EDI & Industry Compliance
Sarbanes-Oxley
Contributed by the EDI Academy
The Sarbanes-Oxley Act of 2002 was created in response to corporate fraud scandals such as Enron, Arthur Andersen and WorldCom. All publicly traded companies registered with the Securities and Exchange Commission (SEC) must comply with Sarbanes-Oxley.
What Does This Mean for EDI?
EDI falls under the Sarbanes-Oxley (SOX) Section 404 general computer controls. The following scenario shows how Sarbanes-Oxley compliance works in one organization:
XYZ Company uses an EDI application, SAMPLE_EDI Server for Windows. The EDI team has a SOX subject matter expert (SME) who mainly performs EDI-related tasks but is also responsible for making sure that the EDI application adheres to SOX controls.
The actual Windows server on which SAMPLE_EDI Application lives has three layers that are monitored by the compliance department:
- The operating system layer: The IT Infrastructure department at XYZ Company is responsible for complying with the SOX controls related to the operating system. Tasks such as adding users to the Windows operating system, patching, upgrading, backing up and other typical system operations are performed by the systems administrator, not by the EDI subject matter expert. For SAMPLE_EDI to work properly, its service account must have full administrative privileges in Windows. The systems engineer creates this administrator account and documents it accordingly.
- The database layer: SAMPLE_EDI is a client/server application and is used with a Microsoft SQL Server database at XYZ Company. For SAMPLE_EDI to work properly, it must have full administrative access to its database. Again, the EDI subject matter expert is not responsible for adhering to SOX controls in the database layer; that is the responsibility of the corporate Database Administrators team.
- The application layer: SAMPLE_EDI itself is in the application layer. The EDI subject matter expert is responsible for adhering to all SOX controls related to the application layer. Some of these controls include:

- User Account Provisioning and De-Provisioning: Every time a user needs to be added, deleted or updated in the SAMPLE_EDI application, a standard operating procedure requires that a user request form be filled out. This user request form is approved by IT security and filed. During the audit, the auditor may check whether any users were added, updated or deleted and will ask for the corresponding user request form as an artifact.
- System Maintenance: The EDI subject matter expert is responsible for documenting all patches. The process for receiving new patch notifications must also be documented; for example, the software vendor might offer email notifications when new patches become available.
- Change Management: If the EDI team needs to make a change (e.g., to a map or an FTP script), a proper change control procedure must be in place. The auditor might scan the system folders and database tables for change-related activity and ask for the associated change control documentation. Proper separation of duties must exist in the change control process.
- Operations: The EDI department monitors EDI traffic 24/7. Most EDI activities are recorded in the application's audit log. SAMPLE_EDI has a scheduler that runs all jobs automatically according to a specified schedule. The EDI operations team maintains a report covering every job, when and how it ran and its final status. The purpose of this log is to identify any deviations from the original schedule.
- Archiving/Backup: All EDI X12 data is archived for about 7 years. The files are backed up several times a day and are eventually written to backup tapes and stored off-site.
- Security: Evidence must exist to prove to the auditors that all EDI transactions sent electronically are transmitted securely, using authentication, encryption and access controls.
The above case study is just one example of how a company's EDI department handles SOX controls. Typically, every company has its own method of handling them.
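Two of the application-layer controls above, user provisioning and operations monitoring, are the kind an auditor tests by reconciling records: the application's user list against the filed, approved request forms, and the scheduler's run log against the planned schedule. The script below is an added example written for this page, not code from the EDI Academy or from any real EDI product; SAMPLE_EDI, the user ids, the job names and the log format are all constructed, and a real deployment would read these records from the application's user table and audit log.

```python
"""
Added example: two audit-evidence checks for the application-layer SOX
controls described above.  All data below is constructed for illustration.

  1. Provisioning: flag any account present in the application that is not
     backed by an approved, still-effective user request form.
  2. Operations: compare the scheduler run log with the planned schedule and
     flag jobs that never ran, failed, or started late.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Accounts currently present in the SAMPLE_EDI application (constructed).
APP_USERS = {"jsmith", "mlee", "svc_edi", "tmp_contractor"}

# Filed user request forms as (user, action, approved_by) tuples (constructed).
# A form whose approved_by is None was filed but never approved by IT security.
REQUEST_FORMS = [
    ("jsmith", "add", "it-security"),
    ("mlee", "add", "it-security"),
    ("svc_edi", "add", "it-security"),
    ("rjones", "add", "it-security"),
    ("rjones", "delete", "it-security"),   # rjones was later de-provisioned
    ("tmp_contractor", "add", None),       # present in the app, never approved
]

# Planned scheduler entries for one day: job name -> planned start (constructed).
PLANNED = {
    "inbound_850_pickup": datetime(2024, 3, 4, 6, 0),
    "outbound_810_send": datetime(2024, 3, 4, 7, 0),
    "ack_997_send": datetime(2024, 3, 4, 8, 0),
    "archive_x12": datetime(2024, 3, 4, 23, 0),
}

# Scheduler run log as the operations team might export it (constructed):
# "<date> <time> <job> <status>" per line.  archive_x12 has no entry at all.
RUN_LOG = """\
2024-03-04 06:00:12 inbound_850_pickup SUCCESS
2024-03-04 07:41:03 outbound_810_send SUCCESS
2024-03-04 08:00:05 ack_997_send FAILED
"""


@dataclass
class Deviation:
    job: str
    kind: str      # "missing", "failed" or "late"
    detail: str


def unapproved_accounts(app_users, forms):
    """Return application accounts with no approved, still-effective request form.

    Only approved forms count; an approved 'delete' cancels an earlier 'add'."""
    effective = set()
    for user, action, approved_by in forms:
        if approved_by is None:
            continue
        if action == "add":
            effective.add(user)
        elif action == "delete":
            effective.discard(user)
    return sorted(app_users - effective)


def parse_run_log(text):
    """Parse the constructed log format into {job: (start_time, status)}."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, job, status = line.split()
        runs[job] = (datetime.fromisoformat(f"{date} {time}"), status)
    return runs


def schedule_deviations(planned, runs, tolerance=timedelta(minutes=15)):
    """Compare planned jobs with actual runs; report missing, failed and late jobs."""
    deviations = []
    for job, planned_start in planned.items():
        if job not in runs:
            deviations.append(Deviation(job, "missing", "no run recorded"))
            continue
        started, status = runs[job]
        if status != "SUCCESS":
            deviations.append(Deviation(job, "failed", f"status {status}"))
        delay = started - planned_start
        if delay > tolerance:
            minutes = int(delay.total_seconds() // 60)
            deviations.append(Deviation(job, "late", f"started {minutes} min after plan"))
    return deviations


if __name__ == "__main__":
    for user in unapproved_accounts(APP_USERS, REQUEST_FORMS):
        print(f"PROVISIONING: account '{user}' has no approved request form")
    for d in schedule_deviations(PLANNED, parse_run_log(RUN_LOG)):
        print(f"OPERATIONS: {d.job}: {d.kind} ({d.detail})")
```

Run on the constructed data, the provisioning check reports only tmp_contractor (its form exists but was never approved), and the schedule check reports outbound_810_send as late, ack_997_send as failed and archive_x12 as missing. The 15-minute tolerance is an assumed threshold; the real value would come from the operations team's own definition of an acceptable deviation.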