
SOX and ITIL covering your Sarbanes-Oxley bases

June 13, 2008

As a result of the corporate management and accounting scandals of 2000 to 2002, the corporate accountability bill sponsored by Senator Paul Sarbanes and Representative Michael Oxley was passed into law in 2002. In general it contains a number of provisions that impose obligations on public corporations designed to ensure transparency of operations and accountability. These provisions are designed to address specific business processes, and ensure that auditable records are retained. Because records and transactions today are heavily digitized, the result is a considerable impact upon the IT environment, particularly in storage processes. Although the principal targets are financial documents and financial reporting, it is clear that the overflow effect will be to include an ever-increasing variety of materials that may be used to support those materials.

The Securities and Exchange Commission (SEC) required publicly traded companies with market capitalization over $75 million to meet major Sarbanes-Oxley compliance directives by November 15th of 2004, with smaller companies having until July 15th 2005 to comply. One study has suggested that large and medium-sized companies will spend upwards of $2 billion through 2005 to become Sarbanes-Oxley compliant. Other estimates put the figure at $6 billion by 2007 on storage infrastructure alone.

The immediate impact of the Act within the storage area is in its Title VIII, Section 802, which provides penalties for destruction, alteration or falsification of records, and prohibits destruction of corporate audit records. The records covered are as broadly defined as any that may be required in a federal investigation or bankruptcy proceeding. While financial records are the principal interest, other records such as communications regarding transactions and documents relating to projects may also fall within the Act’s purview.

The effect upon storage processes is that all documents must now be protected against wilful deletion, alteration or destruction, with the burden of proof on the corporation to prove that alterations have not taken place. Documents that are relevant to an audit or review need to be retained for a period of seven years; because the scope of a review cannot be determined in advance, this could potentially include communications, project documents, memos, plans, specifications, and pronouncements.

While traditional data backup and storage processes have been targeted toward speed, efficiency, and disaster recovery, the new provisions require an additional level of archival management, including the capability to search through vast numbers of records for relevant data as well as ensuring the integrity of data storage. Saving e-mail correspondence also becomes critical, though this has often been overlooked in the past. As with other documents, e-mail must be stored in a way that is accessible, in this case including attachments. Storage must be unalterable, and it must include all relevant e-mail, while at the same time excluding the millions of spam messages and viruses whose inclusion would create an impossible burden.

In addition to the specific impact areas, Title IV, Section 404 of Sarbanes-Oxley – Management Assessment of Internal Controls – requires verification that appropriate infrastructure is in place. This imposes a requirement to audit IT systems, including storage, to ensure data security and integrity. The audit procedures are generally based on formalized frameworks, the most common of which are COSO (The Committee of Sponsoring Organizations of the Treadway Commission) for financial reporting and COBIT (Control Objectives for Information and Related Technology) for IT management. As companies move on from the “quick fix” solutions adopted to meet immediate compliance requirements, Section 404 is becoming increasingly important. In addition to imposing a burden, however, this can be used as an opportunity for strengthening procedures and ensuring that data storage is sufficiently robust to meet external auditing standards.
