Digital Signatures 2609



  • Hello
    I was wondering if someone could help me. I am currently looking at introducing a paperless system in my company as part of a process improving intiative. I have found a piece of software that converts my spool file Purchase Order into Adobe PDF. I am now looking to use a digital signature with this to send out to my vendors.
    I have been working with a vendor software programmer to not only sign the P.O. pdf but also to automatically save the purchase order to a drive, auto email to vendor cc the user who generated the PO with the signed copy of the purchase order.
    In terms of SOX, what would i have to look at? The programmer is using SecureBlackBox to program the digital signature to the standard of either PKCS7 or PKCS12 file formats.



  • I have been reading up on other posts for digital signatures and it looks a runner.
    Could i explain my the to-be process that i am trying to create.

    • Purchase Officers release AS400 spool file outq called PDFING (only purchase officers have access to this)
    • PDFING is a piece of software that resides on a webserver (access restricted), what it does it run a service that will split spool file containing purchase orders, create them as pdf and sends them as attachments to a onsite purchasing email address that only the approvers have access to. The pdfs are password protected when created by the software so the vendor will eventually be only able to print.
    • Then my purchasing approver logs into the email address and opens the pdf purchase order attachment on the email.(only approver have access to this email address)
    • The approver once happy with the purchase order will click approve order. This will digitally sign the purchase order (only approver have a public and private key along with a certificate to digitally sign the P.O.) save the puchase order to a network drive(resricted acces). extract the following: vendor # and username from the spoolfile, relate them to email address and create an email.
    • The approver then clicks send for the P.O. to go to the vendors email address.
      Could anyone tell me if any SOX implications look likely here?


  • Hi Rocky - If done correctly, digital signatures and electronic timestamps are actually superior techniques. You can touch base with your SOX auditors to see what concerns or recommendations they may have.
    Below are some initial ideas for digital signatures:
    ā€“ It should be tamper-proof
    ā€“ It should only available for authorized personnel and business processes
    ā€“ It should be something the recipients will accept and be comfortable with in the conduct of doing business
    ā€“ You may need checks-and-balances plus autonomy controls (approvals) in the work flow as part of our financial control system
    As SOX 404 is broad for a number of different industries, it will be somewhat silent on this topic. However, many firms required to meet SOX requirements successfully use these modern conventions.
    You might also find some guidelines in these links:
    http-and-#58;//www.google.com/search?hl=en-and-q=sarbanes-oxley digital signatures
    http-and-#58;//www.google.com/search?hl=en-and-q=digital signature controls
    http-and-#58;//www.google.com/search?hl=en-and-q=digital signature best practices
    Good luck šŸ™‚



  • Thanks harry
    I have someone who will program the digital signatures to my specifications. As well as creating the digital signatures, the application automates a few other things like saving the file to a specific location everytime it is signed fo filing purposes.
    Would SOX be swayed with the programming language used to do this i.e. SecureBlackBox eldos.com (which i am looking to use)
    or a bigger name program Verisign which i do not think has the functionality to automate the process.
    I am interested to hear the steps taken by any other user who has installed digital signatures in their company and what validation and testing they used.
    Thanks


Log in to reply