A Simple Way to Ensure SOX Section 802 Compliance
After the Enron (2001) and WorldCom (2002) accounting scandals, Congress enacted the Sarbanes-Oxley Act of 2002 (SOX) to deter and punish certain types of corporate fraud. Among other things, SOX has had critical implications for IT, not only because of the role information technology plays in every business today, but because of the record retention and anti-tampering requirements of Section 802.
SOX Section 802 Business Record Retention Compliance Is a Challenge for IT
Business Data Lifecycle
Defining a framework to properly manage and control business data as it goes through its life cycle is a good place to start. This framework must provide a way to understand and control business data from creation, through updates, to deletion. In addition, it must lay out a plan to control and mitigate the risks of data falsification, alteration, and destruction, whether accidental or deliberate.
SOX Section 802
SOX Section 802 focuses on business data retention and protection. However, Section 802 defines mostly the what and not the how — i.e., what type of business records should be stored and for how long but not how it should be done or where these records should be kept.
Exploding Business Data Makes Data Retention and Protection An Ever Growing Challenge for IT
Here are the 3 primary rules commonly drawn from SOX Section 802 (18 U.S.C. §§ 1519 and 1520) and the SEC rule that implements it for the management of electronic records:
1. Destruction, falsification, and/or alteration
This rule covers the knowing alteration, destruction, falsification, concealment, or mutilation of business records or documents with the intent to obstruct, impede, or influence a federal investigation or a bankruptcy proceeding. Penalties include fines and imprisonment of up to 20 years.
2. Retention period
This relates to the length of time business records must be retained. Section 802 itself sets a retention period only for audit and review workpapers (five years in the statute, extended to seven years by the SEC's implementing rule); the periods for other record types come from tax, employment, and other regulations and from common record retention schedules, and they vary by record type. Here are some typical examples:
- Receivable or payable ledgers – 7 years
- Employment applications – 3 years
- Contracts and leases – forever
- Invoices to customers – 5 years
- Payroll records – forever
- Tax returns – 7 years
- Timesheets – forever
- Bank statements – forever
3. Data types
This rule outlines a high-level classification of the business records that must be retained and protected. It includes electronic communications (e.g., email, EDI), financial business records (e.g., invoices, bills, checks, bank statements), and general communications (e.g., letters, memos, publications), in whatever medium they were created.
Compliance Challenges
The major challenge is operational: defining the security control points (the activities required to ensure compliance), assigning each one to an owner, monitoring and escalating them, and recording evidence that they were in fact carried out on time and as expected.
Using a tool like CommandHound to ensure that nothing falls through the cracks can significantly help any business with SOX compliance efforts. CommandHound is a task management tool built from the ground up to make sure things get done and to drive accountability in any compliance effort.
CommandHound Ensures That All SOX Section 802 Compliance Activities Are Performed As Expected Every Time
You just need to load the security control points that ensure compliance with SOX Section 802 into CommandHound, and then assign responsibilities, due dates, and, more importantly, escalation paths and deadlines. CommandHound will relentlessly remind, escalate, and report on progress and on any exceptions so nothing is forgotten. Note that this tracks the control activities and their evidence; the records themselves still have to live in a storage system that enforces the retention periods and prevents alteration or deletion before they expire.
Conclusion
SOX compliance, or any other type of compliance activity for that matter, can be greatly enhanced with a tool like CommandHound which was built with timely compliance in mind.
In addition, using a tool like CommandHound can provide all the documentation and audit logs required to prove that all the controls were properly defined, in place, communicated, and executed as expected.
Would you like to learn more about how CommandHound can help you with your SOX compliance efforts?