Sox and Disaster Recovery Plans
A Backup Article Contributed by A.J. Vasaris
If you are a publicly traded company, the U.S. Securities and Exchange Commission (SEC) has plenty to say about your disaster recovery plans. The Sarbanes-Oxley Act (SOX) exists to protect investors, so it also describes disaster recovery and your company's responsibilities to its clients.
Once a company goes public, it falls within the domain of the SEC, which aims to protect investors and maintain integrity. Therefore, the SEC issues several key provisions for Sarbanes-Oxley compliance, including the following:
1. Restore Confidence in the Accounting Profession: These measures address accounting oversight boards, rules to improve the independence of outside auditors, rules forbidding improper influence on outside auditors, etc.
2. Improve Corporate Conduct: These provisions require CEOs and CFOs to certify financial and other information in corporate quarterly and annual reports. They prohibit trading during pension blackout periods, prohibit corporate loans to insiders, and more.
3. Additional provisions call for improved disclosure and financial reporting, improved gatekeeper performance, and enhanced enforcement tools.
Understanding Disaster Recovery Plans
Many organizations are still floundering to understand how SOX affects them and their shareholders. That's because SOX goes beyond finance to encompass governance, risk, ethics, compliance and more. And while many organizations may seek to solve the compliance conundrum with IT solutions, such an approach would be shortsighted and inadequate.
Companies must embrace a more holistic approach to compliance that includes better communication, training, and a strong risk management structure. Organizations that already have a good business continuity program and disaster recovery plan in place are better equipped to monitor and manage many of the problems SOX seeks to curtail, including those in countless financial functions.
Starting Your Disaster Recovery Plan
The first step in writing your disaster recovery plan is to ensure that all financial systems are in fact being backed up. If all of the company's financial records are maintained on a single server, you could simply burn a copy of the entire hard drive to a CD or DVD on a periodic basis. If you're running SAP with multiple payrolls per month and data coming from multiple locations, the backup-and-recovery solution won't be as simple.
Most companies do a decent enough job of documenting what needs to be backed up and making the archives. What many companies fail to do is test those backups on a periodic basis to make sure they work. They sometimes discover too late that the incremental backups they'd been making to save time are inadequate to recover the entire system.
Financial managers should work closely with the IT department to schedule a test recovery of financial data at least annually. Your SOX conformance auditors will want to see a written disaster recovery plan that covers how the company will restore the information systems' environment, recover data from backups, and bring financial systems up to a pre-disaster state. The auditors will also want to see written evidence that you actually performed the tests.
Some financial managers assume that the IT department will automatically restore all financial systems and data from the backups. In most cases, that's exactly what will happen, as long as the right backups are being made, and tested.