Ten questions about Sarbanes-Oxley compliance

Kim Getgen, Reconnex
March 30, 2005 (Computerworld) -- Imagine this scenario: You are a CIO at a publicly traded company in turmoil, and your chief financial officer was forced to resign at the end of last quarter after material weakness concerns were raised by your external auditors. Three months ago, the Securities and Exchange Commission got involved and launched a formal investigation, and your company is now constantly scrutinized. It's time for your CEO to report earnings, and it's not good news.
Now your general counsel adds more bad news. Under the Sarbanes-Oxley Act, your management must demonstrate that adequate internal controls have been established to safeguard confidential information from being compromised during the "blackout." With the rumor mill running rampant, you know the likelihood of an internal disclosure concerning earnings information is high.
However, you have no means to detect these communications if they are leaked in a Web mail or a post to an Internet bulletin board. Even if you could detect this, what information should you protect? Is there a blueprint compliance strategy that could be deployed in a way that could detect all electronic disclosures?
There are solutions available, but first you must understand Sarbanes-Oxley, how it affects your business and what information -- by law -- needs to be protected.
You and your CEO must know the answers to the following 10 questions in order to prepare and prove that you have deployed the right mix of internal controls:
1. What types of information must be protected by internal controls according to Sarbanes-Oxley?
Information should be considered nonpublic if it isn't widely disseminated to the general public, including electronic information. Unauthorized disclosure of nonpublic data is a violation of federal securities laws. This information should be protected, but it should also be monitored to ensure it isn't disclosed inappropriately.
Section 404 describes management's responsibility for building internal controls around the safeguarding of assets related to the timely detection of unauthorized acquisition, use or disposition of an entity's assets that could have a material effect on the financial statements. You need to demonstrate that you have the capabilities to monitor, detect and record electronic information disclosures.
2. Since so much nonpublic information is communicated beyond e-mail based on the Simple Mail Transfer Protocol, how can we build internal controls that detect, in a timely way, disclosures of information flowing over Web mail, chat or HTTP?
In today's networked world, it's not just about e-mail. Management can't ensure the truthfulness or accuracy of financial data if it doesn't have the means to monitor the movement of sensitive information across the entire corporate network 24 hours a day, seven days a week.
Demand more from technology. New products are available that can monitor electronic disclosure of nonpublic information and aren't limited to SMTP-based e-mail. These technologies can monitor, record and provide alerts on electronic disclosures by analyzing all information flowing over the corporate network from Web mail and chat to file transfer protocol and HTTP. This type of monitoring technology combined with a storage system that allows forensic searches into stored information can prove invaluable if an investigation is required.
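As an added illustration of the content-monitoring approach described above (this is example code written for this page, not code from the original article or from Reconnex), the following Python script fingerprints a confidential memo with hashed word shingles and then scans captured Web mail, chat, FTP and HTTP sessions for verbatim or partial copies, the way the memo-leak detections in the article's closing scenario would surface. The memo text, the session contents, the user names and the thresholds are all constructed assumptions; a real deployment would feed the scanner from a network capture rather than from an inline list.

```python
import hashlib
import re
from dataclasses import dataclass

# Tunables (assumed values, not from the article): shorter shingles catch smaller
# excerpts but raise false positives; the ratio gate and the count gate work
# together so that a long chatty message quoting two lines still alerts while a
# single common phrase does not.
SHINGLE_WORDS = 6
MATCH_RATIO = 0.25
MIN_MATCHES = 3


def normalize(text):
    """Lowercase and tokenize on alphanumerics, so re-wrapped, re-quoted or
    re-punctuated copies of the memo yield the same word sequence."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(words, k=SHINGLE_WORDS):
    """Hash every k-word window; storing only hashes means the monitor never
    has to keep the protected text itself."""
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def build_fingerprint(document):
    return shingles(normalize(document))


@dataclass
class Alert:
    session_id: str
    channel: str
    user: str
    matched: int   # distinct protected shingles found in the session
    ratio: float   # share of the session's own shingles that are protected


def scan_sessions(fingerprint, sessions):
    """Return an Alert for every captured session whose content overlaps the
    protected document enough to count as a disclosure."""
    alerts = []
    for s in sessions:
        own = shingles(normalize(s["body"]))
        if not own:            # too short to fingerprint; nothing to compare
            continue
        hits = own & fingerprint
        ratio = len(hits) / len(own)
        if len(hits) >= MIN_MATCHES and ratio >= MATCH_RATIO:
            alerts.append(Alert(s["id"], s["channel"], s["user"], len(hits), round(ratio, 2)))
    return alerts


# Constructed sample memo standing in for the CEO's blackout-period notice.
MEMO = """
To all employees: Quarterly earnings information is nonpublic until the
release on the 15th. During the blackout period, no employee may disclose
revenue, margin or guidance figures to anyone outside the company, and no
employee may trade company stock. Violations will be reported to the
general counsel and may result in termination.
"""

# Constructed captures from several egress channels (not real traffic).
SESSIONS = [
    {"id": "s1", "channel": "webmail", "user": "jdoe",
     "body": "During the blackout period, no employee may disclose revenue, "
             "margin or guidance figures to anyone outside the company, and no "
             "employee may trade company stock."},              # verbatim copy
    {"id": "s2", "channel": "chat", "user": "asmith",
     "body": "lunch at noon? the new place on castro street is good"},  # benign
    {"id": "s3", "channel": "http", "user": "anon",
     "body": "FYI someone at the company just got this: 'no employee may disclose "
             "revenue, margin or guidance figures to anyone outside the company' "
             "- sounds like a bad quarter"},                    # partial quote
    {"id": "s4", "channel": "chat", "user": "bkim",
     "body": "heard earnings are going to be bad, don't buy any shares this week"},  # paraphrase
    {"id": "s5", "channel": "ftp", "user": "ops",
     "body": "quarterly numbers attached"},                    # too short to judge
]

if __name__ == "__main__":
    for a in scan_sessions(build_fingerprint(MEMO), SESSIONS):
        print(f"ALERT {a.session_id} {a.channel:8s} {a.user:8s} matched={a.matched} ratio={a.ratio}")
```

Run as written, the script alerts on the verbatim Web mail copy (s1) and on the bulletin-board post that quotes part of the memo (s3), and stays silent on the benign chat, the paraphrase and the three-word FTP note. The paraphrase (s4) is the important miss: shingling detects copied text, not leaked meaning, so it complements rather than replaces the blackout communication to employees the article describes.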
3. What are the penalties for exposing nonpublic information?
The use of nonpublic information concerning a company or any of its affiliates (a.k.a. "inside information") in securities transactions ("insider trading") may violate federal securities laws. Penalties can include:

  • Exposure to investigations by the SEC.

  • Criminal and civil prosecution.

  • Relinquishing profits realized or losses avoided through use of the information.

  • Penalties up to $1 million or three times the amount of any profits or losses, whichever is greater.

  • Prison terms of up to 10 years.

4. What action should a company take if nonpublic information is inappropriately exposed on its network?
If nonpublic information is inappropriately disclosed on your network, you must rapidly execute a response program to identify the extent of the exposure, assess the effect on the corporation and its customers, and notify all affected parties.
Section 409 of Sarbanes-Oxley mandates that companies publicly disclose additional information concerning material changes in the company's financial condition or operations. While Sarbanes-Oxley contains many reporting requirements, real-time identification of material changes and disclosures (the consensus being 48 hours) is the most significant challenge.
5. Who is personally liable if there is a compliance violation?
The CEO and the CFO must certify all financial statements filed with the SEC. The maximum penalty for Securities Exchange Act violations has increased to $5 million for individuals and $25 million for entities, as well as imprisonment of up to 20 years.
Section 802 of Sarbanes-Oxley states, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any records, documents, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any department or agency of the U.S. ... or contemplation of any such matter or case, shall be fined ... imprisoned not more than 20 years, or both."
6. How long is the "reach back" on compliance violations?
Section 804 of Sarbanes-Oxley extends the statute of limitations in private securities fraud actions to the earlier of two years after the discovery of the facts constituting the violation or five years from the violation.
7. Are there compliance strategies I can deploy to help prove due diligence if our company is investigated?
Today, an offensive rather than a defensive compliance program is important.
Deploy strategies that provide you with the evidentiary support you need when things go wrong. New network security appliances designed to capture and record all electronic communication can provide forensic capabilities with automated reporting that corresponds to compliance needs.
These solutions must be deployed within an overarching compliance strategy that aligns with the business to continuously:
  • Identify and monitor risks.

  • Establish effective internal controls.

  • Test the validity of the controls.

  • Support CEO and CFO certifications.

  • Conduct third-party audits.

  • Monitor for changes in risks, controls and compliance needs.

  • Adjust proactively, as needed.

8. What role should external auditors play in compliance?
The Public Company Accounting Oversight Board was created through the Sarbanes-Oxley Act to oversee the auditors of public companies. The board recently approved Auditing Standard No. 2, an audit of internal control over financial reporting conducted with an audit of financial statements. The new standard highlights the benefits of strong internal controls over financial reporting and furthers the objectives of Sarbanes-Oxley.
9. Will I need to prevent electronic disclosures from occurring?
No compliance program can ever prevent 100% of misconduct by corporate employees. Nor do the regulations state that you must prevent internal disclosures -- including electronic disclosures -- from happening.
If investigated, you will need to show due diligence: that you have the ability to respond appropriately and rapidly in order to detect and deter misconduct that exposes your company to operational risk that may have a material effect on your business.
10. What happens if I am investigated?
Compliance programs should be designed to detect the particular types of operational risks most likely to occur in a corporation's lines of business. Management must be able to answer two fundamental questions:
  1. Is the corporation's compliance program well-designed?

  2. Does the corporation's compliance program work?

How does your story end?
Because you understood the connection between electronic disclosure and the need to monitor disclosure across your corporate network, you deployed technology that could monitor, analyze and store all communications for after-the-fact investigations. Every session traversing every network egress point was analyzed. The monitoring system that was put in place stored terabytes of information during the blackout period -- all retained in the event of an audit.
Your company sent an e-mail from the CEO to all employees specifically stating that the disclosure of earnings information during the blackout period wouldn't be tolerated.
On the first day, you detected 129 occurrences of the CEO's internal memo being leaked. Further investigation revealed that 16 employees also disclosed inappropriate information or traded stock during the blackout. You communicated with the general counsel, who was able to take the appropriate action to remediate the situation and report it according to compliance mandates. Your CEO kept his job.
A walk on the wild side?
Believe it or not, this case study wasn't just a walk on the wild side; it's based on events that are occurring inside many organizations. If you haven't evaluated the effectiveness of your internal controls in light of the new reality of electronic disclosure, start thinking about it. Don't wait for the first Sarbanes-Oxley convictions or for Standard & Poor's to downgrade your company's credit rating. These controls can be the difference between companies that recover from material weaknesses and companies that go bankrupt trying to bounce back. Don't just ask yourself the 10 questions above; take the answers to heart and begin applying them to your organization before it's too late.
Kim Getgen is vice president of strategy at Reconnex Corp., a provider of risk management and security products in Mountain View, Calif.