Sarbanes-Oxley Act Overview

What is the Sarbanes-Oxley Act

The Sarbanes-Oxley Act, commonly called SOX, sets forth records management and retention policies for all public companies. SOX was enacted in 2002 in response to corporate scandals involving large public corporations, such as Enron and WorldCom, and their accounting firms, and is currently law.

How are Email and Instant Message Records Involved?

Today, the vast majority of organizations use email and instant messaging to communicate internally and as a vehicle for the exchange of documents and correspondence between businesses and their outside consultants, accounting firms and audit firms. Since these communications often contain information about business transactions and business decisions, these email communications must be retained in order for an organization to comply with the provisions of Sarbanes-Oxley.

Violations of the Sarbanes-Oxley Act involving destruction or falsification of records related to any federal investigation or bankruptcy proceeding are subject to penalties. Such records include email documents. Penalties range from a fine to a prison sentence of up to 20 years for "whoever knowingly alters, destroys, mutilates" any record or document with the intent to impede an investigation.

What are the Sections of SOX that are Relevant?

Section 302: Corporate Responsibility for Financial Reports
This section requires that CFOs and CEOs personally certify and be accountable for their firms' financial records and accounting. This section has been highlighted due to its link to top management.

Section 103: Auditing, Quality Control and Independence Standard and Rules
This section requires companies to “prepare and maintain for a period of not less than 7 years, audit work papers and other information related to any audit report, in sufficient detail to support the conclusions reached in such report.”

Section 105: Investigations and Disciplinary Proceedings
Section 105 requires “the production of audit work papers and any other document or information in the possession of a registered public accounting firm or any person thereof, wherever domiciled, that the Board considers relevant or material to the investigation, and may inspect the books and records of such firm or associated person to verify the accuracy of any documents or information supplied.”

Section 404: Management Assessment of Internal Controls
Section 404 requires companies to report on the effectiveness of internal controls regarding financial reporting. Since internal business decisions and data are discussed, transported and stored in corporate email systems, ensuring that data cannot be accessed or tampered with is critical to the reliability of financial reporting.

Corporate email messages have the same status as other commonly used business documents and are subject to the same rules.

Section 409: Real-time Issuer Disclosures
Regarded as the most demanding of the requirements, Section 409 requires that companies provide real-time disclosures of any events that may affect a firm's stock price or financial performance within a 48-hour period.

Section 802: Criminal Penalties for Altering Documents
As a result of the document destruction by various businesses and their accounting firms, most notably Enron and Arthur Andersen, Section 802 provides stiff penalties: fines of up to $1,000,000 and/or prison terms for “whoever knowingly alters, destroys, mutilates any record or document with intent to impede an investigation.”

To learn how Erado's on-demand electronic message archive, supervisory, discovery, and compliance solutions can ensure that electronic records retention requirements for firms that need to comply with Sarbanes-Oxley (commonly called SOX) are met, please contact us at 866-67ERADO (866-673-7236).