Is Word document-comparison software SOX compliant?
Is there any Sarbanes-Oxley issue with using document-comparison software to compare an original unsigned contract in Word (.doc format) to a signed contract (returned in .tif format)?
The short answer is: Ask your auditor. The long answer is: I'm not sure. I can see why it wouldn't be a problem from a theoretical perspective. After all, the main point of the Sarbanes-Oxley Act (SOX) is to ensure executives can, with certainty, assert that their financial records are accurate. Certainly, there are cases where financially relevant contracts will regularly be passed back and forth between organizations and legal departments, and other groups will want to know if unapproved changes were made. This can be particularly challenging with contracts that are more than a couple of pages long, not to mention those that are hundreds or thousands of pages long, which is not unheard of. Given this situation, document-comparison tools would likely be accepted by auditors in a general sense.
Where this question gets interesting is in the details. As a security practitioner, I'd want to have a much deeper understanding of how the software you reference works. Comparing two files of the same format is a relatively straightforward proposition. However, comparing multiple formats becomes a much more challenging issue, which gets even more interesting when one of those formats is an image.
In order to compare the text from a .doc (or .docx) to a .tif, it's necessary to do some sort of optical character recognition (OCR) and then compare it to the text in the .doc(x) file. This is, to say the least, not the easiest thing to do. So before I'd sign off on this, I'd want a strong assurance from the vendor that the tool is actually capable of performing the necessary comparisons so that I would be comfortable telling a CEO or CFO they can rely on such a technology. Similarly, I know a lot of other auditors that would need the same level of confidence. So, to summarize: Ask your auditor.
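The sketch below is an added example, not part of the original answer and not any vendor's tool, showing why the OCR-then-compare step is hard to trust blindly: recognition errors and real edits both appear as mismatches. It assumes the text has already been extracted from the .doc and OCR'd from the .tif; the confusable-glyph list and the rule that digit-bearing terms always go to a human are illustrative assumptions.

```python
import difflib

# Constructed sample input: the unsigned text and an OCR pass over the signed scan.
ORIGINAL = "Supplier shall deliver within 30 days. Total fee: $10,000 payable in full."
OCR_TEXT = "Supp1ier shall deliver within 3O days. Total fee: $15,000 payable in fuII."

# Assumed list of glyphs an OCR engine commonly confuses: 0/o, 1/i/|/l, 5/s.
FOLD = str.maketrans("01i|5", "ollls")


def fold(token):
    """Map a token to a canonical form in which confusable glyphs are equal."""
    return token.lower().replace("rn", "m").translate(FOLD)


def compare(original, ocr_text):
    """Return (kind, original_words, ocr_words) for every mismatching span.

    kind is "ocr-noise" when the spans are equal after folding and the
    original span has no digits; otherwise it is "review". Amounts, dates and
    durations are never auto-dismissed, because a mismatch there may be a
    changed term rather than a misread character.
    """
    a, b = original.split(), ocr_text.split()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        left, right = a[i1:i2], b[j1:j2]
        same_after_fold = [fold(t) for t in left] == [fold(t) for t in right]
        has_digits = any(ch.isdigit() for t in left for ch in t)
        kind = "ocr-noise" if same_after_fold and not has_digits else "review"
        findings.append((kind, " ".join(left), " ".join(right)))
    return findings


if __name__ == "__main__":
    for kind, left, right in compare(ORIGINAL, OCR_TEXT):
        print(f"{kind:9} original={left!r} scanned={right!r}")
```

Every "ocr-noise" verdict here is a guess about the scanner, so an auditor relying on such a tool would want to know how many mismatches it suppresses and on what basis.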
This was first published in August 2009