What is This SOX Thing I Keep Hearing About?
The Sarbanes-Oxley Act, which takes its name from the two members of Congress who sponsored it, is the core piece of shareholder-protection legislation that came out of the early-21st-century financial-reporting scandals at such former giants as Enron and WorldCom. In addition to tightening financial-reporting and auditor-independence rules, SOX, as it is known in shorthand, makes it a federal crime to destroy or falsify records in order to obstruct an investigation and requires auditors to retain audit workpapers for at least five years.
Keep Your SOX Clean!
Three provisions of Section 802 directly affect a company's IT management:
Sec. 802(a) "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."
This rule is rigidly enforced: the frantic document shredding that went on during the Enron collapse added years to the investigation, and deterring exactly that kind of destruction is why the penalty is so severe.
Sec. 802(a)(1) "Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded."
Anything related to financial records and audits must be stored, accessible and unaltered for the full five-year period, and that applies to electronic documents just as much as to paper.
Sec. 802(a)(2) "The Securities and Exchange Commission shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review."
So essentially, every document connected with an audit or review, physical or electronic, must be maintained, stored and accessible for five years. Anyone who has ever upgraded their office software, or simply kept electronic documents for a few years, knows that files can degrade, and that older formats are often not readable by newer versions of the software.
The IT Headache
SOX effectively mandates that a company's IT infrastructure be able to retrieve and display records under its jurisdiction that are up to five years old. In the IT world, we know that most technology becomes outdated in less than three years, so designing backward compatibility reaching five years back can be a significant cost burden for larger corporations that routinely upgrade their systems. It is no longer possible to just unplug an obsolete record-keeping system and throw it in the trash without first transferring five years' worth of data into an easily accessed environment.
What to Do?
The Sarbanes-Oxley disposal provisions make it impractical to store financial data on individual computers for all but the smallest public corporations. Storing data this way means that as each machine is retired, the company has to invest significant man-hours going through hundreds of machines and extracting the data before moving it to another repository. Old machines cannot simply be thrown away until all relevant data has been extracted and the drives have been accounted for.
If your company saves all data to a central network location, the problem of combing through hundreds of hard drives goes away. However, whenever there is a server upgrade the same problem crops up again, at a lower frequency but on a larger scale, because the last five years' worth of data has to be migrated and safeguarded before every upgrade. And whether the company keeps its records on the CFO's desktop or on a server, there is always the risk of a hardware failure, a malware infection, or even a fire that would destroy them. One inexpensive option for a company with old data and no network storage is to keep one older machine running an open-source operating system and hold the old data there; the free office suites available for such systems have good backward compatibility with older document formats, which helps ensure records are still readable five years later.
How to Ensure Compliance
To hedge against a catastrophic loss of data, the best protection is some form of redundancy in record keeping. If a corporation maintains several offices, keeping an offline copy of the records in another office hedges against both malware and physical disasters such as fire or flood. A cheaper solution that can work equally well for smaller corporations is to buy cloud storage. The benefits of cloud storage include low maintenance costs, no need to upgrade hardware, and the fact that the records are kept off-site, protecting the data from loss in a natural disaster; the copy should be encrypted and restricted to a small set of authorized accounts, since an off-site copy that anyone can reach is not safeguarded. This is a much better solution for a small firm with a single office than keeping the redundant copy in a corporate officer's home, where the data could fairly easily be accessed by unauthorized parties.
4 Tips to Stay in the Ballpark
- Only store data in widely used formats and programs that support backward compatibility.
- Keep a separate repository where old records are stored, and can be verified as unaltered, for the full five years.
- Do not throw away or donate computers without thoroughly checking the hard drive for records and securely erasing it afterwards.
- Maintain duplicate records that cannot be easily accessed by third parties.
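The second and fourth tips above boil down to two questions an auditor may ask five years on: is this record the same one that was filed, and is it still inside its retention window? The following is an added example, not code from the article and not anything the Act or the SEC prescribes. It writes a small manifest of SHA-256 hashes and a retention end date for a set of records, then checks a stored copy against that manifest, flagging altered, missing or unexpected files. The record names and contents (SAMPLE_RECORDS) are constructed for illustration, the five-year window is counted from the fiscal period end the article cites, and keeping the manifest off-site with the duplicate copy is an assumed practice, not a statutory requirement.

```python
import hashlib
import json
from datetime import date

# Five-year window from the end of the fiscal period, as the article describes.
RETENTION_YEARS = 5

# Constructed sample records standing in for a fiscal year's audit material.
SAMPLE_RECORDS = {
    "ledger-2019.csv": b"date,account,amount\n2019-03-01,4000,1250.00\n",
    "audit-memo-2019.txt": b"Reviewed revenue recognition for Q4 2019.\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def retain_until(period_end: str, years: int = RETENTION_YEARS) -> str:
    """Retention ends `years` after the fiscal period end (ISO date string).
    A 29 February period end rolls forward to 1 March in the target year."""
    end = date.fromisoformat(period_end)
    try:
        return end.replace(year=end.year + years).isoformat()
    except ValueError:
        return date(end.year + years, 3, 1).isoformat()


def build_manifest(records: dict, period_end: str) -> dict:
    """records maps a file name to its bytes. The returned manifest lists each
    file's SHA-256 and size, the retention end date, and a hash over the entry
    table so that tampering with the manifest itself is also detectable."""
    entries = {
        name: {"sha256": sha256_hex(blob), "size": len(blob)}
        for name, blob in sorted(records.items())
    }
    table_hash = sha256_hex(json.dumps(entries, sort_keys=True).encode())
    return {
        "period_end": period_end,
        "retain_until": retain_until(period_end),
        "entries": entries,
        "manifest_sha256": table_hash,
    }


def verify(records: dict, manifest: dict) -> list:
    """Compare a stored copy against the manifest. Returns a list of findings;
    an empty list means every record is present and byte-for-byte unchanged."""
    findings = []
    expected = manifest["entries"]
    if sha256_hex(json.dumps(expected, sort_keys=True).encode()) != manifest["manifest_sha256"]:
        findings.append("manifest: entry table does not match manifest_sha256")
    for name, meta in expected.items():
        if name not in records:
            findings.append(f"missing: {name}")
        elif sha256_hex(records[name]) != meta["sha256"]:
            findings.append(f"altered: {name}")
    for name in records:
        if name not in expected:
            findings.append(f"unexpected: {name}")
    return findings


def may_dispose(manifest: dict, today: str) -> bool:
    """True only once the retention end date has been reached."""
    return date.fromisoformat(today) >= date.fromisoformat(manifest["retain_until"])


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, "2019-12-31")
    print(json.dumps(manifest, indent=2))
    print("clean copy:", verify(SAMPLE_RECORDS, manifest))
    tampered = dict(SAMPLE_RECORDS)
    tampered["ledger-2019.csv"] = b"date,account,amount\n2019-03-01,4000,125.00\n"
    print("tampered copy:", verify(tampered, manifest))
    print("dispose on 2024-12-31?", may_dispose(manifest, "2024-12-31"))
```

Run the manifest build when the records are filed and keep the manifest with each duplicate copy; re-running verify against the off-site copy on a schedule gives a record that the data was checked and unaltered, which is what a reviewer will want to see.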
Even if your company is not venturing into the dark side of accounting, establishing a track record of complying with the Sarbanes-Oxley record-retention and disposal requirements will increase investor confidence over time, and that adds far more real value to a company than a bogus profit and loss statement!