November 02, 2022 by Marko Dinic

The 2023 Quick Guide to SOX Compliance and Email Archiving

When it was enacted in 2002, the Sarbanes-Oxley Act (often abbreviated to Sarbox or SOX) was a landmark piece of legislation that heralded many changes to how businesses operate and preserve files.

This federal law set new, broader requirements for all public companies in the United States, but it also includes a number of provisions that apply to privately held organizations (for example, the criminal penalties for impeding a federal investigation by willfully destroying records).

Today, we’re going to look at SOX compliance and email archiving. Here’s what we’ll cover:

  • What is SOX compliance?
  • SOX compliance requirements
  • How information archiving fits into SOX

A Brief History of Sarbanes-Oxley

The Sarbanes-Oxley Act was created in response to a number of corporate fraud scandals and issues.

The biggest in the series of scandals that shook the US at the time, the Enron scandal was revealed in late 2001 and led to the bankruptcy of the Enron Corporation, an energy giant based in Houston, Texas.

The case also contributed to the downfall of Arthur Andersen, which was one of the five largest accountancy partnerships in the world at the time. In a nutshell, Enron used off-balance-sheet accounting to hide billions of dollars of debt from failed projects and deals, and its auditor signed off on the results.

To recover the confidence in the market, the US desperately needed serious reforms to their business legislation and practices. Enter SOX.

So what is SOX and what does it do? The Act is administered and enforced by the SEC (the US Securities and Exchange Commission). It regulates corporate financial reporting and sets rules for the preservation and safe-keeping of records, including electronically stored information (ESI) such as email and social media communications.

It is broad and complex, comprising 11 titles, several of which bear on record retention and, by extension, on how email must be handled.

What Changed with SOX?

SOX placed a greater responsibility on businesses to keep accurate financial records, but the main idea behind the legislation was to protect the public and shareholders against all fraudulent practices.

Sarbanes-Oxley compliance means that public organizations have to document and disclose their internal controls over financial reporting and their codes of ethics, and maintain oversight of the employee activities that affect those controls.

Although the bill is really about preventing corporate fraud, it has huge implications for data preservation and the archival of all enterprise information.

What SOX was aiming to bring to companies was greater market stability and a higher level of assurance over financial records.

In a practical sense, however, SOX forced companies to revise the way they handle internal communication, ensure proper handling of sensitive data and operate transparently.

Naturally, in the years following the Act, the market showed a growing demand for governance products that would satisfy this complex regulatory compliance.

Understanding Compliance: 11 pillars of SOX

The Sarbanes-Oxley Act revolves around 11 major elements, covering everything from corporate board responsibilities to criminal penalties. In brief, these 11 elements cover:

1. Public Company Accounting Oversight Board (PCAOB)
This title creates an independent board that registers and oversees the public accounting firms that provide audit services to public companies (“auditors”).

2. Auditor Independence
The second title restricts audit firms from providing certain non-audit services, such as consulting, to the companies they audit, to avoid conflicts of interest.

3. Corporate Responsibility
Title III makes senior executives (notably the CEO and CFO) individually responsible for the accuracy and completeness of financial reports, which they must personally certify (Section 302).

4. Enhanced Financial Disclosures
The fourth title requires tighter internal controls over financial reporting (Section 404) and timely disclosure of any material changes in financial condition.

5. Analyst Conflicts of Interest
This element is focused on the conduct codes for securities analysts, requiring disclosures of any possible conflicts of interest.

6. Commission Resources and Authority
Title VI gives the SEC authority to censure or bar professionals from practice before it and defines the conditions under which such actions can be taken.

7. Studies and Reports
This title mandates studies and reports, including one on the effects of consolidation among public accounting firms, aimed at understanding and preventing earnings manipulation and the masking of actual financial conditions.

8. Corporate and Criminal Fraud Accountability
Title VIII describes criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing protection for whistleblowers.

9. White Collar Crime Penalty Enhancement
This title increases penalties for white-collar crimes and makes knowingly certifying a false financial report a criminal offense (Section 906).

10. Corporate Tax Returns
This title states that a corporation’s federal income tax return should be signed by its CEO.

11. Corporate Fraud Accountability
Finally, the eleventh element recognizes corporate fraud and record tampering as serious criminal offenses and states the penalties for the offenders.


How Does Data Governance Make SOX Compliance Easier?

SOX compliance has had a heavy impact on two parts of organizations that may or may not have a particularly strong working relationship – the IT department and financial professionals, including accountants and many others.

Had SOX been passed 50 years ago, the recordkeeping process – the aspect most tied to a modern company’s IT department – would have involved a lot of duplication, paperwork and filing but little else. The current era of business demands a different style and approach.

The importance of IT
Consistent, strong and proactive data governance goes a long way toward meeting the many SOX requirements. Because SOX legislates the types of records required for retention and the period over which they must be kept, businesses need to both develop and implement an effective strategy for holding onto these important documents and retrieving them.

The IT department is critical to the success of SOX data retention strategies, but this important need may be overshadowed by the financial components of the law.

The role of data governance and a holistic SOX compliance strategy
Using a holistic approach to information management – in other words, data governance – can provide major benefits in terms of SOX compliance. When organizations fully integrate the IT team as a part of the larger business organism and treat it as an asset, as opposed to the traditional strategy of setting IT off in its own sphere, they can more fully integrate operations and get everyone involved with compliance projects on the same page.

Full integration of the IT department into a company is especially helpful when a strategy needs changing or systems related to records management and email archiving solutions require expansion, change or updates.

Today, IT departments lead the implementation of technology solutions that aid in SOX compliance and play a role in policy development as well. With the amount of SOX-eligible data growing each day, it’s crucial to include the IT department in regulatory efforts and use the best possible software and platforms to effectively and securely manage that information.

SOX Compliance Archiving Requirements

Although SOX notoriously lacks specificity in terms of clear guidelines about how organizations should retain records, the management of email is a fundamental element of SOX compliance.

Section 802 outlines the types of records that must be retained. The statute itself sets a five-year retention period for audit and review records; the SEC’s implementing rule (Regulation S-X Rule 2-06) extended this to seven years, which is the figure most organizations plan around. Here’s a quick, 3-point overview of record retention within Sarbanes-Oxley.

  • Section 802(a) – addresses the unlawful and deliberate alteration, destruction or falsification of records. Whenever you read any overview of SOX, there are two things that are always mentioned. One is Enron and the other is the punishment for knowingly altering, falsifying or destroying documents to impede a federal investigation: “fined, imprisoned for not more than 20 years, or both”. The reason you always hear about the punishment is because it’s so severe. To avoid it, organizations need to ensure that records are kept securely and in an unalterable format, ideally using an email archiving solution.
  • Section 802(a)(1) – sets the retention period for audit and review documents at 5 years from the end of the fiscal period in which the audit or review was concluded (7 years under the SEC rule). As email and other electronic records fall within the Act’s definition of relevant documents, your email retention strategy needs to keep them for at least that long.
  • Section 802(a)(2) – defines the documents relevant to an audit or review, including “workpapers and other documents that form the basis of the audit or review of an issuer’s financial statements, and memoranda, correspondence, communications, other documents, and records (including electronic records)”. The key point here is the explicit reference to “electronic records”. The statutory text addresses records kept in connection with an audit; in practice, organizations treat the email that feeds financial reporting as falling within the same scope, so it is subject to the Act’s retention and anti-tampering provisions.

How Information Archiving Keeps You SOX-Compliant

The implementation of secure information archiving systems has proved to be the most straightforward way to ensure your compliance with Sarbanes-Oxley.

An archiving solution can be an on-premises appliance or a cloud-based service that automatically captures emails, attachments, social media posts, text messages and other mobile content together with their metadata.

Metadata is relevant because it provides the context of each message ‒ who sent what to whom, when and through which channel. It’s a must-have for ediscovery, all forms of regulatory compliance and resolving internal disputes.

Once captured, the unstructured data is indexed and stored in a tamper-evident, write-once (WORM) format for the specified retention period.

Archiving software also indexes the data so that users can search and retrieve very large volumes quickly, and encrypts it at rest and in transit to limit the impact of theft or a data breach.

Information archiving technology provides several SOX compliance-related benefits.

  1. Firstly, it allows your administrators and compliance officers to locate any electronic record (email, attachment, word file, PDF, social media post, mobile call log, text or IM message) in vast amounts of data.
  2. It also allows you to fully automate the record retention process by specifying the life-span of data, which can then be deleted in bulk after the retention period expires.
  3. It prevents unauthorized access to your archived data by allowing you to segregate users, assign different permission levels and roles to personnel and restrict access to business-critical records.
  4. Finally, the WORM format in which the information is stored prevents tampering and spoliation of evidence.

In order for CEOs, CFOs, compliance officers and auditors to provide financial reports in a timely manner, all your electronic information needs to be unified, available and, above all, searchable.

A central repository that an archiving solution offers prevents your ESI from being scattered across servers, devices and bulky PST files and removes the risk of relying on external servers and software solutions.

In addition, integrity verification features (typically a cryptographic hash of each record, chained to or signed together with the previous records at ingestion) let you prove to regulators, auditors and investigators that your archived data has remained unchanged since capture.
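The following is an added example, not code from the original article or from any archiving product: a small Python model of what the integrity verification, WORM storage and retention automation described above amount to. Each captured message is hashed, chained to the previous record and stored as an immutable object; verification recomputes the chain to detect altered, deleted or reordered records; a disposal routine computes expiry as the retention period after the end of the fiscal year and honors legal holds. The sample messages, the calendar fiscal year and the seven-year default are constructed assumptions.

```python
"""Tamper-evident, append-only message archive with retention expiry (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import date
from typing import Collection, Sequence

GENESIS = "0" * 64       # previous-hash value for the first record in the chain
RETENTION_YEARS = 7      # assumed policy default, the SEC Rule 2-06 figure discussed above


@dataclass(frozen=True)  # frozen: a record cannot be modified once created (WORM semantics)
class ArchivedMessage:
    seq: int                    # position in the chain; a gap reveals a deleted record
    message_id: str
    sender: str
    recipients: tuple[str, ...]
    sent: str                   # ISO-8601 date the message was sent
    body: str
    prev_hash: str              # digest of the previous record (GENESIS for the first)
    digest: str                 # SHA-256 over every field above, in canonical form


def _digest(fields: dict) -> str:
    """Hash record content in a canonical (sorted keys, no whitespace) JSON encoding."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _content(rec: ArchivedMessage) -> dict:
    """Every field except the digest itself, i.e. what the digest was computed over."""
    fields = asdict(rec)
    fields.pop("digest")
    return fields


class Archive:
    def __init__(self) -> None:
        self._records: list[ArchivedMessage] = []

    def ingest(self, message_id: str, sender: str, recipients: Sequence[str],
               sent: str, body: str) -> ArchivedMessage:
        """Append a captured message; its digest covers the previous record's digest."""
        prev_hash = self._records[-1].digest if self._records else GENESIS
        fields = dict(seq=len(self._records), message_id=message_id, sender=sender,
                      recipients=tuple(recipients), sent=sent, body=body, prev_hash=prev_hash)
        rec = ArchivedMessage(**fields, digest=_digest(fields))
        self._records.append(rec)
        return rec

    def records(self) -> tuple[ArchivedMessage, ...]:
        return tuple(self._records)        # read-only view; no delete or update API exists

    def verify(self) -> tuple[bool, str]:
        return verify_chain(self._records)


def verify_chain(records: Sequence[ArchivedMessage]) -> tuple[bool, str]:
    """Recompute the chain; report the first altered, missing or reordered record."""
    expected_prev = GENESIS
    for position, rec in enumerate(records):
        if rec.seq != position:
            return False, f"record missing or reordered at position {position}"
        if rec.prev_hash != expected_prev:
            return False, f"chain broken at seq {position}"
        if _digest(_content(rec)) != rec.digest:
            return False, f"content altered at seq {position}"
        expected_prev = rec.digest
    return True, "chain intact"


def disposal_date(rec: ArchivedMessage, years: int = RETENTION_YEARS) -> date:
    """Earliest date the record may be disposed of: `years` after the end of the fiscal
    year it was created in. Assumes a calendar fiscal year (an assumption)."""
    return date(date.fromisoformat(rec.sent).year + years, 12, 31)


def eligible_for_disposal(records: Sequence[ArchivedMessage], today: date,
                          legal_holds: Collection[str] = frozenset()) -> list[str]:
    """Message IDs past their retention period and not under a legal hold."""
    return [r.message_id for r in records
            if disposal_date(r) < today and r.message_id not in legal_holds]


def build_sample_archive() -> Archive:
    """Constructed sample messages (not real data)."""
    a = Archive()
    a.ingest("<1@example.com>", "cfo@example.com", ["auditor@example.com"],
             "2015-03-02", "Q4 close workpapers attached")
    a.ingest("<2@example.com>", "controller@example.com", ["cfo@example.com"],
             "2016-11-17", "Revised revenue recognition memo")
    a.ingest("<3@example.com>", "ceo@example.com", ["board@example.com"],
             "2022-08-09", "Section 302 certification draft")
    return a


def tampered_copy(archive: Archive, seq: int, new_body: str) -> list[ArchivedMessage]:
    """Simulate an insider editing a stored record in place, bypassing the ingest path."""
    recs = list(archive.records())
    recs[seq] = replace(recs[seq], body=new_body)   # new object; the digest is now stale
    return recs


if __name__ == "__main__":
    archive = build_sample_archive()
    print(archive.verify())
    print(verify_chain(tampered_copy(archive, 1, "Original revenue memo")))
    print(eligible_for_disposal(archive.records(), date(2024, 1, 1),
                                legal_holds={"<2@example.com>"}))
```

Two caveats a practitioner should keep in mind. A hash chain only proves that a prefix of the archive is intact: if an attacker truncates the newest records, nothing inside the chain reveals it, so the head digest must be anchored outside the archive (signed and timestamped, published, or written to separate WORM media) on a schedule. And immutability in software is only as strong as the access controls around it; the frozen record here stops accidental edits, but the storage layer and the administrative accounts that can reach it are what a SOX auditor will actually examine.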

5 Steps to SOX Compliance

Here’s a list of steps to follow to get fully compliant with SOX.

1. Understand the background
Good news! Since you’ve made it this far, you have taken the first step towards ensuring SOX compliance. Now that you know what SOX is, and more importantly, why it matters for your company and how information archiving can help, you’re ready to move to some specific steps. The next step is to analyze your technical capabilities.

2. Assess your technology
In practice, SOX forced organizations to revise the way they handle online communication (outbound, inbound and internal) and ensure proper handling of sensitive digital data. In the years following the Act, email archiving emerged as the standard way for organizations to meet SOX record-keeping requirements.

Consequently, the logical second step is to turn your attention to your existing IT solution.

  • Look at how you are storing your information, how it is distributed and check how secure your network is.
  • Are you already archiving email?
  • Are you satisfied with your solution?

Sarbanes-Oxley penalizes the alteration, manipulation or destruction of records, so in practice digitally stored information must be kept in a format that prevents exactly that – do you have the controls and procedures in place to guarantee it?

3. Choose an archiving solution
There are now many technical solutions that can enhance security and help you comply with data retention laws. The key lies in finding an email archiving solution that stores your information securely and allows data to be retrieved but not deleted, altered or damaged before its retention period ends. Before choosing an email archiving solution for your organization, check its hardware and software features and make sure it’s compatible with your mail platform.

4. Implementation
Choosing your data solution isn’t the end of your SOX compliance strategy.

During the implementation stage, you need to watch for any risks of data being lost or corrupted as it is migrated into the new system.

Many organizations are reluctant to change their existing data archiving system because they worry about the risks associated with migration, which is why you should always look for archiving companies that provide assistance during data ingestion.

5. Management
Remember that compliance is an ongoing process.

Continuously assessing security risks and managing your information is the best way to ensure you’re fully compliant.

With email archiving in place, you’ll be able to identify potential risks before they become actual issues. If you are tasked with monitoring your company’s compliance, or if it’s something you do on a regular basis, you already understand the importance of SOX compliance.

And finally, remember that every business is different. This means compliance strategies can vary, but the steps you take from understanding the legislation to monitoring the archiving process will remain the same.

Putting into Practice: How to Handle SOX Compliance with the Help of Email Archiving

Because the Act forced companies to revise how they handle internal communication and sensitive data, the years that followed saw growing demand for SaaS (software as a service) products that could satisfy this complex regulatory compliance. Among the available options, email archiving emerged as the most direct way for companies to meet the record-keeping needs of the SOX Act.

Why is that so?

Email Archiving Benefits in the SOX Context

  1. Simplification of the ediscovery process ‒ crucial for the timely provision of financial reports by company directors and internal auditors.
  2. Data storage centralization ‒ removes the risk of relying on scattered external servers and ad hoc software.
  3. Individual accountability ‒ role-based access, audit trails and per-user retention policies support the SOX provisions that hold named executives personally responsible.
  4. Simple and safe restore functions ‒ straightforward backup and recovery in case of technical failure.
  5. Transparent communication ‒ supported by easy data tracking, indexing and archiving, equally important for legal discovery and for preventing data manipulation.

Failing to comply with Sarbanes-Oxley Act can bring a range of severe consequences for any business, from higher risks of financial misstatements, operational and financial sanctions and penalties to major negative capital market reactions.

With archiving software in place, both the responsible individuals and the company as a whole can meet SOX email retention requirements.

SOX Compliance FAQ

What are the 4 controls of SOX?

SOX itself does not enumerate IT controls, but auditors commonly group the IT general controls a company must establish into four areas: access control (physical and electronic controls preventing unauthorized users from viewing or changing sensitive financial information), IT security (controls to prevent data breaches and the tooling to detect and remediate incidents when they occur), data backups (maintaining backup systems that protect sensitive data and can be restored), and change management (the ability to add users and systems, update and install software and change the data infrastructure, while keeping an auditable record of what changed, when and by whom).

Who regulates SOX?

The Sarbanes-Oxley Act (SOX) is regulated by the US Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). The SEC governs financial reporting and corporate governance for publicly traded companies while the PCAOB regulates audit firms. They ensure SOX compliance across all publicly traded companies.

Is SOX compliance mandatory?

SOX compliance is mandatory for every publicly traded US company and for some provisions also applies to private companies. Not complying with SOX regulations can have serious legal and financial consequences for the company.

What happens if you are not SOX compliant?

Not being compliant with SOX can result in penalties for your organization. These include fines, delisting from public stock exchanges, or even imprisonment for the responsible individuals. The severity of the penalties depends on whether you knowingly and purposely failed to meet the SOX requirements, willfully submitted a non-compliant report, or your organization simply failed to comply.

Is SOX only for public companies?

No, SOX doesn’t only apply to public companies. Some provisions apply to privately held companies (and nonprofits) too, chiefly the criminal penalties for intentionally destroying, altering or falsifying documents to influence a federal agency investigation (Section 802) and for retaliating against someone who provides a law enforcement officer with information relating to a federal offense (Section 1107). In short, private companies don’t have to follow the financial reporting requirements, but they are subject to these penalties.

Jatheon specializes in large-scale email, social media and mobile communications archiving for regulated industries. Check out our on-premises solution to support your SOX compliance program.
About the Author
Marko Dinic
As Jatheon’s CEO, Marko Dinic oversees new business development and has a leadership role in shaping the company’s vision, strategy, and product development. Outside work, he loves visiting places off the beaten path, investing, and space travel.
