ASP storing PDF's...



  • Adobe PDFs are certified as compliant with SOX (under certain conditions). We are an ASP. If one of our clients (who is publicly held) wants to store those (financial) documents on our servers, do we need to be compliant also? I have heard some discussions that would indicate that we need to be, because we would be serving that publicly held company, but as I understand it, Adobe’s PDFs are certified under the act and people are even allowed to e-mail them around unsecured, so I would think that we need not be compliant as long as we include something in our licensing agreement about what is allowed (for our clients to do) and what is not. Thanks for any insight.




  • If the company you are providing services to has identified any Key Controls related to your services, they will ask you to provide a report certifying that your systems are reliable. This is known as a SAS 70 report, and many ASPs are being asked for them by their clients.
    Guess who provides (and of course charges for) the SAS 70? Yes, the same audit firms that are filling their pockets and rubbing their hands in glee at what they are earning for SOX work.
    However, one thing that SHOULD happen as a result of SOX is that the emphasis of audit work should turn from external to internal - for the smartest companies at least. Because if you have good controls and a good internal audit department, the external auditors won’t be able to justify high fees for very long.



  • Sorry - forgot to add in my last post.
    It is not correct to assume any document type is ‘compliant for SOX’. SOX is about CONTROLS, not documents. Just because it’s not easy to make changes to a PDF file doesn’t mean it can’t be changed. In most companies there is, somewhere, a copy of Acrobat which can be used to author/change documents. If there is free access to this, then there is no control at all with respect to it being a PDF.
    Controls are all about how a document is created/used/checked/maintained/accessed/changed. If this is a document the company wishes to include in its KCs, then it needs to establish controls over that document. It doesn’t matter if it’s PDF, XLS, DOC or anything else.



  • Sorry, I meant digitally signed PDFs. These are NOT alterable (well, they are, but the alteration can be detected, of course with many other caveats like key length and computing power).
    I really appreciate your help. Sorry I didn’t get to this earlier; I was distracted by a million things that were going on.
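The point made in the post above, that a digitally signed document can still be edited but the edit is then detectable, comes down to signature verification over a hash of the document bytes. The following is an added illustration, not code from the thread or from Adobe: a toy RSA keypair signs the SHA-256 digest of a constructed document, and verification fails as soon as a single byte changes. The key size, the hand-rolled primality test and the bare digest-as-message scheme are all simplifications for demonstration; a real PDF signature uses properly sized keys from a PKI, a padding scheme, and covers only the byte ranges named in the PDF's signature dictionary, so the verifier also has to check that nothing was appended outside the signed range and that the signer's key is actually trusted.

```python
import hashlib
import random

# Toy RSA signing/verification to show that a detached signature over a
# document's SHA-256 digest exposes any post-signing change.
# Assumptions: keys are generated locally (no PKI), the digest is signed
# raw with no padding, and 512-bit moduli are used only so the example
# runs quickly. None of this is production-grade cryptography.


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p = _random_prime(bits // 2)
        q = _random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:  # e must be invertible modulo phi
            continue
        n = p * q
        d = pow(e, -1, phi)  # modular inverse, Python 3.8+
        return (n, e), (n, d)


def _digest_as_int(document: bytes) -> int:
    # SHA-256 is 256 bits, so it is always smaller than a 512-bit modulus.
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(private_key, document: bytes) -> int:
    """Signature = digest^d mod n (textbook RSA, no padding)."""
    n, d = private_key
    return pow(_digest_as_int(document), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """Recover the signed digest with the public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(document)


def tamper_demo():
    """Sign a constructed 'financial statement', then alter one figure.

    Returns (original_verifies, altered_verifies)."""
    public_key, private_key = generate_keypair()
    statement = b"FY revenue: 1,250,000\nFY net income: 310,000\n"  # constructed
    signature = sign(private_key, statement)
    altered = statement.replace(b"310,000", b"910,000")  # one digit changed
    return verify(public_key, statement, signature), verify(public_key, altered, signature)


if __name__ == "__main__":
    ok, tampered_ok = tamper_demo()
    print("original verifies:", ok)        # True
    print("altered verifies: ", tampered_ok)  # False
```

The signature does not prevent the edit; it makes the edit visible to anyone holding the signer's public key, which is why the control around who holds and can use signing keys matters more than the file format.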



  • Please don’t get confused.
    There is no SOX requirement such as a software certificate, or using digital signatures, or similar.
    If your company is not affected by SOX directly, there’s nothing you have to do. Another thing is to satisfy your customers. If they need to comply with SOX, they’re likely to request something which shows that you have controls in place which prevent their financial data from being altered.
    But that can be dealt with in terms of a detailed service level agreement, or granting your customers the right to perform their own audits at your site, or having you order an external auditor to perform such audits (SAS 70).
    But what’s the best solution for your situation depends on your individual circumstances.

