Meeting SOX Compliance with Ademero Content Central

by | Aug 17, 2021 | Compliance, SOX

Sarbanes-Oxley Act (SOX) and DMS

The Sarbanes-Oxley Act (SOX), also known as the Public Company Accounting Reform and Investor Protection Act of 2002, was enacted in response to a number of major corporate and accounting scandals, like Enron and WorldCom. SOX imposed new reporting and record-keeping requirements on all publicly traded companies, mandating that executives of those companies take personal responsibility for the procedures and integrity of the company’s financial reports and data.

As a result of these stringent rules and subsequent accountabilities, most company executives look for software solutions like document management software to automate and streamline their internal financial reporting and processes while ensuring they meet compliance.

Compliance

SOX is organized into 11 sections, though Sections 404 and 302 are the biggest areas of focus when looking at a software purchase.

Section 404

Requires management to take responsibility for the integrity of financial information by evaluating IT systems and processes and then producing evidence that the company has done a reasonable job keeping sensitive information safe. 

Section 302

Requires that the CEO and CFO issue periodic statements certifying that adequate controls are in place for the protection of financial information in the organization.

Ignorance of a vulnerable system is no longer a defense, since CEOs and CFOs are now personally accountable for this information. Finally, to be SOX compliant, the company must have regular external audits that ensure that data is accurate and unaltered, and that it offers a true representation of the company’s financial position.

Software Requirements

To comply with the requirements of SOX, you’ll be looking for a flexible software system that simplifies record-keeping and management of documents throughout the lifecycle of the financial reporting process.

Many organizations struggle to understand SOX compliance requirements since there are no easy-to-read checklists to follow. Let’s take a look at compliance requirements as they pertain to software, keeping in mind that they are centered around the necessity for appropriate filing and retention of financial documents, as well as the preservation of audit records.

  • Access Control
  • Audit Controls
  • Integrity
  • Confidentiality
  • Availability
  • Change Management

Access Controls

Access to protected financial data must be controlled via means like unique user roles and user-based permissions. All points of access to data (database, file, folder, etc.) must be appropriately restricted so that access is provided only to those who are permitted.

How does Ademero measure up?

With Content Central, each user is unique and can be configured to automatically log off after a set amount of inactivity.

Also, Content Central administrators have full control of user-based permissions so your users only have access to data they need.

Auditing and Logging

Audit controls monitor activity on software systems that contain protected information. The main features required for compliance are those that monitor logon and logoff activity, file access, updates, edits, and any security incidents.

Tools that provide this functionality are the main features you’re looking for in your software to meet compliance, and they must be as close to real time as possible to be useful. You will also need a policy in place within your company, office, etc. to regularly monitor activity using the tools provided in the software, such as:

  • Tool 1: Document History – including updates, edits, etc. to any document
  • Tool 2: Event Logging – including user access, incidents, etc. system-wide

Tools and features could be named differently depending on your software solution but must cover these basic needs outlined above so administrators can easily view a document or system’s historic data for audits.

How does Ademero measure up?

Ademero’s detailed system auditing and event logging allow you to track logon and logoff activity, file access, updates, and edits, and help you identify potential security incidents before they happen.

Each document has its own extensive auditing through our Document History, which also monitors other common file tasks like copying, checking in and out, downloading, and more.

Integrity

Ensuring the integrity of the financial data is the goal, so software should provide evidence that data has not been modified or altered.

Confidentiality

Confidential information cannot be exposed to unauthorized entities. Features like Encryption and Decryption, Automatic User Logoff, and Unique User Login and Passwords help ensure compliance is easily met.

Unique User Identification

A unique name and/or number for identifying and tracking user identity

Automatic Logoff

Automatic termination of an electronic session after inactivity

Encryption & Decryption

The conversion of data from a readable to an unreadable format and back again.

How does Ademero measure up?

Data security is one of the top reasons users choose Ademero. Whether files are at rest or in transit, data is encrypted with tools like SSL and protected against unauthorized intrusion.

Availability

Since authorized individuals must be provided access to financial data, considerations for compliance with this requirement go beyond the ability of software alone. Physical safeguards like data backups and facility security are considerations that must be applied to meet compliance.

Change Management

The U.S. Securities and Exchange Commission (SEC) must be notified of any material changes to the process that governs the flow of financial data. Software that features System Event Logging can make this process exponentially easier by providing a reliable and tamper-resistant way to provide data to the SEC.

How does Ademero measure up?

Ademero works closely with Google Cloud Platform to provide secure data-center facilities for your documents and information.

Pairing with such a trusted name has significant benefits for our hosted customers, like third-party auditing, trusted infrastructure and facility controls, and compliance with numerous standards beyond those for SOX compliance.

Keeping it Simple

The hardest part about SOX is knowing exactly what it takes to meet compliance with whatever software you choose, but it doesn’t have to be. It’s actually pretty easy from the software side, which should help you narrow in on the one you want to purchase pretty quickly. When you boil it down, SOX requires publicly traded companies (or those planning to become public) to:

Establish a Financial Accounting Framework

  • That can generate financial reports
  • That those reports are readily verifiable
  • And include traceable source data

Source data must remain intact

  • And cannot allow for undocumented revisions

Any Revisions to Financial or Accounting Software

  • Must be fully documented and
  • Include what changed, why it changed, when it changed, and by whom it was changed.

When it comes to picking a DMS, there are several features you’ll need in order to meet compliance. Individual software might call these by different names, but in the end, you’ll be looking for features that provide:

  • Unique User Identification
  • Password Protection
  • Automatic Logoff
  • Transmission Encryption
  • Document History
  • System Event Logging
  • Login Monitoring

If you’re using your DMS provider to host your system on the cloud, then you’ll also be looking for the requirements for Physical Safeguards like:

  • Data Backups
  • Redundant Power Servers
  • Disaster Recovery Plan
  • Physical Security
  • Video Surveillance
  • Fire Suppressant
  • Limited Access to Servers

When it’s all said and done, you’ll be looking for much more out of your DMS than just an electronic version of a file cabinet. You’re looking for a robust and simple solution that meets all your needs at one low price. One that’s fast to implement, has all the features you need, with a snappy user interface that’s easy to use and understand.

Content Central will keep your office moving with features that do more than just help you meet SOX compliance. But don’t just take our word for it; give it a try for yourself and see your customized solution in action.

 
