The United States Congress enacted the Sarbanes-Oxley Act in 2002 in an effort to prevent the kind of major corporate and accounting scandals embodied by Enron, Tyco and WorldCom. The corporate malfeasance of these publicly traded companies rocked the financial markets in the early years of the 21st century. Evidence presented in congressional hearings on the business practices of these entities revealed manipulation of electronically stored data both at the servers located at the corporate offices and at the remote server backup. Because of this disclosure in the hearings, the authors of the Sarbanes-Oxley Act included standards for the storage and security of electronic records in Section 404 of this legislation. The stakes are high for publicly owned companies to ensure compliance with these standards, as there are both criminal and civil penalties for failure to follow the specifications mandated in the law.
The standards that apply to electronic data management are as follows:
- Time for Retention of Records: Sarbanes-Oxley mandates financial records and audit reports are saved and available to review for a period of no less than seven years.
- Specifications for the Types of Records and Electronic Communication Required to be Retained and Stored: In addition to financial and audit records, internal memos, reports and emails must be stored and accessible to authorities investigating the corporation.
- Retention of Complaints: Publicly held companies, their accountant and auditors must have records of complaints retained and accessible for investigators.
- Internal Controls: As part of the requirements for internal controls, data on servers must be securely backed up on a regular basis. The data on the server backup must be recoverable in the event of data loss or corruption on the home servers.
- Prevention of Alteration or Destruction of Records: The data maintained on remote data storage must have a means of monitoring and tracking changes in files in order to detect attempts to alter or destroy files.
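The last requirement above, detecting attempts to alter or destroy stored records, is what a file integrity manifest provides. The following is an added example written for this page, not code from the article or from any backup provider; it hashes every file under a directory, signs the manifest with an HMAC so the manifest cannot be rewritten alongside the files, and reports which records were modified, deleted or added since the manifest was taken. The file names, contents and the manifest key are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List

# Constructed for this example: in production the manifest key lives in a
# KMS or HSM, and the manifest is stored separately from the records it covers.
MANIFEST_KEY = b"constructed-demo-manifest-key"


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every regular file under root and sign the manifest with an HMAC."""
    entries: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_file(full)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_manifest(root: str, manifest: dict, key: bytes) -> Dict[str, List[str]]:
    """Compare the current directory against a signed manifest.

    Raises if the manifest's own signature does not verify (someone edited the
    manifest itself); otherwise returns the modified, deleted and added paths.
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest signature mismatch: manifest was tampered with")
    old = manifest["entries"]
    current = build_manifest(root, key)["entries"]
    return {
        "modified": sorted(p for p in old if p in current and current[p] != old[p]),
        "deleted": sorted(p for p in old if p not in current),
        "added": sorted(p for p in current if p not in old),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot three records, then append to one and
    delete another, and return what the integrity check reports."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("ledger-2023.csv", b"acct,amt\n1001,50\n"),
                           ("audit-q4.txt", b"no exceptions noted\n"),
                           ("memo-001.eml", b"Subject: reserves\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, MANIFEST_KEY)
        # Simulated tampering after the snapshot was taken.
        with open(os.path.join(root, "ledger-2023.csv"), "ab") as f:
            f.write(b"1002,-50\n")
        os.remove(os.path.join(root, "memo-001.eml"))
        return verify_manifest(root, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    print(demo())
```

Running the demo reports `ledger-2023.csv` as modified and `memo-001.eml` as deleted. The point of signing the manifest is that an attacker with write access to the backup store cannot simply recompute the hashes after editing a record; the manifest key, and ideally the manifest itself, must be held somewhere the record store cannot reach.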
The complexity of the Sarbanes-Oxley mandates, and the possibility of criminal penalties for a publicly held company, auditing firm or accounting agency that fails to comply with these standards, require these entities to evaluate carefully the security and monitoring procedures for the retention of records. Given the extensive length of time companies and firms are required to retain records, remote online data storage is a necessity. Information technology administrators must carefully evaluate the ability of their server backup provider to meet the standards outlined in Sarbanes-Oxley. A secured data storage provider with knowledge of the Sarbanes-Oxley standards is a valuable partner in navigating the regulations and assuring compliance.
When choosing a server backup provider, it is essential to ensure the service provides Continuous Data Protection to monitor the changes in files so nothing is lost. The remote server must be able to recognize the electronic medical record application on the user side in order to prevent corruption of files. The service needs to provide user-side passwords for access to encrypted data which are resistant to brute-force hacking techniques, so there is no unauthorized access to financial reports, electronic communications and memoranda. Managed remote server backup services and online backup provide the advantage of monitoring the activity of the servers, fulfilling the Sarbanes-Oxley standards related to audit controls and data integrity. A comprehensive web-based user control panel for the remote server is required in the event of an enforcement authority investigation.
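The brute-force resistance asked of the password above comes from how the password is turned into the key that unlocks the encrypted backup, not from the password length alone. The following added example (written for this page, not the article's or any provider's code) derives the key with scrypt, a memory-hard KDF, stores only a salt, the cost parameters and an HMAC verifier, and checks a presented password in constant time. The cost parameters and the test passwords are constructed values; the derived key would be handed to an authenticated cipher to encrypt the records themselves, which is outside this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed cost parameters: each guess costs 128 * N * r bytes of memory
# (16 MiB here) and a corresponding amount of CPU time, which is what makes
# offline guessing expensive. Raise N for production use.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
VERIFIER_LABEL = b"backup-key-verifier"


def derive_key(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Stretch a password into a fixed-length key with scrypt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=KEY_LEN)


def enroll(password: str) -> dict:
    """Create the record the backup service stores for a user.

    The record holds the salt, the KDF parameters and an HMAC of a fixed label
    under the derived key. Neither the password nor the key is stored, so the
    record alone cannot be used to decrypt anything.
    """
    salt = os.urandom(16)
    key = derive_key(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "verifier": verifier}


def unlock(password: str, record: dict) -> Optional[bytes]:
    """Return the data-encryption key if the password matches, else None."""
    key = derive_key(password, record["salt"], record["n"], record["r"], record["p"])
    check = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    # compare_digest avoids leaking where the first differing byte is.
    if hmac.compare_digest(check, record["verifier"]):
        return key
    return None


if __name__ == "__main__":
    rec = enroll("constructed example passphrase")
    print("correct password unlocks:", unlock("constructed example passphrase", rec) is not None)
    print("wrong password unlocks:", unlock("guess", rec) is not None)
```

Storing the KDF parameters beside the salt is what lets the service raise the cost later for new enrollments without breaking existing users. The verifier only answers whether a password is right; the key it yields is the secret that actually protects the stored financial records.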
Although multiple companies expressed concern about the cost of implementing the procedures required by Sarbanes-Oxley, the cost-effective services provided by remote backup servers reduce cost as compared to trying to devise in-house solutions. Additionally, a 2006 Lord and Benoit report indicated that publicly held companies realized a ten percent gain in share price by demonstrating compliance with Sarbanes-Oxley.