March 20, 2009 12:00 PM
A Critical Success for SOX Compliance
The Sarbanes-Oxley Act of 2002 (SOX) has been evolving within publicly-traded companies in the U.S. for over half a decade. During this time, the importance of records management and its impact on managing the document lifecycle (document creation through disposal) and compliance has emerged as a critical success factor. Records management is an essential component in controlling business processes, assuring accurate financial reporting, and providing reliable audit findings.
By Patrick Queen, Manager, New Records Business Development, Océ Business Services
Some of the benefits that companies have realized through this evolution of SOX have been improvements in:
• Organizational governance
• Financial system controls
• Information management processes and controls
• Effectiveness of supporting technologies
• Auditing processes
Impact on Records Management
Public companies must formally document, test and assess their internal control processes, particularly with respect to the adequacy of their financial records management. The records management processes must support the accuracy of financial transactions and the accurate valuation of company assets. This includes meeting the requirements of critical stakeholders in departments such as accounting, tax, finance, and legal. Depending on a company’s business sector, there may be additional stakeholders outside of SOX compliance and risk points within its organization. For example, an energy sector company might have stakeholders in Process Safety Management, while a manufacturing company might include Health and Safety.
Even though these other stakeholders are not directly related to SOX compliance, all of the stakeholders must work together to develop a records management strategy that encompasses the entire organization. A particular record type may have a longer retention period based on the needs of a stakeholder outside of SOX compliance, but these retention requirements must be uniformly followed throughout the company.
SOX-compliant processes and procedures feed and impact systems that span Enterprise Resource Planning (ERP), Electronic Content Management (ECM), workflow and collaboration, document management, email and records management. SOX processes impact the access and management of multitudes of documents and records across the entire organization.
The Silo Mentality
Compliance processes must also be developed collaboratively between stakeholders to ensure buy-in and to effectively leverage technology. Technology solutions often failed in the past because they only addressed a portion of document lifecycle components. This silo mentality will compound any existing problems that impact managing electronic documents. In the past, IT departments focused on tool selection for specific needs. Now they must ensure that each tool works in unison with other tools and systems to maintain compliance.
For example, many companies implemented collaboration systems during their initial release nearly a decade ago. Many of the tools were designed with strengths in collaboration, while offering “light” capabilities in electronic document management, and many were devoid of any records management functionality. Now that many of these products have evolved, they offer strong tools that incorporate rich document management and records management functionality. The task of upgrading early developed products may require substantial IT support, configuration and even customization to comply with business processes and the current infrastructure within the organization. This can be as basic as ensuring that solutions include integrated authentication (Active Directory, LDAP, etc.).
In contrast to past approaches, the following are key components of a solution that will help ensure that your organization meets today’s compliance requirements.
• Compliance Audits -- In order to be SOX compliant, solutions must be auditable and companies must conduct self-audits. Electronic document workflows must be designed within the boundaries of newly-established SOX compliance rules.
• Business Process and Workflow -- It is not necessary to automate every manual process. The 80/20 rule applies well to this environment – close to 80% of compliance can be achieved by improving 20% of the processes. It is essential to understand that whenever a paper process is automated to electronic workflow, the process itself must be redesigned. One must also ensure that technology solutions include paper documents in conjunction with electronic documents. Examples include faxes, digitally signed electronic documents, and signed versions of paper documents.
• Version Control -- Version control is a necessity that was often not included within many of the early developed collaboration and document management systems. One common example is that many companies have a multitude of draft versions of a contract – whereas the official executed record is the version that matters. The company must formally agree on how to manage draft versions. This decision must be incorporated into the records management policy and the technology utilized must enable identification of the official record as well as provide the ability to enforce retention. This is no simple task, as versions could span document management systems, multiple repositories, ERP systems, collaboration tools, email systems, network drives, hard drives, etc. Fortunately, technology is now available to store version identification embedded within the metadata of the documents to ensure the official record is identified and properly managed.
• Records Destruction Legal Hold Process -- The document lifecycle process must include a legal hold process for suspending the destruction of records. At the same time that companies were figuring out how to comply with SOX, they were impacted by the changes made to the Federal Rules of Civil Procedure (FRCP) amended in December 2006. One of the changes mandates that all companies (public and private) must have a formal litigation hold program. This means that the records destruction process must cease immediately for related records upon notification of legal action. Destruction must also cease immediately upon anticipation of any reasonably foreseeable litigation. None of this can be accomplished without formal goals, clear guidance, executive commitment, good communication, employee training, ongoing assessment and enforcement processes.
• Disaster Recovery -- Disaster recovery means exactly that: recovery from a disaster. Tools and systems that are designed to address only disaster recovery cannot be effectively utilized for records management. Disaster recovery tools should never be considered a document repository or records archive. They should also never be used to prove compliance efforts.
• Records Retention -- The records management program must ensure that financial records are retained for the mandated time periods so they can ultimately support financial statements. Don’t listen to anyone who says there is one time period for all financial records. The SOX related retention requirements are only a few of the 10,000+ Federal and state laws and regulations that govern records retention. Financial records, audit reports, audit work papers, documentation of internal controls, and the multitude of other record types all have specific retention requirements. Equally important, companies must be able to locate and retrieve the records if and when they are called upon. It is not just enough to ensure records have been retained for the correct time period – what good is retention if they cannot be found?
• Electronic Records Management -- Now that many companies rely heavily on electronic data and electronic documents, it is critical that electronic records management is included in a formal compliance strategy. This involves more than adding a paragraph to the records management policy that states “this policy applies to all electronic records…” That was an inadequate solution put in place by many companies in the 1990s. It would have been better not to address the issue at all than to create policies with no procedures, no tools, no training, and no possibility of compliance. The requirements must include physical and electronic information maintained on any and all storage media. They must encompass records that exist in the form of email, voice mail and communications maintained on any messaging systems utilized by the company. Similarly, public accounting firms have records management requirements for audit work papers for their client corporations plus any related financial data and correspondence. Again, this includes email, voicemail and communications maintained on any messaging systems utilized by the accounting firm.
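The retention and legal hold rules above (longest stakeholder retention wins company-wide, destruction suspended for any record under a hold) can be expressed as a small disposition check. This is an added illustration, not code from the article or from Océ; the record types, stakeholders and retention periods are constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed retention schedule (hypothetical): years each stakeholder
# requires a record type to be kept. A SOX period and a Process Safety
# period may both apply to the same record type, as the article describes.
RETENTION_YEARS: Dict[str, Dict[str, int]] = {
    "audit_workpapers": {"sox": 7},
    "process_safety_report": {"sox": 1, "process_safety": 30},
}

@dataclass
class Record:
    record_id: str
    record_type: str
    created: date

@dataclass
class LegalHold:
    matter: str
    record_ids: Set[str]  # records frozen: notified or reasonably anticipated litigation

def effective_retention_years(record_type: str) -> int:
    """The longest period any stakeholder demands is the one the company follows."""
    return max(RETENTION_YEARS[record_type].values())

def add_years(d: date, years: int) -> date:
    # Feb 29 has no match in a non-leap year; fall back to Feb 28.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def on_hold(rec: Record, holds: List[LegalHold]) -> bool:
    return any(rec.record_id in h.record_ids for h in holds)

def disposition_run(records: List[Record], today: date,
                    holds: List[LegalHold]) -> Tuple[List[str], Dict[str, str]]:
    """Split records into those eligible for destruction and those retained (with reason)."""
    destroy: List[str] = []
    retain: Dict[str, str] = {}
    for rec in records:
        if on_hold(rec, holds):            # hold overrides the schedule entirely
            retain[rec.record_id] = "legal hold"
        elif today < add_years(rec.created, effective_retention_years(rec.record_type)):
            retain[rec.record_id] = "within retention period"
        else:
            destroy.append(rec.record_id)
    return destroy, retain
```

The retained-with-reason map is what an auditor would expect to see alongside the destruction list.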
Sanctions for Non-Compliance
SOX includes sanctions for the intentional inappropriate destruction of corporate records. The willful, premature destruction of corporate audit records can call for imprisonment of up to 10 years. Organizations must also be aware that SOX is only one of many regulatory mandates that can levy significant penalties to companies that do not comply with published records management regulations. Now it is more important than ever for companies to have a formal records management strategy put into place.
Failure to Comply is Not an Option
The introduction of SOX, recent changes to the FRCP and a multitude of other ever-changing legal mandates demand that public corporations and their legal counsel effectively manage all records and information.
As a best practice, an enterprise-wide records management program—for paper and electronic records (including e-mail)—is an essential part of the sound financial controls and internal policies needed for SOX compliance. Companies must also understand the entire realm of records management as it relates to their business sector to ensure that their compliance processes meet the SOX requirements in addition to a multitude of other constantly-changing recordkeeping requirements.
When considering the risks associated with poor recordkeeping and the challenges of properly managing and storing electronic information, it is easy to see the benefits of an effective records management plan. As recordkeeping technology and the laws governing it continue to evolve, the organizations that take strategic approaches to effective document and records management will be able to handle information more efficiently, maintain data to better support their business operations and ensure compliance with federal regulations and legal statutes. Meeting these challenges will go a long way toward avoiding the risks—civil, criminal and regulatory—associated with ineffective records management as well as toward driving success in the days ahead.
Patrick Queen, CRM, CDIA, MIT is Manager, New Records Business Development for Océ Business Services. He can be reached at firstname.lastname@example.org