Paper trails Featured

12:31pm EDT May 26, 2004
When BP needed to monitor activities -- ranging from Alaskan drilling operations to selling food in convenience stores -- to ensure it was in compliance with the Sarbanes-Oxley Act, it turned to Warrensville Heights-based Axentis for a solution.

The Sarbanes-Oxley Act, one of a series of federal privacy, security and disclosure initiatives, has left many companies scrambling to implement internal controls to stay in compliance with the laws.

"Governance, risk and compliance (GRC) laws are very complicated," says Steve Lindseth, chairman of Axentis. "CEOs are sitting at the top of a company looking at a large global corporation with multiple units, geographic areas and product lines, and have to think about matrixing all that with all the regulations they are subject to."

While some aspects of GRC laws are vague, the federal government has defined seven elements that make up effective compliance. If a company can prove it has complied with these elements, any potential fine can be reduced by 95 percent.

Axentis has based its software on helping companies comply with the law and create an audit trail to prove compliance.

"It starts very basically by grouping people," says Lindseth. "In a company, the CEO and head of janitorial might be in the same group because they both hire people, and therefore have to follow guidelines of EEOC compliance. It may be the only compliance issue they share, but they both need to know the guidelines."

Once people are grouped, requirements are outlined and procedures created. These guidelines and requirements are automatically communicated by e-mail and require a response to prove a person had knowledge of them.

For example, a new hire might be required to read a sexual harassment policy. The policy can automatically be e-mailed within a set number of days of starting employment and require a response acknowledging receipt of the message. If a response isn't received in a defined time period, the person's boss is automatically notified. If the boss doesn't do anything, a notice is sent up the chain of command until the issue is resolved.

"Someone might get an e-mail that says, 'We detected in your last expense report that you gave a gift worth $120 to a doctor, and that violates our rules on gift-giving to doctors,'" says Lindseth. "It was detected in the sales expense system. That data sits there now, but the person responsible for doing something with it never does it. The system the data is in isn't compliant.

"Our system organizes people and requirements, and tells them what to do and when to do it. It tells people within the authority hierarchy they need to do something. It brings consistency to a broad plethora of activities."

The system is customizable so that internal policies can be applied the same way specific governance laws are. If a CEO wants to ensure everyone reads a new vacation policy, the system can be configured to demand the same sort of response as a Sarbanes-Oxley or other government requirement.

"At the end of the day, when a CEO and CFO sign off on Sarbanes-Oxley, they better know things are working the way they are supposed to," says Lindseth. "They are personally and potentially criminally liable, so they better have measurements.

"It's all about telling people what they are supposed to do and when it's appropriate to do so." How to reach: Axentis (440) 519-2929

Draconian nightmare

Businesses have been forced to deal with a slew of new privacy and financial regulations that are often vague and burdensome to comply with.

Some of the most common:

* Sarbanes-Oxley. Enacted mainly as a response to Enron and other corporate accounting scandals. The law requires companies to become more fiscally accountable. Compliance is difficult to define, so companies are often left to take their best guess as to how to comply.

* Gramm-Leach-Bliley. Limits the ability of financial institutions to disclose nonpublic personal information about customers to third parties. Institutions must also tell customers about their privacy policies.

* Health Insurance Portability and Accountability Act. Requires physicians and other health care professionals to take measures to protect the security and integrity of patients' private information kept in electronic form. The final provisions of this act take effect in October.

* Patriot Act. Extends law enforcement's surveillance and investigative powers. Businesses are responsible for seeking, detecting and reporting computer trespasses. Banks are expected to identify, discover, gather, amass, investigate and report on financial activity to a far greater degree than was ever expected before.