
Q&A Forum

SOX Compliance and the PDF Invoice

Our process is to take incoming invoices and match them up with approved POs and Receivers/Packing Slips before inputting into our accounting system. This is all done electronically and PDFs are combined to create one document for clean/clear tracking and saving. One of our suppliers is sending secured PDFs that we cannot change or combine with any other documents. They explained to us that this is a SOX Compliance issue. Is this really what SOX compliance requires? Our issue is that we strive to be paper-free, but to get the documents merged we have to print their invoice to re-scan and then combine for our records. I do not have this issue with any of my other suppliers, some of which are also publicly held and, I would guess, are required to follow the same requirements.


Len Green
Title: Performance Improvement Consultant and ERP Strategist
Company: Haygarth Consulting LLC


Your question "Is this really what SOX compliance requires?" is key.
If someone decides to apply a standard more stringent than the regulation, that does not mean that is the only way to be compliant.

I would push back on them and ask them if they have chosen secure PDFs as their way to be SOX compliant as opposed to SOX regulations requiring secure PDFs. Then try advising them that you require regular PDFs to support your control requirements and ask them to comply with that :)

I like your document aggregation process: one file with the entire audit trail.

Len Green
Title: Performance Improvement Consultant and ERP Strategist
Company: Haygarth Consulting LLC

Here's verbatim feedback from a friend who is Director of Internal Audit for a $1B+ NYSE global company:

"I don’t know what the supplier's control set involves but I have never seen anything like this. I can only assume by sending only secured documents they believe this prohibits the customer from making changes but I assume this is not a well thought out strategy. Also, it could be the supplier's team is just blaming it on SOX…it wouldn't be the first time."

I think that helps your case...

Lynn Fountain
Title: MBA CGMA CRMA, Past Chief Audit Executive
Company: Business Consultant


I have been a past Chief Audit Executive who handled all SOX compliance. First, SOX does not speak directly to how any process is completed (e.g., xeroxing, printed invoice, mailed invoice); it speaks to the adequacy of the design and execution of controls. Whatever the supplier is doing is on their end of the system. I'm not sure about the statement "a PDF that cannot be altered" because there are many programs these days that transfer secure PDFs to other documents. The key is what is your company doing to ensure the invoices received are accurate and represent the item ordered. In this case all you need to ensure is that you have adequately validated the invoice payment amount to the materials ordered and reconciled any discrepancies. Once the invoice gets to your door, it is now your control issue that you should be concerned about.

I have filmed two SOX webinars for Proformative on the requirements of SOX.

Sara Voight
Title: Controller
Company: Critical Signal Technologies, Inc

Thank you Len and Lynn for your feedback.

Ross Anderson, CPA, MBA
Title: Controller
Company: TFS Capital

Hi Sara,

Try removing the security and password. I have done this and it's a pretty quick process. Do the below steps (this is from Adobe's help site), hit save, and it should take effect.

Remove password security

You can remove security from an open PDF if you have the permissions to do so. If the PDF is secured with a server-based security policy, only the policy author or a server administrator can change it.

Open the PDF, then select Tools > Protect > Encrypt > Remove Security.

Your options vary depending on the type of password security attached to the document:

If the document had only a Document Open password, click OK to remove it from the document.
If the document had a permissions password, type it in the Enter Password box, and then click OK. Click OK again to confirm the action.

