Since we have approximately 4 more months until the Sarbanes-Oxley Act (SOX) will be applied to all publicly traded businesses, I’d like to give everyone a little refresher course. Although it won’t apply to most of our clients, the act proves to be a solid compliance guideline for any company. Because its requirements trickle down from larger businesses, and lenders and similar parties keep tightening their own requirements, it’s not a bad thing to follow.
SOX Compliance Summary
– Purpose: protect investors and creditors of public companies
– Scope: publicly traded corporations with larger than $75 Million in Public Equity (expires Dec 2009)
– Records: documents and files pertaining to financial statement generation (at least 5 years)
Section 404 – Requires management to report on the effectiveness of their internal financial controls and for outside auditors to attest to the management reports.
Section 802 – Makes it a criminal violation to alter, destroy, mutilate, conceal or make a false entry in a record, document or tangible object with the intent to impede, obstruct or influence any investigation or bankruptcy matter.
Section 1107 – Provides criminal penalties for retaliation related to an employee’s whistle blowing activities.
Section 301 – Requires the independence of audit committees.
Section 302 – Mandates that CEOs and financial officers certify financial statements.
Section 406 – Requires public companies to disclose whether they have adopted a code of ethics governing the behavior of senior financial officers.
General Business Process recommendations:
– Segregation of duties
– Establish a policy of archival and backup (onsite and offsite)
– Have independent party review books on a regular basis (CPA)
– Have good documented procedures
– Review Financial data using reports
– Set up user accounts with only the necessary privileges
– Implement audit trails
– Backup regularly (minimum retention time of 3 periods)
Sarbanes-Oxley regulations require that an audit trail of log files and all pertinent documentation must be retained for five years. SOX defines which records are to be stored and for how long, focusing specifically on retention of audit and accounting records that relate to the generation of financial statements that will be submitted to shareholders and the SEC. Both paper and electronic versions of this documentation must be retained. SOX does not, however, specify how they are to be stored; best practices for data protection, disaster recovery and storage management apply. That means the impact of Sarbanes-Oxley can be felt by nearly every component of IT operations, including messaging, storage, virtualization and even networking, so long as financial data or activity occurs on them. In turn, IT must be able to produce electronic records of these audit trails for compliance audits.
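To make the "implement audit trails" recommendation and the five-year retention rule above concrete, here is an added example (my own illustration, not code from the post or from any SOX guidance). It keeps a small audit trail as a hash chain, so that altering, deleting or reordering a stored record is detectable when the chain is verified, computes the earliest date each record may be destroyed under the five-year rule, and exports the records for a period the way IT would hand them to an auditor. The sample journal-entry events and the hash-chain design are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime

# Retention period stated in the post: five years for audit and accounting records.
RETENTION_YEARS = 5
# Constructed seed used as the "previous hash" of the first entry (assumption).
GENESIS = "0" * 64
FIELDS = ("ts", "actor", "action", "detail")


def _entry_hash(prev_hash, body):
    # The hash covers the previous entry's hash plus the canonical JSON of this
    # entry, so altering, deleting or reordering any earlier record changes every
    # hash after it and the alteration shows up when the chain is verified.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(chain, ts, actor, action, detail):
    """Append one audit record; ts is an ISO-8601 timestamp with a UTC offset."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"ts": ts, "actor": actor, "action": action, "detail": detail}
    entry = dict(body, hash=_entry_hash(prev, body))
    chain.append(entry)
    return entry["hash"]


def verify_chain(chain):
    """Walk the chain from the first entry; return (True, None) if intact,
    otherwise (False, index of the first entry whose hash does not match)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in FIELDS}
        if _entry_hash(prev, body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def retention_deadline(ts):
    """Earliest date the record may be destroyed: its timestamp plus five years.
    A Feb 29 timestamp rolls to Feb 28 of the target year."""
    created = datetime.fromisoformat(ts)
    try:
        return created.replace(year=created.year + RETENTION_YEARS)
    except ValueError:
        return created.replace(year=created.year + RETENTION_YEARS, day=28)


def must_retain(entry, now_iso):
    """True while the record is still inside its retention window."""
    return datetime.fromisoformat(now_iso) < retention_deadline(entry["ts"])


def export_for_audit(chain, start_iso, end_iso):
    """Entries whose timestamp falls in [start, end]: what IT hands an auditor."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [e for e in chain if start <= datetime.fromisoformat(e["ts"]) <= end]


def build_sample_chain():
    # Constructed sample events (not real data): a journal entry posted,
    # approved, and the period closed.
    chain = []
    append_entry(chain, "2021-03-15T10:00:00+00:00", "jdoe", "journal.post",
                 "JE-1042 $12,500.00 accrual")
    append_entry(chain, "2021-03-16T09:30:00+00:00", "asmith", "journal.approve",
                 "JE-1042 approved")
    append_entry(chain, "2021-04-01T17:05:00+00:00", "jdoe", "period.close",
                 "FY2021 Q1 closed")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("Q1 export:", len(export_for_audit(chain, "2021-01-01T00:00:00+00:00",
                                            "2021-03-31T23:59:59+00:00")), "records")
    print("destroy no earlier than:", [retention_deadline(e["ts"]).date() for e in chain])
    chain[1]["detail"] = "JE-1042 rejected"  # simulated alteration of a stored record
    print("after alteration:", verify_chain(chain))
```

In practice the chain head hash would be written periodically to a separate, write-once location (or signed), because an attacker who can rewrite the whole file can also recompute every hash; the point of the chain is that the stored records and the independently kept head must agree.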
The IT departments of all public companies must be aware of the key requirements of SOX, including log management, backups and all relevant electronic communications. New platforms for communication enabled by Web 2.0 technologies like blogs, wikis and social networking are introducing all-new compliance headaches, as gigabytes of data are generated through messaging and sharing. If it pertains to finance and accounting, enterprise IT professionals must track and archive it for the inevitable visit by a compliance auditor looking for log files. Increasingly, compliance officers are using event log management software to track key moments where data enters or exits an enterprise, like email systems or the addition or departure of employees with access to sensitive financial data.