The Risks of Regulatory Non-Compliance in light of SOX – N. Miller
The cost and magnitude of regulatory mandates associated with corporate compliance, particularly records management, have increased significantly in recent years. As a result, many more companies, not just those in traditionally regulated environments such as pharmaceuticals and aerospace, are finding that they need to change from a departmental or ad hoc approach to an enterprise-wide compliance strategy. Is your organization prepared to meet the regulatory requirements of the Department of Defense 5015.2 Standard, the Sarbanes-Oxley Act of 2002, or the Securities and Exchange Commission’s Rule 17a?
How will your company balance the cost of compliance with the risks of non-compliance? What are you doing to build investor confidence and trust – and can you do it without diluting shareholder value? And, last, but certainly not least, how much will it cost you to comply?
To reduce risks as well as costs, companies are turning to enterprise content management (ECM) – of which enterprise records management (ERM) is a significant part. Because ECM provides a robust environment for managing all types of unstructured content (documents, Web pages, images, rich media, etc.) across the full lifecycle (creation, management, delivery, and archive), companies can not only solve their compliance challenges but also leverage this investment for ongoing competitive advantage and operational efficiency. Learn how your company can meet that challenge through an effective ERM strategy tightly integrated with ECM.
Understanding the Regulations
Many organizations throughout American government and business have adopted Department of Defense (DoD) Directive 5015.2, issued in 1997, as a de facto records management standard. It provides detailed implementation and procedural guidance on the management of records in the DoD and its departments and offices.
In 2002, Congress enacted the Sarbanes-Oxley (SOX) Act in response to the Enron, WorldCom, and other accounting scandals. SOX affects all publicly traded companies, private companies that may go public or be acquired by a public company, and public accounting firms. Among other things, it makes it a federal crime to obstruct justice by destroying or tampering with corporate accounting records. Section 404 of SOX specifically outlines the requirements for public companies regarding records retention.
Everything must be documented in a way that can be reviewed by auditors, including policies and procedures, approvals, authorizations, verifications, recommendations, and performance reviews, in addition to financial data. This includes the widely publicized mandate that CEOs and CFOs must personally certify all financial statements.
In addition to responding to the Sarbanes-Oxley mandates, companies must comply with an expanded SEC Rule 17a and related regulations. SEC Rules 17a-3 and 17a-4 spell out new requirements for securities brokers, dealers, investment companies, financial advisers, and transfer agents regarding records of electronic interoffice communications and communications with customers. Other regulations relevant to records management include NASD Rules 2210, 3010, and 3110, NYSE Rules 342 and 440, ISO 15489, and MOREQ. Together, these rules impose strict ERM requirements on regulated organizations.
In responding to these new regulations and the events that led to their adoption, executives face many challenges. They must manage compliance issues inside and outside the enterprise, balance the organizational costs of compliance with the risks of non-compliance, increase visibility and transparency for corporate practices, and take other steps to maintain or restore investor confidence.