Corporate Compliance Regulations & Standards
More than 8,500 state and federal regulations concern
records management in the United States. There are several
more voluntary standards that can be adopted. Here is a
sampling of some of the more common standards and
regulations that concern document and records management.
The Sarbanes-Oxley Act of 2002
Also known simply as "Sarbanes-Oxley" or "SOX," the
Sarbanes-Oxley Act of 2002 was passed in the wake of a
number of corporate accounting scandals, such as those
involving Enron and its auditor Arthur Andersen, which came
to light in 2001 and 2002.
Signed on July 30, 2002, the legislation's goal is to create
oversight of publicly traded companies and their independent
auditors so that investors are not misled by phony profits and
revenue. Among the several results of Sarbanes-Oxley is the
creation of an oversight board (the Public Company Accounting
Oversight Board) for accounting firms that audit publicly
traded companies. It also stresses the independence of
auditors and financial analysts, addresses corporate
responsibility at publicly traded companies, and protects
whistleblowers.
At no point does the word "software" appear in the text of
the Sarbanes-Oxley legislation. But in order to achieve the
type of audit trails and records keeping required to be in
compliance, most companies will use some type of content or
records management software.
Section 404 of Sarbanes-Oxley is widely cited in the
marketing literature of software companies. It requires each
annual report of a publicly traded company to contain an
"internal control report," which states the responsibility of
management for establishing and maintaining an adequate
internal control structure and procedures for financial
reporting, and which contains an assessment of the
effectiveness of that internal control structure and those
procedures.
Section 409 says that companies must disclose information on
material changes in the financial condition or operations of
the issuer on a rapid and current basis.
To read a summary of the entire Sarbanes-Oxley legislation,
visit:
http://www.aicpa.org/info/sarbanes_oxley_summary.htm
The Patriot Act
Maligned in some circles for what is perceived to be a
pinching of civil liberties, H.R. 3162, better known as the
USA Patriot Act, was signed in October of 2001, just over a
month after the terrorist attacks of Sept. 11.
While much of the press coverage has gone to provisions in
the bill that let law enforcement track what books people
take from the library and the like, there are real business
issues mentioned in the Patriot Act. And once again,
businesses will turn to software in order to solve them.
The Patriot Act has the most effect on companies in the
financial services sector, which must comply with the parts
of the legislation (Title III) that concern detecting and
preventing money laundering that can be used to finance
terrorism. Institutions need an automated process for
continuous monitoring of accounts with detection filters,
for checking account holder names against watch lists, and
for flagging suspicious activity. They also need to track
investigations in progress and to clear the names of those
who have been investigated.
ISO 15489
ISO 15489 focuses on the business principles behind records
management and how organizations can establish a framework
to enable a comprehensive records management programme. ISO
15489 is only a framework and a voluntary standard that any
organization can choose to adopt.
The standard provides a common international language for
organizations that record and file material, regardless of
the medium or format; the size of the enterprise; the type
of organization; or the level of technology used.
DoD 5015.2
The Department of Defense (DoD) 5015.2 standard defines the
basic requirements, based on operational, legislative, and
legal needs, that must be met by records management
application (RMA) products acquired by the DoD and its
components. It also defines requirements for RMAs that
manage classified records. It has become the de facto
standard for records management systems used by U.S.
government agencies.
To see a copy of DoD 5015.2 in Word or PDF format, see
http://jitc.fhu.disa.mil/recmgt/standards.htm.
SEC, NASD and NYSE Regulations
In addition to Sarbanes-Oxley, SEC and non-government
securities organizations have regulations in place that
require strict record keeping by brokers, dealers, and
financial services organizations.
Section 17(a) of the Securities Exchange Act of 1934, Rule
17a-4 under the Exchange Act, NYSE Rule 440, and NASD Rule
3110 require the preservation, for three years (the first two
in an easily accessible place), of electronic communications
relating to the business of the firm, including interoffice
memoranda and communications. That includes e-mail and
relevant instant-message correspondence.
For more information, see
http://www.law.uc.edu/CCL/34ActRls/rule17a-4.html#top.
HIPAA
The Health Insurance Portability and Accountability Act of
1996 (HIPAA) aims to protect personal information in
consumer health records. Its Administrative Simplification
provisions were a response to the growing use of electronic
health transactions, and the Privacy Rule issued under them
protects consumers from having their personal health
information exploited by insurance companies, employers, and
anyone else who might try to exploit, disclose, or publish
it.
For more information, see:
http://www.intranetjournal.com/articles/200211/ij_11_29_02a.html
Federal Information Security Management Act of 2002 (FISMA)
FISMA provides a framework for enhancing the effectiveness
of information security in the federal government. The head
of each federal agency must provide protections commensurate
with the risk and magnitude of the harm that could result
from unauthorized access, use, disclosure, disruption,
modification, or destruction of the agency's information and
information systems.