EDI Sarbanes-Oxley Act Definition and Meaning
The Sarbanes-Oxley Act of 2002 was created in response to corporate fraud scandals such as Enron, Arthur Andersen and WorldCom. All publicly traded companies that are registered with the Securities and Exchange Commission (SEC) must comply with Sarbanes-Oxley, and EDI Sarbanes-Oxley refers to how those requirements apply to a company's EDI systems.
EDI falls under the Sarbanes-Oxley (SOX) Section 404 general computer controls. The following case scenario shows how EDI Sarbanes-Oxley compliance works in one organization:
XYZ Company uses an EDI application, Gentran Server for Windows. The EDI team has a SOX subject matter expert (SME) who mainly performs EDI-related tasks but is also responsible for making sure that the EDI application adheres to SOX controls.
The Windows server on which Gentran runs has three layers that are monitored by the compliance department:
- The operating system layer: The IT Infrastructure department at XYZ Company is responsible for complying with the SOX controls related to the operating system. Tasks such as adding users to the Windows operating system, patching, upgrading, backing up and other typical system operations are performed by the systems administrator, not the EDI subject matter expert. For Gentran to work properly, its service account must have full administrative privileges in Windows; because this is a highly privileged account, the systems engineer creates it and documents its creation accordingly.
- The database layer: Gentran is a client/server application and is used with a Microsoft SQL Server database at XYZ Company. For Gentran to work properly, it must have full administrative access to its database. Again, the EDI subject matter expert is not responsible for adhering to SOX controls in the database layer; this is the responsibility of the corporate Database Administrators team.
- The application layer: Gentran itself sits in the application layer. The EDI subject matter expert is responsible for adhering to all SOX controls related to the application layer. Some of these controls include:
  - User account provisioning and de-provisioning: Every time a user needs to be added, deleted or updated in the Gentran application, a standard operating procedure requires that a user request form be filled out. This form is approved by IT security and filed. During an audit, the auditor may ask whether any users were added, updated or deleted and will request the corresponding user request forms as artifacts.
  - System maintenance: The EDI subject matter expert is responsible for documenting all patches. The process for receiving new patch notifications must also be documented; for example, the software vendor might offer email notifications when new patches are available.
  - Change management: If the EDI team needs to make a change (e.g. to a map or an FTP script), a proper change control procedure must be in place. The auditor might scan the system folders and database tables for change-related activity and ask for the associated change control documentation. Proper separation of duties must exist in the change control process.
  - Operations: The EDI department monitors EDI traffic 24/7. Most EDI activities are stored in the application's audit log. Gentran has a scheduler that runs all jobs according to a specified schedule. The EDI operations team keeps a report of all jobs, when they ran and their completion status; the purpose of this log is to identify any deviations from the original schedule.
  - Archiving/backup: All EDI X12 data is archived for about 7 years. The files are backed up several times a day and are eventually placed on backup tapes stored off-site.
  - Security: Evidence must exist to prove to the auditors that all EDI-related transactions sent electronically are protected by authentication, encryption and access controls.
The above case study is just one example of how a company's EDI department handles EDI Sarbanes-Oxley controls. Typically, every company has its own method of handling them.