DNS: Business Continuity

July 30, 2010

DNS - Business Continuity Implications for SOX Compliance

By TMCnet Special Guest
Andrew Barnes, Senior VP of Corporate Development, Neverfail


The famous Sarbanes-Oxley Act of 2002 is the federal law enacted as a result of the many corporate financial scandals of the early part of the century, and it was signed into legislation to protect shareholders and the general public from accounting errors and risky, fraudulent activities. The act is enforced by the Securities and Exchange Commission (SEC) and requires organizations to manage and store their records – including electronic records and messages – for no less than five years. Penalties for non-compliance with Sarbanes-Oxley (SOX) include heavy fines, imprisonment of not more than 20 years, or both. Since electronic records need to be easily accessible for audits, or simply to answer a question related to an audit, the burden falls on the IT department to ensure that the IT infrastructure is in alignment with SOX audit requirements.

When the SOX mandate initially went into effect, there was a mad rush by organizations to ensure electronic records were ready to meet audit deadline requirements. However, rapid adoption of technology means that today’s electronic business records are often stored on a myriad of servers that may or may not be readily available. For this reason, it is more crucial than ever for IT departments to ensure continuous access to electronic records – any lag time in providing audit materials, even during a disaster, can be costly, damage a brand or even cripple an organization.

According to the U.S. National Archives and Records Administration, “80 percent of companies without well-conceived data protection and recovery strategies go out of business within two years of a major disaster.” Business dependency on IT systems for compliance audits has never been greater, so when things go wrong, the impact is often catastrophic. Let’s face it: there are a variety of things that can go wrong. On any given day, a computer or server malfunction or a power outage can lead to downtime that cuts off access to critical data needed for a SOX audit. Organizations need to be prepared for an audit, or to respond quickly to a SOX audit question, even when disaster strikes – because a disaster disrupts all business activities, including a SOX audit. During a disaster, organizations are responsible for ensuring that all of the data is recovered and not lost, because it might be needed for an audit. In today’s fast-paced economy, disaster recovery is no longer good enough; organizations need to be disaster resilient.

In the wake of these SOX requirements, there are several steps organizations need to take to ensure business continuity across the entire IT infrastructure, even in a mixed environment that combines physical and virtual systems.

1. Establish an Annual Plan

Develop an IT continuity plan that is disaster resilient and eliminates user downtime – in this 24/7 world no organization can afford any downtime. The solution you select needs to ensure that your organization’s business is always ready for an audit.

Every year, reassess your Sarbanes-Oxley readiness plan and understand what is required for compliance, taking into account any issues that arose during the previous year.

Take a complete inventory of your entire IT infrastructure, including your applications. Consider any improvements, and any applications that have been added to or removed from the IT infrastructure. Think about the role that each mission-critical application plays in the workflow process and how an outage of a single application could impact the entire audit. Then consider the entire workflow needed to conduct a SOX audit and make that process disaster resilient, because recovery after a disaster is not the solution, especially when you are on a tight deadline and your organization is facing non-compliance issues that may lead to fines or prison time and can seriously damage your brand – not to mention your life!

Place a particular focus on collaboration: collaboration is an essential tool when dealing with SOX audit requirements, so total resilience of collaboration systems is required to ensure timely completion of audits or legal discoveries. On the other hand, collaboration itself introduces risk: outages of mobile and collaboration tools can themselves cause data loss and leave the organization unable to comply with requirements.

2. Selecting a Solution

Understand your organization and how your users interact with your IT infrastructure. You need to select a solution that is appropriate for your organization’s needs and the way you work. While it’s important to implement a disaster resilience solution, don’t implement just any solution simply because it protects data. Focus on resiliency and continuous availability of critical systems, rather than a lengthy recovery that will interrupt important processes.

Make sure the solution you select supports everyone who plays a critical role, everywhere – even those who are mobile. Keep in mind that in a natural disaster you might not be able to get to the physical office. You need to ensure continuous availability of your business-critical applications even for remote users.

You also need a solution that will ensure that any electronic documents and messages created during a disaster are preserved for future audits.

Organizations spanning multiple locations need to be able to access data for SOX compliance, even in a disaster. Regardless of where employees and data are located, they need continuous availability of critical applications, such as e-mail, that contain critical audit data.

Find and evaluate solutions that will help your organization meet its business and audit needs. While evaluating solutions, check references, including ones the vendor has not supplied; leverage peers in similar organizations. In addition, check references by geography, specifically organizations in known disaster areas such as hurricane alley or along a fault line.

3. Test IT

No organization would install a fire alarm system and just assume that it works and that employees can evacuate safely – so why would an organization implement a disaster resilience solution without testing it? Test your disaster recovery plan on a regular basis; make sure you can still conduct a SOX audit even in the event of a disaster. Of course, any solution is useless if it doesn’t actually work as promised, and you shouldn’t wait to try it out until disaster has struck. When the time comes for an audit, you will not have time to go back and get your ducks lined up!

These tips will not only help you guard against SOX compliance disruption, but also against disruption of other types of regulatory audits. There are a variety of everyday causes, such as computer or server malfunctions, power outages, and more, that can lead to organizational downtime. Be sure you’re prepared to do a SOX audit or respond to any audit-related question even when disaster strikes – lack of preparedness will impede your ability to respond, impact your brand, and more than likely have financial repercussions.


Edited by Stefania Viscusi