Sarbanes-Oxley one year later: the Sarbanes-Oxley Act has had a far-reaching impact on global business, yet there are still more questions than answers.

• Author: Montana, John
• Position: Capital edge: legislastive & regulatory update

When passed, the Sarbanes-Oxley Act of 2002 was heralded as a solution to a wide range of perceived corporate abuses. When fully implemented, it probably will be such a solution, at least in part--the standards of conduct and disclosure it mandates and seeks to enforce undoubtedly will eliminate many past problems. From a records and information management (RIM) perspective, however, things are a bit different.

A year after its passage, Sarbanes-Oxley continues to provide more questions than answers for those seeking guidance on compliance issues for their records and information programs. This situation persists because Sarbanes-Oxley's fundamental emphasis and implementing regulations focus primarily on procedural requirements, certifications, and required disclosures as the tools through which to gain compliance, rather than on required recordkeeping and paper trails.

Make no mistake--the former are powerful tools. The Act's financial statements certification requirement, for example, provides a strong incentive for those executives who must sign to ensure that the statements are correct. In similar manner, Sarbanes-Oxley's Corporate and Criminal Fraud Accountability Act of 2002 provisions, which mandate criminal penalties for improper document destruction, will make midnight shredding runs a far riskier proposition for those who seek to cover up evidence of wrongdoing.

The reality is, however, that although Sarbanes-Oxley is fundamentally about records and information--its whole purpose could be characterized as ensuring that corporate accounting records are accurate and complete, and fully disclosed--it doesn't actually say much about records. The certification of financial statements is a good example: If the certification turns out to be false, the certifying executives certainly will find their necks on the line. In view of this consequence, it would be nice for executives to know what constitutes adequate due diligence and what documentation of due diligence they ought to create.

No such guidance is forthcoming, however. CEOs are on their own as to what ought to be done. Should certifications make it to court, as surely they eventually will, the issue of just what the CEO reviewed will come up, as will the paper trail the CEO used to document that review.

Other provisions give rise to similar issues. Criminal liability is mandated for improper shredding, but no light is shed on what constitutes a Sarbanes-Oxley-compliant records...