A SOC for Supply Chain report can help reveal a business’s vulnerabilities

Joel Eshleman

May 19, 2022 at 5:25 PM·3 min read

In March 2020, it was brought to light that the delivered version of SolarWinds Orion, a security monitoring software, was infected with malware. These types of attacks are an ever-present risk and a reminder of how our ever-increasing reliance on vendor-supplied software and devices requires transparency and security. Fortunately, there is a reporting framework that can monitor exposure to these risks.

The American Institute of Certified Public Accounts (AICPA) developed the System and Organization Control (SOC) for Supply Chain reporting framework for software vendors to provide an independent assessment of their security controls in developing software products. This framework is part of the AICPA’s larger SOC reporting portfolio that includes:

• SOC 1 — Reporting on controls relevant to financial reporting

• SOC 2 — Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy

• SOC for Cybersecurity — Reporting on an entity’s cybersecurity risk management program

• SOC for Supply Chain — Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy in a production, manufacturing, or distribution system

SOC reports must be issued by independent auditors, typically certified public accountants, and are issued under the AICPA’s Statement on Standards for Attestation Engagements (SSAE). The SOC reports are designed to provide user entities, clients, customers, and stakeholders of the service organization reasonable assurance that internal controls are fairly presented, adequately designed, and operating effectively.

The description criteria developed by the AICPA for each SOC type establishes the requirements for determining if the description of the system is fairly presented. Additionally, the description criteria provide a guideline as the service organization develops a description of the system that will ultimately be included in the final SOC report.

Business tips: 6 tax saving tips to help manage your tax liability for 2021 and beyond

For sale?: Small business owners should consider these options if they're looking to sell

The determination that controls are adequately designed and operating effectively is based on control objectives, SOC 1, or the AICPA’s Trust Services Criteria (TSC) for all other SOC reports. The control objectives are based on those processes performed by the service organization that would be significant to the user entity’s financial reporting processes. The TSCs consist of the criteria relevant to:

• Security

• Availability

• Processing integrity

• Confidentiality

• Privacy

The result of a SOC is an attestation report, not a certification.

The examination conducted under SOC for Supply Chain is focused on the service organization’s system(s) and controls for producing, manufacturing, or distributing their product. This may include physical, intellectual, or electronic products — but primary use case is around service organizations that provide software, applications, and information technology devices.

The SOC for Supply Chain includes two criteria frameworks: description criteria and TSCs. The description criteria become the basis for description of the system and must include:

• Type of goods produced, manufactured, or distributed by the service organization

• Performance, production, manufacturing, and distribution commitments

• Incidents that impact the service organization’s ability to meet its commitments

• Risks to achieve the service organization’s commitments

• Information on the components, input, and boundaries of the system

• Controls to meet the applicable TSC

• Controls to be implemented by the users of the product

• Any controls to be implemented by suppliers to the service organization

An attestation report titled “Independent Auditor’s Report” is issued to communicate the results of the SOC for Supply Chain engagement. The independent auditor provides an opinion on the fairness of presentation and the operating effectiveness of controls. The opinions that can be provided are unqualified, qualified, or adverse, similar to a financial statement audit opinion. The report is limited in its distribution to management of the service organization and user entities.

Understanding your vulnerability is critical in taking the correct mitigating steps. If you are just delving into understanding impact of vendor-supplied products or produce sensitive devices, professional readiness assessment services can assist in identifying control gaps between your current state and the SOC for Supply Chain reporting framework.

For more information on SOC reports in Massachusetts, contact Joel Eshleman at joel.eshleman@CLAconnect.com or 717-857-2611. For more information on CliftonLarsonAllen LLP, visit CLAconnect.com.

This article originally appeared on The Patriot Ledger: SOC for Supply Chain provides reporting framework for software vendors

Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick
Yahoo Sports' Charles McDonald breaks down the Broncos' 2024 draft.
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Sports
NFL Draft grades for all 32 teams | Zero Blitz
Jason Fitz and Frank Schwab join forces to recap the draft in the best way they know how: letter grades! Fitz and Frank discuss all 32 teams division by division as they give a snapshot of how fans should be feeling heading into the 2024 season. The duo have key debates on the Dallas Cowboys, New York Giants, New Orleans Saints, Los Angeles Rams, New England Patriots, Las Vegas Raiders and more.
Yahoo Sports
New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal
It turns out the money was going from Ohtani's bank account to an illegal bookie to ... casinos.
Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.
Yahoo Sports
Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset
The 150th Kentucky Derby produced yet another magnificent two-minute spectacle.
Yahoo Sports
Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns
Ball hasn't played since the 2021-22 season.
Yahoo Sports
Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert
The Timberwolves' rising superstar led Minnesota to a Game 1 victory over Denver, then reminded the world that he's 22, not 23 ... yet.
Yahoo Finance
CVS stock plunges after earnings numbers one analyst 'did not even believe'
CVS warns it could cede Medicare Advantage market share as reimbursement rates pressure the company.
Yahoo Sports
The best QBs for 2024 fantasy football according to our analysts
The Yahoo Fantasy football analysts reveal their first quarterback rankings for the 2024 NFL season.
Yahoo Sports
Diana Taurasi’s trash-talking, in-your-face ways may be a bit of a shock to new WNBA fans
Caitlin Clark fans beware: You never know what the 20-year veteran might say … or do.
Yahoo Sports
Canelo Álvarez and Oscar De La Hoya erupt in heated exchange ahead of title bout with Jaime Munguía
Canelo Álvarez is set to defend his title against undefeated Jaime Munguía on Saturday in Las Vegas.
Autoblog
Why did Musk ax the Supercharger team?
Elon Musk’s decision to dismiss much of Tesla’s Supercharger team this week came as a shock. A look at possible reasons why he did it.
Yahoo Sports
Caitlin Clark catches fire from 3 in WNBA preseason debut; Arike Ogunbowale's late heroics send Wings past Fever
Caitlin Clark’s WNBA preseason debut went much like her senior year at Iowa. She hit a bunch of 3s and did so in front of a sold-out crowd.
Yahoo Sports
Ex-Florida State QB and 1999 Fiesta Bowl starter Marcus Outzen dies at 46
The Seminoles lost 23-16 to Tennessee in the first-ever BCS title game.
Yahoo Sports
UFC 301: Alexandre Pantoja survives bloody wounds and bad advice to retain flyweight belt vs. Steve Erceg
A challenger with less than a year of UFC experience gave Pantoja plenty of problems. And wounds.
Yahoo News
2nd Boeing whistleblower found dead. Here's a timeline of the company's mounting problems.
This is the second Boeing whistleblower to die in the last two months.

News

Life

Entertainment

Finance

Sports

New on Yahoo

A SOC for Supply Chain report can help reveal a business’s vulnerabilities

Recommended Stories

The FDIC change that leaves wealthy bank depositors with less protection

Former NBA guard Darius Morris dies at 33

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

NFL Draft grades for all 32 teams | Zero Blitz

New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race

Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset

Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns

Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert

CVS stock plunges after earnings numbers one analyst 'did not even believe'

The best QBs for 2024 fantasy football according to our analysts

Diana Taurasi’s trash-talking, in-your-face ways may be a bit of a shock to new WNBA fans

Canelo Álvarez and Oscar De La Hoya erupt in heated exchange ahead of title bout with Jaime Munguía

Why did Musk ax the Supercharger team?

Caitlin Clark catches fire from 3 in WNBA preseason debut; Arike Ogunbowale's late heroics send Wings past Fever

Ex-Florida State QB and 1999 Fiesta Bowl starter Marcus Outzen dies at 46

UFC 301: Alexandre Pantoja survives bloody wounds and bad advice to retain flyweight belt vs. Steve Erceg

2nd Boeing whistleblower found dead. Here's a timeline of the company's mounting problems.