SOX and Phone call recording 2165



  • Hi All
    I am from South Africa working for a company that specializes in telephone call recording solutions. One of our clients, an American company based in SA have asked us for the following:
    Please provide your white papers confirming the SOX compliancy of your Call Recording Solution.
    I have now spent at least three weeks searching the internet for more information. I have also just purchased the SOX Compliancy Toolkit and still no answers.
    I do believe our system will most probably meet all the requirements as it does meet a gazillion other requirements but obviously we need to write a White Paper on this and can not suck anything from our thumbs.
    Is there anybody here that could guide me in the right direction?
    What does a Call Recording system need to do to assist or meet SOX compliancy?
    Any help would be greatly appreciated.
    Yours sincerely
    Johan



  • Hi JCL and welcome to the forums 🙂
    This older thread contains some good starting points for understanding SOX compliancy
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1516
    You may need to get some clarifications (details) from your original requestor on what they are looking for. As a starting point, SOX controls would not be related to the Phone recording equipment itself 😉
    SOX controls are designed to control the financials for the company itself and are designed to provide management oversight and accountability of all stated values, sales, income, etc. Usually, public audit firms help certify results also in order as a neutral party, that’s separate from the company itself.
    Also, your company (or possibly parent company) must be listed as a publicly held company trading on the USA stock exchange (e.g., NASDAQ, NYSE) for SOX compliancy to be required. There are also differences between large and small companies (e.g., USD70 million annually)



  • Hi harrywaldron
    Thank you for the quick response and welcome.
    I did search the archives on this forum before placing my question and found only one thread related to my question. This however did not help.
    On questioning our client as to what exactly they were looking for his response was:
    SOX compliancy relating to ‘Internal auditing the voice tagging’
    This is quite possibly a sales angle from some opposition company to our products.
    Some of the assumptions I am making after reading and trying to understand as much as possible are the following:

    1. To combat internal fraud, internal telephone conversations should also be recorded along with all external calls.
    2. All calls should be tagged with as much information as possible, encrypted, watermarked, and a checksum calculated with an industrial strength checksum algorithm to ensure later authentication.
    3. These recordings should be stored in a secure manner and easily retrievable on defined search criteria.
    4. Audit trails should be maintained on any access to specific recordings.

    I could be completely off track here or be on track but only have half the story. Any more information or your thoughts on this would be appreciated.
    Regards
    Johan
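
Items 2 and 4 of the list in the post above, sketched as an added example (not part of the original post and not any vendor's code): a keyed digest (HMAC-SHA256 rather than a plain checksum, so that someone who alters a file cannot simply recompute it) binds a recording to its tags, and a hash-chained log makes edits to access records detectable. The key, audio bytes, tags and function names are constructed for illustration; encryption and watermarking are not shown.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"            # constructed; keep real keys outside the recorder
AUDIO = b"RIFF-constructed-audio-bytes"  # constructed stand-in for a recording file
TAGS = {"call_id": "c-0001", "extension": "4021", "start": "2024-01-01T09:00:00Z"}

def seal_recording(audio, tags, key):
    """Bind the audio and its tags together under one keyed digest."""
    audio_sha256 = hashlib.sha256(audio).hexdigest()
    body = json.dumps({"tags": tags, "audio_sha256": audio_sha256}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"tags": tags, "audio_sha256": audio_sha256, "mac": mac}

def verify_recording(audio, manifest, key):
    """True only if neither the audio nor the tags changed since sealing."""
    expected = seal_recording(audio, manifest["tags"], key)
    return hmac.compare_digest(expected["mac"], manifest["mac"])

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_access(log, user, action, call_id, when):
    """Append an access record that commits to the previous record's hash."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"user": user, "action": action, "call_id": call_id,
             "when": when, "prev": prev}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)

def verify_log(log):
    """Return the index of the first inconsistent entry, or -1 if the chain holds.
    The chain is unkeyed: store the latest entry_hash somewhere the log's
    writers cannot reach, or a full rewrite of the log would go unnoticed."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1

if __name__ == "__main__":
    manifest = seal_recording(AUDIO, TAGS, KEY)
    print("intact:", verify_recording(AUDIO, manifest, KEY))
    print("altered audio:", verify_recording(AUDIO + b"x", manifest, KEY))
```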


  • Thanks Johan for sharing more insight related to the area being researched. Achieving SOX compliancy requires good controls, procedures, security, etc.
    While I’m more of an IT person, voice records would represent controls ‘above and beyond’ what’s truly required for SOX compliancy. I recall some months ago, a similar thread was submitted related to the retention of Video Camera surveillance tapes and we felt this was outside the scope of what is required for SOX.
    As I have backgrounds in IT security and policy development, in the USA there would be potentially privacy concerns on recording any calls without folks knowing in advance (or a message as a call starts stating that ‘this call may be recorded for quality reasons’).
    As a bottom line, voice recordings may be beneficial for security or other reasons, but they are most likely outside the scope of what’s needed to meet SOX standards. Hopefully, some of our expert members might share any potential applicability, as I could also be wrong.
    Finally I did a quick Internet search, and saw some uses of voice recordings in SOX (e.g., special fraud hotlines, etc.)
    Please paste to browser and enter www
    google.com/search?hl=en-and-q=sarbanes oxley voice recordings



  • Hi Johan,
    I’ve been out of SOX for a while, but in its early days every man and his dog used SOX as a political football to get his private projects pushed through: ‘We have to prioritise my idiotic empire building because of SOX, and as none of you know what SOX means just be intimidated and build my empire, please’. Also, lots of folk still have no idea about SOX, and ask you a simplistic question to pass the buck. Frankly, if your guy is asking for a SAS70 type 2 or such, then he knows what he means and you can ask him to show you examples he has from other suppliers to help you out. You can also ask him to define with you what he’s worried about so you can address it in a mutually satisfactory way. A ‘White Paper’ rings alarm bells to me as unless you are a SOX consultancy, a ‘white paper’ is pretty meaningless. It certainly will not help him pass any audit. Off hand, I suspect your phone calls have nothing to do with SOX. What matters (from an IT perspective) are:

    1. Does your company provide a financial service to the company asking you for paperwork? That is, does cash flow between you other than your contractually fixed service costs?
      1.a. If no, then there is probably no SOX relevance at all, so tell your customer very politely to clarify exactly what he wants until he goes away happy :lol:
      1.b. If yes, then what matters are 2 things as a minimum. First is that all cash flows - costs and revenues are correctly reported in a bomb-proof manner. If you get 1 rand in, that gets reported as 1 rand, on time, accurately and completely, and no-one in your company can interfere with that without it being immediately spotted and corrected. Secondly, the systems you use are guarded to prevent anyone, internal or external, being able to use them to get into your customer’s IT systems.

    Hope this helps.
    Z
