Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. It is named after its sponsors Senator Paul Sarbanes and Representative Michael G. Oxley.

Effective in 2006, all publicly-traded companies are required to submit an annual report of the effectiveness of their internal accounting controls to the Securities and Exchange Commission (SEC).

The provisions of SOX detail criminal and civil penalties for noncompliance, certification of internal auditing, and increased financial disclosure. It affects public U.S. companies and non-U.S. companies with a U.S. presence. SOX is all about corporate governance and financial disclosure.

The Act is administered by the SEC, which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.

The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both.

IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

The following sections of Sarbanes-Oxley contain the three rules that affect the management of electronic records. The first rule deals with destruction, alteration, or falsification of records.

Sec. 802(a) "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

The second rule defines the retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants.