EuroSOX – Time for a new approach to compliance

By Jürgen Obermann, CEO of GFT inboxx GmbH

The 5th September 2008 marked the deadline for European organisations to transpose two new directives – the Statutory Audit Directive and the Company Reporting Directive – into domestic law. Commonly referred to as EuroSOX, this latest initiative is the European Commission's eighth guideline for the protection of shareholders, brought in with the aim of ensuring the reliability of annual accounts and consolidated financial accounts of companies, in the wake of recent high profile corporate fraud cases, such as the Parmalat scandal.

Despite the publicity around the introduction of EuroSOX proclaiming the drastic requirements expected of IT, the EU guidelines say surprisingly little about the concrete IT requirements organisations must meet to become compliant. This suggests that the current hype regarding 'EuroSOX compliance in IT' has been somewhat exaggerated. After all, companies operating globally have already had to abide by the International Financial Reporting Standards (IFRS) or the United States Generally Accepted Accounting Principles (US-GAAP) if they wish to adhere to international legal regulations.

The impact on IT
Aside from the obvious changes necessary in IT, EuroSOX will additionally lead to some indirect IT requirements. These ultimately derive from the requirements that qualified auditors have to meet, but they are mainly general requirements regarding the quality of systems, processes and data management, of the kind that have already been prescribed for years – e.g. in accordance with Basel II.

In implementing EuroSOX, companies should not regard it as just another compliance regulation to be abided by, but rather as an advantageous tool that can be used to encourage greater business transparency.

Best practice approach to EuroSOX
As far as EuroSOX and other compliance rulings are concerned, IT departments should not try to interpret individual regulations and laws such as EuroSOX, Basel II etc., but should instead concentrate on a holistic approach. This is borne out by recent research commissioned by GFT inboxx, which found that 94% of IT managers in Europe have insufficient knowledge of the legal requirements regarding the archiving of e-mails.

IT departments must concentrate on their core tasks. They are not in a position to tackle the legal details of individual laws. This is a job for legally trained and specially qualified expert staff. By concentrating on the combined, generic requirements of all compliance guidelines, IT departments can tackle the issues at a higher level.

The requirements that should be met by an IT department can be roughly divided into three basic tasks, though these are not mutually exclusive:

1. Generic best practice data management and data handling – making sure that a consistent approach is taken across the board.

2. Long-term safeguarding and processing of all information. Preparation for possible disturbances (disaster recovery), secure long-term archiving of all information and ensuring access at all times within the parameters of storage times are of the utmost importance in this context.

3. Transparency, which is above all facilitated by the creation of powerful search functions and analytical methods covering all information in the company.

The first task is very much open to interpretation and is broad in nature; in case of doubt, any weak points that come to light as a result of audits and inspections can be resolved under this heading. Items two and three, however, are clear and not open to interpretation. An email document either exists or it doesn't. A powerful overall search is either possible or impossible. Inspections will therefore concentrate on these points, so in the short term there is a need for action from the IT department in this respect.

Recommendations for IT departments

1. Do not tackle individual legal regulations such as EuroSOX – leave the interpretation to the specialist departments.

2. Don't take a siloed approach. Instead, concentrate on implementing the common requirements of all compliance guidelines:
   a. Transparency of IT processes;
   b. Audit-proof long-term archiving and planning for disaster recovery;
   c. Creation of an overall search and analysis platform to facilitate e-Discovery.

3. In the short term, focus on (b) and (c). They are rigorous requirements that cannot be avoided.

4. Use this as an opportunity to create a business case for other IT projects.

GFT inboxx is exhibiting at Storage Expo 2008, the UK's definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15 - 16 October 2008.

Source: StoragePR