Addressing Sarbanes-Oxley Compliance Section 404 With Xythos
Centrally Store Files & Documents
Access Files Safely & Securely
The portion of the Sarbanes-Oxley Act that has created some of the greatest anxiety is Section 404, which mandates that companies must demonstrate the breadth and depth of their internal controls on finances.
Needless to say, collecting all the relevant documentation for the yearly audit can prove to be as challenging as dealing with the auditors themselves. As long as users store documents on their own laptop or desktop computers, departmental file servers, and other systems, or forward them to each other as email attachments, the Section 404 requirements will continue to be a huge chore. The cost of failure—various federal penalties, ranging from fines to restrictions on the company's ability to trade stock or do business at all—is extremely high. The way to ensure proper compliance is to put controls in place to centrally store files and documents. The way to ensure IT managers sleep well at night is to ensure that access to documents and files is safe and secure. Xythos can help address Sarbanes-Oxley requirements as shown in the following use case.
Use case:
The Chief Financial Officer (CFO) mandates that all policy and procedures manuals will be stored in a particular directory on Xythos. All content that goes into this folder will automatically be versioned, and there will be a record of all users who have viewed or edited the file. It is, therefore, possible for the CFO, when needed, to demonstrate what the policies and procedures manuals said at a particular point in time, and all the users who accessed those versions of the manuals.
The CFO also sets the expiration on these manuals to six months, so that there will be a regular reminder to review and update accounting policies. By using Xythos' workflow features, the CFO also maintains a record of the individuals who approved changes to the company's internal financial controls. Once the new draft is completed, the CFO locks it against further change until the next review period.
The CFO also mandates that all email and instant messaging traffic related to internal controls be stored in a special subfolder for later reference. These steps alone eliminate one of the biggest hurdles to meeting the Section 404 compliance requirements: rather than hunting down all the relevant internal controls documents, the information is already stored in one place. As an extra precaution, the CFO conducts regular searches on the content of documents, to make sure that relevant information isn't accidentally left out of the initial presentation to the auditors. If the CFO runs this kind of search regularly, Xythos can save it, making it possible to re-run the search at any time with a single click.
Next, the CFO applies some of Xythos' features to implement these internal controls. Operational documents, such as budget spreadsheets and contracts, need to be strictly controlled. According to Sarbanes-Oxley guidelines, the accounts receivable group should not have access to accounts payable documents. Membership in these groups is already defined in the company's LDAP service, so there is no need to create and maintain a duplicate membership list in Xythos. In this fashion, the CFO creates AR and AP directories that allow these two groups to see each other's documents, if needed, but not alter them. The CFO can, therefore, demonstrate that the company is not able to play the sort of accounting shell games that led to the collapse of Enron.

