Sarbanes-Oxley Compliance and ECM

By Dick Weisinger

It’s been only four years since the Sarbanes-Oxley Act (SOX) was passed. But in many ways this one piece of legislation has already had a profound impact on the entire business community. The goal of SOX is to achieve greater transparency and accountability in financial reporting, and in doing so, provide a way to more closely scrutinize public corporations from the outside. Stiff fines, penalties and the threat of litigation have been strong motivators to get companies to comply. But many or maybe even most companies still have a long way to go.

Part of the reluctance or difficulty with SOX is just coming to grips with what it all means. SOX does not clearly spell out in black and white the steps for achieving compliance. It was intended to provide overall guidance, but it is very broad and lengthy, consisting of 11 parts and 66 sections. The language in SOX was written in very general terms to spell out requirements that apply to all public companies, and the interpretation of SOX and the methods by which compliance is achieved are still evolving.

Application of SOX to a business requires a sound understanding of the company’s business processes and the flow of information in the business. Perhaps the most onerous SOX requirement is contained in section 404, which requires companies to maintain documentation of all their internal controls and to be able to provide access to that information so that an external auditor can regularly review and attest to the company’s compliance with the law.

Section 302 requires that corporate executives provide and certify the correctness of the contents of company financial reports and also certify that the procedure for the preparation of the reports was done in a manner that is consistent with the law.

Sections 302 and 404, in particular, and to a lesser extent, sections 103, 104, 105, 408, 409, 801, 802, 906 and 1102 of SOX focus on the management and control of business processes and the information that flows through them.

Forward-thinking corporate executives have seen that Sarbanes-Oxley, while restrictive, is in many ways just good business.  It is a very structured approach for reducing operational risk, improving business performance, and achieving competitive advantage.

While there is no ‘silver-bullet’ for achieving SOX compliance, technology exists today to simplify the task.  Enterprise Content Management (ECM) components like Document Management, Records Management and Business Process Management can assist in meeting many of the SOX requirements.

Applying general ECM tools to SOX compliance, rather than a closely tailored SOX-out-of-the-box solution, may make sense for many companies. Many companies need to deal with types of compliance other than SOX. There is a lot of overlap in requirements, but clearly the system should be flexible enough to handle requirements and scenarios that fall outside of those from SOX. Banks, finance and insurance companies are bound by Basel II, health care companies are bound by HIPAA, and public companies also need to comply with SEC regulations such as 17a-4. Not to mention FDA CPR 21 Section 11, FASB, IASB, MISMO, and the Patriot Act.

ECM assists in the capture and classification of documents and records, manages them through their complete lifecycle, and controls their final disposition. Its use is applicable across the entire range of regulatory compliance applications.

ECM benefits for compliance applications:
– eliminate/reduce the risk of being unable to locate critical documents
– save labor required to manage, locate and retrieve documents required for audits
– fast ROI from the improved speed in document retrieval
– ability to provide quick and accurate responses to regulatory bodies and court requests

When approaching compliance, products from ECM tool and application vendors like Formtek should form the base of the solution.  ECM technology can assist in dramatically reducing the overall cost of achieving compliance.
