Sarbanes-Oxley & How it Applies to Email Archiving
The Sarbanes-Oxley Act of 2002 was referred to as the "Public Company Accounting Reform and Investor Protection Act" in the Senate, and the "Corporate and Auditing Accountability and Responsibility Act" in the House of Representatives. Sarbanes-Oxley was enacted on July 30, 2002 in the wake of several accounting scandals at publicly traded corporations. Widely publicized examples included Enron, Tyco, and WorldCom.
In a nutshell, the goal of Sarbanes-Oxley was to put in place guidelines, or rules, to which organizations should adhere. Over the years, Sarbanes-Oxley compliance has also trickled down to various non-mandated industries as a yardstick for transparency and operational integrity. Sarbanes-Oxley can be broken down into the following 11 components:
- Public Company Accounting Oversight Board (PCAOB) - Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services ("auditors"). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.
- Auditor Independence - Title II consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts auditing companies from providing non-audit services (e.g., consulting) for the same clients.
- Corporate Responsibility - Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 requires that the company's "principal officers" (typically the Chief Executive Officer and Chief Financial Officer) certify and approve the integrity of their company financial reports quarterly [3].
- Enhanced Financial Disclosures - Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.
- Analyst Conflicts of Interest - Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest.
- Commission Resources and Authority - Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, advisor, or dealer.
- Studies and Reports - Title VII consists of five sections and requires the Comptroller General and the SEC to perform various studies and report their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.
- Corporate and Criminal Fraud Accountability - Title VIII consists of seven sections and is also referred to as the "Corporate and Criminal Fraud Act of 2002". It describes specific criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.
- White Collar Crime Penalty Enhancement - Title IX consists of six sections. This section is also called the "White Collar Crime Penalty Enhancement Act of 2002." This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
- Corporate Tax Returns - Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
- Corporate Fraud Accountability - Title XI consists of seven sections. Section 1101 recommends a name for this title as "Corporate Fraud Accountability Act of 2002". It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to resort to temporarily freezing transactions or payments that have been deemed "large" or "unusual".
How Does Sarbanes-Oxley Apply to Email Archiving?
Sarbanes-Oxley puts a lot of regulatory emphasis on proper record retention. These records include electronic communications such as email. Archiving must include all incoming, outgoing, and internal email communications. While email archiving can be handled internally by a corporation's IT department, there is a growing trend, in the interest of accountability, of outsourcing email archiving to a third-party provider, such as Pleth, LLC's Plethware product, so that if any ethical accusations are ever made, an argument of internal tampering would be unlikely.
How can Plethware Help?
With properly archived and retrievable email, your messages are automatically retained and immediately accessible when requested. Offloading your archiving management to Pleth, LLC reduces internal server load, improves production server operation and saves IT resources. In the Plethware archives you can:
- Capture, index and safely store up to 9 copies of auditable email, including header information, body and attachment content
- Use full text search capabilities to find email based on message components in a secure web-based search and discovery interface
- Maintain original message integrity using WORM technology to assign date/time stamps and unique headers to safeguard against deletion
- Export to standards-based formats like .pst, .pdf, .txt and MIME
- Gain unlimited storage with guaranteed uptime
About the Author
Cotton Rohrscheib
Cotton is a veteran developer having worked on over 300 projects worldwide, ranging from small business to the Fortune 500. Today Cotton enjoys exploring the possibilities of software development and website integration with all business models in mind.
Cotton has served on numerous boards of directors and most recently as the President of a State Tourism Organization. He resides in Conway, Arkansas with his wife Donna and attends The Church Alive, where he is a Youth Leader in his spare time. Cotton also remains active in many aspects of the development community and interacts frequently in blogs and forums with other members of the development community.