Sarbanes-Oxley Frequently Asked Questions
1. Why should an organization implement a technology-based solution to address Sarbanes-Oxley compliance issues?
2. So, all I need is to purchase a technology-based solution and our firm becomes compliant?
3. I already have an imaging system and it works adequately, so I have all I need, correct?
4. How much does it cost to have a Formal Written Records Retention Policy developed for my company?
5. Are private and not-for-profit organizations affected by the Sarbanes-Oxley Act?
6. What does IDT offer as a solution to specifically address Sarbanes-Oxley Act?
7. Can you highlight some of the features of your IDT Corporate Compliance Pilot Pack offering?
1. Why should an organization implement a technology-based solution to address Sarbanes-Oxley compliance issues?
A: Failure to comply raises the risk to the corporation, its employees and officers of increased litigation and severe criminal and
financial penalties (Sections 802, 1102, 1106, and 1107 of the Act). The costs of implementing a system are far less than those of a violation
and/or conviction. Further, a technology-based solution specifically designed to address Sarbanes-Oxley provides a higher level of
assurance to the officers of the corporation that they are meeting the requirements of the law, giving them comfort to sign a
2. So, all I need to do is purchase a technology-based solution and our firm becomes compliant?
A: Unfortunately, it is not quite that simple. First, an organization must establish a Formal Written Records Retention Policy.
IDT has partnered with a well-renowned law firm that specializes in formulating Corporate Record Retention Programs. The expertise
of this firm stems from first-hand dealings with the SEC on the very issue of Records Retention. In partnership with this firm,
we have a defined process to enable your company to proceed forward with the right program, whether the need is to create a new
retention policy or revise and update existing retention policies and procedures. Utilizing extensive questionnaires and personal
interviews, we collect information from key corporate personnel. This helps chronicle the history of document retention, including
both paper and electronic records, within the company and how those records are stored in order to assess the company's (and its
employees') understanding of retention requirements. After these critical steps are complete, then the technology solution enters
the equation. You can't put forth a technology-based solution without first knowing your requirements, and that necessitates having
and enforcing a "Formal Written Records Retention Policy."
3. I already have an imaging system and it works adequately, so I have all I need, correct?
A: While you are on the right track, Sarbanes-Oxley mandates stringent controls be placed on accounting practices. It is much
more involved than just "imaging" documents. The Act heightens the need for effective record keeping and destruction policies.
The corporation must have a Corporate Compliance program which includes a Records Retention Policy and Electronics Communication
Policy. A "corporate record" now expands far beyond a simple piece of paper. The deletion of computer files in an attempt to simply
free up disk space can potentially prove to be a costly mistake. Therefore, a Compliance Solution that manages the lifecycle of paper,
electronic documents (Enterprise Content Management) and business processes (Workflow) becomes critical to the organization. Imaging -
by itself - does not specifically address Records Management or Compliance, thus an "add-on" product or an entirely new product suite
encompassing document imaging, workflow, records management and compliance is needed.
4. How much does it cost to have a Formal Written Records Retention Policy developed for my company?
A: The costs vary (from a few thousand dollars on up) depending on the complexity of the business, the number of divisions, and other
compliance and/or regulations that may affect the organization. Current policies may need to be revamped in light of recent legislation.
Training and communications to employees about the policies are imperative as well. It should be noted that the policy requires frequent
updating as the business model and practices change. Thus, the organization should plan to allocate annual budget dollars for this
5. Are private and not-for-profit organizations affected by the Sarbanes-Oxley Act?
A: Unfortunately, the private or not-for-profit veil is pierced quite easily. Sarbanes-Oxley mandates strict policies and procedures, which result in the need for Corporate Record Retention Programs. Since 1987, the Federal Sentencing Guideline has recognized that such a program is an essential element of an effective compliance program, which may result in mitigating penalties for criminal violations by an organization. Although this law primarily addresses record retention issues for public companies, private companies and not-for-profit institutions are beginning to see the impact of this legislation. Organizations in pre-IPO mode or having aspirations of going public will eventually need to conform to the Act and it is better to have the infrastructure in place before doing so. Additionally, those organizations seeking a merger or acquisition by a public organization would need to take many of the steps required to demonstrate compliance with the high standards of Sarbanes-Oxley. Finally, many private organizations may service the Federal Government. More and more Federal contracts will require compliance with the Sarbanes-Oxley Act.
6. What does IDT offer as a solution to specifically address the Sarbanes-Oxley Act?
A: IDT offers the IDT Corporate Compliance Pilot Pack - a turnkey solution encompassing all the hardware, software, professional services and support agreements necessary to comply with or satisfy various sections of the Act. The IDT Corporate Compliance Pilot Pack solution provides the ability to capture, store and manage the information that is used to automate the business processes around the compliance regulations. Further, the IDT Corporate Compliance Pilot Pack solution provides online tracking and discovery of vital corporate information, ensuring business processes are accurate and the information maintains integrity throughout its life cycle.
For the first time, executives responsible for compliance now have the tools to more effectively manage their areas of responsibility. Compliance Officers, CFOs, CEOs, Records Managers, etc. can now:
- Build approved workflows or automate existing ones, to automatically complete the activities necessary to collaborate on and complete
internal controls while providing management reporting on the progress of these efforts.
- Post policies and sanctioned processes into the secure repository where they can be leveraged and transmitted across the enterprise
in an automated and closed-loop manner - including the ability to acknowledge the receipt and attestation of those individuals who received it.
- Secure corporate records in a market-leading records management solution. Regardless of the medium or type, the IDT Corporate Compliance
Pilot Pack can manage the corporate assets in a consistent and approved manner.
- Make complete audit trails available to executives and auditors, providing a comprehensive history of the system and user interactions
and activities. Since the solution leverages a shared technology base, all activities - whether in the repository, the records management
systems, or with workflow - are traced and logged as a complete audit trail in the system.
- Know the state of their compliance initiatives in real-time through graphic charts and drill down information and take preventive action
when and where necessary.
The IDT Corporate Compliance Pilot Pack provides corporate management with complete visibility into the status of their Sarbanes-Oxley compliance initiatives by:
- Easily integrating with corporate Enterprise Resource Planning systems including: Oracle, PeopleSoft, JD Edwards, Microsoft Business
Solutions and others to identify and integrate key financial data into a more complete compliance and control environment to minimize
costs and increase efficiency of compliance initiatives.
- Complying with Section 302 of the Act by providing a repository for the collaboration and review of companies' periodic financial reports
and internal controls. The highly secure and browser accessible repository in the IDT Corporate Compliance Pilot Pack allows auditors, CFOs
and CEOs to review and attest to this sensitive and critical information in a defensible and provable manner, allowing them to sign the
required attestation with much lower risk.
- Meeting Section 403 mandates by facilitating the disclosure of specific financial transactions within two business days. Similarly, Section
409 requires rapid disclosure of any information on material changes in the financial condition or operations of the company. The IDT Corporate
Compliance Pilot Pack can integrate with existing applications to automatically extract this information and other triggering events to
initiate this disclosure. Alternatively, the IDT Corporate Compliance Pilot Pack allows Windows or Web-based forms to automate and expedite
the disclosure and submission of this required information.
- Complying with Section 404 by providing workflow and auditing capabilities to ensure that internal controls and compliance initiatives
are being executed in an appropriate and timely manner. Creating the control policy or specifying the procedure in a document or drawing is
not enough in today's climate. Executives, boards, and auditors must have the tools and information that enable them with complete visibility
on the state of these initiatives. By providing notifications, executive reporting and remediation workflows that help get problem areas
back within acceptable levels, managers now have the confidence as never before to make these important attestations as to the effectiveness
of their control environment.
- Satisfying Section 802 requirements that stipulate documents, communications, and other assets that are part of the financial reporting and
auditing function be kept in an unalterable, yet readily accessible manner, for seven years. The records management application can handle all
types of content - from physical to electronic (e-mails, documents, Word, Excel, and others) with the same applications and administrators that
are handling the other components of the compliance solution.
- Assisting whistleblower support and protection granted under Section 806 that mandates that information provided to support a claim of
misconduct by an individual or the organization be handled in an expedited, consistent, and approved manner. The IDT Corporate Compliance
Pilot Pack assists companies as they register these issues and enables them to follow consistent steps and notifications as the issues are
investigated and remediated; all within a closed-loop environment that allows for full management visibility and an iron-clad audit trail.
7. Can you highlight some of the features of your IDT Corporate Compliance Pilot Pack offering?
Department or company level record series
Hold controls for disposition suspension (due to audit, litigation, etc.)
Citation management, including integration with 3rd party retention databases
Save either as an entire object or broken down between the message and the attachments
"Drag and drop" declaration into a records folder within the Exchange client
Batch declare or individual posting
Memo-based reporting to manage required approvals
Historical tracking for post-destruction reference
Automated destruction receipts
Define storage facilities, down to row, bay, shelf, and position levels
Manage at the individual storage unit level
Complete content view at any level
Barcoding support and label printing
Over 110 standard reports
Custom queries and saved queries allowed
Complete audit system of user activity/history
Proprietary security management model
User level security management
Encrypted password administration