Although the federal Sarbanes-Oxley Act of 2002 was passed last year, it will continue to unfold as the U.S. Securities and Exchange Commission sets deadlines for compliance and publishes rules on requirements and compliance.
Section 302: Corporate Responsibility for Financial Reports
The warm up to Sarbanes-Oxley arrived last fall with Section 302, which requires CFOs and CEOs to personally certify and attest to the accuracy of their companies' financial results. Most enterprises were able to comply with that SEC regulation through manual processes and without much tinkering to underlying systems and processes.
Section 404: Management Assessment of Internal Controls
The most pressing challenge for SarbOx compliance lies primarily within Section 404, which requires auditors to certify the underlying controls and processes companies use to reach financial results. Although the original deadline loomed this fall, the SEC recently extended the deadline for 404 compliance by about eight months to June 15, 2004, for most large U.S. companies. Smaller businesses and foreign private issuers have until April 15, 2005, according to the SEC.
Right now corporations are, or should be, beginning to shoulder the brunt of Section 404, which requires auditors -- either internal or external -- to certify internal controls and the processes by which executives arrived at the numbers.
Section 409: Real-Time Issuer Disclosures
The most difficult aspect of Sarbanes-Oxley compliance, say analysts and observers, is yet to come. Section 409 -- as yet without a final deadline -- calls for real-time reporting of material events that could affect a company's financial performance. The time-sensitive aspect of this regulation will likely put significant pressure on existing data infrastructures, requiring deeper system integration and more intelligent analytics tools.
"Analytics will be a big one for some of the later sections [of Sarbanes-Oxley] like 409, requiring real-time disclosure of significant events that affect financials," says Lindsey Sodano, research analyst at AMR.
Enterprises will need a souped-up analytics infrastructure to report wide-ranging events within 48 hours, which is the current interpretation of this regulation. "There are all kinds of events that occur outside your ERP backbone that you will need to draw on," Sodano says.
Sections 404 and 409 will require a significant amount of system integration investments as well as implementation of real-time notification and event-driven alerts, says Alex Veytsel, research analyst at Aberdeen Group in Boston.
Section 802: Criminal Penalties for Altering Documents
Although many sections of the act tighten requirements for records and documentation retention, Section 802 adds provisions specifically related to the destruction or falsification of records in any federal investigations and bankruptcy.
Penalties range from a fine to prison sentences of not more than 20 years for "whoever knowingly alters, destroys, mutilates" any record or document with the intent to impede an investigation.
Other areas of SarbOx specify minimum retention periods for accounting documents including work papers, correspondence, or any communications or documentation containing conclusions or opinions about audit information.
Another critical step to meeting Sarbanes-Oxley compliance is gaining control of instant messaging, which has become a vital tool for real-time communications within financial organizations and enterprises of all stripes. In fact, last month the National Association of Securities Dealers (NASD) issued new requirements to its members calling for the retention of instant messages for at least three years. The guidelines also say IM must stand up to the same record keeping and supervisory requirements as e-mail.