Sarbanes-Oxley (SOX) legislation promises to be just the beginning of a series of compliance legislation programs that are already influencing database management for years to come. Databases are at the center of many of the compliance efforts with which publicly held companies are contending as the revised deadline approaches for Section 404 compliance, which has been extended to July 15, 2006. This article briefly defines implications for database administrators on how to survive a Sarbanes-Oxley audit.
Sarbanes-Oxley Is Redefining IT
By this point, all publicly held companies are well down the path to SOX compliance, as a direct result of the original Section 404 compliance deadlines being very tight. The SEC has since pushed out the deadlines for small company 404 compliance to July 15, 2006. Despite this legislation focusing on the disclosure of significant events by C-level executives, the majority of the work falls on database administrators and the IT staffs.
Four sections of Sarbanes-Oxley affect IT organizations:
- Section 302: Corporate Responsibility for Financial Reports. Requires that firms audit, verify, and take corrective action to make sure that their financial data has a high level of accuracy and transactions are ACID-compliant.
- Section 404: Management Assessment of Internal Controls. By far the most well-known of the sections in the SOX Act, section 404 calls for support for internal controls that are auditable by a third party. This section gets the most focus because it's pushed most often by accounting firms that sell auditing services. What's most interesting about Section 404 is the fact that liability for reporting accuracy also carries forward to outsourcers who are contracted to complete this work.
- Section 409: Real-Time Issuer Disclosures. This section defines how quickly a company has to report a material event to the public on a rapid and current basis. Many analyst firms say that the rule is 72 hours or less, and define a material event as any task that has a lasting financial impact on a firm. There's considerable debate about just what is and isn't a material event today—and the fact that synchronization between databases is at the heart of reporting material events throughout a company.
- Section 802: Criminal Penalties for Altering Documents. Focusing on the requirement of retaining records and defining policies for archiving data, this section has the hardest impact on IT, and what's most interesting about this specific area of the Act is that it's not prescriptive, just instructive. This is a major difference for any IT team working on SOX compliance—the Act itself doesn't tell you how to do this, but what level needs to be done.
Together, these sections are redefining IT budgets and strategies, and making a major market for outsourcing. Sarbanes-Oxley's pain is the outsourcer's gain.