My apologies. I started to reply yesterday and got sidetracked.
Here's my view. I'm not a lawyer, auditor, or regulatory reviewer. Your job is to be compliant with SOX auditing, from an auditor. You should work with them to explain what you do, show how you know this happens, and adjust your work based on their findings. SOX compliance (or GDPR, PCI, HIPAA, etc.) isn't about every pedantic thing a technical person can think of to change/lose/steal/etc. data. It's about adhering to the regulation in a way that the auditor agrees with. Like a CPA with taxes, they are more on the hook than you are if there is a government review.
When I went through SOX audits, they were like ISO audits. It wasn't that we had to have perfect data or security or anything. We had to know what we did, prove we knew it, and have records. This is about knowing how your systems work, how you modify/change/etc. them, and showing you have records of those efforts.
As noted above, you are responsible for showing how things work. If user A mis-enters data, you need to show that you return that data to user B correctly, as per your system. If you aggregate data, and you can't use SUM correctly, that's not your fault, but the fact that you show where the formula was written, tested, deployed, signed off on is enough (usually). What can't happen is changes going outside of your (meaning org's) protocols that are audited and recorded.
If your vendor doesn't process data correctly, that's on them. What you are responsible for dealing with are your issues. You have security in place to know who put data in, who got it out, and what they did. If it's manipulated by IT systems, that's on you. If a user does this in Excel on their laptop, that's on them. They should have records showing which versions of the XLS with the formulas were used for reporting. Same for your systems. What was the code used to process data at that time? This usually means records of deployment, of the actual code, who made the decision.
This whole thing wasn't about reporting bad information. We know that happens. This is about people being able to willfully misreport data outside of auditor knowledge. Enron got execs thrown in jail, and auditors that conspired with them. Andersen auditing was broken up after this.
Know what you do with data, and prove it. Those are the real guidelines.