Ten questions about Sarbanes-Oxley compliance
Computerworld -
Imagine this scenario: You are a CIO at a publicly traded company in turmoil, and your chief financial officer was forced to resign at the end of last quarter after material weakness concerns were raised by your external auditors. Three months ago, the Securities and Exchange Commission got involved and launched a formal investigation, and your company is now constantly scrutinized. It's time for your CEO to report earnings, and it's not good news.
Now your general counsel adds more bad news. Under the Sarbanes-Oxley Act, your management must demonstrate that adequate internal controls have been established to safeguard confidential information from being compromised during the "blackout." With the rumor mill running rampant, you know the likelihood of an internal disclosure concerning earnings information is high.
However, you have no means to detect these communications if they are leaked in a Web mail or a post to an Internet bulletin board. Even if you could detect this, what information should you protect? Is there a blueprint compliance strategy that could be deployed in a way that could detect all electronic disclosures?
There are solutions available, but first you must understand Sarbanes-Oxley, how it affects your business and what information -- by law -- needs to be protected.
You and your CEO must know the answers to the following 10 questions in order to prepare and prove that you have deployed the right mix of internal controls:
1. What types of information must be protected by internal controls according to Sarbanes-Oxley?
Information should be considered nonpublic if it isn't widely disseminated to the general public, including electronic information. Unauthorized disclosure of nonpublic data is a violation of federal securities laws. This information should be protected, but it should also be monitored to ensure it isn't disclosed inappropriately.
Section 404 describes management's responsibility for building internal controls around the safeguarding of assets related to the timely detection of unauthorized acquisition, use or disposition of an entity's assets that could have a material effect on the financial statements. You need to demonstrate that you have the capabilities to monitor, detect and record electronic information disclosures.
2. Since so much nonpublic information is communicated beyond e-mail based on the Simple Mail Transfer Protocol, how can we build internal controls to adequately detect the timely disclosure of information flowing over Web mail, chat, or HTTP?
In today's networked world, it's not just about e-mail. Management can't ensure the truthfulness or accuracy of financial data if it doesn't have the means to monitor the movement of
