Corporate Compliance Regulations & Standards

August 27, 2008

More than 8,500 state and federal regulations concern records management in the United States. There are several more voluntary standards that can be adopted. Here is a sampling of some of the more common standards and regulations that concern document and records management.

The Sarbanes-Oxley Act of 2002

Also known simply as “Sarbanes Oxley” or “SOX,” the Sarbanes-Oxley Act of 2002 was passed in the wake of a number of corporate accounting scandals at companies like Enron and Arthur Andersen, which came to light after the year 2000.

Signed on July 30, 2002, the legislation’s goal is to create oversight at publicly traded companies and independent auditors so investors are not fooled by phony profits and revenue. Among the several results of Sarbanes-Oxley is the creation of an oversight board for accounting firms that audit publicly traded companies. It also stresses independence of auditors and financial analysts; addresses corporate responsibility at publicly traded companies; and protects whistleblowers.

At no point does the word “software” appear in the text of the Sarbanes-Oxley legislation. But in order to achieve the type of audit trails and records keeping required to be in compliance, most companies will use some type of content or records management software.

Section 404 of Sarbanes-Oxley is widely cited in the literature of software companies. It requires each annual report of a publicly traded company to contain an “internal control report”, which states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contains an assessment of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Section 409 says that companies must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.

To read a summary of the entire Sarbanes-Oxley legislation, visit: http://www.aicpa.org/info/sarbanes_oxley_summary.htm.

To hear webinar on Sarbanes-Oxley legislation, visit:http://www.complianceonline.com/ecommerce/control/trainingFinder?category_id=30008

The Patriot Act

Maligned in some circles for what is perceived to be a pinching of civil liberties, H.R. 3162, better known as the USA Patriot Act, was signed in October of 2001, just over a month after the terrorist attacks of Sept. 11.

While much of the press coverage has gone to provisions in the bill that let law enforcement track what books people take from the library and the like, there are real business issues mentioned in the Patriot Act. And once again, businesses will turn to software in order to solve them.

The Patriot Act will have the most affect on companies in the financial services sector, which will have to comply with parts of the legislation that concern detecting and preventing money laundering that can be used to finance terrorism. Institutions need an automated process for continuous monitoring of accounts with detection filters and to check account holder names against watch lists and suspicious activity. They also need to track investigations in progress, and clear the names of those who have been investigated.

ISO 9000

ISO 9000 quality standards are implemented by more than 500,000 organizations in 160 countries. ISO 9000 is an international reference for quality management requirements in business-to-business dealings.

The ISO 9000 family examines what an organization does to fulfil the quality requirements of its customers and applicable regulatory requirements, while enhancing customer satisfaction, and achieving continual improvement of its performance in pursuit of these objectives.

ISO 9000 is a generic requirement, which means the same standards can be applied to any organization, large or small, whatever its product, even if the product is actually a service, in any sector of activity, and whether it is a business enterprise, a public administration, or a government department.

To hear webinar on ISO and Quality, visit: http://www.complianceonline.com/ecommerce/control/trainingFinder;jsessionid=BF212C0A5D84A8DDABE76CEACB43B217.jvm1?category_id=30004

ISO 15489

ISO 15489 focuses on the business principles behind records management and how organizations can establish a framework to enable a comprehensive records management programme. ISO 15489 is just a framework and is an optional standard that any organization can adopt.

The standard provides a common international language for organizations that record and file material, regardless of the medium or format; the size of the enterprise; the type of organization; or the level of technology used.

DoD 5015.2

The Department of Defense (DoD) 5015.2 standard defines the basic requirements based on operational, legislative, and legal needs that must be met by records management application (RMA) products acquired by the Department of Defense (DoD) and its components. It also defines requirements for RMA’s managing classified records. It has become the de facto standard for records management systems used by U.S. government agencies.

SEC, NASD and NYSE Regulations

In addition to Sarbanes-Oxley, SEC and non-government securities organizations have regulations in place that require strict record keeping by brokers, dealers, and financial services organizations.

Section 17(a) of the Securities Exchange Act of 1934, Rule 17a-4 of the Exchange Act, NYSE Rule 440, and NASD Rule 3110 require the preservation for three years, and preservation in an accessible place for two years, electronic communications relating to the business of the firm, including interoffice memoranda and communications. That includes e-mail and relevant instant-message correspondence.

For more information, see http://www.law.uc.edu/CCL/34ActRls/rule17a-4.html#top.

To hear webinar on SEC and Quality, visit: http://www.complianceonline.com/ecommerce/control/trainingFinder?category_id=30002

HIPAA

The Health Information Portability and Accountability Act (HIPAA) aims to protect personal information about consumer health records. Congress enacted HIPAA in response to the growing use of the Internet and electronic transactions. HIPAA is a privacy law to protect consumers from having their personal health information exploited by insurance companies, employers, and anyone else who may try to exploit, disclose, or publish their personal health information.

For more information, see: http://www.intranetjournal.com/articles/200211/ij_11_29_02a.html

To hear webinar on SEC and Quality, visit: http://www.complianceonline.com/ecommerce/control/trainingFinder?category_id=30007

Federal Information Security Management Act of 2002 (FISMA)

FISMA requires government agencies to provide a framework for for enhancing the effectiveness of information security in the federal government. The head of each federal agency must provide security measures commensurate with the risk and magnitude of the harm caused by potential security breaches, such as unauthorized use, access, disclosure, disruption, modification or destruction of information management systems.

For a more detailed explanation of FISMA, see:
http://www.chips.navy.mil/archives/04_winter/PDF/FISMA.pdf. (PDF file; reader required.)

Source:Intranet Journal

Advertisements

About FISMA?

August 6, 2008

The Federal Information Security Management Act of 2002 (FISMA), FISMA imposes a mandatory set of processes that must be followed for all information systems used or operated by a U.S. federal government agency or by a contractor or other organization on behalf of a federal agency. These processes must follow a combination of Federal Information Processing Standards (FIPS) documents, the special publications SP-800 series issued by NIST, and other legislation pertinent to federal information systems, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act. However, following these mandates only results in “compliance” and not “security”.[citation needed]