Friday, 17 February 2012

Digital Content & SOX compliance

The Sarbanes–Oxley Act of 2002 was put in place by the US government to protect investors in public companies following a series of corporate and accounting scandals perpetrated in the late 1990s and early 2000s, including Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets.
Much has been written about these scandals, about SOX, and about what is now required of public companies and their stakeholders to secure society's confidence in the markets and keep corporate officers and employees out of jail. This piece concerns itself with a specific set of challenges relating to digital content used in a public company, or for that matter any company.

Section 404, 802 & Digital Content
Section 404 of the Act, “Assessment of Internal Controls”, and Section 802, “Criminal Penalties for Influencing US Agency Investigation”, are the key sections governing the effectiveness of the Act and the actions and processes public companies must take or put in place.

In particular, Section 404 is concerned with the prevention and detection of fraud and error and with the adequacy of the controls required. The integrity, authenticity and provenance of digital content (data, text, audio, video etc.) must be secured and be non-repudiable. Digital content is much easier to alter than paper-based content, so public companies must find cost-effective solutions to assure trust and confidence in their management and control of digital content. Section 404 focuses on content authenticity and integrity.

Section 802: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both”. This brings home the importance of being able to identify fraudulent or malicious changes, or even simple errors, in content that may form part of an audit or evidential chain and is required to establish trust and confidence in digital data and content. In addition to the authenticity and integrity focus of Section 404, Section 802 also brings attention to the history and flows of the digital content.

How can public companies identify and prevent fraud or error in their digital content cost effectively?

1. Identify and list the company’s digital assets (versions, timelines etc.)
2. Perform a risk analysis and identify the critical digital assets
3. Identify the critical digital content types and forms that must be protected and controlled through their life cycle.

Sample critical Digital Assets
· Contractual documentation
· Policy & procedure documents and records
· Intellectual property
· Trademarks and copyright
· Financial reports
· HR & employee records
· Performance management records
· Software applications
· Software logs
· Databases
· Recorded telephone conversations
· Recorded conference calls (audio/video)
· Images, photographs, videos

Identify and implement appropriate software controls, such as Digiprove, as the solution for protecting the digital content and assets identified above.

What are the core features that a simple software solution must have?

· Establish the authenticity and integrity of digital content on entry into the company’s digital world, whether it is created within that world or arrives from outside via electronic communications or a scanning solution. (This can be achieved by creating a unique digital fingerprint of the content together with metadata such as date, time, location and ownership.)
· Maintain full confidentiality of the digital content: it must not be sent outside the company’s own controlled digital world in order to be certified.
· Create an audit trail for the defined digital content and for any actions taken on that content.
· Be able to verify the provenance of any digital content once it has been certified, and to detect whether it has been tampered with.
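The four features above describe one well-known pattern: hash the content together with its metadata, keep the resulting fingerprints in an append-only, integrity-protected audit trail inside the company, and re-hash on demand to detect tampering. The following is an added illustration of that pattern in Python; it is not Digiprove’s code or a description of how their products work internally. The HMAC key, the sample report, its metadata and the timestamps are all constructed for the example, and the key is assumed to be kept in a company-controlled key store so that only digests, never content, would need to leave a workstation.

```python
import hashlib
import hmac
import json

HASH_LEN = 64  # hex length of a SHA-256 digest


def canonical(obj) -> bytes:
    """Serialise a dict deterministically so the same facts always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fingerprint(content: bytes, metadata: dict) -> str:
    """Bind the content bytes and their metadata (date, owner, location...) into one digest.

    The length prefix keeps the content/metadata boundary unambiguous, so moving
    bytes from one field into the other cannot produce the same digest.
    """
    h = hashlib.sha256()
    h.update(len(content).to_bytes(8, "big"))
    h.update(content)
    h.update(canonical(metadata))
    return h.hexdigest()


class AuditTrail:
    """Append-only log: every entry names its predecessor's MAC and carries its own HMAC.

    Editing or deleting an earlier entry breaks every MAC after it. The MAC key is
    assumed (for this example) to live in a company-controlled key store.
    """

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.entries = []

    def record(self, action: str, asset_id: str, fp: str, timestamp: str) -> dict:
        prev = self.entries[-1]["entry_mac"] if self.entries else "0" * HASH_LEN
        body = {"action": action, "asset_id": asset_id, "fingerprint": fp,
                "timestamp": timestamp, "prev": prev}
        mac = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, entry_mac=mac)
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Return (True, None) if the trail is intact, else (False, index of first bad entry)."""
        prev = "0" * HASH_LEN
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_mac"}
            expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
            if body["prev"] != prev or not hmac.compare_digest(expected, entry["entry_mac"]):
                return False, i
            prev = entry["entry_mac"]
        return True, None

    def latest_fingerprint(self, asset_id: str):
        """Most recent certified fingerprint for an asset, or None if never certified."""
        for entry in reversed(self.entries):
            if entry["asset_id"] == asset_id:
                return entry["fingerprint"]
        return None


def verify_asset(trail: AuditTrail, asset_id: str, content: bytes, metadata: dict) -> bool:
    """Check that the asset as presented now still matches its last certified fingerprint."""
    ok, _ = trail.verify_chain()          # an altered trail cannot vouch for anything
    if not ok:
        return False
    certified = trail.latest_fingerprint(asset_id)
    return certified is not None and hmac.compare_digest(certified, fingerprint(content, metadata))


def demo():
    """Constructed walk-through: certify a financial report, then check an original and an altered copy."""
    key = b"constructed-demo-key-keep-in-a-vault"   # constructed; not a real key
    report = b"FY2011 revenue: 1,000,000 USD"        # constructed sample content
    meta = {"owner": "finance", "created": "2012-02-17T09:00:00Z", "source": "scanner-01"}
    trail = AuditTrail(key)
    trail.record("certify", "report-fy2011", fingerprint(report, meta), meta["created"])
    trail.record("read", "report-fy2011", fingerprint(report, meta), "2012-02-18T10:30:00Z")
    intact = verify_asset(trail, "report-fy2011", report, meta)
    altered = verify_asset(trail, "report-fy2011", b"FY2011 revenue: 1,200,000 USD", meta)
    return intact, altered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two design points matter for the compliance argument: the fingerprint covers the metadata, so back-dating a document changes its digest just as editing the body does, and the trail is verified as a whole before any single fingerprint is trusted, so a removed or rewritten log line is reported rather than silently accepted.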

Digiprove products tick all the boxes:

Selfprotect – a simple SaaS online service for content and communications
Autoprotect – a simple background utility that automatically protects the identified files and folders
Completeprotect – includes digital log event certification and an audit trail along with autoprotected content (new product)
Signasure – enables and protects documents with all types of digital signatures (new product)
Brokerprove – a standalone solution for SME professional service providers
Embedprotect – a software developer’s kit that enables Digiprove technology to be quickly integrated into a company’s business applications
