The public uproar that resulted from the financial scandals of Enron, WorldCom, and other US companies prompted the creation of the Sarbanes-Oxley Act of 2002.  This act, often referred to as “SOX”, was enacted with the intention of bringing about some degree of protection for shareholders and employees when accounting errors or fraudulent practices occur in US corporations.  SOX has arguably been one of the most costly pieces of legislation for corporations in the modern era: literally billions of dollars have been spent in order for businesses to comply with the regulations outlined in SOX.

A few examples of these regulations include:

  • Defines what business records are to be stored for audit purposes.  These records include both printed and electronic documents that reference any audit, review, notices or opinions regarding financial data for a corporation.
  • Outlines how long the business records should be kept for audit purposes.  SOX stipulates that accountants and businesses must store records for a period of 5 years, based on the business’ fiscal year cycles.
  • Establishes fines or prison sentences for corporations that do not comply with SOX guidelines.   The prison sentences would not exceed 20 years.  Fines can be in the millions of dollars, depending on whether the audit determines the offenses were committed willfully or unwittingly.
  • SOX applies primarily to US corporations that are registered with the Securities and Exchange Commission.  However, global organizations that conduct business with countries such as the United States are also required to comply with SOX.
  • The audit process for SOX compliance is conducted by the corporation's accounting firm or by an independent auditing company.

While it is very obvious that SOX has dramatically affected accounting practices, SOX compliance has had an equal (arguably greater) impact on IT operations at most medium to large corporations.

  • First, IT groups must have the mechanisms and capacity in place to store and archive SOX-related data.
  • IT groups must also review all correspondence that must be stored to ensure the appropriate identifying information is on the documents.  This could include date or time stamps, author name(s), intended audiences, and the actual contents of the documentation.  For example, if corporate emails were stored for only one or two years before destruction, mail servers would need to be altered to retain financial-related emails.  Alternatively, the persons who author or manage the financial emails must change their procedures to retain the information using other SOX-compliant storage measures.
  • The method used for printed document and electronic data destruction must be properly outlined by the IT groups so that SOX auditors know that the records are disposed of in a consistent and reliable manner.

For IT groups particularly, SOX has been a complex project to undertake.  With proper systems and controls in place, SOX compliance can be achieved while keeping the business operations running optimally.

David Peterson

David G. Peterson is a business consultant and author of Handling the Remedy. He has extensive international experience managing projects and operations for large financial institutions. He has worked in North America, Europe, the Middle East and Asia, skillfully managing business and technical requirements, core systems enhancement and support, merger and acquisition integrations, business process reengineering, off-shoring and outsourcing.