Privately Held Companies and Sarbanes-Oxley Considerations




  • If you feel as the technology leader for your organization that being in compliance would allow your organization greater control, then do it. At the moment private companies like yours are determining if they should comply now or later.



  • we will be in compliance by having an email retention policy of only 3 weeks.
    I’d say your firm’s management doesn’t understand SOX, if they think e-mail retention policies have anything to do with compliance with SOX. I have been focused on public company compliance, but I have seen several discussions of implications for private companies.



    1. Email retention policies have nothing to do with SOX compliance.*
    2. Private companies do not have to comply.
      However, if you're a private company providing IT services, and possibly other services, to a company that must be SOX compliant, SOX does affect you.
      Although there is a high learning curve, as an IT professional you should really take a look at COBIT Objectives.
      They will give you a much better understanding of the importance of controls. And help you structure your IT security policies much much more efficiently.
    • I simplified that statement… Email retention policies MIGHT be part of SOX compliance IF you are using email as part of your controls. For example, all requests for access to accounting server must be completed via email and approved by Accounting Controller.
      In that case email retention is part of SOX compliance but only because you make email part of your control.
      I hope that makes sense.


  • It is also important to know that being a privately held company, if it is a child company of a public entity, then you should be SOX-compliant as well.
    Honestly, when looking at it, any organization should consider aligning their operations to be SOX compliant over the next couple of years just for peace of mind.

