everythingpossible - Fotolia


SOX compliance reliant on data governance strategy, with IT support

SOX compliance hinges on an effective data governance strategy, but much needed help is available from information technology tools and processes.

In July 2002, the United States government passed the Sarbanes-Oxley Act (SOX). SOX enhanced existing regulations and created new standards for U.S. public companies' boards of directors, executives, senior management and Certified Public Accounting firms. To be in compliance with SOX, executives and senior management must personally attest, in writing, to the completeness and accuracy of the financial information and reporting that is made available to regulators, shareholders and to the general public.

SOX also expanded boards of directors' oversight role, as well as that of external auditors. Additionally, SOX significantly increased both corporate and personal penalties for fraudulent financial activity. To understand the broad scope and significant gravity of SOX, one needs look no further than the now-fabled stories of Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, to name just a few.

In each of these situations, companies were subject to huge fines, while individuals paid enormous financial penalties and served significant time in prison (some are still there). But the biggest impact was felt when companies collapsed and public confidence in the U.S. securities market was shaken worldwide.

As enterprises continue to refine their data and document management policies, standards, practices and procedures to ensure compliance with SOX and other regulations, the associated operational challenges have been substantial. A 2013 white paper published by Canon Business Process Services included the following record management stats:

  • Enterprises spend 10% of revenue on document management, production and distribution.
  • Knowledge workers spend 20% of their work day looking for documents.
  • Knowledge workers find the data that they are looking for 50% of the time.

The emergence of data governance strategy

As the big data explosion continues to grow in terms of sources, volume, types and uses of information, remaining compliant with SOX has become increasingly challenging across many dimensions. The IDC's 2010 Digital Universe Study projects that by the year 2020, the amount of data that will require proactive management will increase by nearly 100 times its 2009 volume. Information governance (IG) has emerged as a discipline to support enterprise needs in both meeting these challenges and potentially exploiting the opportunities presented by new data management capabilities.

As with any form of governance, to be most effective, IG must be integrated within other existing and ongoing frameworks, policies, procedures and practices in use by the enterprise and/or lines of business, including the following:

  • Overall enterprise governance, especially where there are touch points with IT and/or operations
  • Overall IT governance, especially where there are touch points to data and/or information management
  • Master data management, if not already addressed above
  • Risk management and regulatory compliance, especially as related to roles and responsibilities (accountability framework and value creation)
  • Internal and external audit, especially as related to processes, standards and metrics
  • Finance, especially as related to financial reporting

Get by with a little help from your (IT) friends

There are several areas where technology will play a major role in enabling and supporting information governance and, in turn, SOX compliance:

Document and content management. Tools in this space generally provide the enterprise with secure and auditable workflow and/or process management capabilities that provide a good basis for a "single source of truth" for mission-critical documents.

Records management. A critical component of document and content management is data classification to determine records' retention and destruction lifecycle. Many records management technologies provide automated support to adhere to government regulations including SOX, ISO 15489 (records management), MoReq2 (Model Requirements for the Management of Electronic Records), DoD 5015.02 (Electronic Records Management Software Applications Design Criteria Standards), 21 CFR Part 11 (document management software to help life sciences organizations comply with FDA regulations), and many others.

Auto classification. Intelligent technology that scans text and automatically generates records management classification codes can yield significant savings in time and money. These tools also provide consistency that helps with content management, audits and regulatory compliance reviews.

Imaging. This refers to scanning technology that transforms paper documents into electronic images. Depending upon the industry and use case, paper documents can be destroyed once they are suitably imaged. Imaged content generally yields significant operational savings in paper-intense process management applications. Images are also much less expensive to store, search and retrieve than paper documents.

Optical character recognition (OCR). Generally an option or extended feature of imaging, OCR can turn a scanned document (which starts out as a picture) back into its original text. Once a document has been converted, it can be much more easily classified, read, searched and updated as needed. Text-based documents generally occupy less digital storage than images, adding an additional financial incentive to implementing OCR.

Archiving. Data archiving provides enterprise-level storage in a secure and scalable environment that is usually built to accommodate high volumes of documents at varying stages of their content management lifecycle. Archiving provides significant reduction in search and retrieval times, especially when satisfying e-discovery or proof-of-compliance requests. Archival systems are further cost-effective because of their use of advanced data compression, auto-disposal and auto-classification techniques, as well as the ability to automatically eliminate duplicate documents.

Information technology can clearly play a major role in enabling effective data governance that supports SOX compliance. But as always, there is no silver bullet to SOX compliance or information governance. Sound governance strategies start with good leadership and require communication, education and training.

Most importantly, collaboration across all aspects of the enterprise will ensure that when it comes to SOX-related information governance, everyone does the right things and all things are done right.

About the author:
Harvey Koeppel is the president of Pictographics Inc., a management and technology advisory and consulting services firm that has provided executive-level support to the financial services industry since 1979. Harvey is also vice chairman of the World BPO/ITO Forum, a leading industry association focused on advancing the adoption and effective use of outsourced products and services globally.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Next Steps

How IT security can take advantage of Sarbanes Oxley compliance processes

Consolidate SOX data retention, deletion schedules

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG