> Since early 2004, there is an E.U. (European Union) rule that allows companies
> to do this, on condition that the EDI environment follows certain conditions:
> - the system has to be certified guaranteeing that messages can't be
>   modified anymore as soon as they have been sent
> - the systems have to be able to reproduce exactly the same message at any
>   given time (for a certain period)
>
> Surely the same rules apply in the US, and/or are on the requirements list
> of your major customers.
>
> Would it be possible to explain to us:
> - how your process of electronic invoicing is working (in the case where
>   you don't send paper copies)
> - what types of certifications are applied / required
> - what types of additional controls have been installed. "

We have addressed much of this in our SOX (Sarbanes-Oxley) certification.

Since the invoice is most certainly part of the order-to-cash cycle, we have
implemented the following controls:

1) No direct unaudited access to production files.  Note the word
"unaudited."  If we need to make a change, and we sometimes do, we have an
audit trail that shows what was changed and why.  Our SOP is also set up to
change only a copy of the data; the original data is maintained in a secure
archive for 7 years.  Case in point:  I had to add a vendor number to an
invoice today that was inadvertently left off due to other data issues.  The
customer only accepts EDI invoices, so sending paper invoices and POD is
out.  I retrieved a copy of the data, added the elements to the IT1 segment
for the missing items, and submitted the invoice again.  The paperwork,
naturally, took me longer to fill out than the invoice.  C'est la vie.

2) No direct unaudited access to the PROGRAM that we use to transmit data to
our VAN.  The reason is that we can actually use this communications program
to transmit any data, so we need to maintain control over this utility as
well.

3) We are audited on a quarterly basis by an internal audit team and on an
annual basis by our external SOX auditors.

If anyone is looking for the kind of certification the EU wants, it'll
probably be found in IT compliance and governance procedures.

