ACP Thin Client Newsletter Article

The Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act was passed by Congress in response to scandals at Enron, WorldCom and other large corporations. If you really want to read all 66 pages of the act (frequently referred to as SOX), you can find it here:

Sarbanes-Oxley Act of 2002

If you simply want to find out what is probably important to you, read on.

The purpose of SOX

The act identifies its purpose in the first paragraph:

"To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."

At the 30,000-foot level it simply creates a committee to hold accounting firms to a high standard regarding the audits of public companies. But while directed at the accountants, by extension it touches all the publicly traded companies that they audit. It is the trickle-down part that has many concerned.

Because auditors are required to maintain "all audit or review work papers" for five years, expect companies to err on the side of caution. This is especially true considering the fact that now CFOs and CEOs are held personally accountable if they miss compliance deadlines.

Companies spent $5.8 billion meeting SOX requirements in 2005. Where did the money go? Most of it went toward complying with Section 404, which requires that companies "document, control, and secure business processes that directly and materially contribute to reported financial results." And nowadays this often includes e-mail.

Microsoft says that the Sarbanes-Oxley Act will “perhaps, have the single largest impact on the corporate world in the last 100 years.” The penalties for failing to keep up with documents can be fines of millions of dollars and extended jail terms.

But this is just for financial documents, isn't it?

It is a felony to "knowingly destroy or create documents to impede, obstruct or influence" any existing (or even contemplated) federal investigation. Philip Morris found out about this the hard way. A few years ago they were fined nearly $3 million for deleting e-mail after a judge ordered them to keep all documents that could potentially be relevant to a government lawsuit.

If the government suspects that you deleted that old e-mail or attachment to avoid producing incriminating correspondence, you could be in violation of the document-retention clause of SOX. Look at Section 1519:

"Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

But it gets worse...

Suppose any employee of a publicly traded company makes a sexual harassment report to the Human Resources department and the EOC. Once HR hears about the problem, it could easily be determined that they need to keep every document or e-mail that could possibly confirm a sexual discrimination bias. And if users have the ability to load games, animations, or photos onto their PC (and then onto the network) these have to be accounted for as well.

Imagine how impossible it will be to anticipate, with 100% accuracy, which material will be subpoenaed 5 years from now. And from the company's point of view (remember, the officers can be held personally accountable) there may be documents that an employee is holding with the intent of making a case against his boss. These office-related documents, kept on a PC and private from the employer, could be an ugly surprise at a trial.

But how does this relate to Thin Clients?

The centralization of desktop applications and data inherent in the Thin Client design makes it much easier to comply with the Sarbanes-Oxley Act. Additional security is provided because only screen updates and keystroke information pass between the Thin Client and server, with none of this data inadvertently stored on distributed PCs.

Without a doubt it is now irresponsible to allow remote offices or users to store corporate information on local servers or hard drives. Imagine the problems for a financial company that allows sensitive information to be stored on a contractor’s laptop when that laptop is stolen. If the contractor only had access to applications (and necessary programs) via Terminal Services, the theft becomes almost a non-event.

Thin Client technology, by definition, ensures that all communications, documents and work flows originate and are stored on central servers. Once these servers have been made secure and are regularly archived, management will always have copies of every stored document and can take whatever steps are necessary to index and retain the data.

Additionally, on a Thin Client network, failed hard drives do not affect the integrity of corporate data and rogue applications cannot be loaded without IT's permission.

So, which makes more sense - storing corporate information on individual hard drives of PCs and servers across the country, or centralizing all corporate information in corporate data centers where it is always backed up, managed, redundant and secure?


Humor from the SEC: I often have the feeling that many times the term "FAQ" is misused - that they are not the most common questions, just questions the author made up to make a point. I think there is no clearer example of this than what the SEC lists on its site as FAQs about SOX:

SOX "FAQ"

 


For more information on ACP and Thin Client management software, please visit our web site at http://www.thinmanager.com

For an archive of past newsletter articles, or to sign up for this monthly newsletter online, please visit our newsletter index at Past Articles

(c) Copyright 2007 Automation Control Products. All rights reserved. All product names contained herein are the trademarks of their respective holders.