Sarbanes-Oxley Messaging Compliance for Public Companies
The now infamous accounting scandals at major corporations such as Enron, Worldcom and Arthur Andersen triggered extensive revisions to electronic data management legislation around the world. With the implementation of the Sarbanes-Oxley Act (2002), business records must now be protected at all junctures to prevent document tampering and destruction. The SOX rules also serve to promote corporate accountability, especially when a company is involved in audits, investigations, litigation or other formal proceedings.
Global Relay's suite of hosted services ensures reliability and integrity of electronic records while providing economical and efficient use of company resources. Global Relay Archive, Compliance Reviewer, Message Converter and IM Interpreter are specifically engineered to provide a total compliance solution for public companies subject to Sarbanes-Oxley.
Global Relay Archive, Global Relay's message archiving and compliance system, captures and archives an authentic and complete record of all electronic business communications in a secure but easily accessible offsite storage system. Compliance features include:
- Message Capture of email, attachments, IM & Bloomberg®
- Archives messages for a 7-year term (or as defined by deletion policies)
- Access includes web-based instant access for all employees to their messages
- Tamperproof protection of data on dedicated WORM (Write Once, Read Many) drives
- Offsite, mirrored, single instance storage in East/West Coast Data Centers
- Indexes & serializes messages, Bcc & Distribution Lists, metadata & audit trails
- Search & retrieval of any message in seconds using Google-like search engine
- Security & encryption of systems, networks & messages
- Migration of legacy data (.pst files, backup tapes) to archive
- Retention Term flexibility for Litigation Holds & SEC investigations
How does Global Relay Archive work? All email, attachments, Instant Messaging (AOL, MSN, Yahoo, GoogleTalk, etc.), Bloomberg, Thomson Reuters, BlackBerry, Social Media, etc. are securely captured and centrally unified with imported legacy email and .pst files in Global Relay Archive for rapid online search, retrieval & monitoring. With secure web-based access and real-time indexing powered by search engine technology, every employee and Compliance Officer has the ability to find any current or historical message in seconds.
Internal Controls & Supervision
The Compliance Reviewer, Global Relay's monitoring system, provides organizations with a turn-key, flexible, online supervisory system with advanced monitoring, filtering and eDiscovery features enabling enforcement of your firm's email & IM policies for compliance, proper usage and corporate governance. Compliance features include:
- Scan & Monitor email, attachments, IM & Bloomberg from Global Relay Archive
- Content Filtering with company-defined rules to identify prohibited content
- Advanced Analysis with Boolean logic, criteria lists, proximities & action alerts
- Random Sampling of each rep's messages customized by percentage & user
- Keyword Search results are highlighted within the message for quick discovery
- Full Review of messages & attachments, or bulk review of headers only
- Reviewer approval, rejection, escalation based on action icons & defined notes
- Multi-tiered Review structure for review escalation to Super Reviewers
- Wizard Commands for pre-defined, single-click compliance using folders, flags, priorities & labels
- Access Rights of authorized Reviewers governed by customized security rules
- Notifications of compliance violations by email or IM
- Audit Trail with detailed time history of reviews and related actions taken
- Web-based Control Center to modify surveillance & monitoring procedures
- Exclude Words, phrases or email accounts (e.g. disclaimers, attorney-client privileged mail, newsletters) from Flagging Rules
How does the Compliance Reviewer work? Using powerful search engines, the Compliance Reviewer is able to retrieve your firm's messages from Global Relay Archive and apply easy-to-use, company-defined filters and Wizard Commands for efficient review and monitoring of all archived email, IM, and Bloomberg messages. Messages of any user are analyzed on import and flagged for review if violations are detected as follows:
- real time filtering for keyword or phrase violations (start-up list provided)
- specific query using flexible search criteria
- advanced rule-based keyword & phrase proximity analysis
- random sampling (by User, User Group, or firm-wide, using percentages).
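The flagging logic described above (keyword rules, proximity rules, exclusion of standard disclaimers, and random sampling by percentage) as an added illustration in Python; this is not Global Relay's code, and the rule lists, message records and function names are assumptions constructed for the example:

```python
import random
import re

# Constructed sample messages (not real customer data).
MESSAGES = [
    {"id": 1, "user": "alice", "body": "Please keep this off the books until the audit ends."},
    {"id": 2, "user": "bob", "body": "Quarterly numbers attached. This email may contain confidential information."},
    {"id": 3, "user": "carol", "body": "Lunch at noon?"},
    {"id": 4, "user": "dave", "body": "Can we shred the old work papers before the investigation starts?"},
]

# Company-defined rules (assumed start-up list): single phrases, and term pairs
# that are a violation only when they occur within N words of each other.
KEYWORDS = ["off the books", "shred", "confidential"]
PROXIMITY_RULES = [("shred", "work papers", 4), ("delete", "investigation", 6)]
# Phrases excluded from flagging, e.g. the firm's standard email disclaimer.
EXCLUDE_PHRASES = ["this email may contain confidential information"]

def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def strip_exclusions(text):
    lowered = text.lower()
    for phrase in EXCLUDE_PHRASES:
        lowered = lowered.replace(phrase, " ")
    return lowered

def positions(tokens, phrase):
    """Token indexes at which the (possibly multi-word) phrase starts."""
    words = phrase.split()
    return [i for i in range(len(tokens) - len(words) + 1) if tokens[i:i + len(words)] == words]

def proximity_hit(tokens, a, b, window):
    return any(abs(i - j) <= window for i in positions(tokens, a) for j in positions(tokens, b))

def flag_reasons(message):
    """Reasons a message would be routed to a Reviewer, empty if none."""
    tokens = tokenize(strip_exclusions(message["body"]))
    reasons = [f"keyword:{kw}" for kw in KEYWORDS if positions(tokens, kw)]
    reasons += [f"proximity:{a}~{b}" for a, b, w in PROXIMITY_RULES if proximity_hit(tokens, a, b, w)]
    return reasons

def review_queue(messages, sample_pct, seed=0):
    """Flag rule violations, then add a reproducible random sample of the clean messages."""
    rng = random.Random(seed)  # seeded so the sample is auditable later
    queue = {}
    for m in messages:
        reasons = flag_reasons(m)
        if reasons:
            queue[m["id"]] = reasons
        elif rng.random() * 100 < sample_pct:
            queue[m["id"]] = ["random-sample"]
    return queue
```

Message 2 contains the word "confidential" only inside the excluded disclaimer, so it is not flagged; message 4 trips both the keyword rule and the proximity rule.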
Global Relay Archive & Compliance Reviewer Audit Tools are designed to facilitate efficient responses to regulatory audits and evidentiary requests. Global Relay has successfully assisted hundreds of companies and SOX-regulated firms during their audits and regulatory investigations. Currently, Global Relay participates in approximately 3 to 6 customer audits/subpoenas per week.
- Search & retrieval of any message in seconds using Google-like search engine
- Audit Request response within minutes using online search and eDiscovery tools
- Statistics & reporting on Compliance Officer reviews & related actions taken
- Retention Term flexibility for Litigation Holds & anticipated SOX investigations
- Legal Compliance in-house specialists to assist during audits
- Case Management via folder system with shared folders (e.g. external attorney review)
How do Global Relay's Audit Tools assist with an Audit? Global Relay provides flexible and efficient methods to produce records according to the specific criteria of the audit request. Messages are made readily available for examination either by:
Online review of messages via an "auditor account" in Global Relay Archive
- create online search parameters based on Audit request
- restrict access to the exact scope of the audit (by date, user, subject etc.)
- assign Auditors temporary online review privileges
- block attorney-client privileged, personal or restricted messages
- generate an automatic audit trail of the Auditor's review (i.e., audit the Auditor!)
- side benefit: the data is no longer in the Auditor's possession once the audit is complete
Compilation of data for delivery to Regulators
- fast discovery, consolidation and organization of data for export & delivery
- compile requested information on regulator-qualified media such as DVD or CD
Frequently Asked Questions
- What are the Archiving & Compliance Requirements?
Audit & Quality Control:
- Section 103 requires that all audit work papers and other information related to an audit report be maintained for at least 7 years in sufficient detail to verify the conclusions reached in the audit report.
Production of Data:
- Section 105(b) requires the production of all audit-related information to verify the accuracy of any documents or information supplied.
- Section 302 requires that senior management of publicly traded companies personally attest to the accuracy of financial results.
Internal Supervision Controls:
- Section 404 provides that management is responsible for the implementation and maintenance of internal controls for the purposes of financial reporting.
- Section 802(a) establishes penalties for the intentional alteration, destruction or mutilation of records or documents in order to impede an investigation.
Retention of Information:
- Section 802 requires all audit-related information to be retained by an auditor for a period of not less than 7 years. This includes work papers, memoranda, correspondence, communications, and electronic records (including email and IM).
- What is the significance of Sarbanes-Oxley (2002)?
Sarbanes-Oxley requires that all publicly traded companies implement reliable records management practices, including the ability to efficiently retain and retrieve data. These requirements aim to protect investors from misrepresentation of financial data and fraud, and to prevent record tampering by improving the accountability, transparency and disclosure of information of public companies and their auditors.
- Who must comply?
Generally, these rules are applicable to all publicly traded companies under the SEC's jurisdiction. However, Sarbanes-Oxley has created a corporate governance benchmark for all businesses to establish and adhere to systematic records management, including email retention policies and practices.
- What are the repercussions of non-compliance?
The financial consequences of non-compliance are real, and increasingly severe. Recent high profile judgments include:
- $1.45 billion judgment against Morgan Stanley for being unable to produce reliable emails in the course of fraud litigation
- $2.5 million fine against Merrill Lynch for failing to promptly produce e-mails over a period of 17 months
In addition, depending on the violation, non-compliance can be punished by a fine and/or a period of detention:
Failure to maintain audit or review "work papers" for at least five years:
- Fine and/or up to 5 years imprisonment.
The "reckless" violation of certification of the company's financial statements by a CEO or CFO:
- Fine and/or up to 10 years imprisonment.
The deliberate destruction, alteration or concealment of records or documents for use in an official proceeding:
- Fine and/or up to 20 years imprisonment.
- Where can this Legislation be found?
Performing comprehensive due diligence on Software-as-a-Service vendors is a responsibility and a best practice for all Public Companies.
Global Relay can assist with the due diligence process. Global Relay's internal controls are verified by KPMG in a document entitled, "KPMG Report on Global Relay's Business, Operational & Security Controls". The report provides assurances and transparency into the high standards of Global Relay's internal controls, and how these truly differentiate Global Relay.
Specifically, the KPMG Report provides unique and extensive validation of Global Relay's security, business and operational controls related to:
- Physical Security - Safeguards governing data protection and data center controls.
- Change Management - Frameworks for guiding software development releases, operations and change control.
- Network Security & Availability - System architecture, redundancy, access and security.
- Message Archiver & Compliance Reviewer - Inbound message processing, secure storage, data center replication and end-user access.
- Data Import, Extraction & Destruction - Policies, procedures and methodologies for securely handling customer data.
- Security Policies & Standards - Policies & standards governing privacy and confidentiality.
- Personnel Policies & Procedures - Employee life-cycle management.
To learn more about this report and how Global Relay can assist your company with due diligence, contact us today.