Compliance Regulatory Overview: Sarbanes-Oxley

This lesson is part one of a seven-part series on IT regulatory compliance. Part one covers the Sarbanes-Oxley Act of 2002: who it affects, what failure to comply could mean for your organization, and best practices for meeting the regulation.

Lesson 1 of 7

The Sarbanes-Oxley Act of 2002 aims to protect investors by improving the accuracy and reliability of corporate disclosures. The legislation, commonly referred to as SOX, stiffens the penalties for mail and wire fraud and imposes fines and prison sentences of up to 20 years on anyone who knowingly alters or destroys a record or document with the intent to obstruct an investigation. Although most provisions of the act focus on financial records, the records provisions are not limited to them: a record is a record regardless of whether it lives in the accounting system or on a mail server. During an investigation, discovery requests can be directed at IT departments, and such requests can require access to all e-mail communication.

Data retention policies and procedures

Sarbanes-Oxley requires that strict records retention policies and procedures be in place, but it does not prescribe a particular data storage format. It does require corporate officers to institute internal controls over their information to ensure completeness, correctness, and quick access. Accounting firms are the one case the act addresses specifically: firms that audit publicly traded companies must keep related audit documents for no less than seven years after the completion of an audit. Violators can face criminal fines and up to 10 years in prison.

Quick data retrieval

Quick data retrieval is another requirement under Sarbanes-Oxley, and it is a good idea regardless of the regulation. If your company is subpoenaed, do you want your legal team waiting three days for IT to locate the right records, or do you want the team to be able to begin crafting a defense immediately?

Section 404 of Sarbanes-Oxley is known as the internal control provision of the act. Under Section 404, publicly traded companies must have policies and controls in place to secure, document, and process the material information behind their financial reporting, and management must assess and report on the effectiveness of those controls. The compliance date for certain smaller companies was pushed back: under the SEC's March 2, 2005 extension, non-accelerated filers (and foreign private issuers filing annual reports on Form 20-F or 40-F) must begin to comply with the internal control over financial reporting requirements for their first fiscal year ending on or after July 15, 2006.

For a comprehensive list of Sarbanes-Oxley resources, including free downloads, see the resources below.

Sarbanes-Oxley resources

  • Download: 48 questions you need to answer for Sarbanes-Oxley compliance (according to the auditors)
    From Ernst and Young, a firm that works with companies to help them address critical business issues, comes this list of the 48 questions that need to be answered in order to gauge a company's compliance with the Sarbanes-Oxley act.
  • Download: Sarbanes-Oxley: IT pros may not like it but they still need to comply
    Here is a chapter from AIIM's Information Nation Warrior: Information Management Compliance Boot Camp that shows how IT professionals can demonstrate responsiveness and good faith in making their IT infrastructure compliant with Sarbanes-Oxley and other regulations.
  • Discussion: Sarbanes-Oxley: How is it affecting your IT department?
    There seems to be a wide range of experiences with Sarbanes-Oxley. Some IT pros say that they've always got at least one person from their IT department assigned to help auditors access data for compliance with Sarbanes-Oxley and other regulations. However, other IT pros seem like they've scarcely heard of Sarbanes-Oxley and didn't realize that it has implications for their company and their IT department. Read what some TechRepublic members are saying about where they stand with Sarbanes-Oxley compliance.
  • Report: Sarbanes-Oxley could threaten security
    Security group says law may lead to a "compliance-based approach rather than a risk-based approach," compromising information security. Get more details in this CNET story.
  • Sarbanes-Oxley and its effect on storage compliance systems
    This article discusses the primary provisions of the Sarbanes-Oxley Act that affect storage systems. Scott Lowe gives an overview and describes some storage products that offer special compliance features.
  • This summary of Sarbanes-Oxley on the AICPA site outlines how the act protects investors by improving the accuracy and reliability of corporate disclosures.
  • Section 404 of the Sarbanes-Oxley Act
    Section 404 is also known as the internal control provision of the Sarbanes-Oxley act. This section states that publicly traded companies must have policies and controls in place to secure, document, and process material information dealing with their financial results.
  • Document retention: The IT manager's changing role
    This classic article includes information on how to do a benefits analysis, knowing what needs to be archived, and how to set up a solid team for the job.
  • Discussion: Sarbox has taken over my life
    TechRepublic member maecuff is not on friendly terms with the Sarbanes-Oxley act and its implementation: "My shop is somewhat small, and somewhat loose. It's been a nightmare. I spend at least 50% of my time on sarbox issues." Take a look at some of the "gaps" the auditors have found in her organization.
  • What Sarbanes-Oxley means for IT managers
    The Sarbanes-Oxley Act holds the management in charge of corporate disclosures accountable for its actions. It also offers IT managers guidance on what data they need to retain. Read this classic article for a brief look at the Act and how it affects IT managers.
  • Tips to help IT managers write Sarbanes-Oxley test plans
    Here are some of the basics to help you create the test plans needed to certify that your company has appropriate IT controls in place for compliance.
  • Sarbanes-Oxley Act/PCAOB Implementation Central
    This page on the AICPA Web site includes background documents, as well as guidance and tools for implementing Sarbanes-Oxley.
  • The Sarbanes-Oxley Act Community Forum
    This interactive community portal is designed to facilitate the exchange of information among those seeking to comply with the requirements of Sarbanes-Oxley.

Course list

  • Lesson 1: Sarbanes-Oxley
  • Lesson 2: HIPAA
  • Lesson 3: Gramm-Leach-Bliley
  • Lesson 4: FERPA
  • Lesson 5: US Patriot Act
  • Lesson 6: European legislation
  • Lesson 7: What's next?
