Mike's webcast received a lot of interest from our viewers, and many of you had questions you wanted Mike to address. In this Q&A, Mike answers a few of the top questions posted by our viewers. These questions focus on the effect of the regulations on companies, along with budget concerns and how to factor compliance into the adoption of evolving technologies.
How does SOX affect a company's adoption of new technology and storage formats that appear every couple of years?
Mike Casey: By itself, the Sarbanes-Oxley Act does not directly limit a company's choice of storage technologies and formats. The SEC regulations implementing the Sarbanes-Oxley Act require companies to evaluate and certify internal controls that provide "reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles." Internal controls include policies and procedures that "pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer ..." (17 CFR 240.13a-15, etc.). Much of the interpretation is left to company management and to the public accounting firms that attest to the company's evaluation of its internal controls in terms of a recognized "control framework" such as the COSO framework.
A company should update its record archiving requirements and policies as part of its evaluation of internal controls, to support CEO/CFO certification by the compliance deadline. The deadline is set for mid- to late 2004 for most large U.S. companies, depending on when their fiscal year ends. Also, SOX is just one source of requirements. Depending on the industry and geography, other regulations may require more specific technical safeguards to ensure the integrity and availability - or privacy - of stored records. Companies should evaluate new storage technologies and formats in terms of well-defined archiving policies and procedures, to ensure that infrastructure changes do not compromise required safeguards.
What if a "record" consists of structured data, that is, rows across related tables in a database?
Mike Casey: Financial accounting databases and ERP systems are among the most important applications that create and manage data for the financial reports and internal controls that SOX addresses. Therefore, structured data needs to be addressed for SOX compliance, along with any attached documents, messages and other audit-trail data that support the complete business record. Several vendors offer database archiving products that can address these requirements. Companies should assess their archiving policy requirements, and then match them to appropriate software and hardware infrastructure.
Do you recommend SANs as the backbone of the storage archives? If not, what else should be considered?
Mike Casey: Yes, it makes sense to build your centralized data archives on a SAN backbone to ensure performance and scalability -- if you have already invested in a Fibre Channel SAN infrastructure to support centralized ERP applications and storage, or if you are moving in that direction. However, if you are a smaller organization that finds NAS or dedicated server storage adequate for current needs, a NAS storage solution may be the appropriate near-term choice for your storage archives as well. In either case, be sure to consider additional requirements such as disaster recovery.
I am just starting out with compliance, where should I be looking to budget my money to get the ball rolling?
Mike Casey: First, find out whether your company is facing any urgent compliance deadlines that might force a quick tactical solution, such as an e-mail archiving server with dedicated storage. If you have some time for planning -- or if you are looking at archiving a more extensive set of applications such as ERP databases and Web content servers -- you should start with a systematic assessment of the requirements. This process will enable you to develop a consensus in your organization regarding the archiving policies, in terms of compliance requirements as well as service levels and other business needs. Then, define the most appropriate and cost-effective architecture for meeting the full set of requirements. Your favorite storage vendor(s) will be eager to help. An independent storage services firm can also help you get the ball rolling.
How do I know which regulations affect my company? I am a large publicly traded retailer.
Mike Casey: Check with your in-house compliance officer or legal counsel and do your own due diligence. A few examples to consider:
1. For a publicly traded company, applicable regulations will likely include financial reporting and corporate governance rules that are intended to protect investors, such as the rules introduced or reinforced in the U.S. by the Sarbanes-Oxley Act.
2. Consumer privacy laws may also apply to large retailers that keep records on customer accounts and credit card transactions. Privacy laws have been passed at state and national levels in the U.S. and many countries have adopted strong privacy laws to implement the European Union directive on data protection.
3. Large retailers tend to be large employers, and various employment-related laws and regulations impose record-keeping and reporting requirements. Examples include occupational health and safety regulations, and the HIPAA privacy and security rules which may apply to employee records containing health and benefits information.
In addition to developing records retention, backup and archiving policies that meet current regulatory requirements, you should establish procedures to review the policies and procedures periodically in light of emerging laws and evolving regulatory interpretations.