Summary:

The illicit transgressions by Enron and others like it in the late 1990s led to regulations created to standardize the trustworthiness of financial institutions and public companies. Companies facing SOX compliance will need to consider the following: what are the best practice processes, how do these processes differ from existing practices, how should new processes be implemented, and how can short term processes be balanced with longer term strategic goals?

A World Before SOX:

The enterprise world had a rude awakening after a series of well-publicized corporate financial scandals. Many stories of misappropriated corporate dollars surfaced in the late 1990s involving the likes of Enron, Tyco and WorldCom. Legislation soon responded to the multitude of gross transgressions committed by the upper echelon management of the enterprise world.

Offenses committed by these industry heads ranged from extravagant multi-million dollar trips to exotic locales, large private gifts to spouses and shuffling company funds to bankroll other investments. The corporate world needed to be held accountable for its misdeeds. SOX (the Sarbanes-Oxley Act), or the Public Company Accounting Reform and Investor Protection Act of 2002, came to fruition to improve corporate governance and help police possible future misdeeds.

The 2002 Sarbanes-Oxley Act requires publicly traded entities to define, evaluate and document processes which lead to senior management accountability. SOX requires that audits or substantial verification controls be in place to ensure senior management is held culpable for their financial actions.

Why Should Privately Held Businesses Care About SOX?

While SOX applies directly to publicly traded companies, those privately held businesses who wish to do business with businesses traded on exchanges like the NASDAQ must also become Sarbanes-Oxley compliant.

Many large public corporations will simply refuse to do business with privately held companies who are not SOX compliant. Private firms who want to do business with large public entities are now also thrown into a SOX compliant landscape.

SOX affects a broad range of industries that "touch" the information of those traded firms; they include, but are not limited to:
- Attorneys
- Accountants and auditing firms who review company financial statements
- Brokers or dealers and their employees
- Security companies handling electronic transactions
- International businesses who operate in the United States

Acceptance of SOX by private companies is not an issue, as "73% of private company CEOs said SOX has done at least a decent job of improving financial governance and transparency for public companies."(1)

Who's Responsible for SOX Communication Compliance?

SOX requires incoming and outgoing correspondence be monitored. Depending on the business's structure, communication exchanges can be monitored by the Chief Compliance Officers (CCOs), Chief Information Officers (CIOs) and Chief Risk Officers (CROs). These executives are responsible for the security, accuracy and the reliability of the organization's reporting and messaging systems.

Well-groomed organizations have policies set in place by their high level primary officers outlining what sorts of information may or may not be communicated outside a department and outside the organization. While these rules exist, firms often don't take the necessary steps to make sure employees within the organization understand these rules and their importance.

What are the Key Elements of SOX Which Relate to Electronic Data Storage and E-mail Security?

- SOX Section 404: Financial spreadsheets and reports must be safeguarded from being falsified or accidentally or deliberately redistributed.
- SOX Section 409: Real time disclosure of material that impacts the company's finances must be reported within 48 hours.
- SOX Section 802: Guarantees that documents and records are not altered.
- SOX Section 1102: Corrupting, altering, mutilating, destroying or concealing records are violations. Those found guilty of obstructing an investigation or official proceeding will face 20 years in prison and fines.

The Sarbanes-Oxley Act focuses on corporate governance, accountability and the reporting practices of publicly held companies. Yet the act also impacts private firms that one day might become public and those who do business with publicly traded companies.

What are the Holes in Your SOX Compliance?

While sharing information online is a convenient luxury of e-commerce, it also creates a great vulnerability as information, data and correspondence are traded from business to business. Data and email exchange can pose both SOX compliance and privacy concerns.

This errant misuse of company information isn't exclusive to U.S. companies. Staff at 18% of large UK firms gained unauthorized access to information during 2005, the report says. Nine per cent of those large firms saw staff misuse restricted information.(2)

How Can Your Firm Sew Up its SOX Holes?

Executive management seeking to be SOX compliant must have the fortitude and commitment to strategic planning and execution of the Sarbanes-Oxley Act's directives. The firm's CEO, CFO, CCO/CRO and CIO must cooperate and have demanding attention to detail when establishing policies to be SOX compliant.

The need for creating and implementing strong electronic data and email retention policies and compliance in line with SOX has never been greater than in today's fluxing electronic business world.

Email is not necessarily secure against interception. Whether or not email is encrypted in transmission depends on your software. It is therefore our policy not to send emails to you that contain identifiable information about you, your household, or business.

Andy Purdy, acting director of the National Cyber Security Division of the Department of Homeland Security, in a 2006 interview with CNET identifies the importance of protecting a company's important digital assets:

"Small businesses and large enterprises and the government are all important when trying to reduce the cyber-risk. We're trying to raise awareness with partners of the responsibility and techniques consumers can use to help secure their systems..."(3)

Before Sarbanes-Oxley, corporations saw a gross abuse of executive power at the cost of earnest growth in business. Today, stiff criminal and civil penalties for violations of securities law will be instituted against companies who do not meet SOX standards.

How can private firms flourish in today's email reliant arena while being SOX compliant? Introducing strong compliance policies in line with SOX which include firewalls, up-to-date virus protection, encryption and email anti-theft measures can help a business work cooperatively with publicly traded companies.

Benefits of Email Anti-Theft Software

Implementing email anti-theft allows a company to grow in credibility, reputation and trust; all factors which lead to increased clientele and revenue.

With security measures to keep company correspondence as well as protect outbound email, SMB firms can be both prudent with their technology budgets and well-armed with the tools and resources necessary to be industry compliant. Clients will feel more secure about sharing their personal information with compliant SMB offices, paving the way to better and safer communication.

End Notes:

1.) Rob Preston, "Time to Regulate the Regulations," Information Week, 27 February, 2006, 78.