Document Management or Enterprise Information Management is perhaps one of the most important of the enterprise solutions that will provide a solution to the various requirements of SOX. Several sections of SOX have a direct bearing on the manner in which the digital documents/records of the enterprise are created, reviewed, approved, stored, retrieved, transferred, and destroyed.

Knowledge Management: Document & Records Management

Estimates have been made calculating that a significantly large proportion (some say, more than 70%) of the documents owned by an enterprise are in digital format and might never be seen in hardcopy.

According to Gartner's Editor in Chief James Lundy: Records management will become a top 10 issue for many CIOs in the coming year.

In the following, we will discuss the various sections of SOX that a document management solution might help in complying with.

SOX Sections:

Section 302: According to Section 302, the CEO and CFO have to personally certify the financial statements and disclosures made by the company on authenticity and accuracy. This requires a system in place that will make the CEO and the CFO confident that all the disclosures that the company makes are accurate and authentic. This can be done in two ways:

One is to trickle-down the responsibility of the CEO and the CFO to the lower management levels and in response bubble-up the sign-offs from the lower management levels on all documents that are inputs to the company filings.

Second is to design comprehensive business processes that produce the company filings. The business processes will be designed in a very rigorous manner to comply with all the provisions, and proper implementation and training of all the personnel related to the business processes will be carried out and tested on a periodic basis. Further, the business processes themselves will be open to stringent internal audits that will be carried out from time to time.

One, or a combination of both these practices will go a long way towards ensuring proper compliance.

For both these options it is clear that a strong enterprise-wide document management system will provide the foundation on which the compliance will actually be carried out. In the first case, the sign-offs can be configured using a workflow module of the document management system. In the second case, the business process itself will be configured in the document management system and all the relevant supporting or input documents too will be part of the DMS and appropriate subordination and linking will be done between the official company filings and all the input documents to it.

As proof of the records supporting the final company financials--as filed or reported--it is important to archive all the emails, excel sheets, instant messages or other communications and documents that were exchanged which led to a final certified filing by the CEO and CFO. This will safeguard the CxO's claim that all the financial reports are true to their knowledge and due diligence was carried out before certifying the reports.

Section 404: The CEO and CFO need to provide a report assessing and certifying that the "internal controls" have been assessed and are working fine or that there are weaknesses and appropriate action is being taken. Complying with this requirement is one of the most difficult parts of SOX and requires a whole slew of people, processes and technologies. However, DMS has an important role to play in this.

All the emails and attached documents in the chronological sequence will need to be archived for the purpose of proving that the internal controls are appropriate. Ideally, a workflow module will provide added assurance that the internal controls are implemented.

Section 103: requires storing the documents for a period of 7 years for audit companies. The company being audited would naturally want to replicate the documentation to guard against any discrepancy or miscommunication or mismanagement. Also another part of the act requires

Section 409: requires near-real-time reporting of all material events--whether internal or external--to the investors and the regulatory bodies. This can be accomplished by using a single enterprise-wide document management system with appropriate "alerts" and notifications and workflow configured according to the design of the compliance-based business processes. This system would make sure that all relevant information is immediately relayed to the top management (CEO and CFO) and the compliance committee and advisors with minimum delays and latency. DMS provides appropriate capabilities to the compliance advisors to provide a recommendation (within the stipulated time frame) linked to each alert and escalate the reports to the CxOs with the appropriate recommendations. The CxOs can then decide whether it merits disclosure under the compliance act based on recommendations of their Compliance Committee or Advisors.

Section 802: provides for criminal penalties for knowingly altering, destroying, concealing and other activities, such as introducing false records, related to impeding or influencing an ongoing or potentially upcoming investigation by a federal agency. This would call for holding all documents in a secure system where absolutely no one in the company can alter them once they are finalized. Also this calls for a formal document retention and destruction policy which is strictly adhered to (in fact, can be proven to be adhered to) and which involves making sure that no document which any investigating agency would require is being destroyed or deleted. Further, the act requires that as soon as the company comes to know about a potential investigation all documents pertaining or somehow germane to that investigation are immediately ordered indestructible or unalterable by anyone--including the CxOs of the company. This makes it important to have a feature related to creating and accepting "alerts" from the legal department of the company about any ongoing or upcoming potential investigations and as a consequence immediate information "vaulting" of all related documents. This feature will ensure compliance with this particular section and save a potential prison term and a large monetary fine and of course loss of credibility.

This section has a strong bearing on a records or document management policy of a company. The company should develop a proper document management policy and adhere to it in a timely and rigorous manner. If this is not done, the company is exposed to severe costs and damage in terms of providing documents to hostile parties in "pre-trial discovery"--the legal process of providing all relevant documents to the opposing party in a legal suit. It also exposes the company to accusations of hiding or destroying relevant documents--if done at a later stage--even before any legal proceedings are begun against the company--a la Arthur Andersen's Enron-related documents.

Document Management systems provide several benefits to the company. Since an IT system is a business process frozen in a particular software and hardware implementation, it proves that the particular business process is being consciously and diligently adhered to. In the worst case, this proves that the compliance is being followed in spirit. Now whether the compliance is being followed in form can be found out from the results of the particular system and also from the audits of it at various stages of the business process. The capability to follow an audit trail on all documents created or processed through it is extremely useful in executing compliance activities and also in proving compliance at a later stage. The capability to create workflows automatically creates auditable process paths.

The DMS also makes it possible to access any documents at any point of time with relative ease. It also acts as a centralized repository of documents (both structured and unstructured). All publicly disclosed documents can be locked in the final form as images and cannot be tampered with later on. These can be stored and deleted according to the schedules of various regulatory and compliance Acts of the Government.

Documents and information which are supposed to be for limited consumption at the top management level can also be strictly screened and internal controls on these can be enforced rigorously. At the appropriate time the documents can be "published".

Whistleblower: For this section of the act, it is important that a document management system is provided to log all whistleblower communication--absolutely securely where no unauthorized personnel may be able to access it--and store all communications.

An indirect requirement for Document Management Systems in the enterprise is for the purpose of storing the documents related to enterprise compliance policies, their updates, amendments, the internal control policies of the company and other documents of a similar nature that help in proving the compliance process at the enterprise.

The company needs to make policies about the following aspects of documents:

- Creation
- Approvals
- Publishing
- Retention
- Access
- Distribution
- Lifecycle

This policy will help in implementing the contradictory requirements of document retention for compliance purposes and document deletion for reducing the cost of document retention and improving operational efficiency.

The initial step is to define the document retention policy. The second step is to survey the existing document management systems in place in the enterprise and the third step is to create a proper document management system.

- Have a centralized repository of documents.
- Have a structured and hierarchical architecture.
- Have security & access control.

*A Report Distribution System or Document Management & Workflow System will disburse this to the CEO and the CFO within the prescribed time-frame and allow them enough time to make their own final judgments about the situation.

Finally, a Public Information Distribution System should exist to quickly disburse this information--if judged important by the CEO & the CFO--to the investors & other stakeholders or relevant authorities prescribed by SOX.

Author: Dr. Vikas V. Gupta.