Digital Content and SOX Compliance

Compliance ChecklistSOX

The Sarbanes–Oxley Act of 2002 was put in place by the US government to protect investors in public companies following a series of corporate and accounting scandals perpetrated in the late 90’s and early 00’s which included Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation’s securities markets.

Much has been written about these scandals and also SOX and what is now required of Public Companies and their stakeholders to secure societies confidence in the Markets and keep corporate officers and employees out of jail. This piece concerns itself with a specific set of challenges relating to Digital Content used in a public company or for that matter any company.

Section 404, 802 & Digital Content

Section 404 of the Act “Assessment of Internal Controls” & Section 802 “Criminal Penalties for influencing US Agency Investigation” are key sections relating to the effectiveness of the act and the actions and processes public companies must take or put in place.

In particular section 404 is concerned with the prevention and detection of fraud and error and the adequacy of controls required. The integrity, authenticity and provenance of digital content (data, text, Audio, Video etc.) must be secured and be non repudiable. We know that digital content is much easier to change than paper based content and public companies must find cost effective solutions to assure trust and confidence in their management and control of Digital content. Section 404 focuses on content authenticity and integrity.

Section 802: “ Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both”. This brings home the importance of being able to identify fraudulent, malicious or even just simple errors that may be part of an audit or evidential chain and required to establish trust and confidence in digital data/content. Section 802 in addition to the focus above in section 404 also brings attention to the history and flows of the digital content.

How can public companies identify and prevent fraud or error in their digital content cost effectively?

  1. Identify & List the company’s digital assets (versions, time lines etc.)
  2. Perform a Risk analysis and identify those critical digital assets.
  3. Identify those critical digital content types and forms that must be protected and controlled through their life cycle.

Sample critical Digital Assets

  • Contractual documentation
  • Policy & Procedure documents and records
  • Intellectual Property
  • Trademarks and copyright
  • Financial reports
  • HR & employee records
  • Performance Management records
  • Software applications
  • Software logs
  • Databases
  • Recorded telephone conversations
  • Recorded conference calls(Audio/Video)
  • Images, Photographs, Videos

Identify & implement appropriate software controls as a solution to the digital content/asset protection such as Digiprove.

What are the core features that a simple software solution must have?

  • Establish the authenticity and integrity of digital content on entry into the company’s digital world whether created within that world or entering externally via an electronic communication or scanned. (This can be achieved by creating a unique digital fingerprint of the content and metadata such as date, time, location, ownership)
  • Maintain full confidentiality of this digital content in that it does not get sent externally outside the company’s own controlled digital world to be certified.
  • Create an audit trail for the defined digital content and any actions taken on that content.
  • Be able to verify the provenance of any digital content once it has been certified and identify if it has been tampered with.

Digiprove products tick all the boxes:

Selfprotect – A simple SaaS on-line service for content and communications.

Autoprotect – A simple background utility that automatically protects all files within identified folders.

Signasure – Captures and applies (handwritten) electronic signatures to documents, creating proof of signature and content. (New Product)

Brokerprove – A standalone solution for SME professional service providers.

Software Development Toolkit – Enables Digiprove technology to be quickly integrated into a company’s business applications.