The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, which sets deadlines for compliance and publishes rules on requirements.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
The Sarbanes-Oxley Act was enacted in response to a series of high-profile financial scandals that occurred in the early 2000s at companies including Enron, WorldCom and Tyco that rattled investor confidence. The act, drafted by U.S. Congressmen Paul Sarbanes and Michael Oxley, was aimed at improving corporate governance and accountability. Now, all public companies must comply with SOX.
The Sarbanes-Oxley Act not only affects the financial side of corporations, but also IT departments charged with storing a corporation's electronic records. The act is not a set of business practices and does not specify how a business should store records; rather, it defines which records should be stored and for how long. SOX states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for noncompliance are fines, imprisonment or both.
IT departments are increasingly tasked with creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation. Section 802 of Sarbanes-Oxley contains the three rules that affect the management of electronic records. The first rule deals with the destruction, alteration or falsification of records, and the resulting penalties. The second rule defines the retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants. The third rule refers to the type of business records that need to be stored, including all business records and communications, including electronic communications.