Sarbanes-Oxley Act & Section 302,404,409

November 25, 2009

The Sarbanes-Oxley Act of 2002 also known as the Public Company Accounting Reform and Investor Protection Act of 2002 is mandatory. ALL organizations, large and small, MUST comply.

Section 302

Corporate responsibility for Financial Activities

Public Company Officers must certify the accuracy of financial statements and must certify that statements fairly present the operations and financialcondition of the issuer.

It also requires material information that is used to generate reports be retained and made available to the public.

It Affects

This directly affects the IT and security departments because it is
primarily IT systems that generate these periodic reports and which control e-mail, the main method of communication within most organizations.

Section 404

Management Assessment of Internal Controls

Section 404 is the most pertinent section within SOX to issues surrounding information security. It addresses the necessity of corporate management to be fully accountable for the integrity of all data associated with their financials.

It states that management teams of public companies must establish and maintain adequate “Internal Controls” over their financial reporting systems to safeguard against unauthorized and improper use of financial information.

Internal Controls are defined as “all control methods a company uses to prevent, detect and correct errors and frauds that might get into financial statements”.

Section 409

Real Time Issuer Disclosure

Public Companies must be aware of, and declare, changes in their financial conditions or operations within 48 hours of material events.  All events which could affect a company’s finances, stock price or intellectual property (among otherthings) must be captured, documented with a process that can be audited and reported in a rapid fashion.

This includes operational risk with IT systems such as:

• Major or extended system outages
• Loss of critical data
• Security breaches
• Intellectual Property and Digital Rights Management issues
• Major computer virus and worm attacks


Corporate Compliance Regulations & Standards

August 27, 2008

More than 8,500 state and federal regulations concern records management in the United States. There are several more voluntary standards that can be adopted. Here is a sampling of some of the more common standards and regulations that concern document and records management.

The Sarbanes-Oxley Act of 2002

Also known simply as “Sarbanes Oxley” or “SOX,” the Sarbanes-Oxley Act of 2002 was passed in the wake of a number of corporate accounting scandals at companies like Enron and Arthur Andersen, which came to light after the year 2000.

Signed on July 30, 2002, the legislation’s goal is to create oversight at publicly traded companies and independent auditors so investors are not fooled by phony profits and revenue. Among the several results of Sarbanes-Oxley is the creation of an oversight board for accounting firms that audit publicly traded companies. It also stresses independence of auditors and financial analysts; addresses corporate responsibility at publicly traded companies; and protects whistleblowers.

At no point does the word “software” appear in the text of the Sarbanes-Oxley legislation. But in order to achieve the type of audit trails and records keeping required to be in compliance, most companies will use some type of content or records management software.

Section 404 of Sarbanes-Oxley is widely cited in the literature of software companies. It requires each annual report of a publicly traded company to contain an “internal control report”, which states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contains an assessment of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Section 409 says that companies must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.

To read a summary of the entire Sarbanes-Oxley legislation, visit: http://www.aicpa.org/info/sarbanes_oxley_summary.htm.

To hear webinar on Sarbanes-Oxley legislation, visit:http://www.complianceonline.com/ecommerce/control/trainingFinder?category_id=30008

The Patriot Act

Maligned in some circles for what is perceived to be a pinching of civil liberties, H.R. 3162, better known as the USA Patriot Act, was signed in October of 2001, just over a month after the terrorist attacks of Sept. 11.

While much of the press coverage has gone to provisions in the bill that let law enforcement track what books people take from the library and the like, there are real business issues mentioned in the Patriot Act. And once again, businesses will turn to software in order to solve them.

The Patriot Act will have the most affect on companies in the financial services sector, which will have to comply with parts of the legislation that concern detecting and preventing money laundering that can be used to finance terrorism. Institutions need an automated process for continuous monitoring of accounts with detection filters and to check account holder names against watch lists and suspicious activity. They also need to track investigations in progress, and clear the names of those who have been investigated.

ISO 9000

ISO 9000 quality standards are implemented by more than 500,000 organizations in 160 countries. ISO 9000 is an international reference for quality management requirements in business-to-business dealings.

The ISO 9000 family examines what an organization does to fulfil the quality requirements of its customers and applicable regulatory requirements, while enhancing customer satisfaction, and achieving continual improvement of its performance in pursuit of these objectives.

ISO 9000 is a generic requirement, which means the same standards can be applied to any organization, large or small, whatever its product, even if the product is actually a service, in any sector of activity, and whether it is a business enterprise, a public administration, or a government department.

To hear webinar on ISO and Quality, visit: http://www.complianceonline.com/ecommerce/control/trainingFinder;jsessionid=BF212C0A5D84A8DDABE76CEACB43B217.jvm1?category_id=30004

ISO 15489

ISO 15489 focuses on the business principles behind records management and how organizations can establish a framework to enable a comprehensive records management programme. ISO 15489 is just a framework and is an optional standard that any organization can adopt.

The standard provides a common international language for organizations that record and file material, regardless of the medium or format; the size of the enterprise; the type of organization; or the level of technology used.

DoD 5015.2

The Department of Defense (DoD) 5015.2 standard defines the basic requirements based on operational, legislative, and legal needs that must be met by records management application (RMA) products acquired by the Department of Defense (DoD) and its components. It also defines requirements for RMA’s managing classified records. It has become the de facto standard for records management systems used by U.S. government agencies.

SEC, NASD and NYSE Regulations

In addition to Sarbanes-Oxley, SEC and non-government securities organizations have regulations in place that require strict record keeping by brokers, dealers, and financial services organizations.

Section 17(a) of the Securities Exchange Act of 1934, Rule 17a-4 of the Exchange Act, NYSE Rule 440, and NASD Rule 3110 require the preservation for three years, and preservation in an accessible place for two years, electronic communications relating to the business of the firm, including interoffice memoranda and communications. That includes e-mail and relevant instant-message correspondence.

For more information, see http://www.law.uc.edu/CCL/34ActRls/rule17a-4.html#top.

To hear webinar on SEC and Quality, visit: http://www.complianceonline.com/ecommerce/control/trainingFinder?category_id=30002

HIPAA

The Health Information Portability and Accountability Act (HIPAA) aims to protect personal information about consumer health records. Congress enacted HIPAA in response to the growing use of the Internet and electronic transactions. HIPAA is a privacy law to protect consumers from having their personal health information exploited by insurance companies, employers, and anyone else who may try to exploit, disclose, or publish their personal health information.

For more information, see: http://www.intranetjournal.com/articles/200211/ij_11_29_02a.html

To hear webinar on SEC and Quality, visit: http://www.complianceonline.com/ecommerce/control/trainingFinder?category_id=30007

Federal Information Security Management Act of 2002 (FISMA)

FISMA requires government agencies to provide a framework for for enhancing the effectiveness of information security in the federal government. The head of each federal agency must provide security measures commensurate with the risk and magnitude of the harm caused by potential security breaches, such as unauthorized use, access, disclosure, disruption, modification or destruction of information management systems.

For a more detailed explanation of FISMA, see:
http://www.chips.navy.mil/archives/04_winter/PDF/FISMA.pdf. (PDF file; reader required.)

Source:Intranet Journal