Sarbanes-Oxley: 7 Years of Shaping Compliance and Technology

The Sarbanes-Oxley Act of 2002 (SOX) can be considered the most significant compliance standard of our time.  Since the passing of the legislation 7  years ago, companies have had to rethink the way they use technology to store company data. This transformation has been anything but an easy ride for companies today, and has significantly impacted the role of the CIO within an organization.


SOX changed how businesses operate, which led to a need for comprehensive information. We live in an age of information and compliance—CEOs, CFOs and CIOs now understand that information is the lifeblood of a company. Non-compliance with SOX is now a federal crime and can result in punishment of up to 20 years in prison.  CIOs are now dealing with increased pressures to implement a successful records managements and storage strategy. In addition, senior managers and industry analysts have an increased awareness of the importance of records management. 


CIOs and IT managers are now working hand-in-hand with business executives to ensure compliance. Additionally, CEOs are experts in risk analysis as it applies to business. Now CIOs and CEOs must carefully weigh the costs and benefits of implementing strategies that take into account the new requirements of the act. As the necessity for compliance becomes more urgent, a renewed interest in records management solutions and the hiring of professional record managers becomes more prevalent.


SOX and Compliance Technology: Now and Then

Today, companies have a high-level of concern regarding data management and compliance.  This hasn’t always been the case.  U.S. companies, in the wake of SOX passing 7 years ago, were left struggling to determine which types of data needed to be archived in order to comply with the new regulations.  In an effort to comply with SOX, most companies adopted a “store everything” approach—leading to increased storage costs and unmanaged records.  Storing all data that flowed through the company proved to be an unsuccessful way to manage company records and comply with increasing regulations.


 Companies today are under close scrutiny and pressure to comply with SOX, resulting in a complete transformation of their data storage processes and a switch to more efficient and secure methods.  Complying with the act requires that companies produce, on request, authentic and reliable records in a timely fashion.


 In today’s stormy economic climate, companies need to understand how to avoid unnecessary costs and make the most out of the IT investments by using data management systems that not only meet compliance needs but provide a competitive advantage.   Leading companies are using their compliance efforts to strengthen corporate governance, expand internal accountability, increase oversight into their corporate practices, and increase the independence of their external auditors. Companies that plan and strive for long-term sustained compliance will ultimately increase efficiency, improve business and IT alignment and reduce associated IT costs. Through this alignment, and effective risk management, companies can begin to move toward true IT governance.


Complying with SOX through Records Management

Meeting the requirements of the Sarbanes-Oxley Act can provide indisputable benefits for organizations. Critical to meeting SOX requirements is a records management system. Managing records, regardless of their format, is enabled by a records management system that can support the application of appropriate business rules, such as naming and filing standards, retention policies and cross referencing. Defining such a system is not an insurmountable task but one that requires resources, training, a culture for sustaining organizational change, and a fully supportive CEO.


Records management is not simply about the collection of paper or other physical objects. It is about applying philosophies and business rules to the management of information as dictated by legislative, audit, quality, regulatory and corporate requirements to maintain and preserve access to corporate information. Many organizations make the mistake of treating paper and electronic documents as separate entities, primarily because of their format.


However, avoiding the management of digital records is not an option. The cost of not implementing records management can result in the collapse of an organization, huge fines, imprisonment, loss of investment funds and loss of jobs.


An effective implementation of records management is not a simple or isolated process. It demands significant business process change and re-engineering. It requires a thorough analysis of how an organization conducts business. Likewise, it requires recognition at the most senior level that records management is pivotal to the entire information management structure. Changes should begin by analyzing business processes to identify activities and transactions, and to show where records occur. Records critical to an organization, regardless of format, application or jurisdictional area in which they are produced, must be classified; security and access controls applied, and retention policies developed. At the same time, internal, legal and regulatory requirements must be considered. These decisions must be made before records are created.


Some industries have already embraced modern records management, as evidenced from the adoption of products such as HP TRIM software.  By using solutions such as HP TRIM software, companies can reduce compliance risk while increasing information security, data integrity and organizational productivity. Companies that have modern records management practices have a powerful business reason for doing so. In the private sector, these organizations include pharmaceutical companies, healthcare organizations and utilities where there may be significant penalties for failing to meet legislative requirements.


The increase of regulation from the Sarbanes-Oxley Act has forced companies to not only rethink their records management solutions, but also it has forced them to transform their data security solutions. The increase in compliance requirements and privacy restrictions means security is no longer an option, but a requirement for organizations of all sizes–big and small. 


Storage Security and Sarbanes-Oxley

Storage security, in addition to records management, has become critical as organizations of all sizes are being forced to collaborate and manage large amounts of business sensitive data for compliance. The possibility of data loss, both from confidentiality and availability perspectives, is detrimental for organizations, particularly in today’s business climate. Beyond legal ramifications, the financial and reputational costs of data breaches can be irreparable.


Storage solutions are evolving with dynamic business demands and now offer improved storage security features to enable customers to mitigate risk. Data encryption for both disk and tape, combined with key management ensures business’ critical information is secure, yet still easily accessible. Automating data security functions allows customers to simplify the management of compliance-related operations as well as fully leverage information they need to grow their business.


Market adoption of encryption began with financial institutions, federal government and retail industries, but will continue to be driven by the healthcare, state/local government and small and mid-sized business  markets. When looking for security solutions, customers generally favor large IT vendors for their experience and breadth of portfolio to address security from the desktop to the data center. Some vendors also provide validation to enable audit trails for compliance to industry regulations as well as future integration of encryption across an organization to enable end-to-end protection.


The Solution: Information Management and Secure Storage

It is clear that the Sarbanes-Oxley Act has significantly impacted U.S. companies as well as data management technologies over the past 7 years. It is important for companies today to assess the risks of non-compliance and opt for the necessary business process changes for the integrity of corporate records. An effective information management strategy combined with secure storage solutions provide the necessary protection and support in the event of litigation as well as ensure business continuity.