Wednesday, July 18, 2007

The Impact of the US Sarbanes-Oxley Act on Records Management World Wide

As 404 looms near for small and medium size businesses, it's important to know a bit about its background, as well as chop through the jargon to help you better understand the impact on your business. With the permission of Lorraine Bradshaw and the wonderful people at www.FreePint.com, I am republishing "The Impact of the US Sarbanes-Oxley Act on Records Management World Wide", which originally appeared in FreePint No. 161, published 17th June 2004 by Free Pint Limited. Keep in mind, however, that this article is from 2004, and since then a number of technology firms have answered the call to provide simple SOx compliance solutions. Hyperknowledge, www.hyperknowledge.com, is a favorite company of mine that makes user-friendly solutions, and provides training as well.

The article is a quick read and outlines the basics of SOx. It will provide a basis for more complicated topics I will be discussing later.

Enjoy:

"The Impact of the US Sarbanes-Oxley Act on Records Management World Wide"
By Lorraine Bradshaw

Mention the names WorldCom, GlobalCrossing, HIH, Ansett, Enron and Andersen and most people will know that these former giants of the corporate world are no more. Whilst the reasons behind the failures are complex, one of the main reasons was due to poor records management practices, and in particular the retention and disposal of corporate records.

After the energy giant Enron collapsed, the role that Arthur Andersen played was investigated. Arthur Andersen, one of the "big 5" accounting firms, was retained by Enron to ensure investors could rely on the company's financial statements. But Andersen was also a major business partner - soliciting and selling millions in consulting services to Enron. Added to this conflict of interest, Andersen was also responsible for some of Enron's internal bookkeeping, and some of Andersen's executives ended up taking jobs at Enron. Whilst Andersen took the step of firing the Enron lead auditor, Mr David Duncan, after it was discovered that he had ordered the destruction and shredding of documents pertaining to the audits performed by Andersen, it was not enough to save the organisation from being charged with obstruction of justice by the US judiciary system, effectively sealing its fate.

Introduction of the US Sarbanes-Oxley Act
-----------------------------------------

In a move to eliminate perceived conflicts of interest such as that between Andersen and Enron, Senator Paul D Sarbanes (D-Md) and Republican Michael G Oxley introduced a bill to the US Senate that was quickly adopted by the Bush administration. The Bill sought to ensure that auditing firms could no longer perform non-auditing work for their clients. The services to be banned included consulting, internal accounting and information system design <http://www.accountancyage.com/News/1129572>.

The United States Sarbanes Oxley Act 2002 states that non-compliance with the rules applying to the maintenance of records is a federal crime in America and can result in a jail term of up to 20 years and large fines. The Act also governs accounting practices and specifies mandatory retention periods of five years for all audit and review work papers. Failure to keep records (in whatever format) for the specified term can result in jail terms of up to 10 years.

Complying with the Act requires that an organisation should produce, on request, authentic and reliable records and all supporting documentation. Section 1102 of the act is concerned with tampering with records or impeding official proceedings and states that:

"Whoever corruptly - (1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object's integrity or availability for use in an official proceeding; or (2) otherwise obstructs, influences, or impedes any official proceeding, or attempts to do so, shall be fined under this title or imprisoned not more than 20 years, or both." The Act can be viewed in its entirety at <http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf>.

But what has all this got to do with records management in the rest of the world?

In simple terms - any company or organisation that is an SEC (the United States Government's Securities and Exchange Commission) registrant, as well as those subsidiaries of US or European parent companies that are SEC registrants, MUST comply in full with Sarbanes Oxley.

An Introduction to Retention and Disposal of Records
----------------------------------------------------
Every organisation needs to keep records of business decisions and transactions to meet the demands of legislative and corporate accountability. With the ever-increasing use of technology to meet the growing demands of business to achieve efficiency savings, greater market share, and to communicate more efficiently and effectively with clients and customers alike, there has been an explosion in the creation, distribution and use of electronic records. However, as the Sarbanes-Oxley Act has stated, these records need to be kept for a minimum of 5 years.

Of course - the 5 years stated is for auditing records in America; depending on the country of origin for your business, you may need to keep records for alternative lengths of time. Today's paper does not hope to address the issues surrounding the retention and disposal of all records. For those of you who are interested, Information Enterprises Australia publishes an annual volume entitled "The Australian Record Retention Manual", which contains over 1660 pieces of legislation that affect the retention and disposal of records in Australia and the penalties for not doing so. If you would like more information please go to <http://www.iea.com.au>. What the US Sarbanes Oxley Act has done is to highlight the problems relating to the long term retention of records.

As we have seen, the Sarbanes Oxley act requires organisations to keep records in whatever format for as long as they are needed.

As the Director General of Australia said in 1995 "It is a fundamental tenet of our democratic society that evidence in the form of records, be created, kept, preserved and be accessible into the future. With the growing diversity of electronic records, we face a major challenge; that is, developing strategies, standards and processes to ensure electronic records are accessible for as long as they are needed."

In the 9 years since the then Director General of Australia, Mr. Nichols, made that statement, there has been a move towards that goal. However, despite many tens of millions of dollars, thousands of "person" hours and countless projects to try and solve the many issues surrounding the longevity of electronic records, there is still not a single, long term, tried and tested solution to the problem of what on earth we do with electronic records when they are no longer needed on a day to day basis, but still need to be kept for legal and/or other reasons.

Whilst there have been a few notable exceptions, few organizations have yet been brave enough to attempt an electronic archiving implementation strategy based entirely on current thinking. It is not hard to see why. Jeff Rothenberg also said in 1995 "it is only slightly facetious to say that digital information lasts forever - or five years, whichever comes first".

The problems associated with legislation like the US Sarbanes Oxley Act are complex. As more records are being generated electronically, ensuring organisations are able "to produce, on request, authentic and reliable records and all supporting documentation" is difficult.

Part of the problem is the speed of technological obsolescence of the computer hardware and software used to generate the records. Other concerns are:

Media Fragility and Version Control
-----------------------------------

Migration of records across software upgrades can render old files and documents unreadable by the later versions. "Migration is essentially a translation. With migration, as with all translations, some information is lost, no matter how skilled the interpreter. In migration, it is usually the context, rather than the data, that drops out or is improperly reconstructed in the new code. This can be crippling in dynamic formats, in relational databases, and even in simple spreadsheets".

Most people agree that if you have a paper document, preserving the object preserves the record. With e-records, people experience the record through a performance (by using appropriate software/hardware). Therefore, with e-records, if you preserve the performance you preserve the record. However, there is the issue of data migration - if the record has been migrated through various versions, the questions you need to ask yourself are:

(i) Is the version that I am viewing the version that the originator wanted me to see?
(ii) Is it in the correct format?
(iii) Can I see the object in the same way as the original creator saw it?

It is said that the key to preservation is:
------------------------------------------

(i) Actively determining what it is you want to keep
(ii) The use of standards and best practice, for example ISO 15489, PDF/A and JPEG 2000
(iii) Full documentation as to decisions made, which software was used and the records migrated or transferred
(iv) Active involvement in technology decisions: records managers, librarians and archivists should be involved at an organisational level
(v) Remember there is no silver bullet

Monday, July 16, 2007

Sarbanes-Oxley and the Small Business

Updates arriving soon. For more information, please contact me at SarbOxConsultant@gmail.com