Thursday, January 27, 2005

Sarbanes-Oxley - what is all the fuzz about?

The last couple of weeks I have been reading some articles about Sarbanes-Oxley and the impact it has on IT budgets. So what is Sarbanes-Oxley ( or in short SOX) all about? Sarbanes-Oxley is a US law with as main goal strengthening corporate governance standards and one of. This law establishes standards concerning corporate boards and audit committees and the way these company stakeholders do their company reporting. Sox consists of 11 sections of which the most important from an IT perspective seem to be sections 404 and section 302. In 2004 Sox was only relevant for those US companies in the accelerated filers list, starting from this year onwards SOX will become relevant for all companies listed on US stock exchanges (Indeed, also European companies - Price WaterHouse Coopers estimates that about 470 European companies will have to comply with SOX)

Summary of challenges
  • SOX requires executives and auditors to attest and sign off internal controls to ensure accurate financial reporting If you need to sign off something you better be sure that you are sure about the underlying data. You will need to conduct audits of your reporting process and need to ensure data quality.

  • Sarbanes-Oxley demands prudent record retention policies This means that emails of key employees within your company can not be simply deleted anymore. You need to devise strict retention periods and also abide these. These policies should not only apply to your emails but also to all "instant messaging" systems.


  • Ernst&Young did a survey a couple of months ago about the efforts that companies are putting in compliance with Sarbanes-Oxley (Download pdf). The two most interesting facts from a System Integrator standpoint are:
  • only half of the companies seem to have a technology platform in place to comply with SOX.

  • 80% of the companies surveyed are planning to implement control self assesment framework and dashboard reporting tools.


  • Lots of IT companies are already proposing their own technology platforms:
  • EMC proposes Documentum ApplicationXtender 5.2 - which will allow you to develop your own content retention modules in .Net

  • HP is working to extend the possibilities of their StorageWorks Reference Information Storage System (RISS)

  • Other companies working in the same area are CommVault, KVS and PermaBit Inc


  • The European Union is not planning to create a similar law for all members states, all individual countries will have to make their own legislations related to corporate governance. However I expect that in the next couple of months some EU guidelines will be put forward. In Belgium, we already have a similar framework in place with the Code Lippens(Article in Dutch).

    No comments: