The 2021 Quick Guide to SOX Compliance and Email Archiving

January 04, 2021 by Jatheon

When it was enacted in 2002, the Sarbanes-Oxley Act (often abbreviated to Sarbox or SOX) was a landmark piece of legislation that heralded many changes to how businesses operate and preserve files.

This federal law set new, broader requirements for all public companies in the United States, but included a number of provisions that apply to privately held organizations too (e.g. the part about impeding federal investigation by willful destruction of evidence).

Today, we’re going to look at SOX compliance and email archiving. Here’s what we’ll cover:

  • What is SOX compliance?
  • SOX compliance requirements
  • How information archiving fits into SOX

A Brief History of Sarbanes-Oxley

The Sarbanes-Oxley Act was created in response to a number of corporate fraud scandals and issues.

The biggest in the series of scandals that shook the US at the time, the Enron scandal was revealed in late 2001 and led to the bankruptcy of the Enron Corporation, an energy giant based out of Texas.

The case also contributed to the downfall of Arthur Andersen, which was one of the five largest accountancy partnerships in the world at the time. In a nutshell, Enron hid billions worth of debt in their accounts from failed projects and deals.

To recover the confidence in the market, the US desperately needed serious reforms to their business legislation and practices. Enter SOX.

So what is SOX and what does it do? The SEC (the US Securities and Exchange Commission) is responsible for implementing and enforcing the Act. SOX governs how corporations keep and certify their financial documentation, and the SEC rules made under it set the requirements for the preservation and safekeeping of electronically stored information (ESI), including email and, by extension, other business communications such as social media messages.

It is very broad and complex, comprising 11 titles, several of which bear on record keeping and therefore on email retention.

What Changed with SOX?

SOX placed a greater responsibility on businesses to keep accurate financial records, but the main idea behind the legislation was to protect the public and shareholders against all fraudulent practices.

Sarbanes-Oxley compliance means that public organizations have to carefully document and disclose their internal audit controls and codes of ethics, and maintain oversight of the employee activity that feeds into financial reporting.

Although the bill is really about preventing corporate fraud, it has huge implications for data preservation and the archival of all enterprise information.

What SOX was aiming to bring to companies is a greater market stability and higher security levels.

However, in a practical sense, the Act forced companies to revise the way they handle their internal communication, guarantee sensitive data handling and provide transparent business operation.

Naturally, in the years following the Act, the market showed a growing demand for governance products that would satisfy this complex regulatory compliance.

SOX Archiving Requirements

Section 802 does not prescribe how an organization should retain records, but it does two things: it requires auditors to retain the records relevant to an audit or review, and it makes knowingly altering, destroying or concealing records in order to obstruct a federal investigation a criminal offense. The statute itself sets a five-year retention period for audit workpapers; the SEC's implementing rule (Rule 2-06 of Regulation S-X, the "Final Rule" referred to below) extends this to seven years, which is the figure usually quoted as the SOX retention period.

In line with the Final Rule, the auditor needs to retain records that are relevant to the audit or review, including:

“workpapers and other documents that form the basis of the audit or review of an issuer’s financial statements, and memoranda, correspondence, communications, other documents, and records (including electronic records).”

These records need to meet two criteria. The materials must:

  • (1) be created, sent or received in connection with the audit or review, and
  • (2) contain conclusions, opinions, analyses, or financial data related to the audit or review.

This sparked the need for businesses to create strict policies regarding the retention of electronic records.

How Information Archiving Keeps You SOX-Compliant

The implementation of secure information archiving systems has proved to be the most straightforward way to ensure your compliance with Sarbanes-Oxley.

An archiving solution can be an on-premises appliance or a cloud-based service that automatically captures emails, attachments, social media posts, text messages and other mobile content together with their metadata.

Metadata is relevant because it provides the information about each message ‒ who sent what to whom, when and through what channels. It’s a must-have for eDiscovery, all forms of regulatory compliance and solving internal employee conflicts.

Once captured, the unstructured data is indexed and stored in a write-once, tamper-evident format for a specified period of time, so that any later alteration or deletion is detected rather than silently succeeding.

Archiving software also indexes the data so that users can search and retrieve very large volumes of it quickly. It should also encrypt data at rest and in transit, so that a stolen disk, a backup tape or an intercepted transfer does not expose message contents.

Information archiving technology provides several SOX compliance-related benefits.

  1. Firstly, it allows your administrators and compliance officers to locate any electronic record (email, attachment, word file, PDF, social media post, mobile call log, text or IM message) in vast amounts of data.
  2. It also allows you to fully automate the record retention process by specifying the life-span of data, which can then be deleted in bulk after the retention period expires.
  3. It prevents unauthorized access to your archived data by allowing you to segregate users, assign different permission levels and roles to personnel and restrict access to business-critical records.
  4. Finally, the WORM format in which the information is stored prevents tampering and spoliation of evidence.

In order for CEOs, CFOs, compliance officers and auditors to provide financial reports in a timely manner, all your electronic information needs to be unified, available and, above all, searchable.

A central repository that an archiving solution offers prevents your ESI from being scattered across servers, devices and bulky PST files and removes the risk of relying on external servers and software solutions.

In addition, integrity verification functionalities offer additional safety and prove to regulators, auditors and investigators that your archived data has remained unchanged.
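The integrity verification, WORM storage and retention expiry described above are stated only as features. The following Python script is an added example, not Jatheon's product code and not from the original article; it shows one way a tamper-evident archive index can work: each captured message's metadata is recorded next to a SHA-256 hash that is chained to the previous record, so that editing, replacing or deleting any archived message breaks every later link and is reported by a verification pass, while a retention helper flags records whose period has run so they can be deleted in bulk. The three sample messages, the seven-year retention constant and all names (`Archive`, `Record`, `demo`) are constructed assumptions for this example.

```python
"""Tamper-evident email archive index (added example, not a product's code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.utils import parsedate_to_datetime

GENESIS = "0" * 64                    # link hash assumed "before" the first record
RETENTION = timedelta(days=7 * 365)   # assumed retention period (seven years)

# Constructed sample messages (not real traffic): RFC 5322 headers with timezone-aware dates.
SAMPLE_MESSAGES = [
    (b"From: cfo@example.com\r\nTo: auditor@example.com\r\n"
     b"Date: Fri, 04 Jan 2013 09:00:00 +0000\r\nMessage-ID: <q4-2012@example.com>\r\n"
     b"Subject: Q4 reconciliations\r\n\r\nAttached are the Q4 reconciliations.\r\n"),
    (b"From: auditor@example.com\r\nTo: cfo@example.com\r\n"
     b"Date: Mon, 07 Jan 2019 10:30:00 +0000\r\nMessage-ID: <review-2018@example.com>\r\n"
     b"Subject: Review comments\r\n\r\nTwo adjustments are needed before sign-off.\r\n"),
    (b"From: cfo@example.com\r\nTo: auditor@example.com\r\n"
     b"Date: Tue, 08 Jan 2019 08:15:00 +0000\r\nMessage-ID: <review-2018-r1@example.com>\r\n"
     b"Subject: Re: Review comments\r\n\r\nAdjustments posted; revised figures attached.\r\n"),
]


@dataclass(frozen=True)
class Record:
    seq: int
    message_id: str
    sender: str
    recipients: str
    received: datetime
    content_hash: str   # SHA-256 of the raw message bytes
    prev_hash: str      # link hash of the previous record (GENESIS for the first)
    link_hash: str      # SHA-256(prev_hash || content_hash)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def link(prev_hash: str, content_hash: str) -> str:
    return sha256_hex((prev_hash + content_hash).encode("ascii"))


class Archive:
    """Append-only index plus blob store; nothing is meant to be updated in place."""

    def __init__(self) -> None:
        self.records: list[Record] = []
        self.blobs: dict[str, bytes] = {}   # content_hash -> raw message bytes

    def capture(self, raw: bytes) -> Record:
        """Store a message and chain its hash to the previous record."""
        msg = message_from_bytes(raw)
        content_hash = sha256_hex(raw)
        prev_hash = self.records[-1].link_hash if self.records else GENESIS
        rec = Record(
            seq=len(self.records),
            message_id=msg.get("Message-ID", "").strip(),
            sender=msg.get("From", ""),
            recipients=msg.get("To", ""),
            received=parsedate_to_datetime(msg["Date"]),
            content_hash=content_hash,
            prev_hash=prev_hash,
            link_hash=link(prev_hash, content_hash),
        )
        self.records.append(rec)
        self.blobs[content_hash] = raw
        return rec

    def verify(self) -> list[int]:
        """Seq numbers of records whose stored bytes or chain link no longer check out."""
        broken = []
        expected_prev = GENESIS
        for rec in self.records:
            raw = self.blobs.get(rec.content_hash)
            intact = (
                raw is not None
                and sha256_hex(raw) == rec.content_hash          # bytes unchanged
                and rec.prev_hash == expected_prev               # nothing removed before it
                and rec.link_hash == link(expected_prev, rec.content_hash)
            )
            if not intact:
                broken.append(rec.seq)
            expected_prev = rec.link_hash
        return broken

    def expired(self, now: datetime) -> list[int]:
        """Seq numbers eligible for bulk deletion once the retention period has run."""
        return [r.seq for r in self.records if now - r.received >= RETENTION]


def demo() -> dict:
    """Build the archive, then show that both editing and deleting a record are detected."""
    archive = Archive()
    for raw in SAMPLE_MESSAGES:
        archive.capture(raw)
    result = {"intact": archive.verify(),
              "expired_2021": archive.expired(datetime(2021, 1, 4, tzinfo=timezone.utc))}
    # Tampering: silently "correct" the stored bytes of record 1.
    victim = archive.records[1]
    archive.blobs[victim.content_hash] = archive.blobs[victim.content_hash].replace(b"Two", b"No")
    result["after_edit"] = archive.verify()
    # Spoliation: drop record 1 from the index; record 2 now points at a link that is gone.
    del archive.records[1]
    result["after_delete"] = archive.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

Running it reports an intact chain and only the 2013 message as past retention, then flags record 1 after its bytes are edited and record 2 after record 1 is removed. A production archive would anchor the latest link hash somewhere the archive administrator cannot rewrite (a signed timestamp, a separate WORM volume or an external log), since a chain alone only proves consistency with whatever head value you trust.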

5 Steps to SOX Compliance

Here’s a list of steps to follow to get fully compliant with SOX.

1. Understand the background
Good news! Since you’ve made it this far, you have taken the first step towards ensuring SOX compliance. Now that you know what SOX is, and more importantly, why it matters for your company and how information archiving can help, you’re ready to move to some specific steps. The next step is to analyze your technical capacities.

2. Assess your technology
In practice, Sarbanes-Oxley forced organizations to revise the way they handle online communication (outbound, inbound and internal) and ensure proper handling of sensitive digital data. In the years following the Act, email archiving emerged as the most practical way for organizations to meet the record-retention side of SOX compliance.

Consequently, the logical second step is to turn your attention to your existing IT solution.

  • Look at how you are storing your information, how it is distributed and check how secure your network is.
  • Are you already archiving email?
  • Are you satisfied with your solution?

Sarbanes-Oxley makes altering, destroying or concealing records a criminal offense (Section 802), and the SEC's implementing rules expect retained records to be kept in a form that prevents them from being altered, manipulated or destroyed during the retention period – so do you have the procedures and storage in place to guarantee this?

3. Choose an Archiving Solution
There are now many technical solutions that can enhance security and help you ensure compliance with data retention laws. The key lies in finding an email archiving solution that archives your information securely and allows data to be retrieved but not deleted, altered or damaged. Before choosing an email archiving solution for your organization, don’t forget to check its hardware and software features and make sure it’s compatible with your mail platform.

4. Implementation
Choosing your data solution isn’t the end of your SOX compliance strategy.

During the implementation stage, you need to watch for any risks of data being lost or corrupted as it is migrated into the new system.

Many organizations are reluctant to change their existing data archiving system because they worry about the risks associated with migration, which is why you should always look for archiving companies that provide assistance during data ingestion.

5. Management
Remember that compliance is an ongoing process.

Continuously assessing security risks and managing your information is the best way to ensure you’re fully compliant.

With email archiving, you’ll be able to identify potential risks before they become actual issues. If you are tasked with monitoring your company’s compliance or if it’s something you do on a regular basis, there’s no doubt you understand the importance of SOX compliance.

And finally, remember that every business is different. This means compliance strategies can vary, but the steps you take from understanding the legislation to monitoring the archiving process will remain the same.

Understanding Compliance: 11 pillars of SOX

The Sarbanes-Oxley Act revolves around 11 major elements, covering everything from corporate board responsibilities to criminal penalties. In brief, these 11 elements cover:

1. Public Company Accounting Oversight Board (PCAOB)
This element creates an independent board, overseen by the SEC, to register, inspect and discipline the public accounting firms that audit public companies ("auditors").

2. Auditor Independence
The second element restricts auditing companies from providing non-audit services, such as consulting, to the same clients.

3. Corporate Responsibility
Title III imposes individual responsibility of senior executives for the accuracy of financial reports.

4. Enhanced Financial Disclosures
The fourth element asks for the tighter internal controls for the sake of providing timely reporting of any relevant changes in financial condition.

5. Analyst Conflicts of Interest
This element is focused on the conduct codes for securities analysts, requiring disclosures of any possible conflicts of interest.

6. Commission Resources and Authority
Title VI gives the SEC the authority to censure professionals or bar them from practising before it, and defines the conditions under which such action can be taken.

7. Studies and Reports
This element deals with the effect of consolidation of public accounting firms, aiming to prevent the manipulation of earnings and masking of actual financial conditions.

8. Corporate and Criminal Fraud Accountability
Title VIII describes criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing protection for whistleblowers.

9. White Collar Crime Penalty Enhancement
Title IX raises the penalties for mail and wire fraud and, in Section 906, requires the CEO and CFO to certify periodic financial reports, making it a criminal offense to knowingly certify a report that does not comply with the Act.

10. Corporate Tax Returns
This element expresses the sense of the Senate that the CEO should sign the company's federal income tax return.

11. Corporate Fraud Accountability
Finally, the eleventh element recognizes corporate fraud and record tampering as serious criminal offenses and states the penalties for the offenders.

Putting into Practice: How to Handle the SOX Compliance with the Help of Email Archiving

As noted above, the Act forced companies to revise the way they handle their internal communication, guarantee sensitive data handling and provide transparent business operation, and in the years that followed the market showed a growing demand for governance products, including SaaS (software as a service) offerings, that would satisfy this complex regulatory compliance.

Among various options, Email Archiving emerged as the optimal solution that can help companies meet the needs of SOX Act.

Why is that so?

Email Archiving Benefits in the SOX Context

  1. Simplification of the eDiscovery process ‒ crucial for the provision of timely financial reports by company directors and internal auditors.
  2. Data storage centralization ‒ removes the risk of relying on external servers and software solutions.
  3. Per-user roles and permissions ‒ supporting the SOX provisions that assign individual responsibility to named executives and compliance staff.
  4. Simple and safe Restore functions ‒ provide data safety and easy backup & recovery processes in cases of technical issues.
  5. Transparent communication ‒ supported by easy data tracking, indexing and archiving, equally important for legal discovery and prevention of data manipulation.

Failing to comply with the Sarbanes-Oxley Act can bring a range of severe consequences for any covered company, from a higher risk of financial misstatements, through operational and financial sanctions and penalties, to major negative capital market reactions.

With a simple software tool, both responsible individuals and companies as a whole can meet the SOX regulatory compliance.

[Infographic: Email Archiving and SOX - What you need to know]

Now that you know why SOX compliance matters and how email archiving fits into the equation, here are some useful guides to help you get started with your strategy:

Email Archive Migration: Challenges, Best Practices and Solutions
Why You Need a Fourth-Generation Email Archiving Solution
