Cheat Sheet: Sarbanes-Oxley

The Sarbanes-Oxley Act - what on earth is that?
It's the name of a piece of US compliance legislation, with global implications, which was signed off in 2002 and is soon to 'go live' with the intention of preventing financial malpractice and accounting scandals such as the Enron debacle. It's becoming known as SOX or SarbOx or SOA.

In fact, anything BUT 'the Sarbanes-Oxley Act', right? I can see why...
Indeed. The Sarbanes-Oxley Act is a bit of a mouthful, though it could be worse. It's also known as the Public Company Accounting Reform and Investor Protection Act. The shorter moniker comes from the names of Senator Paul Sarbanes and Representative Michael Oxley who are credited as the main architects of the Act.

And when is this all going to happen?
The straightforward answer is 15 November, 2004. That is the date on which the Act comes into effect. But in truth companies should have been working on their compliance issues for quite some time. This isn't just a case of flicking a switch at 10 minutes to midnight on 14 November.

So they should be looking at this now?
Companies should have started looking at their SOX issues some time ago - but many are still just waking up to the challenge. According to Margaret Brooks, director of strategic business development and SOX specialist at Computer Associates, finance departments 'get it' but "a lot of CIOs don't know what's going to hit them".

That's a bit harsh isn't it?
Well, one anonymous US CIO certainly concurred. "I feel like a bad storm's coming and I don't know what it is or when it's going to hit," he said at a recent industry event. It's certainly fair to state that it's an issue which relies heavily on IT and that sense of panic is not unique. Many companies are now aware of the spectre of SOX hanging over them without having a handle on what it is and what they have to do to ensure 'compliance'.

So in a nutshell, what does it all involve?
The Act covers a whole range of governance issues - many covering the types of trade that are allowed within a company, with an emphasis upon keeping everything above board. For example, the Act forbids personal loans to officers and directors. Disgraced former WorldCom boss Bernie Ebbers had taken considerable loans from his company shortly before it became the next corporate scandal to rock the US, post-Enron. Other measures regulate the responsibilities of audit committees sent in to check the health of companies' compliance. The Act also offers protection to 'whistleblowers' (for more specific details, see the links at the bottom of this article).

While much of this is common sense and achievable, the actual challenge of SOX is ensuring it is observed and that compliance can be demonstrated and accurately monitored and reported. The most common area of focus is the archiving of all communications and the creation of transparent and auditable systems for recording transactions, dealings and any kind of business correspondence. This should mean traders can't contact one another, or analysts, 'on the sly' and deals can't be 'lost in the muddy waters of business'. Applications such as IM are also being singled out as areas that need to be secured and made clearly accountable.

Kailash Ambwani, CEO of secure IM provider FaceTime, believes IM is "mission critical" to most major financial institutions but he said: "These guys don't have in place the necessary security, accountability, logging or archiving to make those IM sessions compliant."

That is something that will have to change by 15 November.

So every file, every email, every IM, every phone call is going to have to be recorded?
That's been a lot of people's gut reaction, according to Mark Ellis, CA's director of storage and information management, but it's not quite so extreme. Many companies just assume as long as they do that they will be compliant with that aspect of SOX - which is true, if a little naïve regarding the storage and logistics implications of such thoroughness. Ellis describes this reaction as being "like a rabbit caught in the headlights" and explained that "people need to know what they must keep".

"Legal compliance is not about what you need to keep, it's about knowing what you can delete," he said, imploring companies to find out more about the complicated legislation.

And how can they do that?
Most companies are having to work with accredited auditors and consultants to ensure they have 'ticked all the right boxes'. In the US, Ernst & Young and PwC account for about a fifth of this market each, with KPMG and Deloitte and Touche accounting for about 13 per cent each. A successful filing from these companies is priceless for the companies affected by SOX.

How so?
These firms are there to test compliance and search for 'material weaknesses' - flaws that would fail the SOX test - and there is a lot of shareholder trust to be gained from filing for SOX compliance. To date 5,685 firms have filed, which makes for 5,685 happy sets of shareholders.

Even if nothing bad ever happens, companies cannot afford to be remiss with their compliance. Non-compliance with SOX will probably mean heavy fines - which as yet have not been outlined or defined - and a serious loss of shareholder trust and brand value. After all, nobody wants to think their stocks might become the next Enron shares. Large financial institutions will probably be able to pay any fines with pocket change but loss of face and the ensuing PR disaster of public 'naming and shaming' could be colossal.

Quite. So compliant companies will be 100 per cent safe from that kind of corporate scandal?
Of course not. There's no such thing as 100 per cent safe but companies need to be able to demonstrate that they have shown due diligence. They may never be able to protect themselves against the actions of a rogue trader who goes offline but they will be able to demonstrably prove they did everything they could to cover their backs and hit their compliance targets.

So will everybody go for this and 'sign up'?
They have to really but it may require a cattle-prod approach - if only because it may be the only way to force the issue. One expert added: "The first major fine that lands on a 'high street' name will galvanise people into action."

And when might that happen?
Some time after 15 November. Watch this space...

For more information about Sarbanes-Oxley, see:
Securities and Exchange Commission
Sarbanes-Oxley.com
Deloitte and Touche
PricewaterhouseCoopers
KPMG