No software exists that will make your firm—presto!—Sarbanes-compliant.
Bob Tillman is worried. At a recent tech conference in New York, Tillman, director of public affairs for the Association of Records Managers and Administrators (ARMA), found himself surrounded by vendors hawking hardware and software that promised to help companies get smarter about managing their documents. Offering scanners to smart pens to workflow and routing software as well as full-range governance application suites, the array of technology could overwhelm even the most informed CIO. The most common pitch? Regulatory compliance.
“It gives me a little angst that all these companies are running around and saying their software is Sarbanes-Oxley compliant,” Tillman says. “There is no such thing as ‘Sarbanes-Oxley compliant.’ It’s not like HIPAA, which has this litany of rules. The SEC has not laid down a regimen of things that you as a company have to do for Sarbanes-Oxley, other than the certification and the 404 section of the act.”
With analysts calling document management one of the cornerstones of Sarbanes-Oxley compliance (the other is business process management), vendors are looking to cash in on what has become the big tech issue of the moment. But, as Tillman points out, there’s no off-the-shelf program that qualifies as the proverbial “turnkey solution,” because the scope of Sarbanes is too broad.
Under the act, public companies are required to archive any and all financial data, and also to keep a record of a document’s lifecycle—who within the company had access to, viewed or amended a given document. What’s more, all this information has to be retrievable upon request by the Securities and Exchange Commission, and in just two business days. Sure, the SEC may grant individual firms extra time to gather the data on a case-by-case basis, but it’s not backing down on enforcing the policy. Several major banks and investment firms have already been fined, most notably Bank of America Corp., which in early March was fined $10 million—the largest fine ever levied by the SEC for failure to produce documents—for refusing to produce e-mails and compliance forms concerning trading activities. According to SEC reports, Bank of America refused to provide documents and “engaged in dilatory tactics that delayed the investigation.” Moreover, some requested documents had been destroyed after regulators requested them—a move that Bank of America claims was inadvertent. And $10 million proved just the beginning: After agreeing to create a special department to handle data retention, B of A consented the same month (March 2004) to pony up $375 million—$125 million in fines and $250 million to investors—to settle SEC claims that it traded mutual funds improperly. The bank also agreed to exit the securities clearing business by 2005.
Still, while Bank of America may be one of the latest to feel the SEC’s sting on document retrieval, it’s not the first. Another notable precedent for such fines came back in December 2002, when the commission, in a joint action with the New York Stock Exchange and NASD, fined several Wall Street firms—Goldman Sachs, Salomon Smith Barney, Deutsche Bank Securities and U.S. Bancorp Piper Jaffray among them—$1.65 million each for failing to produce requested e-mail records fast enough.
“That’s the one place where the SEC has an amazingly short tolerance,” says ARMA’s Tillman. “When the SEC says they want information, you better be able to bring it up.”
The two-day turnaround presents a significant challenge. “It really raises the bar in terms of what management needs to do,” Bruce Winters, a senior manager at PricewaterhouseCoopers, says. “Most of the world is not ready for that.”
Ask your records manager:
Ask your business managers:
Tell your compliance department: