Ten questions about Sarbanes-Oxley compliance

Imagine this scenario: You are a CIO at a publicly traded company in turmoil, and your chief financial officer was forced to resign at the end of last quarter after material weakness concerns were raised by your external auditors. Three months ago, the Securities and Exchange Commission got involved and launched a formal investigation, and your company is now constantly scrutinized. It's time for your CEO to report earnings, and it's not good news.

Now your general counsel adds more bad news. Under the Sarbanes-Oxley Act, your management must demonstrate that adequate internal controls have been established to safeguard confidential information from being compromised during the "blackout." With the rumor mill running rampant, you know the likelihood of an internal disclosure concerning earnings information is high.

However, you have no means to detect these communications if they are leaked in a Web mail or a post to an Internet bulletin board. Even if you could detect this, what information should you protect? Is there a blueprint compliance strategy that could be deployed in a way that could detect all electronic disclosures?

There are solutions available, but first you must understand Sarbanes-Oxley, how it affects your business and what information -- by law -- needs to be protected.

You and your CEO must know the answers to the following 10 questions in order to prepare and prove that you have deployed the right mix of internal controls:

1. What types of information must be protected by internal controls according to Sarbanes-Oxley?

Information should be considered nonpublic if it isn't widely disseminated to the general public, including electronic information. Unauthorized disclosure of nonpublic data is a violation of federal securities laws. This information should be protected, but it should also be monitored to ensure it isn't disclosed inappropriately.

Section 404 describes management's responsibility for building internal controls around the safeguarding of assets related to the timely detection of unauthorized acquisition, use or disposition of an entity's assets that could have a material effect on the financial statements. You need to demonstrate that you have the capabilities to monitor, detect and record electronic information disclosures.

2. Since so much nonpublic information is communicated beyond e-mail based on the Simple Mail Transfer Protocol, how can we build internal controls to adequately detect the timely disclosure of information flowing over Web mail, chat, or HTTP?

In today's networked world, it's not just about e-mail. Management can't ensure the truthfulness or accuracy of financial data if it doesn't have the means to monitor the movement of sensitive information across the entire corporate network 24 hours a day, seven days a week.

Demand more from technology. New products are available that can monitor electronic disclosure of nonpublic information and aren't limited to SMTP-based e-mail. These technologies can monitor, record and provide alerts on electronic disclosures by analyzing all information flowing over the corporate network from Web mail and chat to file transfer protocol and HTTP. This type of monitoring technology combined with a storage system that allows forensic searches into stored information can prove invaluable if an investigation is required.

3. What are the penalties for exposing nonpublic information?

The use of nonpublic information concerning a company or any of its affiliates (a.k.a. "inside information") in securities transactions ("insider trading"), may violate federal securities laws. Penalties can include:

  • Exposure to investigations by the SEC.
  • Criminal and civil prosecution.
  • Relinquishing profits realized or losses avoided through use of the information.
  • Penalties up to $1 million or three times the amount of any profits or losses, whichever is greater.
  • Prison terms of up to 10 years.

4. What action should a company take if nonpublic information is inappropriately exposed on its network?

If nonpublic information is inappropriately disclosed on your network, you must rapidly execute a response program to identify the extent of the exposure, assess the effect on the corporation and its customers, and notify all affected parties.

Section 409 of Sarbanes-Oxley mandates that companies publicly disclose additional information concerning material changes in the company's financial condition or operations. While Sarbanes-Oxley contains many reporting requirements, real-time identification of material changes and disclosures (the consensus being 48 hours) is the most significant challenge.

5. Who is personally liable if there is a compliance violation?

The CEO and the CFO must certify all financial statements filed with the SEC. The maximum penalty for Securities Exchange Act violations has increased to $5 million for individuals and $25 million for entities, as well as imprisonment of up to 20 years.

Section 802 of Sarbanes-Oxley states, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any records, documents, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any department or agency of the U.S. ... or contemplation of any such matter or case, shall be fined ... imprisoned not more than 20 years, or both."

6. How long is the "reach back" on compliance violations?

Section 804 of Sarbanes-Oxley extends the statute of limitations in private securities fraud actions to the earlier of two years after the discovery of the facts constituting the violation or five years from the violation.

7. Are there compliance strategies I can deploy to help prove due diligence if our company is investigated?

Today, an offensive rather than a defensive compliance program is important.

Deploy strategies that provide you with the evidentiary support you need when things go wrong. New network security appliances designed to capture and record all electronic communication can provide forensic capabilities with automated reporting that corresponds to compliance needs.

These solutions must be deployed within an overarching compliance strategy that aligns with the business to continuously:

  • Identify and monitor risks.
  • Establish effective internal controls.
  • Test the validity of the controls.
  • Support CEO and CFO certifications.
  • Conduct third-party audits.
  • Monitor for changes in risks, controls and compliance needs.
  • Adjust proactively, as needed.

8. What role should external auditors play in compliance?

The Public Company Accounting Oversight Board was created through the Sarbanes-Oxley Act to oversee the auditors of public companies. The board recently approved Auditing Standard No. 2, an audit of internal control over financial reporting conducted with an audit of financial statements. The new standard highlights the benefits of strong internal controls over financial reporting and furthers the objectives of Sarbanes-Oxley.

9. Will I need to prevent electronic disclosures from occurring?

No compliance program can ever prevent 100% of misconduct by corporate employees. Nor do the regulations state that you must prevent internal disclosures --including electronic disclosures -- from happening.

If investigated, you will need to show due diligence that you have the ability for an appropriate and rapid response to detect and deter misconduct that exposes your company to operational risk that may have a material effect on your business.

10. What happens if I am investigated?

Compliance programs should be designed to detect the particular types of operational risks most likely to occur in a corporation's lines of business. Management must be able to answer two fundamental questions:

  1. Is the corporation's compliance program well-designed?
  2. Does the corporation's compliance program work?

How does your story end?

Because you understood the connection between electronic disclosure and the need to monitor disclosure across your corporate network, you deployed technology that could monitor, analyze and store all communications for after-the-fact investigations. Every session traversing every network egress point was analyzed. The monitoring system that was put in place stored terabytes of information during the blackout period -- all retained in the event of an audit.

Your company sent an e-mail from the CEO to all employees specifically stating that the disclosure of earnings information during the blackout period wouldn't be tolerated.

On the first day, you detected 129 occurrences of the CEO's internal memo being leaked. Further investigation revealed that 16 employees also disclosed inappropriate information or traded stock during the blackout. You communicated with the general counsel, who was able to take the appropriate action to remediate the situation and report it according to compliance mandates. Your CEO kept his job.

A walk on the wild side?

Believe it or not, this case study wasn't just a walk on the wild side; it's based on events that are occurring inside many organizations. If you haven't evaluated the effectiveness of your internal controls in light of the new reality of electronic disclosure, start thinking about it. Don't wait for the first Sarbanes-Oxley convictions or for Standard & Poor's to downgrade your company's credit rating. These controls can be the difference between companies that recover from material weaknesses and companies that go bankrupt trying to bounce back. Don't just ask yourself the 10 questions above; take the answers to heart and begin applying them to your organization before it's too late.

Kim Getgen is vice president of strategy at Reconnex Corp., a provider of risk management and security products in Mountain View, Calif.

Copyright © 2005 IDG Communications, Inc.

Shop Tech Products at Amazon