Wednesday, 11 June 2008

SOX Problems

Based on recent client documents and engagements I have come to the determination that most companies do not understand that SOX requires more than compliance with §§ 302 and 404 for IT systems. Most would not even make it this far.

Two significant provisions of Sarbanes-Oxley are defined in §§ 802 and 1102 and codified, respectively, at 18 U.S.C. 1519 and 18 U.S.C. 1512(c). These provisions impose substantial criminal penalties on any individual or entity -- public or private -- for destruction of evidence or obstruction of justice regarding any actual or "contemplated" federal investigation, matter or official proceeding.

On Dec. 1, 2006, amendments to the Federal Rules of Civil Procedure were introduced to focus on the retention and production of electronically stored information. Courts, government regulators, public auditors and the plaintiffs' bar require increasingly sophisticated means of electronic discovery, covering issues such as metadata, keyword searching and forensic imaging. In turn, the demands for greater transparency in companies' policies and practices have intensified.

There is supporting case law for these provisions [see U.S. v. Ionia Management S.A., No. 3:07 CR 134, 2007 U.S. Dist. Lexis 91203 (D. Conn. Dec. 12, 2007) and U.S. v. Fumo, No. Crim. A. 06-319, 2007 U.S. Dist. Lexis 79454 (E.D. Pa. Oct. 26, 2007)].

I have not yet seen one company with SOX requirements that has an adequate data retention policy and associated process.

The Real-Time Disclosure (§ 409) reporting also requires the disclosure of legal risks. With the determination of the 2001 California case against Cisco and the subsequent introduction of security breach disclosure rules, it is legally mandated that SOX also encompasses monitoring.

Mistakes or omissions are addressed in § 906. This requires that data handling and error testing have actually been conducted. It is insufficient to state that a vendor product is used, as a number of companies have done.

Non-compliance with § 802 is the simplest breach. The US courts have determined that email is a business record. Two-week backup and retention cycles (as many clients are doing) are a breach of SOX and also of Australian legislation. This carries fines of up to $5,000,000 and imprisonment for up to 20 years (it is a criminal offence). I have not noted a current SOX client that is even considering this.
