After months of preparation and trepidation, Sarbanes-Oxley arrives Monday for U.S. publicly traded companies.
The result has been a boon for some IT vendors and a headache for regulated companies, but storage vendors say there may be a silver lining for end users in the form of better business practices.
Monday is the day that Section 404 of Sarbanes-Oxley, "Management Assessment of Internal Controls," comes into effect for U.S.-based companies with market capitalization greater than $75 million. It's the section of the act that potentially has the greatest impact on the storage industry, and while it's been the cause of anxiety for many, vendors say it's been an important driver for IT best practices.
Section 404 demands that companies put in place an adequate internal control structure and procedures for financial reporting, and holds corporate management accountable for inadequate controls. To ensure compliance with Section 404, enterprises must have data retention and retrieval processes in place, as well as solid documentation of all financial records.
"There is definitely some firefighting going on today in terms of meeting upcoming deadlines," Paula Lair, product manager of EMC Centera Compliance Edition, told Enterprise Storage Forum. "But Sarbanes-Oxley is not an event. Fulfilling the intent of the law will be an ongoing process."
IBM is seeing its customers reflect on the larger issues that compliance brings as the deadline looms.
"As we get down to the wire, we hear more and more companies focusing on the business problem and not really focusing on the technology part because they believe they've got all the data," said Al Stuart, chief strategist for IBM Compliance and Data Retention Solutions.
However, integrating and consolidating all the data that could fall under SOX — which could mean anything that could affect financial controls and reporting — is still a challenge for many organizations. According to Hitachi Data Systems, one of the biggest challenges is integration of data that spans remote corners of an enterprise.
"The bigger challenge for the IT shops is being able to integrate information across all the different business lines and meet the more stringent reporting deadline while being able to validate that their processes are accurate and correct," HDS CTO Hu Yoshida told ESF.
Data Retention Affects Storage Issues
The compliance issues inevitably cut close to what storage is all about — namely data retention, for how long and how much. Faced with uncertainty, IT shops are choosing to save more for longer periods of time rather than risk falling out of compliance.
"In the first six months of 2003, I was hearing from C-level executives two different things," said IBM's Stuart. "One was, 'I'm saving everything forever,' and equally, I was hearing, 'If I have to save it for three years, then in three years and 10 minutes, it's gone.' I'm not hearing the latter anymore."
No one can give crystal-clear advice for every data classification issue, said Stuart; that unknown is driving increased data storage needs for end users. Vendors noted that email archiving in particular has been a specific issue that end users are eager to address in order to remain in compliance.
Hitachi's Hu said the drive for longer periods of storage and greater amounts of data has also led to an increase in multi-tiered storage and virtualization solutions to lower the overall cost of data retention by moving certain data to lower-cost storage. That said, among the myriad compliance requirements is the edict that data be readily accessible, so direct access — as opposed to a tape library — is the way most IT shops are going.
SOX Pushes Other IT Priorities Aside
According to Mary Kay Roberto, senior vice president and general manager at Veritas, in many cases, SOX compliance has been pushing other IT priorities to the back burner.
"Unfortunately, this occurs many times when an organization has not been proactive in planning for the change in regulation and the demands of e-discovery," she said. "Civil litigation and government subpoena and good corporate governance are growing realities. IT and existing projects can be heavily impacted if a system has not been put into place ahead of time to deal with these realities."
The effect of Sarbanes-Oxley compliance on other IT priorities may be waning, according to some. IBM's Stuart said that last year, SOX created somewhat of a panic. IT budgets were tight and people were taking money from other projects and putting it toward compliance. In 2004, IBM said it has seen an expansion of IT budgets, and as such, compliance is having less effect on other priorities.
In the view of vendors, SOX has actually served to bring to the fore priorities that should have been at the forefront to begin with.
"Things like cleaning up your files, consolidating, backup and protection was kind of on the back burner and was not a high priority from the business side," said HDS's Hu. "This now gives IT people the opportunity to implement those types of procedures. All this really adds up to better IT practices."
"This will actually help end users in the near term by putting in place some critical infrastructure that will make managing and accessing electronic records in a secure way much easier and more effective," said EMC's Lair. "Properly leveraging a corporation's information assets is definitely a 'win' for end users."
That said, vendors and those offering compliance services have likely reaped the greatest benefits from SOX. "It's great to be in the storage business right now because everybody is saving a lot of stuff," said IBM's Stuart.
HDS's Hu remarked that even though SOX has likely increased sales of replication software and data protection services, it's difficult to separate out all the SOX-specific components.
"What's good for efficiency within an organization is also good for SOX," Hu said.