What Does Your IT Team Need to Know About SOX Compliance?
Nov 23rd, 2015 by aperio

(Part 2 in our series on IT Compliance Concerns.)

In Part 1 of our series, we discussed how the Sarbanes-Oxley (Sarbox or SOX) Act was created in response to financial and accounting fraud including the Enron, Worldcom, and Tyco scandals; who SOX compliance affects; and the possible benefits to non-public companies working toward becoming SOX compliant. In this part, our focus is on SOX compliance and the concerns it raises for Information Technology managers and their departments.

What are the primary Information Technology concerns for SOX compliance?

Sarbanes-Oxley compliance focuses on the retention of audit trails, generally in the form of log files and electronic records that contain, relate to, or comment on financial data. (These records often relate to the generation of financial statements that will be submitted to shareholders and the SEC.) According to SOX regulations, these audit trails may not be destroyed, altered, or falsified, and must be retained and auditable for five years. Sarbanes-Oxley regulations define which records to store and how long to store them.

This means that almost every aspect of IT operations will be affected. Messaging, storage, virtualization, networking, and more can all be involved as long as they relate to any financial data or activity. Additionally, new platforms for communication such as blogs, wikis, social media, and more, lead to new compliance concerns. If communication pertains to finance and accounting, IT professionals must track and archive it in order to be prepared for compliance audits.

This is a sharp contrast to the past, where an IT department’s major focus was usually on being able to restore failed systems. Now, with the additional regulatory requirements of the Sarbanes-Oxley Act, IT’s focus must also include data retention and accessibility in the event of an investigation.

What kinds of information does IT need to store with regard to SOX compliance, and how?

In general, IT needs to store the spreadsheets, documents, and emails used to arrive at final financial conclusions. Electronic media, which can include CD-ROMs and cartridge tapes, are the preferred storage methods. Some of the additional data IT needs to store according to SOX data retention regulations includes:

● Three years - Employment applications, general correspondence, credit card receipts, and employment records.

● Five years - Customer invoices, vendor invoices, purchase orders, sales records, state unemployment tax records, accident records and workers’ unemployment records, and salary records.

● Seven years - Accounts payable ledger, accounts receivable ledger, time cards, product inventory, payroll and payroll tax records, tax returns, sales tax information and returns, business expense records, bank statements, earning records. Public companies and registered public accounting firms must also maintain audit work papers for seven years, and employee promotion, demotion, or discharge records must be retained for seven years after employment is terminated.

● Permanent retention - Bank statements, contracts and leases, employee payroll records, legal correspondence, training manuals, union agreements, Articles of Incorporation, executive/board policies and resolutions, bylaws, chapter charter, state sales returns, financial statements, depreciation schedules, check registers, payroll registers, employment and termination agreements, and insurance policies.

Do non-public companies also need to be concerned with SOX compliance?

While the Sarbanes-Oxley Act applies primarily to publicly listed companies, Section 802 of the act states that private companies can be faced with fines, and their executives with up to twenty years of imprisonment for the knowing destruction, alteration, or falsification of records with the intent to impede or influence a federal investigation.

Further, if you do business with a public company, you may have found that some of these companies require their vendors to become SOX compliant.

Finally, there are advantages for private companies in becoming SOX compliant. Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program. And working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 3 in our series on IT Compliance Concerns, “Your Company and HIPAA Compliance.”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.

Making sure your business is SOX Compliant
Nov 18th, 2015 by aperio

(Part 1 in our series on IT Compliance Concerns.)

What is the Sarbanes-Oxley (SOX) Act?

The Sarbanes-Oxley Act of 2002 is a federal law that set both new and expanded requirements for public company boards, management, and public accounting firms in the U.S. It is more commonly known as Sarbox, or SOX. This act also contains some provisions for private companies, such as those concerning the willful destruction of evidence to impede a Federal investigation.

The Sarbanes-Oxley Act was a reaction to corporate and accounting scandals including Enron, Worldcom, and Tyco. Some of the factors that made these scandals possible, and that the act attempts to prevent, include auditor conflicts of interest; boardroom failures such as failure to establish effective oversight mechanisms for financial reporting; conflicts of interest among securities analysts; and more.

Who is affected by SOX compliance?

Ultimately, responsibility for SOX compliance rests squarely on the shoulders of the leaders of an organization rather than on the IT department. This means that although the IT department may prepare SOX audit statements, it will be the C-level executives of a company that face fines and possible imprisonment if penalties are assessed. SOX audit statements must be certified by the CEO of a corporate entity, reflecting this responsibility.

Section 802 of the Sarbanes-Oxley Act describes penalties for infractions:

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

For example, in one of the first fines levied under the Sarbanes-Oxley Act, CEO Calixto Chaves of Rica Foods, Inc., agreed to pay $25,000 in regard to charges that company officials certified the accuracy of the company’s annual financial statement, while knowing that these statements did not include the required independent audit report.

Are there advantages to becoming SOX compliant for non-public companies?

According to TechTarget’s e-handbook, The SOX Effect, “Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program, even if your company is not a publicly traded one typically targeted by SOX regulations.” SOX compliance is not particularly concerned with ensuring the security of data or systems. Rather, it focuses on best practices for keeping track of who has access to financial data, where that data came from, and whether that data gets changed. For instance, organizations that follow SOX best practices will perform more regular reviews of user accounts and privileges related to finance systems and data. While this certainly can require additional IT resources, it can pay off in fewer costly security incidents. Working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 2 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About SOX Compliance?”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.

Hiring Small Business IT Support for Any Type of Industry
Nov 13th, 2015 by aperio

Almost all companies will have some type of computer system that they are using. It may be something that helps them to keep track of their orders or financial information or could be something that allows them to do business online. Whatever they are doing, they are going to need to hire small business IT support to help them keep everything operating smoothly.

There are many different types of computer software that will be used with each computer system. The number of computers and much more will be very important to consider when they are using these programs. Technology is going to be very useful for a lot of companies.

As a company grows, they may add new computers to their network. They may continually grow and add new products and services also. Their customer base is going to continue to grow also.

There are many different types of things that they will need to consider when hiring an IT support company though. They need to make sure that they are a trusted company. They also have to be available when they are needed.

This is something that is very important because if the computer system goes down, they are going to need someone who will be able to get it up and running very quickly. Not all problems like this are quick to come back up though. They have several different types of things that they will have to upload and check before putting everything back online.

Every company will handle these types of things differently. Whatever they need to consider, they want to make sure that they have someone who is available at all times if they do have a problem. Many companies are going to wait until there is less traffic to their website to work on their equipment as well.

This is something that is going to be beneficial when they have to take orders. Every IT professional is going to handle these things differently though. Sometimes, the proper fix can wait until their next upgrade. Other times, the fix has to be done immediately to get the system up and running.

Keeping computer systems running smoothly is going to be very important. This is why companies will hire an IT technician to be available at all times of the day or night. The company that they hire will have to be up-to-date on all of the systems and software that they are using though.

Everybody has a lot of options for everything relating to computers. They have to make sure that they have enough storage space as well. Cloud software is something that allows them to remotely store their files so that they have a lot more free disk space.

Since technology is always changing, they have to make sure that their programming is going to be compatible with mobile devices and other types of devices that are used in the business world. This is something that is going to allow customers to access the online stores from many different types of devices.

The operating systems that are used need to be carefully considered also. Companies have many different options for every customer and employee. Sometimes, the employees have to be able to access the software in order to get their records as well.

There are many different things that a small business IT support staff is going to offer for their clients. Some of them are going to be available around the clock, while others are going to have set hours that they do this type of work. There are many factors that are going to play into whether or not they are available at certain times of the day.

How a Managed IT Services provider in Sacramento can help you
Nov 4th, 2015 by aperio

There are many different types of things that are going to be important when considering the computer systems of any type of business. There will be a lot of different types of information that is going to be stored on these, including business plans and confidential information for employees. IT managed services are going to continually track what is going on with each system to ensure that everything is working smoothly.

The team will also be able to install programs and update the system when necessary. Many companies are using the cloud for storage. This is because it frees up storage space on the computer systems that they are currently using.

One problem with this is that they need to make sure that their systems are secure. This is something that can be hacked without anyone knowing about it. It is not something that should be taken lightly either.

This is why companies are hiring IT managed services to help them with this. The companies are going to make sure that the computer systems are functioning properly and not allowing hackers to get the information. This is going to require monitoring and continual updating of the software.

Another advantage to having IT managed services is that there will be someone available for support at all times of the day. There are many different types of things that can be a problem for a user. These systems could freeze or just not function properly.

When this happens, it is important to call someone who understands how the system operates. Sometimes, this can happen due to the temperature of the hard drive though. If there are not sufficient cooling systems in place for the size of the computer system, the company can risk a lot.

They need to make sure that they have the proper equipment in place as well as having the programs that will work best for their type of company. Not every company is going to benefit from the same types of programs. This should be taken into consideration before any recommendations are made.

There are many different reasons why certain types of companies will use the same types of programs though. They want to make sure that everything is going to be compatible with their customers’ systems. This is especially true of mobile devices.

There are a lot of people who are accessing the web using their mobile phones and tablets. Not all of these are able to open certain types of programming. This is why it is important to make sure that the system is mobile friendly as well.

There can be a lot of things that customers need to know about and will be posted online. Social media websites and much more are going to allow for unhappy customers to let others know about their experiences too. This is why it is going to be very important to make sure that everyone is able to do what they need to do.

There are many different types of programs that are used for every type of computer system. It will be important to use security software as well. This is going to be something that will need to be done to the computer even if it is only used for general business for the company.

There are a lot of hackers and viruses that can harm these computers. When a company takes advantage of IT managed services, they can make sure that their computers are set up properly as well as take care of any problems that occur very quickly. This is something that is going to be beneficial to the employees as well as to the entire company.

Ways to Protect Against Data Loss
Nov 2nd, 2015 by aperio

The statistics are worrying. According to a study done by the University of Texas, slightly over 40% of businesses that experience a catastrophic data loss never reopen and just over 50% of them shut down within as little as two years.

Perhaps surprisingly, most data losses are not caused by hurricanes, floods, and fires. A study from Pepperdine University breaks down causes of data loss from most to least common:

  • Hardware failures
  • Human errors
  • Software corruption
  • Theft
  • Computer viruses

What can you do to protect your business from these risks?

Hardware failures

To avoid data loss from hardware failures, you must consistently back up your systems and data. You must also consider the hardware you’ll use for your backups. For example, tape backups are known to have a high rate of failure. You’ll want to avoid using them as your backup storage medium. Additionally, you’ll want to have your backup data storage be completely separate from your primary storage.

Human errors

You can’t completely avoid human errors. Even if your business has well thought out data policies along with clear instructions for shutting down and/or rebooting systems, your employees cannot be guaranteed to follow the policies perfectly at all times.

The best way to protect your business from these errors and from accidental deletion of files or records is to assume that the errors are going to happen, and back up your data accordingly. Key concepts for these backups are automation and retention. You need to have your backups occur automatically without human intervention. And you need to have retention of data. This means that even if errors are not identified for long periods of time, your data will be available for recovery when the errors are eventually discovered.

Software corruption

Software corruption occurs when software becomes unreadable by your computer. The causes for this can vary, and the results can be subtle and may go undetected for some time. As with human errors, the best way to protect your business from this cause of data loss is to have automated data backups and retention of data in case the errors are not found for a significant time period.

Theft

Theft involves copying data for use by competitors or actually destroying it. Copying data this way can be considered a form of corporate espionage. Our blog post, “Cyber Corporate Espionage,” discusses some of the ways you can protect your business from such attacks.

Actual destruction of data, however, is a different matter. This sort of vandalism is usually committed by a disgruntled or former employee. You can gain some protection against it by having careful policies regarding employee terminations. These should be the same for voluntary or involuntary terminations, and should include promptly disallowing former employees access to your systems. If destruction of data occurs despite your best efforts, automation of data backups and retention of data are once again your most effective ways to recover your data.

Computer viruses

A computer virus is code or a program that is loaded onto a computer without the user’s knowledge and runs against the user’s wishes. Viruses can take over computer memory, destroy data, and can often transmit themselves across systems.

To protect your business against viruses, you must have a firewall and you must install anti-virus software.

Although the risks from data loss are significant, you can take steps to minimize them. Planning for hardware failure, implementing policies to reduce the effect of human error, software corruption, and theft, and protecting your systems from computer viruses are all ways you can protect your business.
