Sarbanes-Oxley one year later: the Sarbanes-Oxley Act has had a far-reaching impact on global business, yet there are still more questions than answers. (Capital edge: legislative & regulatory update).
A year after its passage, Sarbanes-Oxley continues to provide more questions than answers for those seeking guidance on compliance issues for their records and information programs. This situation persists because Sarbanes-Oxley's fundamental emphasis and implementing regulations focus primarily on procedural requirements, certifications, and required disclosures as the tools through which to gain compliance, rather than on required recordkeeping and paper trails.
Make no mistake--the former are powerful tools. The Act's financial statements certification requirement, for example, provides a strong incentive for those executives who must sign to ensure that the statements are correct. In similar manner, Sarbanes-Oxley's Corporate and Criminal Fraud Accountability Act of 2002 provisions, which mandate criminal penalties for improper document destruction, will make midnight shredding runs a far riskier proposition for those who seek to cover up evidence of wrongdoing.
The reality is, however, that although Sarbanes-Oxley is fundamentally about records and information--its whole purpose could be characterized as ensuring that corporate accounting records are accurate and complete, and fully disclosed--it doesn't actually say much about records. The certification of financial statements is a good example: If the certification turns out to be false, the certifying executives certainly will find their necks on the line. In view of this consequence, it would be nice for executives to know what constitutes adequate due diligence and what documentation of due diligence they ought to create.
No such guidance is forthcoming, however. CEOs are on their own as to what ought to be done. Should certifications make it to court, as surely they eventually will, the issue of just what the CEO reviewed will come up, as will the paper trail the CEO used to document that review.
Other provisions give rise to similar issues. Criminal liability is mandated for improper shredding, but no light is shed on what constitutes a Sarbanes-Oxley-compliant records retention program. Other matters similarly imply some sort of documentation or some way of managing records without giving any hint as to particulars. In each case, the comfort level records managers are used to--a legally required record set, described in detail, with a stated retention period--is absent.
Future regulations or amendments to the act may provide more detailed guidance on these matters. It is also plausible that future developments will be more of the same: certifications, disclosures, and mandated outcomes, with little or no direction as to their implementation or recordkeeping.
Back to Fundamentals
Where does this leave RIM professionals or corporations seeking guidance on developing records and information programs that are responsive to Sarbanes-Oxley issues? On their own--but that may not be a bad thing. Even without legally mandated requirements, there are many things that can be done, and the lack of stated standards gives corporations some leeway in how to do them. In such cases, standards of reasonableness taken from a variety of sources can be used in place of the legal standards absent from Sarbanes-Oxley.
The first thing is to look to fundamentals. For example, Sarbanes-Oxley mandates penalties for improper records destruction. This points to an obvious starting place: Is the records retention program sound? Is it structured and implemented so that suspicions of improper activity are unlikely to arise? This might be a good time to review the records program from a forensic standpoint and make sure that it passes muster.
Similarly, Sarbanes-Oxley is about ensuring full and accurate audit of accounting records. Although RIM professionals have no control over accounting record content, they do have control over the management of those records. Well-managed and well-organized records facilitate Sarbanes-Oxley compliance because they foster the financial transparency that is the act's goal. Improved records management translates directly into increased compliance and decreased likelihood of violations or allegations under Sarbanes-Oxley.
Finally, the act's current structure offers RIM professionals the opportunity to weigh in on an important aspect of corporate compliance: documenting due diligence on the act's many certifications, procedures, and implementing regulations. One example is the review process for financial certification. The CEO certainly can't look at everything, or even a small fraction of all financial data. Therefore, a winnowing process will need to be developed and documented, as will compliance with that process, to demonstrate that the CEO did his or her best to gain full understanding of the corporation's finances prior to certifying them.
Not only is this an entirely records-oriented process, but new and highly valuable records will be created as a result. RIM professionals can and should be intimately involved, thereby gaining the opportunity to address an issue with a high profile among top management. Other areas of Sarbanes-Oxley afford similar opportunities.
A Watchful Eye
The final thing that information professionals must do is keep a finger on the law's pulse. Sarbanes-Oxley is very new. More regulations are a certainty, as are court cases, professional standards, and other events that will influence future directions. Any compliance decision made today that is not directly mandated by Sarbanes-Oxley itself--and most RIM decisions fit this description--must necessarily be considered provisional. As more is learned about how the law operates in the real world and in the courts, provisional decisions undoubtedly will undergo revision.
Currently, corporations are in a transition state with Sarbanes-Oxley. Those seeking to gain compliance will have to make some of their own rules. It is clear that some actions must be taken, but those actions are not clear. Clarity requires a systematic analysis of the RIM demands made by Sarbanes-Oxley and a self-motivated push toward meeting those demands. Only then can a corporation claim to be compliant with Sarbanes-Oxley.
Sarbanes-Oxley's Impact Is Felt Internationally
The Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) recently announced a new proposal requiring foreign firms auditing U.S.-traded firms to register with the accounting board, in compliance with the Sarbanes-Oxley Act of 2002.
The proposal, as well as Sarbanes-Oxley itself, has been met with resistance from foreign audit firms that are unhappy about having to comply with two sets of regulations and having to subject their sensitive audit documents to PCAOB review. European Commission Director of Financial Markets David Wright said recently that the PCAOB should wait one year before implementing any registration system so that European Union (EU) countries can get their own rules in line with the U.S. requirements. But U.S. regulators refused, saying that an aggressive stance was needed to reassure investors. Every company listed on an American exchange, including more than 1,300 non-U.S. businesses, and their CEOs must comply with the Act.
The PCAOB adopted final rules April 23, 2003, but they must be approved by the SEC before becoming effective. The regulations require U.S. firms to register by October 2003 and foreign firms to register by May 2004. Firms failing to register will not be allowed to audit publicly traded companies in the United States.
EU Asks for More Time
EU Internal Market Commissioner Frits Bolkestein called for a moratorium on the registration of EU audit firms so that effective trans-Atlantic and international solutions to restore confidence in financial markets can be agreed upon. Bolkestein said, "Registration of EU audit firms is unnecessary, burdensome, and disproportionate because the EU has already equivalent systems in place that deal with registration, oversight, and external quality assurance of auditors, which are continuously being improved at EU and national levels."
In addition, EU members say some provisions directly contradict the national requirements of the member states where their companies and auditors are based. In the wake of the Enron scandal, many governments strengthened regulations to ensure that a similar scenario would not unfold in their jurisdictions. Last year, EU foreign ministers agreed to develop an "action plan" on company law, which will include a corporate governance review singling out the role of company bosses. The U.K. Accounting Standards Board issued plans for how companies should restate parts of their financial accounts and the disclosures that they should make. In Germany, where many view the rules as too reactionary, the law requires financial reports to be endorsed by management and review boards, not chief executives. Deliberately falsifying balance sheets already is a punishable offense. The Canadian Public Accountability Board was established to supervise the accounting industry, and the Toronto Stock Exchange has amended its governance guidelines and stiffened the penalties for insider trading.
As a result of Sarbanes-Oxley, nearly two-thirds of European executives surveyed by PricewaterhouseCoopers last year said they were less likely to access U.S. capital markets, citing over-regulation as the biggest threat to their business.
John Montana, J.D., is a records management and legal consultant and principal of Cunningham and Montana. He may be contacted at firstname.lastname@example.org.
|Publication:||Information Management Journal|
|Date:||Jul 1, 2003|