In July 2002 President Bush signed the Sarbanes-Oxley Act into law following a slew of corporate scandals, including those at Enron, Tyco and WorldCom. The Sarbanes-Oxley Act was developed to address flaws in the way corporations have been reporting their financial information for decades.
The measure not only affected the financial side of corporations but also left IT managers with a cloudy picture of how Sarbanes-Oxley will impact their operations. Some of the questions the new legislation raised include:
- What types of data need to be archived and for how long?
- What actions do IT managers need to take, and what is the priority?
This two-part article will address these questions and will recommend an enterprise records management approach for dealing with Sarbanes-Oxley.

Sarbanes-Oxley Act
The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both. Sections 801 and 802 of Sarbanes-Oxley contain the rules that impact IT records management. The first rule deals with destruction, alteration, or falsification of records.
Sec. 802(a) "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."
The second rule defines the retention period for records storage. Best practice is for corporations to securely store all business records using the same guidelines set for public accountants.
Sec. 802(a)(1) "Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded."
The third rule defines the types of business records that must be retained: all business records and communications, including electronic communications.
Sec. 802(a)(2) "The Securities and Exchange Commission shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review."
Sarbanes-Oxley is not a set of business practices and does not specify how IT managers are to store corporate records. Rather, Sarbanes-Oxley defines which records are to be stored and for how long. Failure to comply can result in severe penalties. IT managers are faced with the challenge of creating a corporate records archive that satisfies Sarbanes-Oxley and fits their budget.

Enterprise Records Management
A successful approach to managing corporate electronic records is to create a centralized enterprise records management (ERM) system that will store multiple data types securely, accurately and for the required period of time (retention period). When designing an ERM system, several important issues must be taken into account.
The size of an ERM system will vary depending on the size of the enterprise and the number and nature of its transactions, but it will certainly be terabytes (and possibly, petabytes) of data storage. The archive can become quite large because Sarbanes-Oxley states that all business records must be saved, including electronic messages, for at least five years and possibly longer.
The choice of storage media will also impact the long-term compatibility of the data types. Depending on the media type (optical, disk or tape), retrieving the data can be straightforward or very difficult. Media formats and the software required to access data change frequently over time. Can the data you store today still be read in five years?
Data must be saved in a manner that is certifiably unalterable. If a corporation becomes involved in a federal investigation, it will need to provide clear proof that the records contained in the ERM system are accurate and tamper-proof. Technologies such as "WORM" (write once, read many) media, which combine a secure index and an audit log, help to ensure that records are stored safely and are not tampered with. New WORM disk storage devices are available from EMC and Network Appliance that can assist with records storage and retention period management. The new EMC Centera and the Network Appliance SnapLock both offer secure "read-only" storage for files and records.
As individual records are stored in the archive, they must be classified and tagged with a retention period that matches their data type and application. The number of different retention periods can be dozens depending on the industry, local, state and federal regulations. It is recommended that you consult with your corporate compliance officer to define a retention schedule for all the data types to be stored.
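The two paragraphs above describe the properties an ERM archive needs: write-once storage whose secure index and audit log make alteration detectable, plus a retention period tagged on every record and enforced at deletion time. The following is an added example in Python, not code from the article and not the EMC Centera or Network Appliance SnapLock products, modelling those properties in miniature: content-addressed blobs that are never overwritten, an index of content hashes, a hash-chained audit log, a per-type retention schedule, and an integrity check. The retention schedule values, record types, sample content and all class and function names are the example's own assumptions.

```python
"""Toy WORM-style records archive with retention tagging and tamper detection.
Added example; not the article's or any vendor's code. Names are assumptions."""
import hashlib
import json
from datetime import date

# Constructed sample retention schedule in years. A real schedule comes from the
# corporate compliance officer, as the article recommends.
RETENTION_SCHEDULE = {
    "audit_workpaper": 5,   # matches the five-year period in Sec. 802(a)(1)
    "email": 5,
    "invoice": 7,
}


def _add_years(d: date, years: int) -> date:
    """Add calendar years, clamping Feb 29 to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RetentionError(Exception):
    """Refused operation: the record is write-once or still within retention."""


class WormArchive:
    """Content-addressed blobs + hash index + hash-chained audit log."""

    def __init__(self):
        self.blobs = {}       # content hash -> bytes; never overwritten
        self.index = {}       # record_id -> metadata incl. content hash and retain_until
        self.audit_log = []   # append-only; each entry commits to the previous one

    def _audit(self, action: str, record_id: str, detail: str = "") -> None:
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"action": action, "record_id": record_id,
                 "detail": detail, "prev_hash": prev}
        entry["entry_hash"] = _sha256(json.dumps(entry, sort_keys=True).encode())
        self.audit_log.append(entry)

    def store(self, record_id: str, content: bytes, record_type: str, stored_on: date) -> date:
        if record_id in self.index:
            raise RetentionError(f"{record_id} already archived; records are write-once")
        digest = _sha256(content)
        self.blobs.setdefault(digest, content)   # identical content is stored once
        retain_until = _add_years(stored_on, RETENTION_SCHEDULE[record_type])
        self.index[record_id] = {"hash": digest, "type": record_type,
                                 "stored_on": stored_on.isoformat(),
                                 "retain_until": retain_until.isoformat()}
        self._audit("store", record_id, f"{record_type} sha256={digest}")
        return retain_until

    def read(self, record_id: str) -> bytes:
        self._audit("read", record_id)
        return self.blobs[self.index[record_id]["hash"]]

    def delete(self, record_id: str, today: date) -> None:
        """Deletion is allowed only after the tagged retention period has expired."""
        retain_until = date.fromisoformat(self.index[record_id]["retain_until"])
        if today <= retain_until:
            self._audit("delete_refused", record_id, f"retained until {retain_until}")
            raise RetentionError(f"{record_id} must be kept until {retain_until}")
        del self.index[record_id]
        self._audit("delete", record_id, "retention period expired")

    def verify(self) -> list:
        """Return integrity problems found; an empty list means the archive is clean."""
        problems = []
        for record_id, meta in self.index.items():          # index vs. stored bytes
            blob = self.blobs.get(meta["hash"])
            if blob is None or _sha256(blob) != meta["hash"]:
                problems.append(f"content of {record_id} altered or missing")
        prev = "0" * 64
        for i, entry in enumerate(self.audit_log):          # walk the hash chain
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = _sha256(json.dumps(body, sort_keys=True).encode())
            if entry["prev_hash"] != prev or expected != entry["entry_hash"]:
                problems.append(f"audit log entry {i} broken")
            prev = entry["entry_hash"]
        return problems


def demo() -> dict:
    """Store a constructed record, then show refusal, tamper detection and expiry."""
    archive = WormArchive()
    content = b"Audit workpaper: Q4 FY2002 revenue reconciliation"   # constructed
    retain_until = archive.store("wp-2003-001", content, "audit_workpaper", date(2003, 3, 31))
    results = {"retain_until": retain_until.isoformat(), "clean": archive.verify() == []}
    try:
        archive.delete("wp-2003-001", date(2007, 1, 1))
        results["early_delete_refused"] = False
    except RetentionError:
        results["early_delete_refused"] = True
    digest = archive.index["wp-2003-001"]["hash"]
    archive.blobs[digest] = content.replace(b"revenue", b"expense")  # simulate tampering
    results["tamper_detected"] = any("altered" in p for p in archive.verify())
    archive.blobs[digest] = content                                   # restore
    archive.delete("wp-2003-001", date(2008, 4, 1))
    results["expired_delete_ok"] = "wp-2003-001" not in archive.index
    archive.audit_log[0]["detail"] = "rewritten"                      # simulate log edit
    results["log_tamper_detected"] = any("audit log" in p for p in archive.verify())
    results["leap_clamp"] = _add_years(date(2004, 2, 29), 5).isoformat()
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real ERM system: the index stores a content hash rather than trusting the storage layer, so a changed blob is caught on verification, and the audit log is chained so that editing or removing an entry after the fact breaks every later link. A production archive would also anchor the log head in a signed or externally witnessed location so the chain itself cannot simply be rebuilt.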
Part two of this series will explore the "gold standard" of ERM system design and the benefits of an ERM system to your organization.
About the author:
Bob Spurzem is a Principal Analyst with Contoural Inc., an independent provider of storage consulting and storage education services. He has been closely involved in the storage industry for six years as a Product Marketing Manager with leading storage software vendors.
Do you want to see more articles and insights from noted industry observers? Visit the complete Bits & Bytes column library.