Can software be "SOX compliant"?



  • Hi,
    I work for a company that provides administration software to insurance companies. We often get requests that our software be ‘SOX compliant’.
    My position has been that we (the software and software company) are not SOX compliant - that burden falls to the insurance company. If they choose, the insurance company can flow through requirements driven by their need to be SOX compliant - but those are company compliance requirements, not SOX compliance requirements.
    Do you agree?
    If not, is there an independent SOX compliance authority?
    Thanks
    Lloyd



  • There is no such thing as SOX compliant software.
    The Sarbanes-Oxley Act is a U.S. act that created an oversight board that checks the quality of the work of auditors of companies that access the U.S. public capital markets. In addition, the Sarbanes-Oxley Act requires the management of such companies to assess the effectiveness of their internal control over financial reporting and the auditor to audit the effectiveness of the internal control over financial reporting.
    Software that produces accounting data is relevant for internal control over financial reporting. But neither the Act itself, nor the implementing regulations of the SEC, nor the relevant PCAOB Auditing Standard No. 5 on auditing internal control over financial reporting specifies requirements that software has to fulfill.
    In my opinion, SOX compliancy is a marketing gag that software marketing departments and consultants speak of to impress uninformed customers.



  • I would interpret the question to mean ‘does the software have proper security settings to help prevent SOD and unauthorized access’.
    From a user perspective, if we have critical software that does not have the capability to limit user access to only the areas a specific user needs, then we have to go out of our way to develop compensating controls and test those controls for operating effectiveness as part of our SOX work.
    In reality, we would probably purchase less capable software with proper security controls built in than more capable software that did not have those controls.



  • I agree with the good comments above … A vendor can claim that software helps meet SOX requirements, but the SEC does not certify any software to that effect.



  • I would also add that even the best software systems are capable of being implemented in a non-compliant way 😉
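The two points made above (software that cannot limit users to the areas they need, and good software implemented badly) come down to one control: role-based access with segregation of duties (SOD). The following is an added illustration, not code from any product or poster in this thread. The role names, permission strings, conflict pairs and the claims workflow are all constructed for the example; it shows a static SOD check applied when roles are assigned, a dynamic SOD check applied at approval time (so a user who was misconfigured into conflicting roles still cannot approve their own claim), and an audit trail that an auditor testing operating effectiveness could sample.

```python
"""Added example: role-based access with segregation-of-duties enforcement and
an audit trail, the kind of built-in control the posts above are asking for.
Illustrative only; role/permission names below are constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed role -> permission mapping for a hypothetical insurance admin system.
ROLE_PERMISSIONS = {
    "claims_clerk": {"claim:create", "claim:edit"},
    "claims_approver": {"claim:approve"},
    "finance_reviewer": {"claim:view", "ledger:view"},
    "admin": {"user:manage"},
}

# Static SOD rule: no single user may hold both permissions of any pair.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("claim:create", "claim:approve"),   # initiator must not be approver
    ("user:manage", "claim:approve"),    # whoever grants roles must not approve
]


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Claim:
    claim_id: str
    created_by: str
    approved_by: Optional[str] = None


# Every authorization decision, allowed or refused, is recorded here.
AUDIT_LOG: List[dict] = []


def permissions_for(user: User) -> Set[str]:
    """Effective permissions are the union of the user's role permissions."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Return the conflict pairs this user's effective permissions would violate."""
    perms = permissions_for(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def assign_roles(user: User, new_roles) -> str:
    """Static SOD check: refuse a role change that would create a conflict."""
    candidate = User(user.name, user.roles | set(new_roles))
    violations = sod_violations(candidate)
    if violations:
        return "refused: SOD conflict " + ", ".join(f"{a} vs {b}" for a, b in violations)
    user.roles = candidate.roles
    return "ok"


def _record(user: User, action: str, record_id: str, allowed: bool) -> None:
    AUDIT_LOG.append({"user": user.name, "action": action,
                      "record": record_id, "allowed": allowed})


def create_claim(user: User, claim_id: str) -> Optional[Claim]:
    """Create a claim if the user holds claim:create; log the decision either way."""
    allowed = "claim:create" in permissions_for(user)
    _record(user, "claim:create", claim_id, allowed)
    return Claim(claim_id, created_by=user.name) if allowed else None


def approve_claim(user: User, claim: Claim) -> bool:
    """Dynamic SOD check: needs claim:approve AND must not be the claim's creator.
    This catches a user who was put into conflicting roles by misconfiguration."""
    allowed = ("claim:approve" in permissions_for(user)
               and claim.created_by != user.name)
    _record(user, "claim:approve", claim.claim_id, allowed)
    if allowed:
        claim.approved_by = user.name
    return allowed


if __name__ == "__main__":
    alice = User("alice", {"claims_clerk"})
    bob = User("bob", {"claims_approver"})
    print(assign_roles(alice, ["claims_approver"]))  # refused by static SOD rule
    claim = create_claim(alice, "CLM-1")
    print(approve_claim(bob, claim))                 # True: different person approves
    for entry in AUDIT_LOG:
        print(entry)
```

The static check is what a vendor can build in; the dynamic check and the audit log are what let the customer show an auditor that the control actually operated, which is the part that cannot be certified in the abstract.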



  • I agree with the good comments above … A vendor can claim that software helps meet SOX requirements, but the SEC does not certify any software to that effect.
    Absolutely.
    Denis, Cicero also said that ‘The strictest law often causes the most serious wrong’. Did he also have to comply with something similar to SOX… something like a Lucius Sergius Catilina Act?



  • He did say that.
    He also said that ‘Politicians are not born, they are excreted’ :lol:



  • :lol: :lol: :lol:

