A technology blog for The Economist Group IT team

Tuesday, June 24, 2003

Will Sarbox affect us?

No, this is not to do with a terrorist gas attack (I saw next week's episode of Spooks last night on BBC Three, but that's another story; suffice to say it's rather too dumbed down and therefore obvious). The Sarbanes-Oxley Act is US regulators' answer to problems highlighted by the Enron/Xerox/[insert company name] scandal and it comes into effect on October 31 2003. Since it was enacted, legal opinion has begun to form on just what the effects of it will be. Well, for one, CEOs have to verify that their public accounts are a complete and accurate statement of the financial position of their company and, for two, information that may affect the company's financial position has to be disclosed in a timely fashion.

And some in the IT sector have picked up that Sarbox could herald a new Y2K spending spree. Their rationale behind this theory is that for senior management to be able to satisfy themselves that they are fully aware of their company's financial situation they will need instant access to more information (such as Oracle's daily virtual close) about their company's performance. To enable them to get at this they'll need a properly integrated ERP system, such as PeopleSoft. A series of standalone spreadsheets, for example, would not make for easy access, even if they fed into or out of a corporate ERP/finance system.

But not only that.

Cap Gemini-Ernst & Young told CIO Magazine that among the 48 questions they would ask CIOs to allow them to gauge a company's compliance with Sarbox are:

37. Does the company have a retention policy for electronic information?
39. How often do you back up your data?
40. What controls are in place over record retention to avoid tampering with the data?
48. What controls are in place to detect wire/mail fraud?

The first two of these relate to the requirements of sections 103 and 802 of the Act. While section 802 (now part of SEC rules) covers destruction of materials, section 103 stipulates that auditors must keep all supporting documentation relating to an audit for a period of seven years. In turn, this means that the company itself should keep these records too, in case further supporting information is later required. The current thinking is that this "supporting documentation" includes e-mail communications and (if they were used) Post-It notes where they support or clarify other information.

So, a public company needs to keep archives of its e-mail system going back seven years? That's the view that many are taking and here's where it affects us. Companies like KVS have products that allow seamless archiving of e-mail so that any e-mail sent can be retrieved at a later date, even if it has subsequently been deleted. However, I haven't seen a product that works with GroupWise yet; could the availability of such products at some point in the future be the influencing factor in the choice of e-mail system? And how much of this is, in turn, because it's easier to develop third-party software that integrates via .NET to Microsoft products?

The e-mail archiving is just one example, but you get the picture.

Anyway, the good news is that Sarbox only applies to US public companies (well, some non-public too), which The Economist Newspaper is not. The bad news is that there will be pressure for non-public companies to meet some of the standards laid down by Sarbox and that the EU is planning its own version.

Treo 600

Not sure how far off the ground this product will get, what with the Palm merger, and it doesn't have Graffiti, but boy, does it look good. It's out this fall (that'll be end of the year to you and me).
Even the largest of companies will struggle with Sarbox compliance and I think the main issues they will fall down on are the security, shredding and destruction of matters concerning electronic data as well as correctly identifying data interception and fraud.