Compliance shouldn't limit your choice of technology
How does SOX affect a company's adoption of new technology and storage formats that appear every couple years?
By itself, the Sarbanes-Oxley Act
does not directly limit a company's choice of storage technologies and formats.
The SEC regulations implementing
the Sarbanes-Oxley Act require companies to evaluate and certify internal controls that provide "reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles." Internal controls include policies and procedures that "pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer ..."(17 CFR 240.13a-15, etc.) Much of the interpretation is left to company management and to the public accounting firms that attest to the company's evaluation of its internal controls in terms of a recognized "control framework" such as the COSO framework.
A company should update its record archiving requirements and policies as part of its evaluation of internal controls, to support CEO/CFO
certification by the compliance deadline. The deadline is set for mid to late 2004 for most large U.S. companies, depending on when their fiscal year ends. Also, SOX is just one source of requirements. Depending on the industry and geography, other regulations may require more specific technical safeguards to ensure the integrity and availability - or privacy - of stored records.
Ed note: If you would like to read additional compliance articles, opinions and expert advice, make sure to sign-up for our ALERTS on compliance. Click here to sign up. SearchStorage.com also offers alerts on low-cost storage.
Do you agree with this expert's response? If you have more to share, post it in one of our
This was first published in February 2004