admin Posted on 12:20 am

Are there holes in your SOX? (Sarbanes-Oxley Compliance for Public and Private Companies)

Summary:

The illicit transgressions of Enron and the like in the late 1990s led to regulation intended to standardize the trustworthiness of financial institutions and public companies. Companies faced with SOX compliance need to consider the following: what are the best-practice processes, how do these processes differ from existing practices, how should new processes be implemented, and how can short-term process changes be balanced against “longer-term strategic goals”?

– – – – – – – – –

A world before SOX:

The business world was in for a rude awakening after a series of highly publicized corporate finance scandals. Accounting fraud committed in the late 1990s came to light in 2001 and 2002 in the scandals involving Enron, Tyco, and WorldCom, and stories of embezzled corporate dollars filled the press. Legislators soon responded to the multitude of serious transgressions committed by the top management of the corporate world.

Crimes committed by these industry bosses ranged from extravagant multimillion-dollar trips to exotic locales and large private gifts to spouses to shuffling company funds into other investments. The corporate world needed to be held accountable for its misdeeds. SOX (the Sarbanes-Oxley Act), formally the Public Company Accounting Reform and Investor Protection Act of 2002, went into effect to improve corporate governance and to help deter and detect future misdeeds.

The Sarbanes-Oxley Act of 2002 requires publicly traded entities to define, assess, and document the processes that make senior management accountable for financial reporting. SOX requires that substantial audits or verification checks be carried out to ensure that senior management is accountable for its financial actions.

Why should private companies care about SOX?

While SOX applies directly to publicly traded companies, private companies that wish to do business with companies listed on exchanges such as the NASDAQ are in practice also expected to comply with Sarbanes-Oxley.

Many large public corporations will simply refuse to do business with private companies that are not SOX compliant. Private companies that want to do business with large public entities are now also drawn into a SOX-compliant landscape.

SOX affects a wide range of industries that “touch” the information of those publicly traded companies, including but not limited to:

  • Lawyers
  • Accountants and Audit Companies that review the financial statements of the company
  • Brokers or dealers and their employees
  • Security companies that handle electronic transactions.
  • International businesses operating in the United States

Acceptance of SOX by private companies is not an issue, as “73% of private company CEOs said that SOX has done at least a decent job of improving financial governance and transparency for public companies.” (1)

Who is responsible for compliance with SOX communications?

SOX’s record-keeping requirements extend to business correspondence, including email, so incoming and outgoing correspondence must be controlled and retained. Depending on the business structure, communication exchanges may be monitored by chief compliance officers (CCOs), chief information officers (CIOs), and chief risk officers (CROs). These executives are responsible for the security, accuracy, and reliability of the organization’s messaging and reporting systems.

Well-prepared organizations have policies, established by their senior officers, that outline what types of information may or may not be communicated outside of a department and outside of the organization. Even where these rules exist, companies often fail to take the necessary steps to ensure that employees understand the rules and why they matter.

What are the key elements of SOX that relate to electronic data storage and email security?

  • SOX Section 404: Management must assess and report on the effectiveness of internal controls over financial reporting. In practice this means financial spreadsheets and reports must be protected from accidental or deliberate falsification or unauthorized redistribution.
  • SOX Section 409: Material changes in a company’s financial condition must be disclosed to the public on a rapid and current basis (commonly interpreted as within 48 hours).
  • SOX Section 802: Criminal penalties for altering, destroying, or falsifying records with intent to obstruct a federal investigation, together with retention requirements for audit records. In practice, documents and records must be kept and protected from tampering.
  • SOX Section 1102: Corrupting, altering, mutilating, destroying, or concealing records is a violation. Those found guilty of obstructing an official investigation or proceeding face fines and up to 20 years in prison.

The Sarbanes-Oxley Act focuses on the corporate governance, accountability, and reporting practices of publicly traded companies. However, the law also affects private companies that could one day go public and those that do business with publicly traded companies.

What are the holes in your SOX compliance?

While sharing information online is a convenient luxury of e-commerce, it also creates a significant exposure, because information, data, and correspondence are exchanged from one business to another. Data and email sharing can raise both privacy and SOX compliance issues.

This misuse of company information is not unique to US companies. According to a 2006 BBC report (2), staff at 18% of large UK companies gained unauthorized access to information during 2005, and 9% of those large companies saw staff misuse restricted information.

How can your company sew up your SOX holes?

Executive management seeking to comply with SOX must commit to strategic planning and to the execution of the directives of the Sarbanes-Oxley Act. The company’s CEO, CFO, CCO/CRO, and CIO must cooperate and pay close attention to detail when establishing policies to comply with SOX. The need to create and implement robust email and electronic data retention policies has never been greater than in today’s fast-paced e-business world.

An example of the kind of customer-facing policy statement such a program produces: “Email is not necessarily secure against interception. Whether or not an email is encrypted in transmission depends on the software at both ends. Therefore, it is our policy not to send you emails that contain identifiable information about you, your household, or your business.”

Andy Purdy, Acting Director of the Department of Homeland Security’s National Cyber Security Division, in a 2006 interview with CNET identified the importance of protecting a company’s important digital assets:


“Small and large businesses and government are important when it comes to reducing cyber risk. We’re trying to raise awareness among partners about liability and technical consumers that they can use to help protect their systems…”(3)

Before Sarbanes-Oxley, corporations saw serious abuse of executive power at the cost of genuine business growth. Today, severe criminal and civil penalties for securities law violations can be brought against companies that fail to meet SOX standards.

How can private companies thrive in today’s email-driven business environment while remaining SOX compliant? Introducing strong compliance policies in line with SOX, backed by firewalls, up-to-date antivirus protection, encryption, and email anti-theft measures, can help a private company work cooperatively with publicly traded companies.

Benefits of email anti-theft software

Implementing email anti-theft measures allows a company to grow in credibility, reputation, and trust, all factors that lead to more clients and more revenue.

With security measures in place to preserve business correspondence and protect outgoing email, small and midsize businesses can be wise with their technology budgets and well armed with the tools and resources necessary to meet industry requirements. Customers will feel more secure sharing their personal information with compliant SMBs, paving the way for better and more secure communication.

– – – – – – – – – – –

Final Notes:

1.) Rob Preston, “Time to Regulate the Regulations,” InformationWeek, February 27, 2006, p. 78.

2.) BBC News, “Firms lax on ID theft protects,” March 16, 2006, BBC Online. URL: http://news.bbc.co.uk/2/hi/technology/4809262.stm

3.) Joris Evers, “Newsmaker: Locking down America’s Net Defenses,” February 16, 2006, CNET News.com. URL: http://news.com.com/Locking+down+Americas+Net+defenses+-+page+2/2008-7348_3-6040223-2.html?tag=st.num
