The Sarbanes–Oxley Act of 2002 was put in place by the US government to protect investors in public companies following a series of corporate and accounting scandals perpetrated in the late 90’s and early 00’s which included Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets.
Much has been written about these scandals and also SOX and what is now required of Public Companies and their stakeholders to secure societies confidence in the Markets and keep corporate officers and employees out of jail. This piece concerns itself with a specific set of challenges relating to HR Digital Content used in a public company or for that matter any company, and the role of HR in ensuring best practice for digital content relating to the management of the primary asset of the company “It’s staff”
Section 404, 301,806 & Digital Content
Section 404 of the Act “Assessment of Internal Controls”
In particular section 404 is concerned with the protection of corporate assets. HR in the context of the overall goals of SOX “To protect investors in public companies” contribute to internal controls relating to people that could create significant financial risk for the organisation including employment law litigation and fraud. Employment contract clauses such as non-disclosure, non-solicit, non-compete, IPR & confidential information protection and performance standards are all critical as are the HR processes to control and manage any exposure. Training is another area of importance such as specific job skills, health & safety, and legal obligations the integrity of the training and training records are also central to avoiding potential litigation whether it be commercial, employment law or product/professional indemnity financial exposures. Add to this that rules and policies relating to procurement, expense reporting and commissions all create potential fraud opportunities then we can see HR their processes and digital content make a significant contribution to SOX compliance.
Section 301 & 806: are also key sections where HR digital content is fundamental to compliance and in fact may produce important digital evidence for internal or external scrutiny. The sections refer to the “Whistle-blower” requirements which are usually managed by HR. Creating a trusted Whistle-blower process with integrity may involve digital content of many types including databases, documents, audio and video records. HR must ensure that the process is fair and transparent, it protects the rights of all parties and that there is avoidance of retaliation litigation risk. Not only that but once whistle-blower reports an incident everything in the system becomes potential evidence so as ediscovery finds this evidence the digital forensic chain must be secured.
How can HR in public companies identify and prevent litigation & financial risk?
1. Identify & List the company’s HR digital assets (versions, time lines etc.)
2. Perform a Risk analysis and identify those critical digital assets
3. Identify those critical digital content types and forms that must be protected and controlled through their life cycle.
4. Ensure that whistle-blowers procedures are digital and evidential friendly
5. Put in place adequate digital evident and asset authenticity and integrity controls
Identify& implement appropriate software controls as a solution to the digital content/asset protection such as Digiprove.
What are the core features that a simple software solution must have?
· Establish the authenticity and integrity of digital content on entry into the company’s HR digital world whether created within that world or entering externally whether it be via an electronic communications or scanned solution. (This can be achieved by creating a unique digital fingerprint of the content and meta data such as date, time, location, ownership)
· Maintain full confidentiality of this HR digital content in that it does not get sent externally outside the companies own controlled digital world to be certified.
· Create an audit trail for the defined HR digital content and any actions taken on that content.
· Be able to verify the provenance of any HR digital content once it has been certified and verify if it has been tampered with.
Digiprove products tick all the boxes:
Selfprotect – a simple SaaS on-line service for content and communications
Autoprotect – a simple background utility that automatically protects the identified files and folders.
Completeprotect – includes digital log event certification and audit trail along with autoprotected content. (New Product)
Signasure – enables and protects documents with all types of digital signatures (New Product)
Brokerprove – A standalone solution for SME professional service providers
Embedprotect – A software developer’s kit that enables Digiprove technology to be quickly integrated into a company’s business applications