
Prepare for impact of Sarbanes-Oxley in SA

While local companies may think they can ignore Sarbanes-Oxley, the tentacles of this and similar legislation will spring up all over the world, including in SA.
By Paul Mullon, Information governance executive at Metrofile.
Johannesburg, 18 Oct 2004

The world was shocked when corporate scandals emanating from respected companies such as Enron and WorldCom hit the US. These examples of greed overriding good business sense made legislators take note of the ease with which shareholders could be duped and lose money, and they rushed new legislation, such as Sarbanes-Oxley (SOX), into effect to make it harder to hide irregularities.

SOX legislation not only makes it harder to cheat, it also holds company directors responsible when irregularities occur. And while local companies may feel they can ignore the law as it only applies to listed American companies reporting revenues of $75 million and above, they will find the tentacles of SOX and similar legislation springing up all over the world, including in SA.

In short, SOX holds executives directly responsible for the accuracy of their companies' financial statements. If problems are found, the penalties can reach $5 million in fines, a 20-year jail term, or both. The legislation also tries to limit conflicts of interest that would make financial analysts less than objective, and it leaves control of auditors to board audit committees, not CxOs.

So far there is little to concern non-US-listed companies. However, similar legislation is in place or on the way in other countries from Europe to Australia and can be expected in SA in due course. When this happens, companies are going to have to implement stringent internal controls to ensure they deliver as required.

Business records must be managed

Document retention, both electronic and physical, will become a crucial part of compliance, as SOX and other regulations will prescribe specific rules for managing business records, especially those that pertain to the auditing process. For example, the Act requires public accounting firms to retain audit records, and any information that supports their conclusions and reports, for a period of seven years. Wilful destruction of these records can result in prison terms.

E-mails so glibly fired off today will need to be stored in case they are needed in court cases tomorrow. Old contracts that have no more value to a business may have to be produced to settle complaints or queries, and fraud cases dating back years will require historical documentation to be produced on demand.

The example made of Merrill Lynch analyst Henry Blodget is a case in point. New York attorney-general Eliot Spitzer uncovered e-mails detailing how biased the analyst's research was. When the dust cleared, Merrill Lynch had agreed to pay a fine of $200 million and Blodget was fined $5 million and banned from Wall Street. (The actual case was broader than merely Blodget or Merrill Lynch.)

Every company must therefore determine what the characteristics of an appropriate, compliant records management programme will be. The following records management pillars are recommended best practices from the US's Iron Mountain for complying with the records management provisions of SOX.

1. Consistency: Most companies' records management programmes are fragmented, with each division or department focusing on its own requirements and processes. Digital and paper records are handled as separate entities with little integration between them. A legally credible management programme must be founded on a consistent design and implementation of records retention and destruction policies across media types, geography and business units.

2. Accountability: Records management is normally relegated to the back rooms of an organisation where archivists and librarians are accountable, to some degree, for managing the process. There is rarely any senior management involvement. This is a mistake, as regulations will demand a senior executive take control of the records management process and execution. This same executive will be accountable for failures in the system.

3. Adoption: Policy handbooks and the most carefully thought out records management programme are useless if senior management does not ensure the theory is translated into practice at all levels of the company. Employees generally do not understand the significance of records management, nor are they trained in basic procedures since information and tools are neither current nor readily available - or nobody bothers to read them. The programme must be adopted throughout the company, without exception.

4. Accessibility: A successful records and document management system must, as noted above, transcend departmental and divisional requirements and be applied across the company to enable it to deliver whatever information is required in reasonable time when requested. The optimal manner of accomplishing this is to develop a single, consolidated and easily accessible system for all records in all media, or at least a universal view of records archives containing various media formats.

SOX and related legislation should not be seen as a punitive measure. It is a set of principles designed to protect shareholders and employees. A side-effect of the regulations is that they assist in improving corporate governance and the availability of reliable information.

Companies adopting these principles will initially find it an onerous task to get their business processes aligned, but once this has been accomplished, the extended transparency and intelligence gatherable will feed directly to the bottom line.

Knowing the status of every aspect of one's business can only assist in better decision-making. Effective, monitored internal controls allow staff of all levels to avoid peripheral distractions and focus on their contribution to those issues core to the company's success - which is why they were employed in the first place.
