A follow-up question I would ask is: does your entity actually require a vendor to maintain SOX compliance? For example, would you expect a vendor to provide annual proof of SOX compliance? I have seen due diligence questionnaires reference specific standards (like SOX) because if a vendor is compliant, then it also indicates that they have internal controls, data security policies, reporting standards, etc., in place as an organization. Some ways I have observed to make the questionnaire a little more flexible to different vendors' terminology/understanding are either to break down the standard into specific questions or to make a reference such as, "the vendor deploys adequate controls reasonably similar to XYZ Industry Standard. If yes, please identify the applicable standard."