Compliance and Regulation: Impacting on the Global Business Community
Following the fallout from major corporate crashes such as Enron and WorldCom, stricter compliance legislation has been introduced around the world to ensure that business managers and principals are more accountable for their actions.
The latest compliance standards focus on greater accountability and control in key business processes – most importantly document flows and data management.
There are two central aspects to enforcing compliance:
• The corporate duty of care in enforcing standards
• The need for legal protection in the event of litigation or a dispute
Non-compliance is not an option: companies risk stiff fines, and executives can be held personally liable if information is not in order. It is therefore important that businesses examine all regulations, not just those affecting their specific area of operation, but also generic legislation affecting general business activities.
The consequences of non-compliance are extremely serious; in December 2002 the SEC fined five Wall Street brokerages a total of $8.25m for improperly storing e-mail communications (Forrester Research).
Distributing documents for approval, whether in hard copy or electronic form, raises security issues. Who is authorised to access documents, and what information can they access within them? This is particularly important for ensuring compliance with legislation such as the Sarbanes-Oxley Act, which applies to US companies and their foreign subsidiaries, and, in the UK, the Data Protection Act and the Freedom of Information Act.
Document processing software such as Tokairo’s TokOpen system addresses these challenges and automatically enforces compliance. Every action relating to individual document access is audited, access is limited to specified personnel, and the actions they can undertake are also controlled. The software can also restrict access to different information within a document to different specified users or groups within an organisation.
This ability to show different information in a document to different users means that the divergent needs of the Data Protection Act and the Freedom of Information Act can both be met automatically, without the need to make copies of documents.
This flexibility can also extend to a hierarchy of approval based on the value of an invoice. So if a member of staff is not allowed to approve payment of an invoice of over £500, for example, it can still be checked by them, but then automatically escalated to a superior for payment sign-off.
The following are some of the most recent regulations, and the effects they can have on corporate document management strategies:
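The three controls just described (per-user views of a single stored document, an audit entry for every access, and value-based escalation) can be modelled in a few lines. This is an added illustration, not TokOpen's code; the role names, field names, approval limits and sample invoice are all constructed for the example.

```python
"""Illustrative document access control, audit trail and approval escalation."""
from dataclasses import dataclass, field
from decimal import Decimal

# Hypothetical policy: which fields of an invoice record each role may see.
# The stored document is projected per viewer, so no copies are ever made.
FIELD_VISIBILITY = {
    "accounts_clerk": {"invoice_id", "supplier", "amount"},
    "hr_officer": {"invoice_id", "employee_name", "employee_address"},
    "finance_manager": {"invoice_id", "supplier", "amount", "employee_name"},
}
# Hypothetical sign-off limits; a clerk may approve up to and including £500.
APPROVAL_LIMITS = {"accounts_clerk": Decimal("500"), "finance_manager": Decimal("50000")}

# Constructed sample invoice (not real data).
SAMPLE_INVOICE = {"invoice_id": "INV-0001", "supplier": "Example Supplies Ltd",
                  "amount": "750.00", "employee_name": "J. Smith",
                  "employee_address": "1 High Street"}

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)  # (user, role, action, doc_id, detail)

    def record(self, user, role, action, doc_id, detail=""):
        self.entries.append((user, role, action, doc_id, detail))

def view_document(doc, user, role, audit):
    """Return only the fields this role may see; every view is audited."""
    allowed = FIELD_VISIBILITY.get(role, set())        # unknown role sees nothing
    projection = {k: v for k, v in doc.items() if k in allowed}
    audit.record(user, role, "view", doc["invoice_id"], ",".join(sorted(projection)))
    return projection

def approve_invoice(doc, user, role, audit):
    """Anyone may check an invoice; approval above the role's limit is escalated."""
    amount = Decimal(doc["amount"])
    audit.record(user, role, "check", doc["invoice_id"])
    if amount <= APPROVAL_LIMITS.get(role, Decimal("0")):
        audit.record(user, role, "approve", doc["invoice_id"], str(amount))
        return "approved"
    audit.record(user, role, "escalate", doc["invoice_id"], str(amount))
    return "escalated"

def run_demo():
    """Clerk views and checks the £750 invoice; it escalates to a manager."""
    audit = AuditLog()
    view_document(SAMPLE_INVOICE, "alice", "accounts_clerk", audit)
    approve_invoice(SAMPLE_INVOICE, "alice", "accounts_clerk", audit)
    approve_invoice(SAMPLE_INVOICE, "bob", "finance_manager", audit)
    return [e[2] for e in audit.entries]
```

The audit log is the evidence a Section 404 review would ask for: it records who saw which fields and who signed off, without the document itself ever being duplicated.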
Sarbanes-Oxley Act 2002
This is a key driver of compliant corporate document management systems. In the US, non-compliance is now a federal offence, carrying a penalty of up to 20 years in prison. US subsidiaries in the UK are also required to comply with this legislation. The European Union is expected to introduce similar rulings for member countries.
Under section 302, the CEO and CFO must certify that reports accurately show the company’s financial condition and results. In addition, they must certify that they have established and evaluated internal controls to ensure accurate recording and reporting of performance. Any deficiencies in these controls, as well as any fraud at management level, must be reported.
Section 404 requires annual reports to detail the internal controls that are in place to ensure accurate financial reporting, as well as an assessment of their effectiveness.
This can have a significant impact on a document management system. For example, a company without clear control and visibility of the approval of invoices for payment could be in breach of the Sarbanes-Oxley Act.
Data Protection Act 1998
Regardless of what document management system may be in place, personal information held for business use needs to be handled in compliance with the Data Protection Act 1998. A secure document management system such as TokOpen can help with compliance, as it reduces the scope for theft or accidental loss of personal and confidential data. It can also facilitate the execution of valid requests for such data.
The Act enshrines eight principles:
1. Personal data shall be processed fairly and lawfully.
2. It shall be obtained only for specified lawful purposes, and shall not be further processed in any manner incompatible with those purposes.
3. It shall be adequate, relevant and not excessive in relation to the purposes for which it is being processed.
4. It shall be accurate and, where necessary, kept up to date.
5. It shall not be kept for longer than is necessary.
6. It shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken to prevent unauthorised or unlawful processing of personal data, and to prevent accidental loss, destruction or damage to personal data.
8. Personal data shall not be transferred to a country or territory outside the EU unless an adequate level of protection for the rights and freedoms of data subjects is ensured.
Freedom of Information Act
This gives people a general right of access to information held by, or on behalf of, public authorities. It is intended to promote a culture of openness and accountability amongst public sector bodies, and to increase public understanding of how public authorities work, why they make the decisions they do, and how they spend public money.
Good document management should be a key objective for all organisations, public and private, in the drive to achieve business efficiency and to ensure that information is easily retrievable and properly documented. As a result, public authorities will be able to comply more easily with the legislation that affects them, such as the Freedom of Information Act.