Lesson 1 of 7
The Sarbanes-Oxley Act of 2002 aims to protect investors by
improving the accuracy and reliability of corporate disclosures. The
legislation, often referred to as SOX, amends mail and wire fraud infractions
with harsher punishments and imposes fines and prison sentences of up to 20
years for anyone who knowingly alters or destroys a record or document with the
intent to obstruct an investigation. While most provisions of the act focus on
financial records, they were clearly not meant to stop there. For example,
during an investigation, discovery requests can be submitted to IT departments.
In addition, such requests could require access to all e-mail communication.
Data retention policies and procedures
Sarbanes-Oxley requires that strict records retention policies and procedures be in place, but it does not prescribe a particular data storage format. It does require corporate officers to institute internal controls over their information to ensure completeness, correctness, and quick access. One exception to this lack of specifics: accounting firms are explicitly addressed in Sarbanes-Oxley. The act calls for accounting firms that audit publicly traded companies to keep related audit documents for no less than seven years after the completion of an audit. Violators can face fines of up to $10 million and 20 years in prison.
Quick data retrieval
Quick data retrieval is another requirement under
Sarbanes-Oxley, and it’s just a good idea anyway. After all, if your company is
subpoenaed, do you really want to make your legal team wait three days for IT
to be able to pull the right records, or do you want the team to be able to
immediately begin crafting a defense?
Section 404 of Sarbanes-Oxley is also known as the internal control provision of the act. Under it, publicly traded companies must have policies and controls in place to secure, document, and process material information dealing with their financial results.
Compliance date for Section 404 for certain smaller companies: under the SEC’s March 2 extension, non-accelerated filers (and foreign private issuers filing annual reports on Form 20-F or 40-F) must begin to comply with the internal control over financial reporting requirements for their first fiscal year ending on or after July 15, 2006.
For a comprehensive list of Sarbanes-Oxley resources,
including free downloads, see page two.
Sarbanes-Oxley resources
- Download: 48 questions you need to answer for Sarbanes-Oxley compliance (according to the auditors)
  From Ernst and Young, a firm that works with companies to help them address critical business issues, comes this list of the 48 questions that need to be answered in order to gauge a company’s compliance with the Sarbanes-Oxley act.
- Download: Sarbanes-Oxley: IT pros may not like it but they still need to comply
  Here is a chapter from AIIM’s Information Nation Warrior: Information Management Compliance Boot Camp that shows how IT professionals can demonstrate responsiveness and good faith in making their IT infrastructure compliant with Sarbanes-Oxley and other regulations.
- Discussion: Sarbanes-Oxley: How is it affecting your IT department?
  There seems to be a wide range of experiences with Sarbanes-Oxley. Some IT pros say that they’ve always got at least one person from their IT department assigned to help auditors access data for compliance with Sarbanes-Oxley and other regulations. However, other IT pros seem like they’ve scarcely heard of Sarbanes-Oxley and didn’t realize that it has implications for their company and their IT department. Read what some TechRepublic members are saying about where they stand with Sarbanes-Oxley compliance.
- Report: Sarbanes-Oxley could threaten security
  Security group says the law may lead to a “compliance-based approach rather than a risk-based approach,” compromising information security. Get more details in this CNET News.com story.
- Sarbanes-Oxley and its effect on storage compliance systems
  This article discusses the primary provisions of the Sarbanes-Oxley Act that affect storage systems. Scott Lowe gives an overview and describes some storage products that offer special compliance features.
- Summary of Sarbanes-Oxley on the AICPA site
  This summary outlines how the act protects investors by improving the accuracy and reliability of corporate disclosures.
- Section 404 of the Sarbanes-Oxley Act
  Section 404 is also known as the internal control provision of the Sarbanes-Oxley act. This section states that publicly traded companies must have policies and controls in place to secure, document, and process material information dealing with their financial results.
- Document retention: The IT manager’s changing role
  This classic article includes information on how to do a benefits analysis, knowing what needs to be archived, and how to set up a solid team for the job.
- Discussion: Sarbox has taken over my life
  TechRepublic member maecuff is not on friendly terms with the Sarbanes-Oxley act and its implementation: “My shop is somewhat small, and somewhat loose. It’s been a nightmare. I spend at least 50% of my time on sarbox issues.” Take a look at some of the “gaps” the auditors have found in her organization.
- What Sarbanes-Oxley means for IT managers
  The Sarbanes-Oxley Act holds the management in charge of corporate disclosures accountable for its actions. It also offers IT managers guidance on what data they need to retain. Read this classic article for a brief look at the Act and how it affects IT managers.
- Tips to help IT managers write Sarbanes-Oxley test plans
  Here are some of the basics to help you create the test plans needed to certify that your company has appropriate IT controls in place for compliance.
- Sarbanes-Oxley Act/PCAOB Implementation Central
  This page on the AICPA Web site includes background documents, as well as guidance and tools for implementing Sarbanes-Oxley.
- The Sarbanes-Oxley Act Community Forum
  This interactive community portal is designed to facilitate the exchange of information among those seeking to comply with the requirements of Sarbanes-Oxley.
White papers and Webcasts
- Sustainable IT Compliance
  In this white paper from Active Reasoning, learn how to create an automated and sustainable IT compliance program that reduces the time and resources spent on your next audit.
- Primary Response and the Sarbanes-Oxley Act
  This white paper from Sana Software deals with how intrusion prevention software can help companies meet specific goals toward Sarbanes-Oxley compliance.
- Employee Morale & the Hidden Costs of SOX Compliance
  How do your Sarbanes-Oxley compliance efforts benchmark against your competitors? Download the 2005 compliance report whitepaper now.
- Understanding E-mail Regulatory Issues
  Download this TechRepublic Webcast, sponsored by Sophos, to learn what you need to know about today’s regulatory landscape and how it pertains to enterprise e-mail.
- Gain Competitive Advantage While Sustaining Sarbanes-Oxley Compliance
  Watch this Hewlett-Packard and Gartner Webcast on Sarbanes-Oxley, which features a presentation by a Gartner analyst and the story of Hewlett-Packard’s Sarbanes-Oxley compliance journey.
Vendors
- ExpenseWatch.com (SOX Compliance Module)
- Approva (Awareness Library)
- OpenPages (SOX Express 3.1)
- Actuate (BIRT)
- Concur (Expense Service)
- GreenPages (Compliance Solutions)
Course list
- Lesson 1: Sarbanes-Oxley
- Lesson 2: HIPAA
- Lesson 3: Gramm-Leach-Bliley
- Lesson 4: FERPA
- Lesson 5: US Patriot Act
- Lesson 6: European legislation
- Lesson 7: What’s next?