Our process is to take incoming invoices and match them up with approved POs and Receivers/Packing Slips before inputting into our
SOX Compliance and the PDF Invoice
Answers
Sara
Your question "Is this really what SOX compliance requires?" is key.
If someone decides to apply a standard more stringent than the regulation, that does not mean that is the only way to be compliant.
I would push back on them and ask them if they have chosen secure PDFs as their way to be SOX compliant as opposed to SOX regulations requiring secure PDFs. Then try advising them that you require regular PDFs to support your control requirements and ask them to comply with that :)
I like your document aggregation process: one file with the entire audit trail.
Sara
Here's verbatim feedback from a friend who is Director of Internal Audit for a $1B+ NYSE global company:
"I don’t know what the supplier's control set involves but I have never seen anything like this. I can only assume by sending only secured documents they believe this prohibits the customer from making changes but I assume this is not a well thought out strategy. Also, it could be the supplier's team is just blaming it on SOX…it wouldn't be the first time."
I think that helps your case...
Sara
I have been a past Chief Audit Executive who handled all SOX compliance. First, SOX does not speak directly to how any process is completed (ex: xeroxing, printed invoice, mailed invoice); it speaks to the adequacy of the design and execution of controls. Whatever the supplier is doing is on their end of the system. I'm not sure about the statement "a PDF that cannot be altered" because there are many programs these days that transfer secure PDFs to other documents. The key is what your company is doing to ensure the invoices received are accurate and represent the item ordered. In this case all you need to ensure is that you have adequately validated the invoice payment amount to the materials ordered and reconciled any discrepancies. Once the invoice gets to your door, it is now your control issue that you should be concerned about.
I have filmed two sox
Thank you Len and Lynn for your feedback.
Hi Sara,
Try removing the security and password. I have done this and it's a pretty quick process. Do the below steps (this is from Adobe's help site https://helpx.adobe.com/acrobat/using/securing-pdfs-passwords.html) and hit save and it should take effect.
Remove password security
You can remove security from an open PDF if you have the permissions to do so. If the PDF is secured with a server-based security policy, only the policy author or a server administrator can change it.
Open the PDF, then select Tools > Protect > Encrypt > Remove Security.
Your options vary depending on the type of password security attached to the document:
If the document had only a Document Open password, click OK to remove it from the document.
If the document had a permissions password, type it in the Enter Password box, and then click OK. Click OK again to confirm the action.