
Playing by the New Rules: Embracing SOX Compliance with a Coping Strategy

It’s nearly a foregone conclusion that at least once in even a small company’s life, the company will be faced with regulatory scrutiny, litigation or an accounting need that requires it to search and analyze its business records. Averse to risk? Then try not complying with regulations for archiving your business records. No business, no industry, no employee can hide from the need for accurate business records management that complies with federal and state law—including such regulatory compliance as Sarbanes-Oxley, ISO or HIPAA.

In order to address the new Sarbanes-Oxley legislation—which requires public companies to establish, approve, implement and evaluate their internal controls for purposes of financial statement reporting and operational integrity—organizations are searching for tools to help them achieve corporate compliance. Today’s quick-paced, information-rich businesses are full of data that can be classified as a business record. These business records are required to be collected, tracked, stored, archived and potentially located. Automated, efficient and reasonable recordkeeping protects all stakeholders in a business—officers, employees and shareholders alike. Good recordkeeping allows companies to operate more efficiently, account for their actions and protect assets. Recordkeeping is the “memory” of an organization, the brain by which a company can gain a retrospective on certain corporate actions or inactions. This “memory” becomes the means by which a company can shape its course for the future.

But the amount of data even a single business can produce could be staggering. Many companies, from the CEO to the company records manager, simply become numb to the need for effective records management. And even when they are addressing the most immediate recordkeeping concerns, there is still the “dust-bin”—the repository of archived, legacy data that is stored throughout the network and over disparate systems, whether on a server or residing in a steel filing cabinet in the corporate library.

Compounding the problem is today’s flurry of federal and state regulations. Triggered by scandals involving Enron and Andersen, the specter of complying with SOX has many companies grappling to get current data properly archived. Organizations faced with SOX regulations, despite best intentions, remain uncertain about what data needs to be archived and retained to meet new regulatory and compliance requirements.

Organizations are not sure if they can even meet compliance regulations because they lack the technology to properly meet these targets. Retrieving records is another nightmare. Many companies would not know where to look for a record or how to find it, unless they undertook an expensive inventory and comprehensive analysis of their records.

In addition to corporate issues surrounding internal compliance, many organizations are having difficulties managing and consolidating information from remote locations. In companies with multiple offices, the financial truth is often hidden in separate databases, technology solutions and various spreadsheets.

Developing Necessary Compliance Coping Skills

Unfortunately, finding a corporate governance solution that provides the internal control systems necessary to adhere to the financial compliance and auditing processes mandated by Sarbanes-Oxley is perceived as a burdensome task. However, few companies face the underlying problem: defining the process by which business records are attained and retained. In fact, if companies embrace the issue of compliance head-on, they can actually improve their business practices and financial performance and reduce the business risk to their organization.

What is needed is a mechanism that provides the essential baseline for establishing financial accountability, policy compliance and procedural tracking. In addition this system must be user-friendly, bringing together employees, technology and processes that support financial governance, auditing processes and Sarbanes-Oxley compliance. This framework becomes the “business rule” that directs processes for expense approval, workflow and document certification, and thus directly aids in automating the flow of financial information throughout the organization, ensuring responsible managers obtain timely and accurate data, aiding in the prevention and detection of fraud or financial irregularities.

What follows is a strategy to ensure compliance by tackling the problem of knowledge management head-on. By evaluating business processes, technology and ERP systems, as well as making corporate changes to improve their ability to support internal controls required by Section 404 of the Sarbanes-Oxley Act, companies faced with compliance issues can make the transition with little to no pain.

Analyze This!

By first evaluating—honestly—your current records management system, you will be able to make the leap to establishing a better framework for keeping records. How much of your current recordkeeping is still physical and how much is electronic? Are you covering all the new records being created with new forms of electronic communications such as instant messaging (IM), blogs and e-mail? Is your firm using e-mail to communicate transaction details or negotiations? Do you have an existing process for capturing the business records that employees and departments generate? How is it captured and what means is used to archive these records?

Once the existing recordkeeping system is inventoried and evaluated, certain trends should emerge. Typically, problem areas will arise in one or more of three areas—people, technology or processes. Creating a mechanism to solve the recordkeeping problems can be thought of in terms of a triangle. People are at one point of the triangle, process is at another point of the triangle and technology is the third point of the triangle.

People Power: People are the originators of records and those who will rely on the records once they are created. Without changing the internal mindset of an organization, becoming compliant with the recordkeeping aspects of Sarbanes-Oxley will be impossible. People often do not understand the reasons for recordkeeping and thus engage in sloppy records management or use non-archiving methods of communication. Also, recordkeeping can be viewed as a non-mission critical task that is taken on only when the more “pressing” responsibilities of an employee have been addressed. The opposite is also true: employees can become so mired in recordkeeping that they shun aspects of their job or the process becomes inefficient and unworkable. Companies must evaluate the mindset of their employees when it comes to recordkeeping. Employees must be taught the reasons for recordkeeping and must be held accountable through measurable objectives.

Technology Solution: Technology is how we automate recordkeeping and how we create a good many records. Without the right technology in place an effective business records system cannot comply with Sarbanes-Oxley. Business records collection and archiving must be considered part of the overall planning process when IT decides to implement new technologies or upgrade existing ones, otherwise things fall through the cracks. How many companies have updated their business records systems to be able to collect information that is posted on corporate blogs, for instance? Is the newest content on the company employee portal being archived? Taking into account IT infrastructure is a key consideration when evaluating your recordkeeping in the quest to become compliant.

Planning should be routine to keep pace with the momentum of technological change. Consideration for open, flexible and scalable technologies must also be taken into account to keep pace with the growth (or downsizing) of an organization.

Technology can also be a problem. First technol
