Lesson 1 of 7

The Sarbanes-Oxley Act of 2002 aims to protect investors by
improving the accuracy and reliability of corporate disclosures. The
legislation, often referred to as SOX, stiffens the penalties for mail and
wire fraud and imposes fines and prison sentences of up to 20 years on anyone
who knowingly alters or destroys a record or document with the intent to
obstruct an investigation. Although most provisions of the act focus on
financial records, they were clearly not meant to stop there. During an
investigation, for example, discovery requests can be submitted to the IT
department, and such requests could require access to all e-mail
communication.

Data retention policies and procedures

Sarbanes-Oxley requires that strict records retention
policies and procedures be in place, but it does not mandate a particular
data storage format. It does require corporate officers to institute internal
controls on their information to ensure completeness, correctness, and quick
access. Accounting firms are the one group for which the act is more
specific: firms that audit publicly-traded companies must keep related audit
documents for no less than seven years after the completion of an audit.
Violators can face fines of up to $10 million and 20 years in prison.

Quick data retrieval

Quick data retrieval is another requirement under
Sarbanes-Oxley, and it’s just a good idea anyway. After all, if your company is
subpoenaed, do you really want to make your legal team wait three days for IT
to be able to pull the right records, or do you want the team to be able to
immediately begin crafting a defense?

Section 404 of Sarbanes-Oxley is also known as the internal
control provision of the act. Under Section 404, publicly traded companies
must have policies and controls in place to secure, document, and process
material information dealing with their financial results.

Compliance date for Section 404 for certain smaller companies: under the
SEC's March 2, 2005 extension, non-accelerated filers (and foreign private
issuers filing annual reports on Form 20-F or 40-F) must begin to comply with
the internal control over financial reporting requirements for their first
fiscal year ending on or after July 15, 2006.

For a comprehensive list of Sarbanes-Oxley resources,
including free downloads, see the list below.

Sarbanes-Oxley resources

  • Download: 48 questions you need to answer for Sarbanes-Oxley compliance
    (according to the

    From Ernst and Young, a firm that works with companies to help them
    address critical business issues, comes this list of the 48 questions that
    need to be answered in order to gauge a company’s compliance with the
    Sarbanes-Oxley act.
  • Download: Sarbanes-Oxley: IT pros may not like it but they still need to
    comply

    Here is a chapter from AIIM’s Information Nation Warrior: Information
    Management Compliance Boot Camp that shows how IT professionals can
    demonstrate responsiveness and good faith in making their IT
    infrastructure compliant with Sarbanes-Oxley and other
  • Discussion: Sarbanes-Oxley: How is it affecting your IT department?

    There seems to be a wide range of experiences with Sarbanes-Oxley. Some IT
    pros say that they’ve always got at least one person from their IT
    department assigned to help auditors access data for compliance with
    Sarbanes-Oxley and other regulations. However, other IT pros seem like
    they’ve scarcely heard of Sarbanes-Oxley and didn’t realize that it has
    implications for their company and their IT department. Read what some
    TechRepublic members are saying about where they stand with
    Sarbanes-Oxley.
  • Report: Sarbanes-Oxley could threaten security

    Security group says law may lead to a “compliance-based approach
    rather than a risk-based approach,” compromising information security.
    Get more details in this CNET News.com story.
  • Sarbanes-Oxley and its effect on storage compliance systems

    This article discusses the primary provisions of the Sarbanes-Oxley Act
    that affect storage systems. Scott Lowe gives an overview and describes
    some storage products that offer special compliance
  • This summary of Sarbanes-Oxley on the AICPA site outlines how the act
    protects investors by improving the accuracy and reliability of corporate
    disclosures.
  • Section 404 of the Sarbanes-Oxley Act

    Section 404 is also known as the internal control provision of the
    Sarbanes-Oxley act. This section states that publicly traded companies
    must have policies and controls in place to secure, document, and process
    material information dealing with their financial results.
  • Document retention: The IT manager’s changing role

    This classic article includes information on how to do a benefits
    analysis, knowing what needs to be archived, and how to set up a solid
    team for the job.
  • Discussion: Sarbox has taken over my life

    TechRepublic member maecuff is not on friendly terms with the
    Sarbanes-Oxley act and its implementation: “My shop is somewhat small,
    and somewhat loose. It’s been a nightmare. I spend at least 50% of my time
    on sarbox issues.” Take a look at some of the “gaps” the auditors have
    found in her organization.
  • What Sarbanes-Oxley means for IT managers

    The Sarbanes-Oxley Act holds the management in charge of corporate
    disclosures accountable for its actions. It also offers IT managers
    guidance on what data they need to retain. Read this classic article for
    a brief look at the Act and how it affects IT
  • Tips to help IT managers write Sarbanes-Oxley test plans

    Here are some of the basics to help you create the test plans needed to
    certify that your company has appropriate IT controls in place for
    compliance.
  • Sarbanes-Oxley Act/PCAOB Implementation

    This page on the AICPA Web site includes background documents, as well as
    guidance and tools for implementing Sarbanes-Oxley.
  • The Sarbanes-Oxley Act Community Forum

    This interactive community portal is designed to facilitate the exchange
    of information among those seeking to comply with the requirements of
    Sarbanes-Oxley.

Course list

  • Lesson 1: Sarbanes-Oxley
  • Lesson 2: HIPAA
  • Lesson 3: Gramm-Leach-Bliley
  • Lesson 4: FERPA
  • Lesson 5: US Patriot Act
  • Lesson 6: European legislation
  • Lesson 7: What’s next?
