Sarbanes-Oxley Act (SOX)


  • 8/2/2019 Sarbanes-Oxley Act (SOX)


    The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements.

    Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.

    The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

    FAQ: What is the impact of Sarbanes-Oxley on IT operations?

    The following sections of Sarbanes-Oxley contain the three rules that affect the management of electronic records. The first rule deals with destruction, alteration, or falsification of records.

    Sec. 802(a) "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

    The second rule defines the retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants.

    Sec. 802(a)(1) "Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded."

    The third rule refers to the type of business records that need to be stored: all business records and communications, including electronic communications.

    Sec. 802(a)(2) "The Securities and Exchange Commission shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review."

    http://searchfinancialsecurity.techtarget.com/definition/Securities-and-Exchange-Commission

    http://searchcompliance.techtarget.com/feature/FAQ-What-is-the-impact-of-Sarbanes-Oxley-on-IT-operations