- A supply chain is only as strong as the business with the weakest controls.
- Arthur Piper November 07, 2019
Organizations that build and use complex systems are exposed to two key risks: 1) malware can be injected into components at the bottom of the supply chain where transparency tends to be lowest; and 2) poor-quality counterfeit products can slip into a system because of cost-cutting pressures.
Internal auditors can suggest processes to reduce such supply chain risk, and insist that their organizations follow procedures established by the U.S. National Institute of Standards and Technology (NIST), such as NIST 800-161, which deals specifically with IT procurement and supply chain management, as well as International Organization for Standardization (ISO) standards such as ISO 27000, which deals with information security.
“Installing a standards-based process will help you understand what you are buying, because you can demand to see everything that is going on at any level of the supply chain,” he explains. “It will be documentation — not a physical examination of the actual activity — but that documentation will not be available otherwise.”