Audit & Compliance
Decision
An auditor, assessor, certification body, customer-assurance team, or internal control owner needs to decide whether supply-chain-security controls are operating and whether evidence supports the claim.
What Can Go Wrong
- Requirements are translated into policy statements but not operational evidence.
- Evidence exists but is not tied to the product, lifecycle stage, or control being assessed.
- Supplier assertions are accepted as audit evidence without verification.
- Standards references are used without explaining role, scope, or limits.
- Evidence is not retained long enough for audit, renewal, or incident review.
Good Practice
Audit and compliance work should connect a need to a control, a control to evidence, and evidence to a verification method. It should distinguish between compliance needs, assurance expectations, and technical implementation mechanisms.
What To Ask For
Questions to ask suppliers
- What artifacts show that the relevant control, process, or assurance claim operated for this product or service?
- Which artifacts can be shared with auditors or assessors, and under what confidentiality constraints?
- How are exceptions, expired evidence, and remediation commitments documented?
Questions to ask internally
- What requirement, control, or assurance expectation is being assessed?
- What evidence would demonstrate operation, not just policy intent?
- Who owns the response when the evidence does not support the claim?
Questions to ask assessors / auditors
- Is the evidence traceable to a requirement, control, lifecycle stage, and product or supplier scope?
- Can evidence origin, completeness, and retention be reviewed consistently?
- Are interpretive mappings clearly separated from formal compliance claims?
Questions to ask implementers
- What control evidence can be generated automatically instead of assembled manually during audit?
- How will evidence be retained with source, date, scope, and verification metadata?
- What dashboards, repositories, or reports help auditors review evidence efficiently?
Evidence And Artifacts
Useful evidence may include supplier records, audit reports, control attestations, SBOM/xBOM artifacts, vulnerability records, update records, attestation results, lifecycle-state logs, repair records, transfer records, and decommissioning records.
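As an added illustration (not part of the original page), the following Python turns the traceability, verification and retention points from the "What Can Go Wrong" list and the assessor questions above into a small validator over evidence records; the `Evidence` field layout, control IDs, product name and dates are assumptions constructed for the sample.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Lifecycle stages named on this page; every record must name exactly one.
LIFECYCLE_STAGES = {"design", "sourcing", "manufacturing", "provisioning", "acceptance",
                    "operation", "update", "repair", "transfer", "decommissioning"}

@dataclass
class Evidence:
    artifact: str               # e.g. "SBOM", "audit report", "update record"
    control: str                # requirement or control the artifact supports
    product: str                # product or supplier scope
    stage: str                  # lifecycle stage the artifact covers
    source: str                 # who or what produced it
    produced: date
    verified_by: Optional[str]  # verification method; None = unverified assertion
    retain_until: date

def evidence_findings(ev: Evidence, today: date) -> list:
    """Audit findings for one record; an empty list means it can support a claim."""
    checks = [
        (not ev.control, "not tied to a control or requirement"),
        (not ev.product, "not tied to a product or supplier scope"),
        (ev.stage not in LIFECYCLE_STAGES, "lifecycle stage not explicit"),
        (ev.verified_by is None, "supplier assertion accepted without verification"),
        (ev.retain_until < today, "evidence retention expired"),
    ]
    return [msg for failed, msg in checks if failed]

def control_coverage(records, controls, today):
    """Map each control to the artifacts that support it with no findings."""
    coverage = {c: [] for c in controls}
    for ev in records:
        if ev.control in coverage and not evidence_findings(ev, today):
            coverage[ev.control].append(ev.artifact)
    return coverage

# Constructed sample records; control IDs, product name and dates are placeholders.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Evidence("SBOM", "CTRL-SBOM-01", "gateway-fw 2.3", "update", "build pipeline",
             date(2025, 5, 20), "signature checked against supplier key", date(2028, 5, 20)),
    Evidence("supplier questionnaire", "CTRL-SUPPLIER-02", "gateway-fw 2.3", "sourcing",
             "supplier", date(2024, 1, 10), None, date(2025, 1, 10)),
    Evidence("pen-test report", "", "", "operation", "auditor", date(2025, 3, 1),
             "reviewed by assessor", date(2027, 3, 1)),
]
```

Running `control_coverage(SAMPLE, [...], TODAY)` shows a control as covered only when at least one record passes every check, so an unverified or expired supplier questionnaire leaves its control uncovered.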
Weak / Better / Stronger Answers
Weak answer: The organization says it follows supply-chain-security best practices.
Better answer: The organization maps practices to policies, owners, and review cadence.
Stronger answer: The organization provides evidence for specific controls, explains how it was verified, identifies lifecycle coverage, and cites sources for standards or framework mappings.
Lifecycle Stages
Audit may cover design, sourcing, manufacturing, provisioning, acceptance, operation, update, repair, transfer, or decommissioning. The lifecycle stage should be explicit.
Standards And Technologies
Governance references may explain why a requirement exists. Evidence models may explain what artifact is useful. Technical standards may help produce or verify evidence. Keep these roles separate.