Government is cleaning up the way companies do business after accounting and governance scandals rocked investor confidence and damaged the reputation of companies large and small. The Sarbanes-Oxley Act (SOX) of 2002 was enacted in response to the high-profile Enron and World Com financial scandals to protect shareholders and the public from accounting errors and fraudulent practices by organizations. One primary component of the SOX is the definition of which records are to be stored and for how long. For this reason, the legislation not only affects financial departments, but also IT departments whose job it is to store electronic records. SOX states that all business records, including electronic records and electronic messages, "must be saved for not less than five years." The consequences for noncompliance are fines, imprisonment, or both. Three rules of Sarbanes-Oxley affecting the management of electronic records address the following areas: A. The destruction, alteration, or falsification of records. It states that persons who knowingly alter, destroy, mutilate, conceal, or falsify documents shall be fined or imprisoned for not more than 20 years, or both. B. The retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants. Organizations shall maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded. C. The business records and communications that need to be stored, including electronic communications. IT departments are facing the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation. Essentially, any public organization that uses IT as part of its financial business processes must implement IT controls to comply with SOX. BENEFITS FROM SARBANES-OXLEY Many businesses are promoting the benefits they received from implementing SOX. General Electric Co., which spent about $30 million on SOX compliance, has added controls that boost investors' confidence in the company. United Technologies used SOX to standardize bookkeeping audits in its disparate businesses around the world. The biggest advantage of all, though, may be the greater confidence investors have in financial results. Some officials believe it will take another two years (around 2008) for companies, auditors, and regulators to apply the law efficiently. That might appear to be a long time, and it may seem to be expensive; however, it is a small price to pay to help organizations run smoothly and renew investor confidence. IMPLEMENTING SARBANES-OXLEY Ultimately, Sarbanes-Oxley compliance will require a great deal of work among all departments. Compliance starts with running IT as a business and strengthening IT internal controls. The following are a few practices organizations can follow to ensure compliance with the Sarbanes- Oxley Act. Overhaul or upgrade financial systems to meet regulatory requirements for more accurate, detailed, and timely filings. Examine the control processes within the IT department and apply best practices to comply with the act's goals. For example, segregation of duties within the systems development staff is a widely recognized best practice that helps prevent errors and out-right fraud. The people who code program changes should be different from the people who test them, and a separate team should be responsible for changes in production environments. Ensure that information system customization are not overriding controls by working with internal and external auditors. Homegrown financial systems are fraught with potential information-integrity issues. Although leading enterprise resource planning (ERP) systems offer audit-trail functionality, customization of these systems often by pass those controls. Work with the CIO, CEO, CFO, and corporate attorneys to create a document- retention-and-destruction policy that addresses what types of electronic documents should be saved, and for how long. Required: i. What do you think an unethical accountant or manager at Enron thought were the rewards and responsibilities associated with his or her job (8 marks) ii. Discuss the two policies an organization can implement to achieve Sarbanes-Oxley compliance (7 marks)