Key insights
- Increased technology and automation may lead to more efficiency and interconnectedness, but it also raises the potential for supply chain risk.
- SOC for Supply Chain reports allow organizations to demonstrate their security control environment and monitor business risks that may be introduced through vendor-supplied software.
- Organizations that manage supply chain risk with a SOC for Supply Chain report could enjoy a competitive advantage by having solid risk controls in place.
- SOC for Supply Chain may be of particular benefit to businesses that produce software products or raw materials, and to those that manufacture products or distribute them across a network.
Enhance processing integrity with effective internal controls.
In March 2020, it was brought to light that the delivered version of SolarWinds Orion, a security monitoring software product, was infected with malware. Attacks of this type are an ever-present risk and a reminder that our ever-increasing reliance on vendor-supplied software and devices requires transparency and security. Fortunately, there is a reporting framework that can be used to monitor exposure to these risks.
The American Institute of Certified Public Accountants (AICPA) developed the System and Organization Controls (SOC) for Supply Chain reporting framework so that software vendors can provide an independent assessment of the security controls they apply when developing software products. This framework is part of the AICPA’s larger SOC reporting portfolio, which includes:
- SOC 1 — Reporting on controls relevant to financial reporting
- SOC 2 — Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy
- SOC for Cybersecurity — Reporting on an entity’s cybersecurity risk management program
- SOC for Supply Chain — Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy in a production, manufacturing, or distribution system
What is the SOC reporting framework?
SOC reports must be issued by independent auditors, typically certified public accountants, under the AICPA’s Statement on Standards for Attestation Engagements (SSAE). SOC reports are designed to provide the service organization’s user entities, clients, customers, and stakeholders with reasonable assurance that its internal controls are fairly presented, adequately designed, and operating effectively.
The description criteria developed by the AICPA for each SOC type establish the requirements for determining whether the description of the system is fairly presented. The description criteria also serve as a guideline while the service organization develops the description of its system that will ultimately be included in the final SOC report.
The determination that controls are adequately designed and operating effectively is based on control objectives for a SOC 1 report, and on the AICPA’s Trust Services Criteria (TSC) for all other SOC reports. The control objectives cover those processes performed by the service organization that would be significant to the user entity’s financial reporting. The TSC consist of the criteria relevant to:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
The result of a SOC is an attestation report, not a certification.
What is the scope of a SOC for Supply Chain?
The examination conducted under SOC for Supply Chain focuses on the service organization’s system(s) and controls for producing, manufacturing, or distributing its product. This may include physical, intellectual, or electronic products, but the primary use case is service organizations that provide software, applications, and information technology devices.
The SOC for Supply Chain includes two criteria frameworks: the description criteria and the TSC. The description criteria form the basis for the description of the system, which must include:
- Type of goods produced, manufactured, or distributed by the service organization
- Performance, production, manufacturing, and distribution commitments
- Incidents that impact the service organization’s ability to meet its commitments
- Risks to achieving the service organization’s commitments
- Information on the components, input, and boundaries of the system
- Controls to meet the applicable TSC
- Controls to be implemented by the users of the product
- Any controls to be implemented by suppliers to the service organization
The TSC consist of the criteria relevant to security, availability, processing integrity, confidentiality, and privacy. SOC for Supply Chain requires that the security criteria from the TSC be included; the other four (availability, processing integrity, confidentiality, and privacy) are optional, depending on their applicability to the product provided.
What is the result of SOC for Supply Chain?
An attestation report titled “Independent Auditor’s Report” is issued to communicate the results of the SOC for Supply Chain engagement. The independent auditor provides an opinion on the fairness of the presentation and on the operating effectiveness of controls. As with a financial statement audit opinion, the opinion can be unqualified, qualified, or adverse. The independent auditor also discloses individual testing deviations that do not, individually or in aggregate, impair the service organization’s ability to meet the criteria. Distribution of the report is limited to management of the service organization and to user entities.
How we can help
Understanding your vulnerability is critical to taking the correct mitigating steps. If you are just beginning to assess the impact of vendor-supplied products, or you produce sensitive devices, our readiness assessment services can help identify control gaps between your current state and the SOC for Supply Chain reporting framework.