Companies with few IT resources that need to meet the SOX deadline -- and those with similar compliance needs -- should learn best practices for choosing and implementing the appropriate data retention systems, experts suggest.
Jim Van Orden, executive director of the Information Technology Solution Providers Alliance (ITSPA), a nonprofit organization based in Dallas, said it is important that SMBs find the right help because contract and document management systems are plentiful and can cost anywhere from $50,000 to $500,000.
"Sometimes banks and other institutions hold [private SMBs] to the same kinds of processes that are required by SOX," said Van Orden, whose organization is funded by grants from Hewlett-Packard Co. and other Fortune 500 companies. "Even a very small business might be required to do effective financial data collecting."
SOX was enacted in response to high-profile corporate financial scandals at companies like Enron Corp. and WorldCom Inc. It's designed to protect shareholders and the general public from accounting errors and fraudulent accounting practices.
The act also states that public companies -- or private firms with public debt -- must save all business and electronic records and electronic messages for at least five years. Companies that fail to comply with SOX risk fines, jail time for their executives, or both.
Section 404 of SOX requires managers of registered companies to prove that their firms have established and maintained internal controls over financial reporting. Midsized businesses with a market capitalization of more than $75 million must comply by Nov. 15, and companies under this amount have until July 15, 2005.
According to the Boston-based Yankee Group's 2003 SMB Applications and Web Survey, only 5% to 16% of SMBs planned to upgrade or purchase software because of their need to comply with SOX.
While SOX didn't appear to be a major concern for SMBs last year, Yankee senior analyst Steve Hilton said awareness of compliance issues is growing as a result of other laws that call for data retention. Those laws include the Gramm-Leach-Bliley Act, which protects consumers' financial information, and the Health Insurance Portability and Accountability Act, which provides for strict security protection of patient or employee health information.
Still other SMBs face compliance issues as a result of industry-specific regulations.
For example, Great Lakes Gas Transmission Co. in Troy, Mich., deals with compliance issues almost daily. The gas pipeline company, which has about 200 employees, including four IT staffers, is highly regulated by the Federal Energy Regulatory Commission and the U.S. Department of Transportation.
Katie Held, a senior network support specialist with Great Lakes Gas Transmission, said keys to running at optimum compliance levels include ensuring that all computer hardware is up to date, that backups are run regularly and, perhaps most importantly, that all applications are deployed properly.
Those guidelines go a long way toward ensuring efficient compliance with regulations and the security of stored data, Held said.
"I have to be kind of a wicked witch with some of these people that want to install an application five times," Held said. "Don't be afraid to follow the documentation and the legal requirements of your software."
Developing a compliance plan
The ITSPA suggests that companies setting out to comply with SOX and other regulations start by defining the compliance needs. The organization said financial and IT auditors can assist in this task.
When looking at vendors of compliance products and services, it's best to find one that can develop an overall compliance strategy for your company, according to the ITSPA. This strategy should cover software and the company-wide processes involved in ensuring compliance.
The ITSPA also recommends that SMBs consider buying a contract management system. The organization said dozens of software packages are available that can help SMBs stay on top of contract compliance and controls. Some of these products contain SOX assessment tools.
Companies that need to comply with SOX should also consider appointing a compliance officer. The ITSPA said this person should be the main source for both financial and non-financial data and should form a committee consisting of the chief information officer, the CEO and the chief financial officer.
Next, write a company-wide compliance plan and make sure that all employees understand the compliance requirements.
"Everyone has to be involved," Van Orden said.
Van Orden added that, for security purposes, it's important to retire older computers and update old operating systems.
"If [your computer hardware] predates Y2K, for instance, you're very vulnerable to security breaches," Van Orden said. "We recommend that they update or refresh desktops and PCs regularly."