
Network World

Matthew Nickasch

Compliance Concerns: SOX

By Matthew Nickasch on Mon, 07/07/08 - 6:36pm.

As if managing the day-to-day operations of your telecommunications infrastructure weren't difficult enough, now add compliance on top. SOX, HIPAA... you know the drill. Modern-day regulations designed to improve security, confidentiality, and authenticity can mean major headaches for IT managers, and especially for telecom managers!

Today, we'll focus on how SOX can impact your day-to-day telecommunications operations, and what to expect.

The Sarbanes-Oxley Act was created and enacted into law to minimize corporate and accounting scandals such as those at Enron, Tyco, and WorldCom. Within SOX, there are 11 compliance "titles" that effectively act as an oversight mechanism. So, how does SOX affect telecom managers? Simple answer: in many ways.

Obviously, technology, especially in the telecommunications field, has improved drastically since the advent of PBXs, voicemail, and unified messaging. In the old analog world, it was nearly impossible to preserve phone conversations and messages without tape recording equipment. Now, with VoIP, unified communications, and WAV voicemail attachments, things have changed. It is much easier to preserve and archive old voicemail messages, recordings of phone calls, and databases of call detail records.

Regardless, the format or method of the stored communications isn't the problem. Instead, it's the obligation to preserve communications that can dramatically affect your organization. But wait! What about all of the meaningless calls between coworkers and their families that have nothing to do with SOX compliance? Are those conversations and messages required to be kept and archived?

Rules on retaining communications are dictated by subject matter. While telecom technology has matured drastically, it still can't accurately distinguish which content to save and which to discard, at least not automatically.

Unfortunately, there are always ways around the auditing system, and no blend of technology has made it 100% foolproof. In the case of account codes, it's very easy for a user to dial a personal account code to mask "illegal" conversations and prevent the archiving mechanisms from recording them.

In the end, it all comes down to this: consult with a SOX-trained legal firm to ensure your organization is "telecom + SOX" compliant. Until the legal system "catches up" with technology, SOX compliance in the telecom sense will continue to be a very gray area.

Record Retention and SOX


Gray area is the operative word... When we think of the implications of SOX for IT and telecom managers, the line between operational management and detailed, specific compliance requirements is often blurred. Sarbanes-Oxley is focused on internal control over financial reporting. Far too often, operational issues get lumped into SOX compliance when they are not directly related to internal controls over financial reporting or the systems that support these activities. In part due to these challenges, the Public Company Accounting Oversight Board (PCAOB) implemented a new audit standard (AS-5) that employs a top-down, risk-based approach to control assessment. The Institute of Internal Auditors' GAIT methodology is another great resource in thinking about what's material in the realm of IT and telecom to SOX compliance.

Section 802 of the Sarbanes-Oxley Act of 2002 provides guidance on record retention requirements resulting from SOX. This section of the act speaks to the retention period, five (5) years, of work-papers used to support the audit of publicly traded firms.

About Considering Convergence
Matthew Nickasch is an independent consultant and analyst in the IP communication and convergence fields. His current and previous consulting experience includes systems architecture, virtualization, telecommunications, and converged networks for the financial, education, and healthcare industries. In addition to his consulting responsibilities, he has been active in the research realm, recently publishing and presenting on topics including routing protocol security and ERP and transactional database auditing. While his interests include directory services and corporate compliance, Nickasch's focus is on converged networks and IP communications.