The government is cleaning up the way companies do business after accounting and governance scandals rocked investor confidence and damaged the reputation of companies large and small.

The Sarbanes-Oxley Act (SOX) of 2002 was enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the public from accounting errors and fraudulent practices by organizations. One primary component of SOX is the definition of which records are to be stored and for how long. For this reason, the legislation affects not only financial departments but also IT departments, whose job it is to store electronic records. SOX states that all business records, including electronic records and electronic messages, “must be saved for not less than five years.” The consequences for noncompliance are fines, imprisonment, or both. Three rules of Sarbanes-Oxley affecting the management of electronic records address the following areas:

A. The destruction, alteration, or falsification of records. The act states that persons who knowingly alter, destroy, mutilate, conceal, or falsify documents shall be fined, imprisoned for not more than 20 years, or both.

B. The retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants. Organizations shall maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded.

C. The business records and communications that need to be stored, including electronic communications. IT departments are facing the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

Essentially, any public organization that uses IT as part of its financial business processes must implement IT controls to comply with SOX.
BENEFITS FROM SARBANES-OXLEY
Many businesses are promoting the benefits they received from implementing SOX. General Electric Co., which spent about $30 million on SOX compliance, has added controls that boost investors’ confidence in the company. United Technologies used SOX to standardize bookkeeping audits in its disparate businesses around the world. The biggest advantage of all, though, may be the greater confidence investors have in financial results. Some officials believe it will take another two years (around 2008) for companies, auditors, and regulators to apply the law efficiently. That might appear to be a long time, and it may seem to be expensive; however, it is a small price to pay to help organizations run smoothly and renew investor confidence.
IMPLEMENTING SARBANES-OXLEY
Ultimately, Sarbanes-Oxley compliance will require a great deal of work among all departments. Compliance starts with running IT as a business and strengthening IT internal controls. The following are a few practices organizations can follow to ensure compliance with the Sarbanes-Oxley Act.

Overhaul or upgrade financial systems to meet regulatory requirements for more accurate, detailed, and timely filings.

Examine the control processes within the IT department and apply best practices to comply with the act’s goals. For example, segregation of duties within the systems development staff is a widely recognized best practice that helps prevent errors and outright fraud. The people who code program changes should be different from the people who test them, and a separate team should be responsible for changes in production environments.

Ensure that information system customizations are not overriding controls by working with internal and external auditors. Homegrown financial systems are fraught with potential information-integrity issues. Although leading enterprise resource planning (ERP) systems offer audit-trail functionality, customization of these systems often bypasses those controls.

Work with the CIO, CEO, CFO, and corporate attorneys to create a document-retention-and-destruction policy that addresses what types of electronic documents should be saved, and for how long.
Required:
i. What do you think an unethical accountant or manager at Enron thought were the rewards and responsibilities associated with his or her job?
ii. Discuss the two policies an organization can implement to achieve Sarbanes-Oxley compliance.