Sarbes-Oxley Act

Introduction to Sarbanes-Oxley Act.

The Sarbanes-Oxley (also known as SOX) was passed in 2002, and is seen by many as a solution to prevent future high profile financial scandals, such as Enron and WorldCom from reoccurring. Sox protects shareholders and the general public from accounting errors and fraudulent practices within enterprises.

The SOX Act was signed on July 30, 2002 and introduced highly significant legislative changes to financial practices and corporate governance regulations. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliancies and publishes rules for requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records. Instead, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for not less than five years.

The consequences for non-compliance to the act may be fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining corporate records archives in a cost-effective fashion that satisfies the requirements put forth by legislation.

There are three sections of Sarbanes-Oxley that affect the management of electronic records:

Section 802(a): Dealing with the destruction, alteration, or falsification of business records.

Section 802(a)(1): Defining the retention period for records storage using the same guidelines set for public accountants.

Section 802(a)(2): The type of business records that need to be stored, including all business records and communications, including electronic communications.

The Sarbanes-Oxley Act states that all publicly traded U.S. companies have until November 15, 2004 to comply with the guidelines of Section 404.

Sarbanes-Oxley and Information Technology.

SOX considers that a company's internal controls are related to the automated business management software and hardware platforms they operate on. Any reports created using such packages should assume information technology-related risks and controls. According to Protiviti, an internal audit and risk consulting firm, IT processes affected by Section 404 include:

Security administration,

Application-change control,

data management and disaster recovery,

data center operations,

and asset management.

Asset management relates to the proper accounting for hardware and software acquisition, deployment, and retirement. Rather, companies have been dealing with regulatory compliance issues. This would require heightened involvement by the SEC, the Public Company Accounting Oversight Board, and potentially courts. It is extremely important that companies create well-drafted contracts that outline roles and responsibilities. IT professionals who are affiliated with the accounting practices need to understand the business concepts and be cautious of giving advice. In return, accounting firms with technology practices are taking a great cautious approach.

To be on the safe side, Edward Hill, director in charge of IT audit services for Menlo Park of California-based Protiviti says, "There should be a control expert versus someone who is more experienced in the financial applications themselves". Mr. Hill also states that Menlo Park of Protiviti need to specifically word within their contracts that it is management's responsibility for ensuring compliances under Section 404. IT challenges include verifying that information held in systems worldwide is correct and that controls are in place to prevent staff from accessing unauthorized data. Firms will have to show an audit trail of changes to their IT systems.

The technology that is needed to comply with SOX to manage records and monitor business activity, business processes and corporate performance could give firms a nice return on investment. Software vendors may or may not introduce guarantee disclaimers. One example of this is Protiviti working with PeopleSoft to develop control tools that incorporate best practices, which will help significantly with SOX compliance.

Cost of Compliance.

According to AMR Research Inc. of Boston, compliance with Sarbanes-Oxley costs a lot more than most may think. The average company spends about $1 million in SOX costs per $1 billion in revenues just to organize everything for its auditors. This is an annual event just like tax preparations but is more complicated. Approva Corp, a Vienna, VA based company puts out a product to assist with this task. The company says that its software BizRights 2.1 is based on real rules, written by real auditors and works with any SAP installation. In early 2005, Approva will add PeopleSoft's applications to its auditing process. Prices are said to start at $100,000 for this software. Although this price does seem much, it is still cheaper than doing the auditing yourself.

Are you ready to comply?

Complying with Sarbanes-Oxley Act presents number of obstacles. The Ziff Davis Media Inc. produced a survey to qualify IT executives about compliance problems. They reduced their initial 600 respondents to about 200 whose companies are required to comply with SOX and who were knowledgeable about their compliance efforts. The most predictable picture is of those who are CIOs of large companies.

According to Ziff Davis, these CIOs tend to be the most confident about their compliance efforts simply because they have the budget needed, and the IT systems and financial plans are in place to guarantee their success. Smaller companies share some of these qualities but are the ones who say they probably won't be compliant by the deadline.

...