Tracie Berardi, Program Manager, CISQ
Managing Supply Chain Software Risk
The American Institute of Certified Public Accountants (AICPA) is the world’s largest member association representing the accounting profession with over 400,000 members in 143 countries.
AICPA produces the System and Organization Controls (SOC) standards used by CPAs and audit firms to certify that an organization has proper risk management controls in place. The most commonly used SOC standard today, SOC 2 (SOC for Service Organizations: Trust Services Criteria), has become a widely accepted tool for managing service provider risk. A SOC 2 report describes a service provider's processes and controls so that customers can evaluate the risks of doing business with that provider. With the increased reliance on third-party service providers to conduct business functions, organizations do not want to do business with vendors they believe to be at risk.
Available SOC standards include SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and a new SOC for Supply Chain.
AICPA released the SOC for Supply Chain report in March 2020 and the press release contains links to more information. This framework is used by service providers to report on controls in place for producing, manufacturing and distributing goods in the supply chain. This includes IT, software, and technology services delivered to other organizations. The aim of this framework is to mitigate cybersecurity risk and software risk in the supply chain.
AICPA produced reference material for the SOC for Supply Chain report that mentions software quality standards for certifying software in the supply chain to reduce software risk. The automatable standards developed by CISQ for measuring structural quality (Security, Reliability, Performance Efficiency, and Maintainability) are referenced in the context of software assurance and are critical to evaluating technology services and reducing software risk.
We believe supply chains will become increasingly software-intensive, both in the contents of the physical products being produced or delivered and in the operation of the supply chain itself. Software is a growing risk factor for global supply chains and needs to be audited and controlled. This new SOC from the audit industry is an important step towards ascertaining safety in all forms of physical supply chains.