17 Feb Guide to Sarbanes Oxley Compliance
Navigating Sarbanes Oxley
Sarbanes Oxley Compliance seems like a difficult concept, but at its core it is simple to explain. For all of its complexities and sophistication, a substantial portion of the global financial markets is based on one simple concept – trust. Without at least some level of trust in the global stock exchanges and the companies that populate those exchanges, the whole system breaks down. After all, would you put your money into an investment that you didn’t trust?
Enter the Sarbanes-Oxley Act of 2002. The Sarbanes-Oxley Act was created and passed in response to a series of financial scandals at companies like Enron and Arthur Andersen, two companies that no longer exist and which grossly misstated financial results to Wall Street, which resulted in many investors losing their capital and caused significant distrust of financial systems. Sarbanes Oxley, or SOX as it’s commonly known, was enacted for good reason, namely to compel public corporations to validate and attest to their financials as stated in their quarterly and annual reports.
The Challenge of Sarbanes Oxley Compliance
But Sarbanes Oxley compliance entails much more than the requirement for a few signatures. SOX compliance requires data to back up those signatures, which in turn creates a range of data retention and compliance requirements for IT staffs to deal with. And for many public companies, those requirements can be difficult to keep pace with.
Like a lot of other regulatory statutes, SOX doesn’t specify exactly how companies should achieve compliance, but rather leaves it up to them to achieve compliance via whatever methods work. SOX merely defines what kind of data is required for compliance, and how long those records need to be retained. But even then, the requirements are far-reaching; companies that are subject to SOX are essentially required to keep all relevant business records for at least five years, and they must maintain the security and integrity of that data during that time. And because some companies didn’t take the pre-SOX reporting requirements seriously enough, SOX non-compliance has teeth, with penalties ranging from fines to imprisonment.
Understanding IT’s role in SOX Compliance
For the most part, the data retention requirements in SOX are more or less straightforward. In essence, SOX requires IT to create and maintain a repository for SOX-related financial and business records. And in addition to the need for a data archive, there are additional requirements around the handling of that data, such as:
- Financial and business data must maintain a level of security and integrity such that it can’t be destroyed, altered or falsified.
- That data, as noted above, must be stored for a period of not less than 5 years, preferably using the same guidelines that public accountants follow.
- Specific records, as defined by SOX, must be retained. The list of documentation is quite extensive, and includes not only financial records but communications and other supporting documentation. Where those records are to be located within a given corporation, of course, is up to that company’s IT organization to determine.
IT organizations, then, are tasked with locating, retaining, and securing this data. And that’s where the challenge arises – the data itself isn’t terribly complex in terms of any single document, but in most public companies it’s a question of scale. There are simply so many documents, located in so many potential places, that complexity arises just from the coordination and classification of that data.
Developing a SOX Compliance Program
SOX compliance won’t be achieved by taking a casual approach. As noted above, the scale of the data to be archived, the complexity in determining which data needs to be archived, and the need to secure that data require a consistent, professional approach.
Classifying Your Data
Data classification is normally the first step, whereby relevant data is identified, along with its location and sources. Depending on the size of the company, this can be challenging in and of itself, and typically involves the coordination of different groups within the company, such as legal, finance, business operations and IT.
Once the right data is identified, there are a number of tools that can aid with the automation of data classification and discovery, so that new data is identified as it’s created, and is automatically retained. But in order for those tools to be effective, they need to be ‘trained’ and refined in order to consistently identify the right data.
Securing Important Data
Closely associated with data classification efforts is the crafting of security policies and controls related to the management of that data once it’s identified. Again, the SOX standard doesn’t explicitly direct you as to what controls need to be implemented, only that the correct end result of data security and integrity is achieved.
To that end, you’ll probably need to look at various security controls in areas such as data encryption, logging, and identity and access management, to name a few. You’ll need to be able to show that the data that was retained was controlled and accessed only by those people and systems with a legitimate need for access, and you need to be able to confirm the integrity of the data under management.
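One concrete way to be able to confirm the integrity of retained records, as the paragraph above calls for, is a tamper-evident manifest: hash every record at archive time, chain the digests so that any alteration, deletion or insertion changes a single head value, and re-verify the archive against that manifest during audits. The following is an added example and not code from the original article; the record names and contents are constructed sample data, and it assumes the manifest (or at least its head digest) is kept somewhere the archive writers cannot modify.

```python
"""Tamper-evident integrity manifest for an archive of retained records.

Added example, not from the original article. The record ids and
contents below are constructed sample data. Assumption: records are
stored as bytes keyed by a stable record id, and the resulting manifest
is written to a location the archive writers cannot change.
"""
import hashlib
import json

# Constructed sample archive: record id -> retained content (bytes).
ARCHIVE = {
    "2023-Q4/general-ledger.csv": b"account,debit,credit\n1000,5000.00,0.00\n",
    "2023-Q4/board-minutes.txt": b"Minutes of the Q4 board meeting.\n",
    "2023-Q4/cfo-email-0001.eml": b"Subject: Q4 close\n\nNumbers are final.\n",
}


def record_digest(record_id: str, content: bytes) -> str:
    """SHA-256 over the id and the content, so a record cannot be silently renamed."""
    h = hashlib.sha256()
    h.update(record_id.encode("utf-8"))
    h.update(b"\x00")  # separator so the id/content boundary is unambiguous
    h.update(content)
    return h.hexdigest()


def build_manifest(archive: dict) -> dict:
    """Hash every record and chain the digests in sorted-id order.

    Each entry's chain value covers the previous chain value, so altering,
    removing or inserting any record changes the final 'head' digest.
    """
    entries = []
    prev = "0" * 64  # genesis value for the chain
    for record_id in sorted(archive):
        digest = record_digest(record_id, archive[record_id])
        prev = hashlib.sha256((prev + digest).encode("ascii")).hexdigest()
        entries.append({"id": record_id, "sha256": digest, "chain": prev})
    return {"entries": entries, "head": prev}


def verify_archive(archive: dict, manifest: dict) -> list:
    """Return a list of human-readable findings; an empty list means the archive is intact."""
    findings = []
    expected_ids = [e["id"] for e in manifest["entries"]]
    for record_id in expected_ids:
        if record_id not in archive:
            findings.append(f"missing: {record_id}")
    for record_id in archive:
        if record_id not in expected_ids:
            findings.append(f"unexpected: {record_id}")
    # Re-derive the chain from the manifest's own digests so that edits to the
    # manifest itself are also detected, not just edits to the records.
    prev = "0" * 64
    for entry in manifest["entries"]:
        rid = entry["id"]
        if rid in archive and record_digest(rid, archive[rid]) != entry["sha256"]:
            findings.append(f"altered: {rid}")
        prev = hashlib.sha256((prev + entry["sha256"]).encode("ascii")).hexdigest()
        if prev != entry["chain"]:
            findings.append(f"manifest chain broken at: {rid}")
    if prev != manifest["head"]:
        findings.append("manifest head digest does not match entries")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(ARCHIVE)
    print(json.dumps(manifest, indent=2))
    print("clean archive:", verify_archive(ARCHIVE, manifest))
    # Simulate a later audit over a copy in which one record was changed and one removed.
    tampered = dict(ARCHIVE)
    tampered["2023-Q4/general-ledger.csv"] = b"account,debit,credit\n1000,50000.00,0.00\n"
    del tampered["2023-Q4/cfo-email-0001.eml"]
    print("tampered archive:", verify_archive(tampered, manifest))
```

The manifest is only as trustworthy as its storage: if the same people who can edit records can also regenerate the manifest, it proves nothing. Writing the head digest to an append-only log, or signing the manifest with a key held by the audit function rather than the archive operators, is what turns this check into evidence an auditor can rely on.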
With all of the focus given to data classification and security, one component is often overlooked – data management. While SOX spells out what kind of data must be retained, the actual amount and form of that data can vary dramatically from company to company. Just as no two companies do business the exact same way, so too the tools they use often vary, and different business processes will create different amounts and types of data.
That’s why it’s critical to involve data storage and management experts in your SOX compliance efforts early and often. Depending on the size of your company, data volumes can range from challenging to truly monstrous. The right data storage expertise can help you find tools to compress, manage and store massive amounts of data in a cost-effective way.
Finding the Right Staff
The biggest issue with Sarbanes Oxley compliance, like many requirements, lies in the amount of coordination and time it takes to achieve compliance. And, like a lot of regulatory initiatives, Sarbanes Oxley compliance comes with its own set of nuances and details that are hard to identify for those unfamiliar with the standard.
That’s why it’s key to identify IT professionals that can blend general IT expertise with specific experience in Sarbanes Oxley compliance initiatives. In fact, many public companies maintain entire compliance and audit-support staffs that are explicitly and exclusively tasked with maintaining compliance. Smaller companies may not have that luxury, but the requirement doesn’t take corporate resources into account.
The key is to identify the right amount and experience level required for your company. A trusted Remember, Sarbanes Oxley compliance can be a difficult and complex process, but it doesn’t have to be. And with the right partners and resources, you can manage your compliance and business objectives simultaneously and successfully.