Can anyone tell me what if any requirements there are relative to email and/or disater recovery and co-locattion facilities from a Sarbanes-Oxley compliance perspective?
While many public companies have increased the attention they place on having adequate disaster recovery and data-backup plans because of theoretical Sarbox concerns, I don’t believe Sarbox has specific requirements per se on email and disaster recovery.
Sarbox primarily (1) prohibits certain kinds of actions (officer loans, using auditors for non-audit services without pre-approval) and (2) requires more stringent internal controls and procedures (mostly relating to insuring prevention of fraud in financial statements). Unless your auditors require you to show that there are adequate disaster recovery plans as a condition to certifying you have adequate internal controls and procedures (which I don’t think is the case), I don’t think it bears directly.
March 8th, 2010 at 1:27 am
While many public companies have increased the attention they place on having adequate disaster recovery and data-backup plans because of theoretical Sarbox concerns, I don’t believe Sarbox has specific requirements per se on email and disaster recovery.
Sarbox primarily (1) prohibits certain kinds of actions (officer loans, using auditors for non-audit services without pre-approval) and (2) requires more stringent internal controls and procedures (mostly relating to insuring prevention of fraud in financial statements). Unless your auditors require you to show that there are adequate disaster recovery plans as a condition to certifying you have adequate internal controls and procedures (which I don’t think is the case), I don’t think it bears directly.
References :
I am an attorney familiar with Sarbox. Not an accountant though, so maybe the auditors are requiring it in order to give certifications.