus impact, he wrote: “The situation requires government and industry to act now to protect the supply chain that provides food, medicine and other necessary goods. The outbreak already has caused supply chain disruptions for about three-quarters of U.S. companies surveyed by the Institute for Supply Management.”
With Chinese industrial capacity starting to recover, Boyson outlined “three steps to protect U.S. supply chain continuity”: Restore global production, especially in China, as quickly as possible to serve critical industries; preserve operations of U.S. hubs by deploying a “supply chain command post” and “coronavirus war room” to ensure business continuity of ports, airports and highways; and ensure delivery of needed food and medical/health supplies to home-bound and vulnerable populations.
“An organization is only as strong as its weakest link, and third parties have typically been a key area of vulnerability,” says Cyber Risk Grows as COVID-19 Spreads, an article by Paul Mee and Rico Brandenburg of Oliver Wyman. Challenges facing third-party suppliers and vendors will be “amplified by disrupted cash flows, lower level of preparedness to address the heightened risks, and/or high pressure in meeting evolving customer needs amid supply chain challenges. It will be important for an organization to communicate and have visibility into its third-party vendors' security status to understand their increased security risk.”
Among the Oliver Wyman partners' mainly cyber- and information-security-focused recommendations:
“React quickly to this 'new normal' by re-assessing risks and ensuring that detection, response, and mitigation efforts are aligned accordingly. Review the security status of the most critical third-party suppliers and vendors and be prepared to strengthen oversight. Tighten security controls across the highest-risk areas and apply tactical controls to mitigate increased insider threats by rogue or naÏve employees . . . The weight given to these actions will vary depending on the criticality of the organization to the citizens and security of a nation, the operating model, distribution, technology, and culture of this organization plus several other idiosyncratic factors, weaknesses, and exposures.”
Risks in M&A
Elsewhere, the multi-industry, member-driven Shared Assessments Program for third-party risk assurance, which offers two certification programs for professionals in the field, has produced a report on best practices to improve merger-and-acquisition outcomes. Third-party risk management (TPRM) “is agile enough to be used in M&A and allows for examination of a degree of incremental risk that may otherwise be overlooked. This level of examination identifies a wider range of risks deeper in the supply chain than is typically achieved in M&A due diligence,” Shared Assessments said in a March 24 announcement.
In a Shared Assessments survey of 185 risk professionals, 51% had been involved in an M&A situation, and of those, only 38% discovered substantial compliance gaps and due-diligence risks long before deals closed.
“Now more than ever, it is crucial to evaluate M&A targets for both operational risks and for resilience against external threats,” said Shared Assessments chief executive officer David J. Perez. “Due diligence teams must look at both the known risks such as business operations, and a new and broader set of technological, human resources, cyber and physical security, and business continuity issues.”
The organization said that in addition to business operations, TPRM programs evaluate potential target organizations' exposure to risks and impact of climate change, insider malfeasance, money laundering, human trafficking issues, and sourcing issues stemming from political upheaval or public health crises. The programs also support “less obvious merger environment concerns, such as security and fraud issues that can increase as a result of heightened organizational uncertainty and employee stress.”
Coalfire ISO, an assessment arm of Colorado-based cyber risk advisory company Coalfire, said it has been accredited for auditing and certification of an organization's Privacy Information Management System (PIMS) under the international ISO 27701 standard. This follows Coalfire's launch last September of readiness assessment and certification audit services for the transition from the legacy ISO 27001 Information Security Management System (ISMS) standard, extending confidentiality, integrity and availability principles as they have been influenced by the European Union General Data Protection Regulation and California Consumer Privacy Act.
“Risk management practices must evolve to respond to the expansion of data collection throughout the course of ordinary business activities. Leading organizations should seek opportunities to build trust with data subjects and challenge the perspective that compliance is a cost rather than a differentiator for the business,” David Forman, managing principal, ISO Assurance at Coalfire, said in a March 19 announcement.
"Our organization has followed the developments of ISO 27701, its acceptance by supervisory authorities, and the creation of supporting accreditation programs since its draft release as ISO 27552,” Forman added. “Working with [ANSI National Accreditation Board], we are pleased to have played a role in this landmark alignment for the benefit of not only thousands of multinational organizations, but also for the protection of millions of consumers."
He said that ISO 27701 “bridges the gap between assurance programs and the developing requirements for data privacy. This standard provides a framework for integrating the traditionally separated information security and privacy functions within an organization and serves as an inflection point for benchmarking data processing activities.”