This report, the sixth in our series on certification and compliance, covers the Sarbanes-Oxley Act of 2002 (SOX):
- What is SOX?
- Impact on IT Departments and Services
- Financial Data
- Emails as Business Communication
- Retaining and Storing Emails
- Knowing the ropes
What is SOX?
SOX is a set of financial sector laws that was approved by the U.S. Congress in 2002. The purpose of Sarbanes-Oxley is to “protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures,” writes Margaret Rouse of TechTarget. The Securities and Exchange Commission (SEC) enforces the regulations described within the act. So if someone/a group of people wants to do a basic company formation, then they will need to ensure that they are following these regulations or the regulations of their state.
SOX was created following several widely publicized cases of financial fraud – Enron, WorldCom, and Tyco – shortly after the turn of the century. These cases were problematic because they generally corroded the confidence of stockholders. The act, created and proposed by US Congressmen Paul Sarbanes and Michael Oxley, placed stricter parameters on corporations so that they would be held accountable. Any publicly held firm must meet the stipulations of Sarbanes-Oxley.
Impact on IT Departments and Services
This act may sound as if it only impacts the financial staff of a corporation, but tech departments and services that contain company data are implicated as well. The legislation does not describe the manner in which record storage should occur but what types of records must be retained and for what period of time. SOX notes that every record of the business, including emails and documents in digital form, must be kept on file for at least five years. Companies can be fined if they are noncompliant, and guilty executives can be sentenced to prison.
IT specialists are charged with deploying affordable storage systems that fulfill the SOX expectations. Section 802 lists the stipulations that delineate acceptable administration of digital records:
- Rule #1 describes the consequences of deleting, changing, or otherwise manipulating information.
- Rule #2 explains how long records must be saved. Rouse notes, “Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants.”
- Rule #3 discusses what kind of records must be retained, such as emails and financial documents.
Financial Data
Section 302 of SOX notes that all financial reports must be verified by two chief executives, the CFO and the CEO.
“This means that all future financial reporting must be thoroughly verified by management with more acuity than ever before,” stresses John C. Iosub of TechRepublic. Any discrepancy in the financial records can lead to legal complications for the company. As a result, a CFO of a company is expected to take on a lot of responsibilities and accountability for the finances of the organization. In the event of a vacancy in the position of CFO, it might be necessary for businesses to have an outsourced CFO to verify all financial transactions.
Emails as Business Communication
Although most people use their email accounts both for business and personal interaction, the law defines emails fundamentally as business records. All emails and attachments must be saved for five years.
Retaining and Storing Emails
Arthur Andersen used to be one of the five largest accounting companies in the United States, alongside PricewaterhouseCoopers, Deloitte Touche Tohmatsu, Ernst & Young, and KPMG. However, the firm gave up its CPA licenses in 2002, when it received a guilty verdict – eventually overturned by the US Supreme Court – for its auditing of Texas fossil fuels firm Enron. Essentially, the original decision indicated that documents had been shredded that should not have been.
The Andersen incident reminded many organizations that they needed strong record-keeping and record-storing practices. It became clearer that the SEC would not tolerate poor retention and destruction policies when the agency issued settlements totaling $10 million against six companies that were unable or unwilling to provide certain emails.
“A good retention policy cannot be selective-all documents should be saved,” comments Iosub. Everyone working at the company should be familiar with the policy. Any method and format for storage is fine, provided that it is built on strong industry-recognized standards and that the content can be accessed for five years. In fact, printouts of emails could be submitted to a court, but they would not necessarily contain all the information that is needed, e.g. routing details. It’s wise to save everything in its original form.
Email storage is not as simple as it might sound. It takes up a large amount of space. In order to be in compliance with SOX, firms must understand the necessity of saving and storing emails.
Knowing the Ropes
The Sarbanes-Oxley Act didn’t limit itself to affecting public corporations but instead had a ripple effect throughout industry. Iosub notes that companies providing services to those organizations should also be compliant. He argues, finally, that education and open discussion are critical both for compliance and credibility.
We agree with that sentiment, which is why our systems are certified through various third-party standards. SOX is just one set of standards we use. Get a quote today from the hosting company with a plethora of certifications and compliance strategies, including SSAE 16, ISO 9001:2008, ISO 27001:2013, ITIL, HIPAA, FISMA, and Sarbanes-Oxley.
By Kent Roberts
Public Domain Image of Sen. Paul Sarbanes (D–MD) and Rep. Michael G. Oxley (R–OH-4) via Wikipedia