If you run a public business in the United States, you are required to comply with the Sarbanes-Oxley Act (SOX). This piece of legislation was implemented to improve the accuracy of corporate disclosures and protect shareholders and the general public from the security threats of accounting errors and fraudulent activity in enterprise businesses.
While SOX does not set specific standards for storing electronic information, it does define which records should be stored and for how long. The consequences that come with not maintaining SOX compliance can include major fines, imprisonment, or both, as we’ve seen in violations with AIG Insurance’s $10 million 2006 fine and even more recent violations shared through SEC press releases.

While SOX explicitly refers to public companies, private companies would do well to monitor and comply with SOX to plan for future growth and development. A lack of compliance can delay the acquisition and exit process and negatively affect stock prices when a company goes public.

SOX was enacted in 2002 and goes by two other names; in the Senate, it is known as the Public Company Accounting Reform and Investor Act, and in the House of Representatives, it is known as the Corporate and Auditing Accountability and Responsibility Act. The rules and deadline requirements of SOX affect the financial and IT sides of an organization and are administered by the United States Securities and Exchange Commission (SEC). Compliance with SOX is regulated by three rules within Section 802 of the Act regarding the management of electronic records.
These rules govern the destruction, alteration, and falsification of records; the retention period for those records; and the type of records that need to be stored. SOX compliance audits rely on effective and efficient internal processes and controls. Abiding by these rules and requirements ensures the accuracy, accountability, and reliability of the information a company discloses. Companies looking to achieve and maintain SOX compliance are advised to consider the following principles:
- If you manage a private company, consider the SOX rules that already apply to your organization
Private companies don’t get a pass on many SOX compliance factors, even though they technically apply only to public companies; other laws guarantee similar penalties for retaliation against whistleblowers and destroying or tampering with documents. Other laws also extend to bankruptcy, the statute of limitations for securities fraud, and penalties for mail and wire fraud. It’s in your interest to understand and abide by SOX to benefit from compliance you are already maintaining.
- Use common sense and act with the company’s interests in mind
SOX violations often underscore a lack of best practices and integrity within an organization. By identifying and minimizing conflicts of interest, acting on an informed basis, and using the insight of experts, companies and board members can avoid the consequences that come with SOX violations.
- Automate your IT compliance
Sustainable compliance starts with automation. Not only are systemic reports likely to be accepted as audit evidence, but removing the human element of the reporting process will increase your overall consistency and preparedness no matter when an audit takes place.
- Use the resources available to you to proactively audit your business
The SEC has a number of resources available to help small businesses self-audit for SOX compliance and develop an information system that complies with industry best practices. True SOX compliance requires a unified approach to strategic, integrated business practices that put the protection and storage of electronic data first.