Guidelines for Compliance with Sarbanes-oxley

Over the past few years, cases of miserable failure in corporate governance have shocked the financial world. Enron and WorldCom are just two examples of how a few people in a position of power can cause unprecedented damage to hundreds of thousands of people, including investors, employees, and retirees. Lessons thus learned created a wave of regulations, the most significant being the Sarbanes-Oxley Act of 2002, the first major overhaul in the area of securities since the Securities Exchange Act of 1934. A reading of piles of pages of the act and its numerous interpretations does not reveal any explicit links between information resource management and corporate governance. After all, how you comply with the act’s provisions is not dictated. However, a careful study of the act and its requirements suggests that, in the absence of information technology’s involvement, some of the measures one might select to comply with the letter of the law may turn out to be ad hoc, isolated patchworks rather than integrated solutions that yield long-term benefits. Information executives are used to their role in compliance of regulations. HIPAA (Health Information Portability and Accountability Act) is a recent legislation that requires systemic steps to ensure data security and information privacy by covered entities. Aside from regulations, information executives have seen the transition to Euro as a force behind system-wide revisions for some, and Year 2000 (Y2K) compliance to ensure that systems are viable in 2001 and beyond. Such changes impact many systems and applications in various organizations, and to accommodate them is a part of the role of information executives. The Sarbanes-Oxley Act (SOA) applies to those corporations (in the United States and abroad) whose securities are publicly traded on the U.S. financial markets (e.g., NYSE and NASDAQ). The spirit of the provisions of the act is to require the issuer of securities to create a risk management model for its stakeholders, mainly the investor. In this regard, even for a non-publicly traded organization, some of the provisions of the act might be helpful to review and, if appropriate, implement. SOME OF THE MEASURES ONE MIGHT SELECT TO COMPLY WITH THE LETTER OF THE LAW MAY TURN OUT TO BE AD HOC, ISOLATED PATCHWORKS RATHER THAN INTEGRATED SOLUTIONS THAT YIELD LONG-TERM BENEFITS.