More specifically, the question is ‘What does it mean for a technology company to be compliant in the competitive technology landscape?’
In July 2002, the United States Congress passed the Sarbanes-Oxley Act, which requires the more than 8,000 corporations publicly traded on U.S. financial markets to certify their financial results as well as the effectiveness of their internal financial controls and related processes. This legislation has dramatically increased pressure on management teams to ensure transparent and reliable processes aimed at improving trust and investor confidence.
As an example, in 2003 and early 2004 the Securities and Exchange Commission (SEC) completed investigations into ‘creative’ (meaning unethical) accounting practices by several publicly traded companies. Subsequently, legislation was enacted that requires companies to alter the process by which they manage and maintain their records, including but not limited to email communications and any attachments submitted therein.
- SEC Rule 17a
  - Requires that certain business records and communications be readily accessible for two years and at least accessible for a year after that. It further requires that transaction-related records and communications be kept and accessible for seven years after the event.
- National Association of Securities Dealers (NASD) Conduct Rules 3010 and 3110
  - Requires NASD members to designate a supervisory role within the company to ensure compliance with regulations, and to have a system in place to supervise the activities of its employees and associates. This system must enable the retention and review of transactions and correspondence.
  - Requires members to preserve all books and correspondence, including customer order tickets, account information, and complaints. Much of this material is in the form of e-mail.
- The Sarbanes-Oxley Act
  Specifically related to document retention, the Act states the following:
  - A failure to maintain audit or review work papers for at least five years is punishable by up to five years in prison, and/or a fine.
  - Corruptly altering, destroying, or concealing records or documents in order to compromise the integrity of the record for use in an official proceeding is punishable by up to 20 years in prison, and/or an unspecified fine amount.
  - The alteration, destruction, or concealment of any records with the intent of obstructing a federal investigation carries an unspecified fine amount, and/or jail time of up to 10 years.
Other examples of compliance that are not exclusive to Information Technology include the development of what is referred to as a Compliance Framework.
A Compliance Framework consists of three key components:
- Governance, or more to the point, Governance Policies, which describe the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. These activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.
- Risk Management is the set of processes through which management identifies, analyses and, where necessary, responds appropriately to risks that might adversely affect realization of the organization’s business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC (governance, risk management and compliance).
- Compliance, as used in the business world, means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies and policies), assess the state of compliance, weigh the risks and potential costs of non-compliance against the projected expenses of achieving compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
Of course, no single article could possibly cover the entire realm of IT Compliance, but CETS will always be committed to the highest possible ethical standards.