No discussion of disaster recovery (DR) and compliance would be complete
without looking at the Sarbanes-Oxley Act of 2002 (SOX). Passed in response to
the accounting scandals made famous by companies like Enron, SOX lays down
strict requirements for financial reporting and disclosure by all public
companies in the United States. Its reach extends well beyond your financial
reporting, however.

Primarily, SOX details what must be reported about the financial state of your
corporation and when those reports must be made. It also sets out guidelines for
internal controls intended to ensure that those reports can be produced
accurately and on time. Those requirements have serious implications for your DR
planning.

What SOX says

SOX sets out a harsh schedule of fines and other penalties for failure to comply
with the law, and it offers no leeway for an organization that cannot meet its
obligations because of a disaster or other data-loss event. You must be able to
file your reports, and have the data to back them up, regardless of what else is
happening in the organization or its data center. While I'm fairly sure that a
disaster on the scale of the Gulf Coast hurricanes would mitigate some of the
penalties for a SOX violation, there is no guarantee of that. The bottom line is
that even after a large-scale disaster, your company can be held liable if it
cannot meet the requirements of the regulations.

The section of the Act that most pertains to your DR plan is Sec. 404,
Management Assessment of Internal Controls (page 45 of the PDF of the Act). It
requires each annual report to include an internal control report that must
“state the responsibility of management for establishing and maintaining an
adequate internal control structure” and “contain an assessment, as of the end
of the most recent fiscal year of the issuer, of the effectiveness of the
internal control structure and procedures of the issuer for financial
reporting.”

What SOX means

Much like HIPAA, SOX does not prescribe specific technologies, nor does it say
how often backups must be made, where they should be stored, and so on. Those
decisions are left to you, but you must document the policies and procedures you
put in place to safeguard your data and to make sure it is available for the
annual reporting cycle. Closing all the gaps can mean deploying new hardware and
software that puts a sizable dent in your budget. That expense is what is
heating up the SOX debate right now: the SEC is prepared to create what
opponents say is a huge loophole that would gut the Act, exempting roughly
80 percent of all public companies from having their internal controls attested
by an outside auditor.

Preparing for DR in light of SOX has two primary parts. The first is putting
systems in place to protect all financial and other data needed to meet the
reporting requirements, and to archive that data so you can answer future
requests for clarification of those reports. The second is to document those
systems and procedures expressly, so that in a SOX audit the auditors can see
that a DR plan exists and that it will adequately protect the data. Because
Sec. 404 is concerned with the effectiveness of controls, expect auditors to ask
for evidence that the plan has been exercised, not merely that it is written
down.

On the surface, this sounds straightforward. You have no doubt already begun DR
planning and are therefore already looking to protect this data, but the
complexity of the Act means you will need to consult internal and possibly
external counsel to determine exactly which data is most crucial. In addition,
many companies are deploying intricate software packages to manage their SOX
compliance, and those new systems must themselves become part of your DR
planning right away.

SOX DR planning is a series of hurdles that every publicly traded company must
clear. There is little or no “wiggle room” here: the agencies responsible for
enforcement remember the earlier accounting debacles all too well and are
unlikely to show mercy to you or your DR plan if reports cannot be filed on
time.