Compliance Becomes a Top Concern
In the arena of corporate governance and compliance, the Sarbanes-Oxley Act (SOX) has commanded considerable attention and deservedly so. Developed in response to accounting scandals that rocked the corporate world, SOX is aimed at improving the transparency and accuracy of financial accounting and record keeping of U.S. publicly traded companies.
But SOX is just one of many federal mandates facing U.S. companies. In the healthcare industry, there's the Health Insurance Portability and Accountability Act (HIPAA). In the financial services industry, regulators are pushing toward T + 1 ("trade date plus one") settlement of securities transactions. And the energy sector has been targeted in recent legislation, with a number of new mandates from the Federal Energy Regulatory Commission, the Nuclear Regulatory Commission and the EPA.
Many organizations are now developing compliance strategies that will enable them to meet their statutory obligations while also minimizing the disruption of day-to-day operations and the impact on employees. Companies are also looking for ways to keep the costs of compliance to a minimum, and this is where technology has a role to play.
Organizations can use technology to meet compliance demands in a cost-effective way. Software products have emerged in several technology segments in response to emerging regulatory requirements.
The Fit between Compliance and Technology
Corporations have been put on notice: Government agencies and industry self-regulatory bodies have made clear that they will enforce the new regulations, and they have set strict deadlines for organizations to meet the requirements. Some deadlines have already passed, such as those for the HIPAA privacy safeguards (affecting all but the smallest health care providers) and for provisions of the Gramm-Leach-Bliley Act (affecting financial institutions); others are still to come.
The compliance deadline for Sarbanes-Oxley Section 404 has been extended to annual reports for fiscal years ending on or after June 15, 2004 (for larger, "accelerated" filers; smaller companies have longer). Some HIPAA deadlines applicable to small health-care providers go out as far as 2006. But failure to act within the timelines can mean hefty financial penalties as well as possible imprisonment. Failure to comply with HIPAA can cost up to $250,000 and 10 years in prison (ouch!). And the SOX penalties are even greater: up to $5 million or 20 years in prison for willfully certifying false financial statements. Similarly large fines have been imposed for not following regulations such as SEC Rule 17a-4, which governs the retention of broker-dealer records, including e-mail. The imperative is clear: comply, or else.
To avoid penalties, it is important to understand the specifics of each requirement. For example, SEC Rule 17a-4 states that broker-dealers who keep their records electronically must preserve them "exclusively in a non-rewriteable, non-erasable format" (the so-called WORM, or write-once-read-many, requirement). It almost goes without saying that these, like all other corporate records, should be retained only as long as the law and the company's retention schedule require, and then destroyed, unless a litigation or regulatory hold suspends destruction. The rule also requires, however, that broker-dealers be able to produce those records promptly in the event of an audit or regulatory investigation. This combination of requirements, immutable storage plus fast, indexed retrieval, places enormous demands on a financial institution that can only be met with specific technologies.
Other regulations, such as Sarbanes-Oxley Sections 404 and 409, go beyond retention: Section 404 requires management to assess the internal controls over financial reporting, and Section 409 requires rapid disclosure of material changes in a company's financial condition. Although some of the technology requirements overlap with those of records retention, these sections call for managing and monitoring the processes that produce the information, not just storing and retrieving it.
SOX requires U.S. publicly traded companies to establish and maintain internal controls over financial reporting, to assess them annually (Section 404(a)) and to have an outside auditor attest to that assessment (Section 404(b)); Section 103(a) sets the auditing standards that govern how auditors test those controls.
The Silver Lining
While organizations may regard the ever-growing (and ever-changing) list of regulatory requirements as a daunting challenge, there is a silver lining: Enterprise Content Management (ECM) and Business Process Management (BPM) solutions allow an organization's processes to be fully documented and accompanied by transaction audit trails, putting business managers in a better position to make decisions. BPM also documents the policies that state exactly what needs to be done as well as the procedures that specify how those policies should be implemented. Organizations can use this information to continuously improve their processes through a full life-cycle process management practice (along the lines of Six Sigma), which, in turn, helps maintain competitive advantage.
Another incremental benefit of implementing technologies for compliance is often improved support for litigation discovery. It’s not uncommon for companies to settle litigation out of court rather than defend against it because settling is likely to be less time-consuming, less resource-intensive and, therefore, less costly. But companies using ECM effectively can be more assured of being able to access information requested in a legal discovery process. ECM also provides an advantage for gathering information needed for audits or for ensuring business continuity in the event of fire, flood or other disasters.
Finally, the combination of organized content and enhanced and automated business processes provides improvements in operational efficiency by reducing manual processing and routing, reducing paper storage and providing faster access to key documents for customer service. These gains can bring not only millions of dollars in savings for large organizations, but also increased revenue through improved customer satisfaction and retention.
With deadlines for compliance fast approaching, organizations clearly need to take action now. Surprisingly, however, a recent poll by the Business Process Management Institute indicated that only 27 percent of those organizations polled are taking steps to comply with SOX, and only 11.5 percent are taking action to do something about HIPAA.
Here are some basic recommendations:
- Know your regulations. This includes both those related to public and private companies in general, and those that are specific to your industry.
- Develop your enterprise strategy and plan for compliance. Make sure your strategy encompasses both processes and content, since both are necessary to ensure compliance.
- Document your retention policies, procedures and schedules. This is important not only to prove to the regulatory bodies that you have them, but also to communicate these policies, procedures and schedules to your employees so they can follow them.
- Determine your specific requirements for a technology solution to enable you to implement your enterprise compliance plan and support your retention policies and your processes.
- Assess your current technology to determine if it meets your requirements and where gaps may exist.
- Research the additional technology needed and procure and implement it as required.
With risk reduction now a business requirement, it's likely that organizations that have not yet acted will find good reason to take another look at these technologies. Eventually, most laws will have test cases that provide further enlightenment by showing what the regulator considers a violation. The goal is to make sure that your company isn't the test case.
Are you in compliance? We can help.
Let DocQtek scan & digitize your documents. We will scan your records into formats that can be uploaded into your type of Business Application or just for safe storage and retrieval. Contact us at 800-790-5340 or visit us on the web at WWW.DocQtek.com.