Datamaps Mitigate Risk under the Federal Rules of Civil Procedure and Meet Evolving Attestation Requirements under Section 404 of Sarbanes Oxley Act

Employees perform,collaborate and execute tasks more efficiently when able to find the information they need when they need it; there are legal discovery cost savings to consider as well.

The impetus for developing a so-called datamap comes from the Federal Rules of Civil Procedure, specifically the procedural requirements of Rule 26(f), which requires parties to discuss ESI (electronically stored information) at the outset of each case. The commentary to the new rule states in pertinent part that:

When a case involves discovery of electronically stored information, the issues to be addressed during the Rule 26(f) conference depend on the nature and extent of the contemplated discovery and of the parties’ information systems. It may be important for the parties to discuss those systems, and accordingly important for counsel to become familiar with those systems before the conference. With that information, the parties can develop a discovery plan that takes into account the capabilities of their computer systems. In appropriate cases identification of, and early discovery from, individuals with special knowledge of a party’s computer systems may be helpful.

It is easier said than done, but organizations need help with the design and development of a reliable process for understanding where information is stored there are broader organizational benefits to consider.

A reliable and defensible datamap could address potential deficiencies in internal technological controls and enable organizations to institute key processes in compliance with a series of evolving requirements under the Public Company Accounting Reform and Investor Protect Act of 2002 (“SOX”) as related to records and information management.  See J. Randel L. Kuhn, Jr., “Electronic Records Management and Sarbanes-Oxley Compliance: A Case Study of the COBIT Approach,” The Icfai Journal of Audit Practice, Vol. 4, No. 4 (Oct. 2007) (“Kuhn Study”).

The management and handling of ESI should be considered an entity level control examined as part of the SOX 404 attestation process. The Kuhn Study focused on utilizing the COBIT (Control Objectives for Information and related Technology) framework to comply with Sections 302 and 404 requirements, specifically as they relate to the retention and availability aspects of electronic document management. Id. The Study examines reported IT material weaknesses in internal controls over financial reporting specific to electronic records management and presents the findings of a case study where a global conglomerate applied the COBIT framework to successfully comply with SOX.

To comply with SOX attestation requirements, “global organizations face a daunting task of defining financial records, identifying and implementing appropriate records management procedures, and coordinating efforts across business units and geographic locations to ensure consistent application of prescribed policies and procedures.” Id. By putting in place a process for identifying the location of unstructured and structured information stored on network systems, organizations will be able to meet these evolving controls requirements under SOX.

When considering all the benefits of being able to find what you need when you need it, don’t loose sight of how a comprehensive datamap will improve internal controls and help satisfy evolving requirements under SOX 404.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: