SOC for Supply Chain provides a reporting framework for software vendors

In March 2020, the shipped version of SolarWinds Orion, a security monitoring software, was revealed to be infected with malware. These types of attacks are a pervasive risk and remind us of how our growing reliance on vendor-provided software and devices demands transparency and security. Fortunately, there is a reporting framework to monitor exposure to these risks.

The American Institute of Certified Public Accountants (AICPA) developed the System and Organization Control (SOC) for Supply Chain reporting framework so that software vendors can provide an independent assessment of their security controls when developing software products. This framework is part of the AICPA’s broader SOC reporting portfolio, which includes:

• SOC 1: reports on controls relevant to financial reporting

• SOC 2: reports on controls relating to security, availability, processing integrity, confidentiality or privacy

• SOC for Cybersecurity: reports on an entity’s cybersecurity risk management program

• SOC for Supply Chain: reports on controls relating to security, availability, processing integrity, confidentiality or privacy in a production, manufacturing or distribution system

SOC reports must be issued by independent auditors, usually certified public accountants, and are issued under the AICPA’s Statements on Standards for Attestation Engagements (SSAE). SOC reports are designed to provide user entities, customers, and service organization stakeholders with reasonable assurance that internal controls are properly presented, adequately designed, and operating effectively.

The description criteria developed by the AICPA for each type of SOC report establish the requirements for determining whether the system description is fairly presented. The description criteria also serve as a guideline as the service organization develops the description of the system that will ultimately be included in the final SOC report.

The determination that controls are adequately designed and operating effectively is based on the control objectives, for SOC 1, or on the AICPA Trust Services Criteria (TSC), for all other SOC reports. The control objectives are based on the processes performed by the service organization that would be significant to the user entity’s financial reporting processes. The TSCs consist of relevant criteria for:

• Security

• Availability

• Processing integrity

• Confidentiality

• Privacy

The result of a SOC is an attestation report, not a certification.

The review conducted as part of the Supply Chain SOC focuses on the service organization’s system(s) and controls for producing, manufacturing, or distributing their products. This can include physical, intellectual, or electronic products, but the primary use case is for service organizations that provide information technology software, applications, and devices.

The SOC for Supply Chain includes two criteria frameworks: the description criteria and the TSCs. The description criteria become the basis for the system description and should include:

• Type of goods produced, manufactured or distributed by the service organization

• Performance, production, manufacturing and distribution commitments

• Incidents impacting the ability of the service organization to meet its commitments

• Risks to achieving service organization commitments

• Information on system components, inputs and limits

• Controls to meet applicable TSC

• Controls to be implemented by product users

• Any controls to be put in place by the service organization’s suppliers

An attestation report titled “Independent Auditor’s Report” is issued to communicate the results of the SOC for Supply Chain engagement. The independent auditor expresses an opinion on the fairness of the presentation and the effectiveness of the operation of the controls. As with an audit opinion on financial statements, the opinion may be unqualified, qualified or adverse. The report is limited in its distribution to the management of the service organization and to user entities.

Understanding your vulnerability is key to taking the right mitigation measures. If you are simply looking to understand the impact of vendor-supplied products or if you produce sensitive devices, professional readiness assessment services can help you identify control gaps between your current state and the SOC reporting framework for supply chain.

For more information about SOC reporting in Massachusetts, contact Joel Eshleman at [email protected] or 717-857-2611. For more information about CliftonLarsonAllen LLP, visit
