Risk & Compliance
“If you think compliance is expensive, try noncompliance.”
- Former U.S. Deputy Attorney General Paul McNulty
Businesses in virtually every industry are facing mounting regulatory compliance
issues driven by legislation, financial audits and litigation, yet companies continue
to retain and store critical business records on paper despite the risks that it
poses. Here is where technology begins to play an important role.
Beefing up information access control
Even a locked file cabinet or file storage room can be broken into. A robust document
management application requires robust user authentication with IDs and passwords
to retrieve, view or share documents.
Auditing is an essential component of compliance and risk mitigation
To protect your business from compliance violations and penalties, it's essential
to have the ability to track and report which users viewed, annotated or deleted
a document. Simply scanning documents onto a server or filing images in encrypted
folders won't cut it - you need a comprehensive document management system that
provides user or document tracking and reporting.
Putting these monitoring and auditing capabilities in place is more than half the
battle in ensuring compliance. A centralized document management system helps streamline
any potential needs that may stem from audits or litigation (e-discovery) and limits
the possibility of missing documents, which could expose your business to fines
or judgments. A well-maintained document management system can offset considerable
legal discovery and audit costs by making relevant business records readily available.
Regulatory need-to-knows
- HIPAA: This security rule, affecting any business offering or managing healthcare plans and effective April 21, 2005, requires best practices for ensuring that electronic patient data is kept confidential, available as needed and maintained with its integrity intact. Penalties for non-compliance: fines up to $250,000 and imprisonment up to 10 years.
- Sarbanes-Oxley Act: For public companies, provides requirements for audit committees, financial reporting, insider trading, executive loans, change disclosure and management's assessment of controls. Penalties for non-compliance: fines of up to $5 million and 20 years' imprisonment for destroying e-mails.
- Gramm-Leach-Bliley Act: Requires financial services companies to implement safeguards for customers' current and legacy information. Penalties for non-compliance: fines of up to $10,000 and up to five years' imprisonment.
- Payment Card Industry: Requires that any company collecting credit card information keep cardholder data secure and have processes in place for protecting and monitoring access to data. Penalties for non-compliance: fines between $5,000 and $100,000 per month.
- SEC 17a-4: Gives retention periods for securities broker/dealer records and stipulates requirements if electronic record-keeping systems are used. Penalties for non-compliance: fines up to $500,000 and imprisonment.
- The Patriot Act: Requires that identifying information used to open bank and credit card accounts be maintained for five years after the date the account is closed. Penalties for non-compliance: fines of up to $1 million and imprisonment.
- IRS Rev. Proc. 97-22: States that an electronic storage system must ensure an accurate and complete transfer of the hardcopy or computerized books and records to electronic storage media, and must also index, store, preserve, retrieve, and reproduce the electronically stored books and records.
- 21 CFR 11: Defines the recommendations for managing audit trails, access control and electronic records retrieval for healthcare and pharmaceutical companies.