Do You Have the Right Tools? Complying with SOX in the Year of the Ox (2009)
What's this article about? This article discusses compliance, featuring the need for companies to demonstrate adequate internal reporting controls as Sarbanes-Oxley enforcement deadlines approach late in 2009. The role of high-performance ECM software in facilitating regulatory compliance is explained, with tips for selecting and using appropriate tools to address specific business needs.
Chinese tradition names 2009 the Year of the Ox, reminding me of a great piece of American folklore and perhaps the finest ox the world has ever seen: Babe the Blue Ox, giant lumberjack Paul Bunyan’s stalwart companion. Sporting a distance of 42 ax handles and a cake of tobacco between his horns, he challenged every obstacle in his path. Mention of Babe’s name, or his fearless leader, conjures vivid pictures of swashbuckling exaggeration; any observant listener knows immediately the tales aren’t true, even without close examination. James MacGillivray’s characters make it easy to remember the ‘who’, ‘what’, ‘when’, ‘where’, ‘why’, and ‘how’ of his stories, which have inspired statues, comics, and even an opera. Wouldn’t it be great if demonstrating compliance were as easy as repeating the brazen yarns of Bunyan and Babe?
Compliance officers recognize that every business activity is committed by someone, at an exact time, from a specific location, and for a reason. Unless the action is purely verbal, each is recorded on paper, electronic media, audio files, or in visual images. Digital information can be tracked down, but following divergent trails can be challenging. With the plethora of tough regulations, and new deadlines looming in 2009 for external auditors to confirm compliance with the Sarbanes-Oxley Act (SOX) in particular, quick and cost-effective compliance is a priority, especially for mid-sized businesses.
The ox symbolizes all of the prerequisites for a good compliance system: diligence, reliability, strength, sincerity, and sound judgment. Companies need tools with all of these qualities in order to demonstrate regulatory observance, at a price they can afford. As the next round of Sarbanes-Oxley deadlines draws nearer — requiring companies to prove they have adequate internal controls over their reporting — one might consider renaming 2009 from the Year of the Ox to the Year of SOX.
Even the best compliance tools can’t replace a solid file plan and expectations that are communicated clearly to employees. Yet high-performance enterprise content management (ECM) software goes far in automating and facilitating compliance measures and ensuring information transparency. An integrated system centralizes, manages, and leaves secure trails of documents and data, providing faster, easier, and unquestionable proof of business activities. If a flamboyant plaintiff attacks the integrity of your company, or a data intruder tries to interact inappropriately with your files, software like DocFinity® helps you to fight back, separating unquestionable truths from colorful fiction and coverups.
ECM software and regulatory compliance: how it works
High-performance ECM software ensures organizational information transparency, making sure critical data is not plowed under the surface and hidden from view. This is critical for executives who are responsible for monitoring transactions and demonstrating compliance with organizational policies and government regulations. In light of recent high-profile scandals that revealed corporate mismanagement and fraud, executives and internal as well as external auditors require proof of adequate internal controls over an organization’s financial reporting. An ECM suite that tracks every interaction with a file, as well as the detailed path each takes as it travels through the business process, provides the details needed to ensure full observance of the rules. More importantly, when the software is in place, the costs of regular audits and compliance are minimal compared to the time-intensive and expensive process of searching through paper or disjointed electronic files.
ECM simplifies the auditing process, centralizing your documents, images, photos, emails, voice files, faxes, and other documents in a fully searchable repository, or pointing to their location in other applications for fast, easy retrieval. Automated queries and Web access to documents and database tables help auditors move swiftly to confirm regulatory fulfillment so your company can return quickly to business as usual. Process automation tools forward audit-related tasks to the right parties for the required action, reducing the burden of exhaustive search.
Security: protecting your data like an ox
Making sure your files are secure is not enough. If you have — or plan to add — ECM software, make sure it is designed to fully support the compliance measures you have in place. The software should:
- Address IT-related components of financial transactions such as risk and response, information and communications, control activities, and monitoring.
- Effectively implement and demonstrate controls that reflect standards set by Generally Accepted Accounting Principles (GAAP) and other best practices.
- Let management specify individual access to files and to specific pages (and parts of pages) within those files. Access control and segregation of duties are vital to Section 404 of SOX.
- Allow you to designate which persons can perform which actions relating to each file (viewing contents, making/viewing annotations, acting on a task in a queue, signing documents, giving approvals, etc.).
- Provide detailed audit reports, showing who accessed which files, what actions were taken, at what time, etc.
- Contain security features that automatically flag altered database files so that internal and external auditors can be confident they are viewing accurate and complete information.
EDM: keeping an eye on the big picture (and the little details)
Paul Bunyan and Babe always seemed to know where they were headed, and their tales made it very clear where they had already been. Trails of corporate activity may not be as vivid, but they must be equally identifiable. Features you should look for, in addition to the information above, include:
- Email archival, indexing, and robust search capabilities.
- The ability to capture, index and analyze all electronic data, including report data from print streams and items within workflows.
- Customizable reports and queries that can access all data stored in the ECM system or in other software applications and devices with which it is integrated.
- Web-based access to documents, data, reports, and database tables, maximizing each auditor’s ability to monitor properly and minimizing the disruption that auditors and audits cause your organization.
- Clear audit trails of files that have been moved to alternate storage such as a Storage Area Network (SAN) or Network Attached Storage (NAS).
- Controls that prevent inappropriate or premature file deletion.
Workflow tracking: following the furrows
Business process automation tools ensure work is processed logically, consistently, and as quickly as possible. In a paper system, constant interaction with ‘files on the move’ can make tracking and reporting challenging; automated tracking and reporting makes it easier. Make sure your system is:
- Able to track where a document is at any time during a specified process. This enables authorized persons to get answers they need about active files quickly, without waiting until processes have been completed.
- Able to display actions that involve other software with which the ECM system is integrated. Examples include electronic signatures used to authorize purchases, faxes that were accepted and forwarded inappropriately via email and against company rules, or lists of documents pulled from another software system.
Storage management: preparing for future needs and data recovery
Hierarchical storage management is a critical tool that helps organizations store, move, delete, and back up records and documents electronically. Typical examples include files that:
- Are copied from a central data warehouse and sent to a secondary repository for reference or use in a business process.
- Are no longer part of an active business cycle, and are ready for migration to magnetic tape or other long-term media.
- Need to be accessed from a backup facility and restored after a catastrophic event that causes system interruption or data destruction.
- Are ready for permanent destruction in accordance with regulations.
All purging, migration, and deletion should be governed by administrator-defined criteria that reflect the company’s stated policies, in full compliance with government or industry regulations.
As with other parts of an ECM system, storage management tools should provide a thorough and unquestionable record of every interaction with the files. Administrator-defined criteria dramatically reduce instances of file tampering and inappropriate handling, since individuals can only interact with files to the degree the system will permit it. If the administrator fails to establish necessary internal controls, evidence of files that have been altered or falsified, covered up, or inappropriately destroyed should be immediately evident through sophisticated tracking and alert systems inherent in the software.
Audit trails: monitoring where you’ve been
ECM leaves nothing to chance, immediately revealing faulty memories of events, offensive or defensive lies, and colorful (but inaccurate) tales. There’s no harm in James MacGillivray’s string of bombastic and untrue tales, but your business doesn’t need any of its own. With a high-performance ECM system that contains the tools to help you comply, you will be relieved by the assurance that memory and frantic search aren’t the only tools you have when people on your staff, or the people with whom you do business, create colorful or untrue stories pertaining to your business. Armed with compliance tools like DocFinity that are stronger than an ox, you can comply with the intricacies of SOX, leaving your office at the end of each day feeling as confident as America’s legendary and unforgettable hero.
For more information or to schedule a demonstration, please Contact DocFinity now.


