The Sarbanes-Oxley Act, commonly referred to as 'SOX', was signed into law on July 30th, 2002 and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".
The legislation came about after a round of highly publicized corporate scandals rocked the corporate world in the opening years of the new millennium; the most notable of these included the Enron collapse and subsequent revelations of accounting irregularities at WorldCom.
At the risk of oversimplifying a landmark piece of legislation and speaking strictly as it relates to information technology, data backup, management processes and disclosures, the act contains several key sections.
Sections 103 and 104 are closely related and provide details about the length of term (7 years) that accounting and auditing entities must retain all documents and data relating to audit reports of companies required to comply with SOX. While the physical paperwork can be maintained in various ways, electronic backup of digital records is highly advisable considering that investigators usually demand all versions of documents in their analysis. With encrypted, secure offsite backup of these files, they are protected from prying eyes or malicious intent, and virtually any version of a file can be retrieved very quickly for comparison, and for building the paper trail that proves that control processes were properly followed.
Section 105 addresses the confidential nature of the accounting and audit files prepared for and received by an organization's board of directors. Again, digital backup copies are the best bet for preserving these files because they can be encrypted and compressed prior to storage, and with the best [offsite] backup solutions, remain encrypted and compressed in storage until they are restored to the original source location. This makes it virtually impossible for the contents of these sensitive documents to become known to, or to be 'restored' by, anyone other than authorized individuals, clearly a critical piece of the compliance puzzle with regard to accounting and auditing firms.
Section 302 of the eleven-section law is entitled "Corporate Responsibility for Financial Reports" and is important because it places the responsibility of attesting to the content, accuracy, and (perhaps most importantly) the authenticity of financial reports issued by the organization squarely on the shoulders of executive management and the board of directors at public companies.
Section 404 also places additional responsibility on senior management and corporate officers, but it has implications that extend deep into the rank-and-file of the company as well. Initially, Section 404 seems to simply require an addendum to the company's annual report. This addendum, referred to as an internal control report, states that management is responsible for maintaining an adequate internal control structure, and it must also include management's assessment of the control structure's effectiveness.
The loss of data from any critical systems during the reporting processes can send the entire compliance scramble into a tailspin, and at the very least the corporate stewards will be required to log this deficiency in their periodic reports. In light of the contempt with which Congress has met previous corporate cover-up activity, the permanent loss of potentially revealing data in this manner could well be seen as a federal-level "dog ate my homework" plea. Unfortunately, the media can act as a catalyst for speculation, spinning what might truly be an unfortunate event into a story that sends investors scrambling.
The bottom line? Compliance with Sarbanes-Oxley depends heavily on reports created from sensitive data, without even the appearance of impropriety in their compilation. These reports must be generated from actual, factual data, with strict access and process safeguards all along the way and executive-authorized documentation to attest to the existence of, and adherence to, these safeguards. Remotely backing up the data that is crucial to the creation of these reports ensures that localized hazards such as fire, theft, or opportunistic or vindictive employees are neutralized, and that the mission-critical reports can be drawn from original data.