Paperless - silly question 2301



  • Hi
    I have just started working for a company that is SOX compliant (my first time having to deal with SOX). It seems that we are obsessed with paper. Is there a big SOX rule that says you CANNOT accept e-mailed or electronic purchase orders?? The argument here is that we can only accept originals because then we see original signature.
    This seems a little old school with all the technology available.
    Any advice you can offer would be much, much appreciated,
    Thanks



  • Welcome to the board.
    There actually are no SOX rules as to any specific controls. SOX just requires that you select a control framework (most choose COSO), document and test your controls and opine on the effectiveness of your controls within your chosen framework. Controls will vary based on your specific business processes. It is really up to management as to what controls are identified for each process.
    Good luck in your efforts to enhance your processes by utilizing current technology.



  • No, there is not a requirement that hard copy PO’s be used as evidence in assessing operating effectiveness. I was testing controls at one of our subs just last week and used electronic PO’s in my samples.
    Furthermore, e-mail can be used as evidence of approval when testing controls, as long as there is sufficient information within the e-mail to satisfy the control objective.



  • I also want to concur with the advice above. Some ideas:

    • Actually, I feel that well-designed electronic controls are SUPERIOR to paper based controls (that could be forged or altered more easily)
    • Paper is difficult to retain (for 7 years) for SOX purposes and to quickly find or reference.
    • Also, for DR or Business Continuity purposes paper can be backed up without obliterating more forests and making copies.
    • Ensure time-stamps, security, autonomy levels and other key safeguards are designed into the electronic process
    • Paper handling creates bureaucracy, extra unneeded expense, and delays in customer service.
    • Ensure that oversight and checking take place (as an example, think of the unchecked USD7B loss by a French bank - see link below)
      http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=2289


    • Actually, I feel that well-designed electronic controls are SUPERIOR to paper based controls (that could be forged or altered more easily)

    I agree with all of the comments.
    As to this particular one, anything that can be produced on most paper can be Photoshopped or duplicated. Even color signatures can be replicated using color printers.
    As indicated, electronic signatures would be more reliable and would represent a digital signature of the authorization.
    In either case, the information could be stored or imaged to remove the need to retain the physical paper. This would allow for a more accurate retention and more space. 😉



    • Actually, I feel that well-designed electronic controls are SUPERIOR to paper based controls (that could be forged or altered more easily)

    I would also agree with that provided we say CAN BE rather than ARE. There are obviously a new set of challenges around setting this up and providing appropriate security, etc. But in principle the ability to provide non-repudiation is a great plus.



  • Just adding my thoughts here. In a recent auditor review of a reconciliation the auditors gave the business the following options:

    1. Print off the original rec showing differences and print off the final cleared rec, signed as evidence of review. (Reasons for differences could be in a reviewer comments section of the original, signed by reviewer)
    2. Save the original rec electronically with cells locked down, save final version electronically and evidence reviews by way of emails between preparer and reviewer.
      I’m still confused about the locking down cells bit as whoever locks it can just as easily unlock it. Personally I think forging paper evidence requires more effort and time than altering electronic evidence and therefore paper evidence is probably better.


  • I would also agree with that provided we say CAN BE rather than ARE. There are obviously a new set of challenges around setting this up and providing appropriate security, etc. But in principle the ability to provide non-repudiation is a great plus.
    I concur with Denis, as there are no absolutes 🙂 … In some cases, a hybrid approach of using both paper and electronic timestamp controls is used by many companies. For example, saving an actual paper copy of a vendor invoice might provide better accountability than someone logging an entry on the database.
    Audit control systems are all about design. The ability to reduce any tampering through good security is vital. A locked down electronic control system and good audit trails are certainly important.
    Still, I’ve worked for a prior company that designed ‘paper intensive’ controls in the SOX area. For example, we had to physically print the report and mail to the comptroller’s area in addition to storing it in a locked down e-library that we couldn’t change.
    Below might be slightly improved wording:
    Actually, I feel that well-designed electronic controls are usually SUPERIOR to paper based controls (that could be forged or altered more easily)



  • I’m still confused about the locking down cells bit as whoever locks it can just as easily unlock it. Personally I think forging paper evidence requires more effort and time than altering electronic evidence and therefore paper evidence is probably better.
    True - Neither paper nor electronic control systems are bullet-proof. You always need checks and balances in the design of any control system. For example, ADMIN accounts can potentially change information, including electronic timestamps. Mitigating controls might include:

    • Corporate policies (e.g., ADMINS will be terminated for unauthorized tampering)
    • Audit trails might be enhanced via Operating System event logging
    • Sensitive control systems need to be audited frequently (think of the recent French bank USD7B losses where too much trust was placed in a single individual, without proper checks and balances).
    • Even in an electronically designed system, you can save the paper copy in an electronic format as well. For example, we also use imaging technology to scan in documents for permanent retention (rather than using paper copies).


  • Thank you all for your comments
    I am all for a paperless environment - I have had the luxury of working in a paperless office and I loved it - I am all about efficiency and paper handling is not efficient (in most cases).
    I appreciate your help and advice - and now am on to the task of trying to convince others that paper isn't always best 😄
    Thanks again.

