Even if you have not yet gone through a Sarbanes-Oxley (SOX) compliance review, you surely have heard much about how time-consuming and laborious it is. Most folks complain loudly and often about having to go through this arduous task.
When called in to assist a customer with this process, I now arrive with my “SOX First Aid Kit.” With it I attempt to change their mood by explaining how I have brought some essential items to help them. My kit contains red pens, Tylenol, Excedrin Migraine, Pepto-Bismol, burn cream, tweezers (to extract pesky data), “transparency” tape, small bottles of gin, whisky and scotch, and even a nice pair of red socks! The kit puts smiles on their faces and then I commiserate with them about how the regulations do not seem to be clear and how everyone is confused about what is required.
Now that I have lightened their mood and listened to their complaints, I mention that, despite all the pain, many companies have found benefits from the process. I point out that the review of their system development process, access security and internal controls may uncover some problem areas. Therefore, the remediation process (where problem areas are addressed) can actually help them strengthen the data accuracy and integrity of their systems, something all IS Managers support.
For those of you not familiar with the SOX compliance review, the major tasks mandated by the Act include:
• Documentation of the financial reporting process (including the methodology used for system development and enhancements);
• Assessment of the risks and effectiveness of internal controls (Section 404 of the Act);
• Testing of controls; and then,
• Remediation of problem areas uncovered during the review.
So how do your EDI processes fare when examined under the SOX light? For most companies, EDI is one of the newer systems, and therefore, contains better controls than their legacy systems. In addition, the security and encryption methods used to transport EDI transactions have always provided a high level of assurance and confidence in the data. As a result, the EDI processes of a company usually pass the Sarbanes-Oxley review with flying colors.
However, one area you may want to examine is the use of FTP for EDI transport, since plain FTP carries both login credentials and file contents unencrypted. If the FTP process is entirely within your control, it may pass the SOX test. If trading partners can log in to your system to pull data or push it to you, take a careful look at your security controls around those accounts and transfers.
And so I tell my customers, do not fear a SOX audit in the EDI area! While I probably have not convinced them to embrace and welcome the Sarbanes-Oxley review process, at least I hope they now understand how it may help them improve their system controls and showcase the strengths of their EDI processes.