Sarbanes-Oxley: Stricter Rules and a Seat at the Table for Records Managers

Reprinted from DataBits newsletter 2005 #1 - With contributions from John Montaña, General Counsel with Cunningham & Montana Inc.

In the wake of accounting scandals like Enron, WorldCom and Tyco International, Congress passed a high-profile piece of legislation called the Sarbanes-Oxley Act of 2002, commonly known as "SOX."

Records managers understand one impact of SOX very well because the Act states what records an organization must archive and for how long those records must be stored.

But if there's a silver lining to the accounting scandals, it's the impact on the status of the records manager within his or her company. As companies put SOX compliance #1 on their list of fiduciary responsibilities, decisions relating to records management have moved up the corporate ladder, with senior management recognizing the crucial nature of the records manager's job.

Changes in records management

SOX has brought about a number of changes in records management. "Although Sarbanes-Oxley really isn't a law about record-keeping, per se, it clearly implies certain processes necessary for compliance. For example, a company will want to increase its record keeping to show how thoroughly it is performing steps like auditing its financial controls," says John Montaña, General Counsel with Cunningham & Montana, Inc., a records management consulting firm in Landenberg, Pennsylvania.

"Beyond Sarbanes-Oxley, however, the climate surrounding finance and accounting records has changed pretty dramatically and corporations now have a great desire to have top-end records management retention programs. This is important for gaining the confidence of regulators, investors and the public," Montaña says.

Montaña, who is one of only a handful of lawyers in the country specializing in records and information management law, says that even before the accounting scandals, lawyers had become concerned about sloppy records management practices over the past ten to 15 years. In fact, companies' records management practices had increasingly become issues in litigation. That trend was accelerated, however, by events like the Enron case because the shredding of documents took place under the guise of a records retention schedule.

"All of a sudden records retention schedules have come under great scrutiny and if your organization has a records retention schedule, suddenly there is a high-stakes incentive to prove that your records retention program is not improper," Montaña says.

That incentive goes directly to personal criminal liability, such as what happened in the case of Frank Quattrone, the ex-Credit Suisse First Boston investment banker. Quattrone was found guilty of obstructing justice and witness tampering by trying to block investigations by regulators and a grand jury when he forwarded an e-mail in late 2000 urging colleagues to "clean-up" their files.

Records management ramifications of SOX

"Record retention has become more stringent for audits of public entities under Sarbanes-Oxley, which requires an auditor to retain for a seven-year period all relevant work papers, memos, correspondence and records (paper and electronic) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with an audit," writes Ed McCarthy in "Tips for the Sarbanes-Oxley Learning Curve" in the June 2004 issue of the Journal of Accountancy. "Sarbanes-Oxley itself mandates internal reviews of a number of things, including the record-keeping system," Montaña adds. He provides the following advice for Sarbanes-Oxley compliance:
  • It is critical that your company's accounting, finance records and associated records are managed properly, have appropriate retention periods and that the retention process is managed appropriately and transparently.
  • Those in companies regulated by the Securities and Exchange Commission (SEC) also must think carefully about the kinds of data objects and records that must be created just to demonstrate Sarbanes-Oxley compliance.
  • Determine which processes you'll undertake to meet SOX compliance, how you'll document those processes and how you're going to manage those records. This is because the law itself is fairly vague about exactly what you're supposed to be documenting and what kinds of records you should create.

SOX is giving records managers higher visibility and with that visibility comes increased accountability. "Datasafe works in partnership with records managers to ensure prompt, accurate and efficient access to their records when they need them," says Ron Reis, Datasafe Vice President and Co-owner.

While financial statements and transaction data are most critical under SOX, Datasafe's Records Management service ensures all records are treated with the same level of safety and security. "There are records that are unique or otherwise irreplaceable and for those we recommend storage in our temperature and humidity-controlled media vaults via our Media & Data Protection service," Reis adds.
