Five Common Compliance Myths

SOX, COBIT, COSO, HIPAA, Section 404? All of this compliance talk can get a little overwhelming. Today there are over 10,000 different regulations in the United States alone. Like it or not, any IT storage group in a public company must provide ongoing reports that prove its data is being secured through backup and restore activities. Here are five common SOX compliance myths, and the reality behind each, to help you set the record straight.

Myth #1:
There are very specific regulatory guidelines to follow for SOX compliance.

Not true. In fact, the government does not set any guidelines for SOX compliance. Companies must define their own compliance control framework and then, through a process of audits, prove that they are adhering to that framework.

There are two organizations that provide "best practices" to help you create your own framework. COSO (Committee of Sponsoring Organizations of the Treadway Commission) was formed in 1985 and is funded by accounting associations and institutes. COBIT (Control Objectives for Information and related Technology) is also a popular control framework; it was created by the Information Systems Audit and Control Association (ISACA).

Myth #2:
Only public companies need to be concerned about SOX compliance.

False. Regulatory compliance isn't just for public companies anymore. In fact, any company with a market cap over $75 million is subject to regulations like Sarbanes-Oxley. Private companies in the following situations should consider becoming SOX compliant:

Preparing for an initial public offering - Companies planning to execute an initial public offering must be SOX compliant upon filing.

Preparing for a merger with a public company - Management of a potential public acquirer will likely expect the private company being acquired to be SOX compliant.

Reporting to federal regulatory agencies - Numerous government agencies have started to use SOX requirements as the standard for internal controls and corporate governance.

Doing business with government entities - Many states, including California, have passed SOX-type laws affecting companies doing business with them.

Adopting an internal control framework for regulatory compliance increases internal efficiency as well. If your company is private and growing quickly, regulatory compliance is just around the corner.

Myth #3:
The costs for noncompliance aren't that severe.

Not true. The penalties for noncompliance can be very severe. Many financial institutions have paid hefty fines for noncompliance, including Morgan Stanley (fined $1.45 billion), CitiGroup (fined $410 million) and Janus (fined $230 million).

In addition to financial penalties, SOX defines prison terms as well.

- 20-year prison term for destroying, altering or fabricating records in federal investigations, or for any "scheme or artifice" to defraud shareholders

- 25-year prison term for securities fraud

- 20-year prison term plus a $5 million fine for CEOs and CFOs who make false statements to the SEC or fail to certify financial reports

- 10-year prison term for destroying key audit documents and email

Myth #4:
Regulatory compliance isn't resource intensive. I'll script a few reports and be done with it.

False. If not done right, maintaining regulatory compliance can be a substantial drain on your IT resources. Some number of IT personnel will need to be in charge of the care and feeding of the compliance auditors. According to Jim Damoulakis, CTO of GlassHouse Technologies, "The thing that adds workload is that you now have to prove that you're doing it."

Manually creating reports through scripts is a very time-consuming process. The number of reports required for an audit will also increase each year as the scope of the audits naturally broadens, and the frequency of audits typically increases from once a year to quarterly, and sometimes even monthly. Keeping up with the additional reports can become an endless game.

In addition to the compliance scope and frequency changing, the auditors themselves frequently change. New auditors need to be educated on your environment and another set of reports must be produced. This ongoing

Having a flexible, automated reporting solution that can easily generate audit trail reports minimizes the time spent scripting reports and streamlines the process of providing auditable reports to internal and external auditors.

Myth #5:
If I pass my compliance audit this year, I'm safe for next year. Compliance requirements don't change.

Not even close. Regulatory compliance is not a one-time project but an ongoing process. It is an auditing process that grows in frequency and scope every year. As companies become aware of compliance best practices, the frequency of compliance audits tends to increase from one annual external audit to include quarterly and sometimes monthly internal audits.

Each compliance audit is different and so is each auditor. As compliance auditors become more knowledgeable about your environment, they will require more information and additional reports when it comes time for the next audit. Also, external compliance auditors are typically junior associates who frequently rotate out of the job. Your auditor this year is not likely to be the same person that does your next audit.

The best way to be prepared is to practice "sustainable compliance". In other words, make compliance part of how you run the business. To achieve this, use a data protection management solution that produces reports automatically. You will then be able to respond quickly to new report requests and increasing demands with little impact on the resources of your IT organization.

Schedule a demo to see how APTARE StorageConsole can help you achieve the ultimate goal of sustainable compliance.

© 1993-2008 APTARE, Inc. ALL RIGHTS RESERVED