In December 2020, it was brought to light that builds of SolarWinds Orion, an IT infrastructure monitoring platform, shipped to customers since March 2020 had been trojanized, with malicious code inserted during the vendor's own build process. Attacks of this kind are an ever-present risk and a reminder that our ever-increasing reliance on vendor-supplied software and devices demands transparency about how those products are built and secured. Fortunately, there is a reporting framework that gives customers an independent view of a vendor's controls over exactly that.
The American Institute of Certified Public Accountants (AICPA) developed the System and Organization Controls (SOC) for Supply Chain reporting framework so that software vendors can obtain an independent assessment of the controls over how their products are developed, produced, and distributed. This framework is part of the AICPA's larger SOC reporting portfolio, which includes:
• SOC 1 — Reporting on controls relevant to financial reporting
• SOC 2 — Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy
• SOC for Cybersecurity — Reporting on an entity’s cybersecurity risk management program
• SOC for Supply Chain — Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy in a production, manufacturing, or distribution system
SOC reports must be issued by independent auditors, typically certified public accountants, under the AICPA's Statements on Standards for Attestation Engagements (SSAE). They are designed to give user entities, clients, customers, and other stakeholders of the service organization reasonable assurance that the description of the system is fairly presented and that the controls are suitably designed and operating effectively.
The description criteria the AICPA has developed for each SOC type establish the requirements for determining whether the description of the system is fairly presented. They also guide the service organization as it writes the description of the system that will ultimately be included in the final SOC report.
Whether controls are suitably designed and operating effectively is judged against control objectives for a SOC 1 report, or against the AICPA's Trust Services Criteria (TSC) for all other SOC reports. Control objectives cover the processes performed by the service organization that are significant to the user entity's financial reporting. The TSC consist of criteria relevant to:
• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy
The result of a SOC engagement is an attestation report, not a certification: the auditor expresses an opinion on the description and the controls, and no certificate is issued.
The examination conducted under SOC for Supply Chain focuses on the service organization's system(s) and controls for producing, manufacturing, or distributing its product. This may include physical, intellectual, or electronic products, but the primary use case is service organizations that provide software, applications, and information technology devices.
The SOC for Supply Chain framework includes two sets of criteria: description criteria and the TSC. The description criteria form the basis for the description of the system, which must include:
• Type of goods produced, manufactured, or distributed by the service organization
• Performance, production, manufacturing, and distribution commitments
• Incidents that have affected the service organization's ability to meet its commitments
• Risks to achieving the service organization's commitments
• Information on the components, input, and boundaries of the system
• Controls to meet the applicable TSC
• Controls to be implemented by the users of the product
• Any controls to be implemented by suppliers to the service organization
An attestation report titled "Independent Auditor's Report" communicates the results of the SOC for Supply Chain engagement. The independent auditor provides an opinion on the fairness of presentation of the description and on the design and operating effectiveness of the controls. The opinion can be unqualified, qualified, or adverse, similar to a financial statement audit opinion. Distribution of the report is restricted to management of the service organization and to user entities.
Understanding your exposure is the first step toward the right mitigations. If you are just beginning to assess the impact of vendor-supplied products, or you yourself produce software or devices that your customers must trust, professional readiness assessment services can help identify control gaps between your current state and the SOC for Supply Chain reporting framework.
For more information on SOC reports in Massachusetts, contact Joel Eshleman at [email protected] or 717-857-2611. For more information on CliftonLarsonAllen LLP, visit CLAconnect.com.
This article originally appeared on The Patriot Ledger: SOC for Supply Chain provides reporting framework for software vendors