Compliance Regulatory Overview: Sarbanes-Oxley

Lesson 1 of 7

The Sarbanes-Oxley Act of 2002 aims to protect investors by improving the accuracy and reliability of corporate disclosures. The legislation, often referred to as SOX, amends mail and wire fraud infractions with harsher punishments and imposes fines and prison sentences of up to 20 years for anyone who knowingly alters or destroys a record or document with the intent to obstruct an investigation. While most provisions of the act focus on financial records, they were clearly not meant to stop there. For example, during an investigation, discovery requests can be submitted to IT departments. In addition, such requests could require access to all e-mail communication.

Data retention policies and procedures

Sarbanes-Oxley requires that strict records retention policies and procedures must be in place, but it does not specify a specific data storage format. It does require corporate officers to institute internal controls on their information to ensure completeness, correctness, and quick access. One exception to the specifics: accounting firms are specifically mentioned in Sarbanes-Oxley. The act calls for accounting firms that audit publicly-traded companies to keep related audit documents for no less than seven years after the completion of an audit. Violators can face fines of up to $10 million and 20 years in prison.

Quick data retrieval

Quick data retrieval is another requirement under Sarbanes-Oxley, and it's just a good idea anyway. After all, if your company is subpoenaed, do you really want to make your legal team wait three days for IT to be able to pull the right records, or do you want the team to be able to immediately begin crafting a defense?

Section 404 of Sarbanes-Oxley is also known as the internal control provision of the act. Under Section 404 of Sarbanes-Oxley, publicly traded companies must have policies and controls in place to secure, document, and process material information dealing with their financial results. Compliance date for Section 404 of Sarbanes-Oxley for certain smaller companies: Under the SEC's March 2 extension, non-accelerated filers (and foreign private issuers filing annual reports on Form 20-F or 40-F) must begin to comply with the internal control over financial reporting requirements for their first fiscal year ending on or after July 15, 2006.

For a comprehensive list of Sarbanes-Oxley resources, including free downloads, see page two.

Sarbanes-Oxley resources

• Download: 48 questions you need to answer for Sarbanes-Oxley compliance (according to the auditors)
  From Ernst and Young, a firm that works with companies to help them address critical business issues, comes this list of the 48 questions that need to be answered in order to gauge a company's compliance with the Sarbanes-Oxley act.
• Download: Sarbanes-Oxley: IT pros may not like it but they still need to comply
  Here is a chapter from AIIM's Information Nation Warrior: Information Management Compliance Boot Camp that shows how IT professionals can demonstrate responsiveness and good faith in making their IT infrastructure compliant with Sarbanes-Oxley and other regulations.
• Discussion: Sarbanes-Oxley: How is it affecting your IT department?
  There seems to be a wide range of experiences with Sarbanes-Oxley. Some IT pros say that they've always got at least one person from their IT department assigned to help auditors access data for compliance with Sarbanes-Oxley and other regulations. However, other IT pros seem like they've scarcely heard of Sarbanes-Oxley and didn't realize that it has implications for their company and their IT department. Read what some TechRepublic members are saying about where they stand with Sarbanes-Oxley compliance.
• Report: Sarbanes-Oxley could threaten security
  Security group says law may lead to a "compliance-based approach rather than a risk-based approach," compromising information security. Get more details in this CNET News.com story.
• Sarbanes-Oxley and its affect on storage compliance systems
  This article discusses the primary provisions of the Sarbanes-Oxley Act that affect storage systems. Scott Lowe gives an overview and describes some storage products that offer special compliance features.
• This summary of Sarbanes-Oxley on the AICPA site outlines how the act protects investors by improving the accuracy and reliability of corporate disclosures.
• Section 404 of the Sarbanes-Oxley Act
  Section 404 is also known as the internal control provision of the Sarbanes-Oxley act. This section states that publicly traded companies must have policies and controls in place to secure, document, and process material information dealing with their financial results.
• Document retention: The IT manager's changing role
  This classic article includes information on how to do a benefits analysis, knowing what needs to be archived, and how to set up a solid team for the job.
• Discussion: Sarbox has taken over my life
  TechRepublic member maecuff is not on friendly terms with the Sarbanes-Oxley act and it implementation: "My shop is somewhat small, and somewhat loose. It's been a nightmare. I spend at least 50% of my time on sarbox issues." Take a look at some of the "gaps" the auditors have found in her organization.
• What Sarbanes-Oxley means for IT managers
  The Sarbanes-Oxley Act holds the management in charge of corporate disclosures accountable for its actions. It also offers IT managers guidance on what data they need to retain. Read this classic article for a brief look at the Act and how it affects IT managers.
• Tips to help IT managers write Sarbanes-Oxley test plans
  Here are some of the basics to help you create the test plans needed to certify that your company has appropriate IT controls in place for compliance.
• Sarbanes-Oxley Act/PCAOB Implementation Central
  This page on the AICPA Web site includes background documents, as well as guidance and tools for implementing Sarbanes-Oxley.
• The Sarbanes-Oxley Act Community Forum
  This interactive community portal is designed to facilitate the exchange of information among those seeking to comply with the requirements of Sarbanes-Oxley.

White papers and Webcasts

• Sustainable IT Compliance
  In this white paper from Active Reasoning, learn how to create an automated and sustainable IT compliance program that reduces the time and resources spent on your next audit.
• Primary Response and the Sarbanes-Oxley Act
  This white paper from Sana Software deals with how intrusion prevention software can help companies meet specific goals toward Sarbanes-Oxley compliance.
• Employee Morale & the Hidden Costs of SOX Compliance
  How do your Sarbanes-Oxley compliance efforts benchmarks against your competitors? Download the 2005 compliance report whitepaper now.
• Understanding E-mail Regulatory Issues
  Download this TechRepublic Webcast, sponsored by Sophos, to learn what you need to know about today's regulatory landscape and how it pertains to enterprise e-mail.
• Gain Competitive Advantage While Sustaining Sarbanes-Oxley Compliance
  Watch this Hewlett-Packard and Gartner Webcast on Sarbanes-Oxley, which features a presentation by a Gartner analyst and the story of Hewlett-Packard's Sarbanes-Oxley compliance journey.

Vendors

• ExpenseWatch.com (SOX Compliance Module)
• Approva (Awareness Library)
• OpenPages (SOX Express 3.1)
• Actuate (BIRT)
• Concur (Expense Service)
• GreenPages (Compliance Solutions)

Course list

• Lesson 1: Sarbanes-Oxley
• Lesson 2: HIPAA
• Lesson 3: Gramm-Leach-Bliley
• Lesson 4: FERPA
• Lesson 5: US Patriot Act
• Lesson 6: European legislation
• Lesson 7: What's next?

Sign up for the Compliance Regulatory Overview series

If you haven't subscribed to this series, automatically sign up today to receive the entire Compliance Regulatory Overview series in your inbox.

We want your feedback