Commentary: Sarbanes-Oxley won't only affect those doing business with the US; it could end up changing the way everyone operates.
Introduced after the WorldCom and Enron collapses and other corporate governance failures, the Sarbanes-Oxley Act 2002 was enacted in the US in July 2002 to restore confidence in equity markets and the integrity of financial reporting. It consists of several sections designed to improve the quality of financial reporting. PricewaterhouseCoopers says: "Without a doubt, the Sarbanes-Oxley Act is the single most important piece of legislation affecting corporate governance, financial disclosure, and the practice of public accounting since the US securities laws of the early 1930s."
Strictly, Sarbanes-Oxley only binds companies that are required to file with the US Securities and Exchange Commission (including public companies over a certain market capitalisation and other entities such as banks and savings associations). All subsidiaries of US issuers, and Australian companies listed on a US exchange, are therefore affected. However, many companies that are not required to comply are beginning to adopt the Sarbanes-Oxley standards voluntarily.
The section most relevant to IT functions is Section 404 -- "Management assessment of internal controls". It requires a corporation to report which internal controls are in place to protect the integrity of its financial reporting, and to assess how effective those controls are. External auditors must then attest to the accuracy of that assessment.
For IT managers, this means two key areas must be addressed. The first is the reporting of internal controls, signed off by management and attested to by external auditors. The second is the adoption of a recognised framework for internal control. The framework most commonly used for this purpose, COSO's Internal Control - Integrated Framework, identifies five essential components of effective internal control: control environment; risk assessment; control activities; information and communication; and monitoring.
One of the hardest areas in which to meet these compliance requirements is the management and storage of data, including e-mail. Estimates indicate that as much as 70 percent of business-critical information is held within an organisation's messaging system. An average corporate user sends and receives 84 e-mails (about 10MB) per day, and by 2007 the securities industry alone is expected to handle more than 95 million messages a day.
Results of a recent survey show that 29 percent of organisations would not be able to locate an e-mail message that was six months old. If a company is involved in a legal dispute, the cost of retrieving e-mails requested as evidence can run into hundreds of thousands of dollars.
Some companies systematically erase e-mail after a fixed period regardless of its content, but a blanket policy of that kind will not stand up under Sarbanes-Oxley, because records relevant to financial reporting, or to any actual or anticipated investigation, must be preserved. In fact, under Sarbanes-Oxley Section 802, a US court may impose a prison sentence of up to 20 years on a defendant who has destroyed a document in contemplation of a federal investigation or proceeding, even one that has not yet begun.
There is now a shift towards stronger corporate governance both here and overseas. The challenges of data storage and retrieval, and of knowing who is accessing what over the network, will demand much tighter control and management.
Oliver Descoeudres is marketing manager at NetStar Australia, an IP network infrastructure builder and solutions provider. He can be contacted on 02 9805 9759.
This article was first published in Technology & Business magazine.