The Sarbanes-Oxley Act – what on earth is that?
It’s the name of a piece of US compliance legislation, with global implications, which was signed off in 2002 and is soon to ‘go live’ with the intention of preventing financial malpractice and accounting scandals such as the Enron debacle. It’s becoming known as SOX or SarbOx or SOA.
In fact, anything BUT ‘the Sarbanes-Oxley Act’, right? I can see why…
Indeed. The Sarbanes-Oxley Act is a bit of a mouthful, though it could be worse. It’s also known as the Public Company Accounting Reform and Investor Protection Act. The shorter moniker comes from the names of Senator Paul Sarbanes and Representative Michael Oxley who are credited as the main architects of the Act.
And when is this all going to happen?
The straightforward answer is 15 November, 2004. That is the date on which the Act comes into effect. But in truth companies should have been working on their compliance issues for quite some time. This isn’t just a case of flicking a switch at 10 minutes to midnight on 14 November.
So they should be looking at this now?
Companies should have started looking at their SOX issues some time ago – but many are still just waking up to the challenge. According to Margaret Brooks, director of strategic business development and SOX specialist at Computer Associates, finance departments ‘get it’ but “a lot of CIOs don’t know what’s going to hit them”.
That’s a bit harsh, isn’t it?
Well, one anonymous US CIO certainly concurred. “I feel like a bad storm’s coming and I don’t know what it is or when it’s going to hit,” he said at a recent industry event. It’s certainly fair to state that it’s an issue which relies heavily on IT and that sense of panic is not unique. Many companies are now aware of the spectre of SOX hanging over them without having a handle on what it is and what they have to do to ensure ‘compliance’.
So in a nutshell, what does it all involve?
The Act covers a whole range of governance issues – many covering the types of trade that are allowed within a company, with an emphasis upon keeping everything above board. For example, the Act forbids personal loans to officers and directors. Disgraced former WorldCom boss Bernie Ebbers had taken considerable loans from his company shortly before it became the next corporate scandal to rock the US, post-Enron. Other measures regulate the responsibilities of audit committees sent in to check the health of companies’ compliance. The Act also offers protection to ‘whistleblowers’ (for more specific details, see the links at the bottom of this article).
While much of this is common sense and achievable, the actual challenge of SOX is ensuring it is observed and that compliance can be demonstrated and accurately monitored and reported. The most common area of focus is the archiving of all communications and the creation of transparent and auditable systems for recording transactions, dealings and any kind of business correspondence. This should mean traders can’t contact one another, or analysts, ‘on the sly’ and deals can’t be ‘lost in the muddy waters of business’. Applications such as IM are also being singled out as areas that need to be secured and made clearly accountable.
Kailash Ambwani, CEO of secure IM provider FaceTime, believes IM is “mission critical” to most major financial institutions but he said: “These guys don’t have in place the necessary security, accountability, logging or archiving to make those IM sessions compliant.”
That is something that will have to change by 15 November.
So every file, every email, every IM, every phone call is going to have to be recorded?
That’s been a lot of people’s gut reaction, according to Mark Ellis, CA’s director of storage and information management, but it’s not quite so extreme. Many companies just assume as long as they do that they will be compliant with that aspect of SOX – which is true, if a little na