Skip to content

SOX Impact on IT

June 15, 2008


In general, IT managers need to develop a better understanding of internal controls, understand their company’s Sarbanes-Oxley compliance plan, develop a plan to address IT control elements in the overall plan, and integrate the IT plan into the overall compliance strategy.

Sarbanes-Oxley and other regulatory legislation place a requirement on storage that it should be robust, unalterable, searchable, and exist over a lengthy period of time. This results in a host of consequent considerations affecting every area of storage technology as well as related business processes. Some of these areas are:

  • Reliability. Data must be able to be brought online at any time during a period of seven years or more. Reliability must be high enough to satisfy legal requirements of availability and to ensure that large penalties will not be incurred due to data not being obtainable.

  • Heightened performance. Requirements for storage are dramatically increased due to the need to store a large amount of data, in accessible form, for long periods of time. Automated capture and storage of financial data is of particular importance. E-mail adds to this burden, as messages and message threads are likely to include thousands of items each, with the number of items to account for reaching, potentially, hundreds of millions.

  • Increased security requirements. Security measures must not only prevent data destruction and ensure recovery is possible, but also preclude interference with stored data. This not only affects the backup software, but also the mechanism and media used. Backup data needs to be secured against access just as though it were data in use.

  • Scalability. The amount of managed data required to meet these demands is likely to increase exponentially, particularly for large enterprises with high financial transaction volumes. More data will have to be stored for a longer time each year. To this will also be added a new range of content, such as multimedia, particularly in the form of presentations and recorded videoconferences.

  • Migration options and open standards. These need to be considered to ensure that data stored today will be accessible tomorrow as the organization’s data storage infrastructure evolves. This is particularly important with the growing trend toward software “activation” and limited installation options. For document management products, if the vendor goes out of business and the original application has been removed, stored documents may no longer be accessible.

  • Business processes. All processes relating to storage need to be reviewed and modified to meet the new demands. Auditing procedures for storage must be developed to ensure that it continues to meet reporting requirements, and procedures for access control to stored data need to be put into place. This area, related to Section 404 of Sarbanes-Oxley, is likely to have the largest long-term impact, because it requires business processes involved with storage to be opened to external audit controls.

E-mail storage represents a particularly difficult problem in compliance. It has been estimated that over 50 billion e-mails are sent per year, and this number is climbing. An Osterman Research Survey shows that the average information worker sends and receives over 19,000 e-mail messages each year, and stored messages are growing by 37 percent annually – a percentage established before the more rigorous demands of Sarbanes-Oxley. E-mail has normally been stored online or moved to tape backup in the same manner as ordinary documents. Users are more likely to keep as much as possible online, though over 80 percent is never viewed after 30 days from receipt. This practice grows personal storage requirements, and also makes e-mail more difficult to backup and manage. Even where global backup to tape is possible, The Radicati Group reports that each dollar spent on storage disk space requires an additional $15 in management.

Specific Impact on IT

Sarbanes-Oxley contains a number of provisions of special relevance to IT. The Act specifies that public accounting firms must “prepare and maintain for a period of not less than 7 years, audit work papers and other information related to any audit report, in sufficient detail to support the conclusion reached in such report.” This will inevitably require public companies to maintain backup records. Another specific provision is that it is a crime for “any person to corruptly alter, destroy, mutilate or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding or to otherwise obstruct, influence or impede any official proceeding.” This broader statement will force enterprises to store all data because it cannot be determined in advance just which materials might be required in an investigation.

Sections of specific relevance are:

Title I, Section 103: Auditing, quality control, and independence standards and rules.

The company’s auditor must maintain all audit-related records for seven years. While this is specifically targeted at accounting firms, it is also likely to impose similar requirements on public companies whose results are being guaranteed by those accounting firms, which will include all public companies.

Title II, Section 201: Services outside the scope of practice of auditors.

Firms that audit a company’s books cannot also provide IT services. This means that IT services used in recordkeeping can no longer be provided by the auditor.

Title III, Section 301: Public company audit committees

Companies must provide systems or procedures that permit whistleblowers to communicate confidentially with the company’s audit committee.

Title III, Section 302: Corporate responsibility for financial reports

The CEO and CFO must both sign statements verifying completeness and accuracy of financial reports. This makes them personally responsible, and imposes penalties, thus being more effective than a simple fine.

Title IV, Section 404: Management assessment of internal controls

The CEO, CFO, and auditors must all attest to the effectiveness of internal controls for financial reporting.

Title IV, Section 409: Real time issuer disclosures

Companies are required to report changes in financial conditions on a rapid and current basis, for “real-time disclosure.” This makes it necessary to provide facilities for search and retrieval of documents and messages.

Title IV, Section 802: Criminal penalties for altering documents

Companies must ensure that authentic, immutable records are retained, and adequate retention infrastructure is in place.

Similar Recent Legislation

Sarbanes-Oxley represents only the tip of the iceberg when the recent spate of regulations affecting IT procedures is also considered. Sarbanes-Oxley is primarily distinguished from the other regulations by two things. First, it is global, in that it is applied directly to public corporations of all types, and will gradually become a factor to all organizations doing business with them… effectively including most companies of any size. Second, instead of the usual fine, it imposes jail sentences for non-compliance. Many previous regulations have been under-enforced, so companies have grown accustomed to considering whether the rules should be followed on the basis of a compliance cost-versus-risk assessment. Sarbanes-Oxley is different, however, in that executives are unwilling to risk a custodial sentence at any cost.

However, in addition to Sarbanes-Oxley, there are numerous regulations impacting the IT environment, ranging from those focusing upon vertical industries — such as healthcare — to those focusing upon specific corporate activities (generally, finance). Additionally, they exist at all levels of government, from federal down to the municipal level. For this reason, it is important to develop a general compliance strategy, in addition to addressing the requirements of the most prominent regulations.

Among the most important regulations that need to be considered are Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and financial services regulations SEC17a and NASD 3010. All of these require organizations to be able to quickly produce e-mail as a part of the discovery process in litigation, audits, and investigations.

HIPAA, which comes into force in April 2005, requires that all patient information, authorizations, policies, procedures, and contracts with business associates be retained for at least six years. This information must also be stored in a data center that provides minimum guaranteed uptime and high security. The SEC regulation SEC 17 CFR 240, which came into effect in May 2004, requires that all communications between stockbrokers and clients, including e-mail and instant messaging messages, be retained for three years and be easily accessible for the first two years.

The Enterprise Strategy Group (formerly Enterprise Storage Group) has estimated that as many as 15,000 laws and regulations have IT compliance components.

Regulations of this type are now proliferating around the world, as can be seen in


Applies to:

European Data Privacy Directive

Companies doing business in Europe handling Personally Identifiable Information




U.S. businesses handling medical records


Banks and financial services companies doing business in the U.S.

DoD 5015.2 (Standard)

U.S. Department of Defense

U.S Federal Agencies

Business dealing with U.S. Federal Agencies

Public Records Office Standards

Companies doing business in public sectors for various countries

Patriot Act

Companies doing business in the U.S.


U.S. public companies and private foreign issuers

SEC Rule 17a-3/4

U.S. companies engaged in broker-dealer activities

CA Breach Law

U.S. companies doing business in CA handling Personally Identifiable Information

NASD 3010, 3110, NYSE 342

Member companies

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: