SOX Deadline Arrives

Monday is the day that Section 404 of Sarbanes-Oxley, “Management Assessment of Internal Controls,” comes into effect for U.S.-based companies with market capitalization greater than $75 million. It’s the section of the act that potentially has the greatest impact on the storage industry, and while it’s been the cause of anxiety for many, vendors say it’s been an important driver for IT best practices.

The result has been a boon for some IT vendors and a headache for regulated companies, but storage vendors say there may be a silver lining for end users in the form of better business practices.

Section 404 demands that companies put in place an adequate internal control structure and procedures for financial reporting, and holds corporate management accountable for inadequate controls. To ensure compliance with Section 404, enterprises must have data retention and retrieval processes in place, as well as solid documentation of all financial records.

“There is definitely some firefighting going on today in terms of meeting upcoming deadlines,” Paula Lair, product manager of EMC Centera Compliance Edition, told Enterprise Storage Forum. “But Sarbanes-Oxley is not an event. Fulfilling the intent of the law will be an ongoing process.”

IBM is seeing its customers reflect on the larger issues that compliance brings as the deadline looms.

“As we get down to the wire, we hear more and more companies focusing on the business problem and not really focusing on the technology part because they believe they’ve got all the data,” said Al Stuart, chief strategist for IBM Compliance and Data Retention Solutions.

However, integrating and consolidating all the data that could fall under SOX, which could mean anything that could affect financial controls and reporting, is still a challenge for many organizations. According to Hitachi Data Systems, one of the biggest challenges is integration of data that spans remote corners of an enterprise.

“The bigger challenge for the IT shops is being able to integrate information across all the different business lines and meet the more stringent reporting deadline while being able to validate that their processes are accurate and correct,” HDS CTO Hu Yoshida told ESF.

The compliance issues inevitably cut close to what storage is all about: namely, data retention, for how long and how much. Faced with uncertainty, IT shops are choosing to save more for longer periods of time rather than risk falling out of compliance.

“In the first six months of 2003, I was hearing from C-level executives two different things,” said IBM’s Stuart. “One was, ‘I’m saving everything forever,’ and equally, I was hearing, ‘If I have to save it for three years, then in three years and 10 minutes, it’s gone.’ I’m not hearing the latter anymore.”

No one can give crystal-clear advice for every data classification issue, said Stuart; that unknown is driving increased data storage needs for end users. Vendors noted that email archiving in particular has been a specific issue that end users are eager to address in order to remain in compliance.

Hitachi’s Hu said the drive for longer periods of storage and greater amounts of data has also led to an increase in multi-tiered storage and virtualization solutions to lower the overall cost of data retention by moving certain data to lower-cost storage. That said, among the myriad compliance requirements is the edict that data be readily accessible, so direct access, as opposed to a tape library, is the way most IT shops are going.

See the complete story on Enterprise Storage Forum.