Of Sarbanes, Oxley and storage
Published January 8, 2003
By John Webster, Senior Analyst and Founder, Data Mobility Group
It is clear that the regulatory climate in Washington has changed. Deregulation was once the watchword. But a number of recent events have altered the regulatory sentiment on Capitol Hill, particularly with regard to financial reporting.
We have witnessed everything from corporate abuse of accounting practices to accusations of outright fraud perpetrated by the most senior managers of publicly held companies. We have become uneasily aware of the complicity of accounting firms and investment houses that were either blind to their clients' practices or, worse, misled the public into believing that all was well even though, at some level within the organization, they privately knew otherwise.
So the regulatory pendulum is swinging back in the direction of more rather than less. During last year's election cycle, every politician in the running was for preserving the value of individual investments and retirement savings accounts that had been devastated by the practices of Enron managers. And every politician -- running for election, reelection, or just watching from the sidelines -- was for sending corporate wrongdoers to jail. It was in this climate of heightened awareness of corporate executive greed and avarice that the Sarbanes-Oxley Act of 2002 was born.
Sarbanes-Oxley exposes CEOs and CFOs to fines and imprisonment for knowingly making false financial statements. It also makes it a crime to tamper with financial data that could be the subject of an investigation.
We believe that Sarbanes-Oxley will have significant long-term effects on the storage industry. Here, we summarize our analysis of the impact of the new financial reporting requirements on enterprise storage environments and those who manage them.
- Massive scalability of supporting storage subsystems will be required, particularly by large enterprises with high financial transaction volumes.
- Automated capture and storage of financial data will be required.
- Certification of storage infrastructures as capable of complying with the new regulations will become critical.
- Enterprises will find it difficult if not impossible to "walk" data stored electronically in unaltered form through changes in storage media, storage devices, applications software, and operating systems.
- Communication between IT management and senior executives with regard to corporate policy will become more vital, and policy-based storage management applications will become more of a "must have."
- Reporting requirements will force tighter integration of mainframe and open systems data stores.
The Act states that public accounting firms are required to "prepare, and maintain for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report." While the language of the law applies to accounting firms, we believe that to be prudent, enterprises should and will maintain copies of this supporting data for 7 years as well.
In addition, the law states that it is a crime for "any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object's integrity or availability for use in an official proceeding or to otherwise obstruct, influence or impede any official proceeding…."
We believe that this provision of the Act will force enterprises to save all data -- including such data formats as e-mails, transaction logs, digitized voice-mail, etc. -- that their corporate attorneys believe could become the subject of an investigation should one arise. Here, the law appears to look as far back in time as it wants to, making it difficult at best to determine how long such data needs to be saved. All of the foregoing equates to more data captured and stored. Further aggravating the situation, regulatory compliance data must now be saved for longer periods of time, making the job of building a platform to store all this data even more challenging.
Therefore, whatever platform one chooses to comply with these new requirements will have to seamlessly and nondisruptively scale in terms of terabytes (and possibly, petabytes) depending on the size of the enterprise, and the number and nature of its transactions.
Enterprises will be required to report material changes of their financial conditions on a timelier basis. In fact, one section of the Act is subtitled "Real Time Disclosure." In addition, enterprises will face shorter deadlines for filing financial reports. Therefore, data required by regulators must be captured, retrieved, and reported more quickly.
In addition, the capture, retrieval and reporting process must occur in a way that does not disrupt applications that are critical to the survival of the enterprise. Intelligent storage can play a critical role here, automating the capture of required data in ways that are transparent to existing applications.
Data will have to be saved in a form that is certifiably unaltered. How this certification process occurs and by whom has yet to be determined. However, the implications of the law are clear. If an enterprise becomes the subject of an investigation, it must be able to prove that the data it produces has remained unaltered in any way, from the time the data was captured and stored up to the time it was retrieved for the purposes of the investigation.
In addition, the Act now requires an enterprise's annual report to contain an "internal control report", which shall "(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."
To comply with the foregoing provisions of the Act, an enterprise must be able to prove that its infrastructure is capable of capturing the required data as well as maintaining it in unaltered form. Storage infrastructure devices play an essential role in an enterprise's "internal control structure." However, since storage vendors are the ultimate creators of these devices, storage users will look to storage vendors to help them establish the effectiveness of their internal control structures.
Enterprises will find it difficult if not impossible to "walk" data stored electronically in unaltered form through changes in storage media, storage devices, applications software, and operating systems.
As a result of the Act, enterprises will now have to save data in certifiably unaltered form for an as yet undetermined number of years. Access to that unaltered data will also have to be guaranteed for years to come. Here is at least one area where the law bumps up against the present limitations of storage subsystems. As data stored electronically is migrated or "converted" from one medium to another, or from one platform to another, one can no longer prove that it has been unaltered. In fact, data loss becomes a primary consideration during this process. And yet, we live in a world where rapid technological change and advancement is a constant. Storage infrastructure wears out over time and must be replaced. Enterprises are rarely, if ever, able to purchase the exact same infrastructure components to replace those that have worn out. Nor would such a practice be in keeping with IT's mandate to support the business interests of the enterprise going forward in time.
IT management will find itself on the horns of a dilemma with regard to long-term compliance with the Act's provisions on retention of records stored electronically. Their only fallback position will be paper-based storage.
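The requirement above (data provably unaltered from capture to retrieval) and the migration problem it raises can be approached with a digest manifest built at capture time and re-verified after every media or platform migration. The following is an added illustration, not part of the original article and not any vendor's product; the records are constructed sample data, and the manifest is assumed to be kept on a separate write-once medium (or signed) so that it cannot be rewritten along with the records.

```python
import hashlib

# Constructed sample "captured" financial records (not real data).
CAPTURED_RECORDS = [
    b"2002-12-31,journal,GL-1001,credit,1500.00",
    b"2002-12-31,journal,GL-1002,debit,1500.00",
    b"2003-01-02,email,cfo@example.invalid,quarterly close memo",
]

CHAIN_SEED = b"manifest-v1"  # assumed constant; fixes the start of the hash chain


def record_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(records):
    """Fingerprint each record at capture time and chain the digests, so that
    alteration of any record as well as removal or reordering is detectable.
    The manifest itself must be stored separately from the records."""
    entries = []
    chain = hashlib.sha256(CHAIN_SEED).hexdigest()
    for idx, data in enumerate(records):
        digest = record_digest(data)
        chain = hashlib.sha256((chain + digest).encode()).hexdigest()
        entries.append({"index": idx, "sha256": digest, "chain": chain})
    return {"entries": entries, "head": chain}


def verify_against_manifest(records, manifest):
    """Recompute every digest from the records as they exist on the current
    medium and compare with the capture-time manifest. Returns (ok, problems)."""
    problems = []
    if len(records) != len(manifest["entries"]):
        problems.append(f"record count {len(records)} != manifest {len(manifest['entries'])}")
    chain = hashlib.sha256(CHAIN_SEED).hexdigest()
    for entry, data in zip(manifest["entries"], records):
        digest = record_digest(data)
        if digest != entry["sha256"]:
            problems.append(f"record {entry['index']} altered")
        chain = hashlib.sha256((chain + digest).encode()).hexdigest()
    # Catches a manifest whose entries were edited without updating the head.
    if chain != manifest["head"] and not problems:
        problems.append("chain head mismatch")
    return (not problems, problems)


def migrate(records):
    # Simulated media migration: a byte-for-byte copy to a new store.
    return [bytes(r) for r in records]
```

Running the verification after each migration (and keeping the verification log) is what turns "we copied it" into evidence that the copy matches what was captured.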
IT managers should not and cannot make corporate policy. Yet, they must somehow comply with corporate policy whenever it touches information storage and reporting processes -- often in spite of technological limitations.
With the advent of new regulatory requirements, IT managers will have to work even more closely with senior corporate officers to set policies for regulatory data retention and preservation, as well as deletion.
Corporate policy makers will now include regulatory compliance managers and attorneys who will want multiple years of audit trails, e-mails, and transaction logs saved for possible governmental review. Policies formulated for the capture and retention of this data must be clearly stated by executive management so that they can be clearly understood and implemented by IT management.
The fact that CEOs and CFOs must now certify the veracity of their financial statements under oath will also provoke tighter control of financial data gathering and reporting processes as well.
We spoke earlier about the use of automated, policy-based, storage management applications as an efficient way to address the problem of non-disruptively capturing and storing regulatory data. However, policy-based storage management can't happen without beginning first with a set of well-defined and understood policies.
It is an absolute certainty that, for enterprises with both mainframe and open systems-based applications, the information required by government overseers will be stored on both mainframe and open systems platforms.
Consolidating data from both sources will become the most efficient way to generate the required reports. Consolidation will therefore force tighter integration of mainframe and open systems data storage.
All enterprises touched by the Act must fully understand its requirements. The consequence of not doing so is increased risk exposure. The penalties for noncompliance include fines and imprisonment. Perhaps more threatening is the negative publicity that would go hand in hand with a public investigation -- negative publicity that could put the enterprise out of business altogether.
Compliance with the Act will have a significant impact, we believe, on enterprise IT. We further believe that, as a result, opportunities abound for storage vendors of many stripes.
Hardware vendors who can certify the inalterability of stored data will have a clear advantage with customers who are building platforms for the capture and retention of fixed content data.
Software vendors who can help customers automate the capture, storage, and retrieval of SEC-required data will be able to address a critical pain point relating to deadlines and the timeliness of filings.
Finally, a significant services opportunity exists as well for any vendor able to combine the storage utility model with expertise in responding to the requirements of the Act.
The above research perspective was reprinted by permission from the Data Mobility Group. Copyright 2002-2003, Data Mobility Group, LLC. (To inquire about this or other Data Mobility Group research on the storage market, contact the Data Mobility Group directly.)
About the author: John S. Webster is the senior analyst and founder of the Nashua, N.H.-based Data Mobility Group. He is also a frequent speaker at storage industry conferences and events, including the upcoming