Complexity of language aside, Sarbox has wide-ranging implications that span the breadth of the high-tech industry. It has become increasingly important to know which portions of the law apply to your organization, and to the organizations that you do business with.
HIPAA, GLBA, ISO 17799... In addition to Sarbox, the sheer number and diversity of industry regulations make corporate compliance a challenging combination of company policy, necessary technology, and the ability to implement them both. What appears in nearly all government and industry regulations is the requirement for a comprehensive incident response process, and the technology needed to support it.
There are two critical sides of the equation to consider: that of the corporation, and that of their client. From a corporate perspective, getting a handle on all of the new legislation is not an easy task. An untold number of vendors are touting their ability to sell you magic software that answers all of your compliance needs. One silver band-aid to mend all of your untoward ways! Unfortunately, it doesn't work that way and in this careful economy, spending money on every new "issue" isn't looked upon kindly by the CFO. So how do you know which product is right for your organization? Do you really need a product? How about policies? Are the policies you currently have in place enough to call them compliant?
Those questions lead to more questions, such as, what are companies doing about compliance? What should they be doing? Is there a "minimum level of compliance"? Should corporations be as fearful as the 'compliance camp' is telling us we should be? The questions are endless.
I decided to consult the oracle of all things, the industry expert that is not me. In this case I turned to Victor Limongelli, General Counsel for Guidance Software in Pasadena, California. Victor spoke to me about what he sees happening in the industry from implementation to compliance enforcement. The changes are real, as is the seriousness of failing to comply.
"A company could have terrible internal controls and zero ability to conduct internal investigations, but if at the end of the day they've had no fraud, then they've had no losses. It'd be less likely that the SEC would go after them than the companies that have had fraud occur that the SEC was able to uncover. However, no one really knows what the level of enforcement will be, as most of the provisions of Sarbanes-Oxley haven't come into effect yet. The 404 provisions relating to internal controls go into effect later this year for U.S. companies and next year for smaller and foreign issuers."
"I believe that the SEC will be focused on going after the high-level executives, and you see that currently with the type of prosecution against Kozlowski of Tyco, and Kenneth Lay of Enron. The SEC is very focused on the heavy-hitters. Sarbox certainly reflects that with the requirement that the CEOs and the CFOs evaluate and attest to the company's internal controls," explains Victor.
Could it be construed then, that worrying about compliance isn't something one should be doing? It begs the question of complacence. How can any organization be sure that it won't experience some type of fraudulent action that requires an investigation? To put it simply, they can't.