Strategies for RIM Program compliance with Sarbanes-Oxley: the goal of any publicly traded company, or any other organization that, for whatever reason, views itself as subject to a similar requirement, should be to become compliant with Sarbanes-Oxley.

Author: Montana, John C.

In its broadest sense, Sarbanes-Oxley compliant means that the organization's accounting practices and accounting system are transparent; that its external financial audits are conducted completely and openly and with arm's length between the auditor and the client; and that its financial statements and audit reports fully and accurately state the company's financial position. The goal of the information management program should be to create the processes, procedures, and records necessary to demonstrate compliance with this standard and to repudiate allegations of misfeasance or malfeasance. If this goal is achieved, the information management question then becomes an evidentiary one---how does one go about documenting the processes that have been created? Because the Act does not explicitly direct any records management activities on the part of publicly held companies, the corporate records manager cannot simply follow a statutory recipe for information management compliance. Instead, he or she must work backward from the demanded outcomes to develop suitable procedure and practice.

The Act mandates a number of outcomes that demand carefully crafted and rigorously enforced records and information management procedures and practices. These include procedures and practices for documenting internal business and compliance processes, and procedures and practices for dealing with investigations or other situations where document production constitutes a part of the compliance mix.

The following factors are likely to be important in ensuring Sarbanes-Oxley compliance--certainly gross inadequacy in these areas is likely to lead to problems. They are also factors that may be of interest when conducting a records and information audit, in that any such inadequacies should be identified and corrected. Within each of these broad issues are necessarily subsumed many sub-issues; for example, within the overall issue of developing or complying with a records retention program are many sub-issues relating to the sufficiency of that program. Those sub-issues are necessarily program- and organization-specific and are thus beyond the scope of this document. Nonetheless, the corporate records manager should carefully consider them when contemplating each of the following strategies.

Strategy One: Set up, Maintain, and Ensure Compliance with a Corporate Records Retention Program

In at least two places, (1) the Act imposes severe penalties on parties who impede investigations and law enforcement through improper destruction of records.

In light of recent events, these penalty provisions must be taken seriously. Imposing these penalties does not mean, however, that permanent suspension of a records retention program is either desirable or necessary.

Although the Act offers the potential for very harsh penalties for wrongdoers, those penalties, like most penalties, are subject to limitations of various kinds. Thus, although the Act requires public accountants to maintain audits and audit work papers, authorizes investigations and other proceedings, and permits penalties, the records retention requirements are limited to five (2) and seven (3) years. Causes of action created or altered by the Act are subject to their own limitations periods, (4) or they are governed by pre-existing limitations periods. Thus, as is generally the case, a careful analysis of the risk and compliance envelope permits development of a records retention policy that conforms both to the letter and spirit of the Act, yet still permits the routine disposition of older records whose utility has expired.

Strategy Two: Review the Retention Schedule

Periodic review of an organization's records retention schedule is an accepted part of a well-run RIM program. The Act, and the legal climate surrounding its enactment and enforcement, only add to this imperative. For any organization with periodic review of the schedule built into its program, reviews should henceforth be conducted with the Act and the records management principles arising out of it in mind. The records retention schedule review includes review and, as needed, revision of all factors set forth in this section: retention periods, records series, nomenclature, indexing and structure, and overall compliance. For organizations that do not periodically review retention schedules or that do not have a formal records retention program in place, the Act should give new impetus to the acquisition of a program and to its regular review. In the event of allegations of wrongdoing, the records retention program will undoubtedly receive very close scrutiny--the resources expended to ensure that it is sound and legally sufficient will be well spent. In contrast, for any organization undergoing Sarbanes-Oxley-related scrutiny, ad hoc destruction of records in the absence of a formal program, no matter how innocent...
