Sarbanes-Oxley and Information Management

Organizations have done much more in the areas of information security and paper-based records management than in electronic records management, ma...
Stephen Taub, July 15, 2004

The Sarbanes-Oxley Act has led many companies to change how they manage information, according to a study conducted by AIIM — an industry association for enterprise content management — and Kahn Consulting.

“The Current State of Information Management Compliance” addresses Section 404 of Sarbanes-Oxley, which for many companies becomes effective with their first fiscal year ending after November 15. The study also addresses the 1996 Health Insurance Portability and Accountability Act, which as of July 1 demands that healthcare providers who treat Medicare patients submit electronic claims using a standard HIPAA reporting format.

The study is based on seven “keys” of information management compliance developed by Kahn Consulting and based on guidelines used by the federal court system when sentencing organizations for wrongdoing.

“It’s tempting to think of this as just a Sarbanes-Oxley or HIPAA problem, but it really is part of a long-term trend toward defining what transparency and accountability means in an electronic era,” explained Randolph Kahn, founder and principal of the consultancy, in a statement. “Organizations need to look beyond their current practices and adopt a broader framework for managing their information assets — namely, a framework of information management compliance.”

One of the key findings of the study, for example, is that 37 percent of the more than 400 companies surveyed have made changes to their information management because of Sarbanes-Oxley, and 26 percent because of HIPAA. Yet more than one-third reported that they haven’t received any guidance on these issues from an executive in the last 18 months, and nearly half do not provide an executive statement of support for the information management program.

One reason for this shortfall, the study suggests, is that many organizations fail to bring the right people to the table to develop and administer their information management program. For example, when developing program elements, only 35 percent of companies involve lawyers in the process.

“Organizations have done much more in the areas of information security and paper-based records management than they have in the area of electronic records management,” the study points out. That’s “a huge inconsistency, given that most of the documentation of business and organizational processes is now conducted electronically.”

The study also warns that gaps in communication and training threaten to undermine the effectiveness of many programs. For example, more than 60 percent of companies said they do not provide regular employee training, and the training that is conducted often focuses on records and information managers rather than executives and IT staff.

Fewer than one in six survey respondents are firmly convinced that their companies would uncover records management failures, the study also found.