Public Company Accounting Reform and Investor Protection Act

Compliance Journal





A Storage Management Perspective on Sarbanes Oxley

Compliance Is Not Only the Right Thing to Do, It's Good for You Too

Storage and Section 404
Why the emphasis on process? This past November, Section 404 of the Sarbanes-Oxley Act went into effect. Among other things, it requires a company to file an internal control statement with its annual report that includes "an assessment, as of the end of the most recent fiscal year ... of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." Essentially, the government is demanding not just that the data be retained, but that companies provide evidence that they are managing and protecting this information in a way that ensures compliance - i.e., show us some proof!

While the primary IT-specific impact of Section 404 falls on the groups responsible for financial applications, the IT infrastructure, particularly storage and data protection, is also feeling the effect. At a minimum, storage groups must identify and document their processes and establish reporting capabilities that demonstrate that storage management policies and processes are in compliance. From a regulatory perspective, storage-specific activities fall under the category of "general controls": activities that support applications and ensure that systems are reliable and data is protected.

What aspects of storage management must be considered and what needs to be done? Specific areas include:

  • Data protection, including data security and the management of backup/restore operations
  • Data availability, including policies governing access to and retrievability of data, both current and archived
  • Data recovery, including the ability to recover data in the event of a disaster

Activities in each of these areas include:

  • Ensuring that policies exist, are documented, and are approved by legal and compliance
  • Validating processes against those policies to ensure that they support them, that they are documented, and that they are followed
  • Putting reporting processes and tools in place that provide evidence of compliance
  • Establishing a validation process that tests the controls and the accuracy of the reported information

Next: The Upside of SOX...


Jim Damoulakis is CTO of GlassHouse Technologies, the leading independent provider of storage services.
