By John Patzakis and
In response to a wave
of high-profile corporate crime such as the Enron debacle, [ii]
Congress passed the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”), and
President Bush signed the act into law on July 30, 2002.
Sarbanes-Oxley was enacted to protect investors by combating corporate
crime and improving corporate governance. [iii]
As many commentators have noted,
Sarbanes-Oxley requires companies to implement extensive corporate governance
policies to prevent and timely respond to fraudulent activity within the
For example, Sarbanes-Oxley expressly requires publicly traded
companies to create anonymous hotlines for the reporting of fraud, and it
requires executives to certify that their financial statements are accurate.
These and other
provisions require companies to closely review their policies and procedures
regarding internal investigations, and implement the necessary processes and
tools to respond timely and effectively to reports of fraudulent activity.
With the vast majority of information now generated in digital format, [v]
the recovery and analysis of digital data is the primary process for internal
corporate investigations. In other words, for effective self-policing,
including the timely detection and response to reports of fraudulent activity,
companies must have the ability to acquire, search and preserve electronic
data related to fraudulent activity.
however, are ill-equipped to acquire the necessary electronic data that is
central to identifying and responding to incidents of fraud. While companies have spent considerable time adopting and
amending policies in response to Sarbanes-Oxley, relatively few have
implemented the information technology infrastructure that will enable
companies to turn anti-fraud policies into concrete results.
This paper addresses the critical importance of internal computer
investigations as a central component to maintaining adequate corporate
financial controls under Sarbanes-Oxley, and why companies must establish a
technical and procedural infrastructure to perform such investigations.
The paper also explains the current challenges companies face in
creating an infrastructure that is adequately equipped to fulfill the intent
of Sarbanes-Oxley, and the steps companies can take to create an effective and
A major component of
the Congressional response to “the
shenanigans . . . that ha[d] been going on in corporate America”
was to reaffirm the primary responsibility of the Board of Directors and
senior management for any misstatements in a company’s SEC filings, while
increasing penalties for securities fraud. [vii]
Section 302 of Sarbanes-Oxley broadened the scope of accountability for
CEOs and CFOs by requiring them to personally “certify their companies’
financial reports and disclosure controls and procedures, with a potential $5
million fine and up to 20 years in prison as penalties for violations.” [viii]
Section 404 of Sarbanes-Oxley requires companies to institute effective
“internal controls.” Importantly, this responsibility encompasses more than mere
accounting practices. In June
2003 the SEC issued its final rules under Section 404 of Sarbanes-Oxley.
The SEC noted that “internal control is a broad concept that extends
beyond the accounting functions of a company.” [ix]
Under the SEC’s rules, the
internal controls process must include policies and procedures that:
assurance regarding prevention or timely detection of unauthorized
acquisition, use or disposition of the [company’s] assets that could have a
material effect on the financial statements. [x]
Section 302 also
specifically identifies internal fraud as an event that would require
disclosure by senior management. Put simply, an adequate internal control
structure must include “controls related to the prevention,
identification and detection of fraud.” [xi]
(Emphasis added). Clearly, then,
the necessary controls involve much more than proper accounting. Insider
trading and other internal financial fraud, theft of intellectual property and
large-scale misappropriation of customer information are incidents that would
In fact, in order for a
CEO or CFO to properly attest that proper internal controls are in place, the
executive must certify under 302 that he or she has disclosed “any fraud,
whether or not material, that involves management or other employees who have
a significant role in the issuer’s internal controls.” In addition to
these 302 requirements, Sarbanes-Oxley places increased responsibility on
senior management and the Board of Directors for any misstatements in a
company’s SEC filings. As such, the board and senior management may be
potentially liable for failing to disclose incidents of internal fraud, such
as intellectual property theft or misappropriation of customer information.
addresses corporate fraud from another direction:
by providing protection for employees of public companies who report
fraud. Section 806 of
Sarbanes-Oxley is entitled “Protection for Employees of Publicly Traded
Companies Who Provide Evidence of Fraud.”
The “Whistleblower” protections of Section 806 include protections
for employees who provide information concerning “any conduct which the
employee reasonably believes constitutes [fraud, wire fraud, bank
fraud, or securities fraud], any rule or regulation of the Securities and
Exchange Commission, or any provision of Federal law relating to fraud against
As a result, if the
employee reasonably believes that fraud is occurring, the reporting of the
activity is protected, whether or not any fraud is in fact taking place.
The protection applies not only when the employee provides information
to law enforcement, but also where the employee provides information to “a
person with supervisory authority over the employee (or such other person
working for the employer who has the authority to investigate, discover, or
terminate misconduct).” [xiii]
Thus, Section 806 covers every situation in which an employee reasonably
believes that wrongdoing is occurring, and reports such alleged wrongdoing to
the appropriate channels within the company.
The strong protections
afforded to whistleblowers encourage such reporting without fear of
retaliation. In turn, companies must thoroughly investigate reports from
whistleblowers as a control activity. For instance, because senior executives
must disclose relevant instances of fraud under section 302, the failure to
diligently act upon reports from whistleblowers would likely violate the
reporting requirements under 302 as well as the internal controls provisions
under section 404. Moreover, if a
company is convinced that an employee’s reported belief about possible fraud
is unreasonable, the company nevertheless needs to conduct a thorough
investigation to support its assessment of the situation.
Only then can the company have the confidence to reject a whistleblower
report as unfounded.
directly involves the Board of Directors in setting policy for the handling of
whistleblower complaints. Section
301 of Sarbanes-Oxley requires the Board’s audit committee to “establish
procedures for (A) the receipt, retention, and treatment of complaints
received by the issuer regarding accounting, internal accounting controls, or
auditing matters; and (B) the confidential, anonymous submission by employees
of the issuer of concerns regarding questionable accounting or auditing
Thus, as is the case for other provisions of Sarbanes-Oxley, the
responsibility for the proper treatment of whistleblower complaints is
squarely placed at the highest levels of each public company.
These and other
provisions of Sarbanes-Oxley make it essential that companies have the ability
to respond to allegations of fraud. According
to Greg Schaffer, Director of Cybercrime Prevention and Response for
PricewaterhouseCoopers, Sarbanes-Oxley’s requirements “are causing many
public companies to hire investigators, including computer forensic experts,
far more regularly to review allegations of wrongdoing or indications of
potential fraudulent activity detected by internal company control structures.
Just detecting possible instances of internal fraud is not enough in
today’s environment; those instances must be properly investigated and
addressed.” In order to investigate such allegations quickly and
effectively, whether the investigation is handled internally or outsourced,
all relevant evidence must be gathered, preserved, and analyzed.
For publicly traded companies, this can only be done by ensuring that
the company has the necessary technology and training to acquire,
search and preserve its electronic data.
Computer Forensics Required for Effective Internal Investigations
Even prior to
Sarbanes-Oxley, courts recognized the importance of preserving electronic data
in connection with litigation, including securities fraud investigations.
For example, in In re Bristol-Myers Squibb
Securities Litigation, [xv]
the court determined that the discovery of computer evidence was critical to
ensure a proper investigation of alleged corporate fraud.
The court noted that as the vast majority of documentation now exists
in electronic form, electronic evidence discovery should be considered a
standard and routine practice going forward. [xvi]
The provisions of Sarbanes-Oxley will certainly induce courts and
auditors to look closely at a company’s ability to forensically preserve and
analyze electronic data.
Other agencies and
groups have also adopted standards regarding computer forensics. The leading international information security best practices
standard, ISO 17799, calls on enterprises to use computer forensics to
preserve the admissibility of evidence:
For information on
computer media: copies of any removable media, information on hard disks or in
memory should be taken to ensure availability.
The log of all actions during the copying process should be kept . . . [xvii]
The mere focus upon
computer data, however, is not enough. Computer evidence must be properly
collected, verified and handled under accepted computer forensic procedures to
ensure its accuracy and admissibility in court. As recognized by the courts [xviii],
if a company does not have the tools necessary to collect evidence in a manner
that preserves its admissibility in court, the inability to prosecute or
otherwise institute disciplinary action will likely have diminished impact on
employee behavior, and the company risks compromising its legal (and hence its
When an incident is
first detected, it may not be obvious that it will result in possible court
action. Therefore, the danger
exists that necessary evidence is destroyed accidentally before the
seriousness of the incident is realized. [xix]
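The collection, verification and logging steps the paragraphs above call for, shown as an added example that is not part of the original paper or of any product it describes: the script takes a copy of a piece of evidence, verifies the copy by SHA-256, keeps a log of every action during the copying process (as the ISO 17799 passage requires), and lets the copy be re-verified later. The file names, examiner name and sample evidence are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20  # hash in 1 MiB blocks so large images never load into memory


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class AcquisitionLog:
    """Append-only record of every action taken during the copying process."""

    def __init__(self, examiner):
        self.examiner = examiner
        self.entries = []

    def record(self, action, **details):
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        self.entries.append({"time": stamp, "examiner": self.examiner,
                             "action": action, **details})

    def write(self, path):
        with open(path, "w") as f:
            json.dump(self.entries, f, indent=2)


def acquire(source, dest, log):
    """Copy source to dest, hash both sides, and refuse a copy that does not verify."""
    log.record("hash-source", path=source)
    before = sha256_of(source)
    log.record("copy", source=source, dest=dest)
    shutil.copyfile(source, dest)
    os.chmod(dest, 0o444)  # the working copy is read-only from here on
    after = sha256_of(dest)
    log.record("hash-copy", path=dest)
    log.record("verify", source_sha256=before, copy_sha256=after,
               verified=(before == after))
    if before != after:
        raise RuntimeError("copy does not match source; do not treat it as evidence")
    return {"source_sha256": before, "copy_sha256": after}


def verify_copy(path, expected_sha256):
    """Re-check, before analysis or production, that the copy is still unchanged."""
    return sha256_of(path) == expected_sha256


def demo(tamper=False):
    """Acquire a constructed sample file; optionally alter the copy afterwards."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "ledger.xls")  # constructed sample evidence
    with open(src, "wb") as f:
        f.write(b"constructed sample ledger row\n" * 1000)
    copy = os.path.join(work, "ledger.xls.dd")
    log = AcquisitionLog(examiner="examiner-1 (placeholder)")
    hashes = acquire(src, copy, log)
    log.write(os.path.join(work, "acquisition_log.json"))
    if tamper:  # simulate a later, unlogged change to the copy
        os.chmod(copy, 0o644)
        with open(copy, "ab") as f:
            f.write(b"x")
    return {**hashes, "copy_path": copy, "log_entries": len(log.entries),
            "still_verifies": verify_copy(copy, hashes["copy_sha256"])}
```

Running `demo()` leaves the copy, its hashes and `acquisition_log.json` in a temporary directory; `demo(tamper=True)` shows that any later change to the copy is caught by the stored hash.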
An enterprise can
minimize this danger by utilizing the best computer forensics tools available
for response to security incidents so that collecting data will be quick and
management is required to include in the company’s annual report an
assessment of the effectiveness of the company’s relevant internal controls.
Thus, at the end of each fiscal year, management must evaluate the
effectiveness of the company’s internal controls. [xxi]
This evaluation must be based on a “suitable, recognized control
Although the rules do not mandate the usage of a particular framework, [xxiii]
the “report of the Committee of Sponsoring Organizations of the Treadway
Commission (COSO), titled Internal Control – Integrated Framework,
contains the suitable criteria most commonly used in the United States. [xxiv]
In the release issuing the final rules for Section 404, the SEC
specifically noted that “[t]he COSO Framework satisfies our criteria and may
be used as an evaluation framework for purposes of management’s annual
internal control evaluation and disclosure requirements.” [xxv]
As a result, at this time nearly all companies subject to
Sarbanes-Oxley will be using the COSO Framework to evaluate the effectiveness
of their internal controls.
The COSO Framework
recognizes that one of the “temptations” for employee fraud is
“nonexistent or ineffective controls,” as well as “high decentralization
that . . . reduces the chances of getting caught.” [xxvi]
Thus, in order to prevent employee fraud, a company should have in
place effective controls that increase the likelihood of getting caught.
The ability to identify
and detect fraud is likewise enhanced by computer forensics. COSO specifically
recognized the risks of internal fraud: “Former
or disgruntled employees can be more of a threat to a system than hackers.” [xxvii]
In addressing this risk, a company utilizing the COSO Framework needs
to deploy a computer investigation framework for effective risk management of
internal fraud. Of course, the
COSO Framework was not addressing computer forensics when it was published in
1992. However, COSO recognizes
that “[i]nternal control systems change over time.” [xxviii]
Indeed, “the assessment of risks not only influences the control
activities, but may also highlight a need to reconsider information and
communication needs.” [xxix]
When assessing a
company’s ability to gather and access the necessary information regarding
internal fraud (or any computer security incident), the quality of the
information is thus paramount. Only
an effective computer forensics capability allows a company to gather
accurate, timely information concerning the incident, and permits the ready
access to that information. COSO
does not itself mandate specific technology infrastructure or software.
Instead, it recognizes that the “complexity of an entity, and the
nature and scope of its activities, affect its control activities.” [xxx]
Indeed, the COSO Framework notes, “factors that influence an
entity’s complexity and therefore, the nature of its controls include:
location and geographical dispersion, the extensiveness and sophistication of
operations, and information processing methods.” [xxxi]
For many companies, given the breadth of their operations, only an
enterprise-wide, network-enabled computer forensics capability will satisfy
the “Information and Communication” aspects of COSO (and, thus,
Sarbanes-Oxley) with respect to computer security incidents.
Response Capability for Rapid Investigations Necessitated By Sarbanes-Oxley
Section 409 of
Sarbanes-Oxley underscores the fact that the law does not tolerate delay with
respect to investigations. Entitled
“Real Time Issuer Disclosure” Section 409 requires disclosure to the
public “on a rapid and current basis [any] information concerning material
changes in the financial condition or operations” of the company. [xxxii]
Although the SEC has not yet promulgated regulations under Section 409,
the statute itself is clear: each
reporting company must communicate timely information to the public.
In order to do so, a company must effectively and rapidly respond to
internal incidents (such as financial fraud) and external attacks that can
have a material effect on the company.
When it comes to
penalties, Sarbanes-Oxley reserves the most severe sanctions for those guilty
of destroying records, including electronic data.
Under Section 802 of Sarbanes-Oxley, fines of up to $5 million and
imprisonment of up to twenty years can be imposed upon “[w]hoever knowingly
alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false
entry in any record, document, or tangible object with the intent to impede,
obstruct, or influence” any government investigation or official proceeding.
Given the genesis of Sarbanes-Oxley in the Enron/Andersen fiasco, it is
not surprising that evidence destruction now carries heavy penalties.
In order to guard
against employee malfeasance in the face of a pending or threatened government
investigation, a company needs to have the ability to preserve potentially
relevant evidence, and quickly respond to instances of electronic data
destruction through a network-enabled computer forensics capability. Although
under Section 802 the employee who destroys evidence would face criminal
penalties, the company needs to be able to defend itself from claims that the
employee misconduct was performed with the official sanction of or at the
direction of management (such as was alleged in the Andersen case). In order
to do so, the company should have the capability to rapidly and thoroughly
restore, collect, and preserve the relevant evidence. A network-enabled
computer forensics capability provides a company with the ability to rapidly
undelete, analyze, and preserve all of the digital evidence associated with a
government investigation, thereby blunting any subsequent claim that any
destruction of evidence by employees was authorized or overseen by management.
Even before the passage
of Sarbanes-Oxley, the SEC’s official position regarding internal
investigations was that effective self-policing and cooperation with law
enforcement could reduce or even eliminate a corporation’s liability for
violation of the federal securities laws.
For instance, the SEC’s investigation into Seaboard Corporation found
that the controller of one of Seaboard’s divisions had caused Seaboard’s
books and records to overstate assets and understate expenses, and had
subsequently actively concealed such misstatements. [xxxv]
Although the SEC ordered relief against the controller, it took no
enforcement action against Seaboard, due to the company’s prompt and
thorough response to the incident, as well as its cooperation with the SEC. [xxxvi]
The SEC noted that the public at large benefits when “businesses seek
out, self-report and rectify illegal conduct.” [xxxvii]
The SEC, in deciding “whether, and how much, to credit self-policing,
self-reporting, remediation and cooperation,” [xxxviii]
established four broad measures for it to assess:
Indeed, in order to
cooperate effectively with the SEC and law enforcement, a company must be able
to “identify . . . evidence with sufficient precision to facilitate
prompt enforcement actions against those who violated the law.”
A network-enabled computer forensic capability enables a company to
capture, preserve, analyze and turn over to investigators all of the available
digital evidence relevant to an investigation.
As a result, this capability enables self-policing, self-reporting, and
effective cooperation with law enforcement, thereby strongly supporting a
company facing an SEC investigation.
an Adequate and Compliant IT Infrastructure To Support Internal Investigations
From the standpoint of
determining best practices and due diligence for internal investigations,
computer forensics is a standard practice in enforcement investigations for
agencies such as the FBI, United States Secret Service and the Securities and
Exchange Commission. When these agencies investigate public companies,
collecting and analyzing the computer evidence is central to their efforts.
Corporations can and should adopt similar internal capabilities for effective
internal fraud investigations.
developed by Guidance Software, is the leading computer software program
utilized by law enforcement, regulatory agencies, and corporate computer
forensic specialists. EnCase
Enterprise Edition is specifically designed to provide on-demand
enterprise-wide incident response and forensic analysis, thus enabling
immediate, thorough, and non-disruptive computer forensic investigation of
desktops and servers anywhere on a wide-area-network from a centralized
location. This powerful capability dramatically facilitates the handling and
management of internal fraud investigations throughout the organization, which
greatly facilitates compliance with the internal investigation mandates of
Sarbanes-Oxley to combat financial crimes and fraud committed by corporate
insiders. These crimes are compelling internal incidents that warrant
immediate response and investigation. Network-enabled computer forensics tools
such as EnCase Enterprise Edition are an ideal methodology for timely
detecting the “unauthorized acquisition, use or disposition” of company
assets and provide an important component of an internal framework for
internal investigations. Further, a company’s management can feel
confident that including such tools in its assessment of the company’s
internal controls will pass muster with regulators, since the SEC and numerous
other federal agencies use the leading computer forensic software in their own
internal incidents, as well as enforcement investigations.
Victor Limongelli is General Counsel of Guidance Software, Inc.
Congress acted “in response to Enron, Global
Crossing and other bankruptcies.”
Representative Oxley, 148 Cong. Rec.
H5462-02, at *H5462. See also
“The events of the past months have underscored the importance of
transparency in corporate governance. While many believed that Enron was
an isolated occurrence, the failures of Tyco, Global Crossing, and
WorldCom have eroded confidence in the markets, both here and overseas”
Representative Jones, 148 Cong. Rec. H5462-02, at *H5469.
According to Senator Sarbanes, “[t]he bill sets significantly higher
standards for corporate responsibility governance.
. . .
are also extensive criminal penalties contained in this legislation . . .
These provisions, among other things, require the CEOs and CFOs to certify
their company's financial statements under penalty of potentially severe
Senator Sarbanes, 148 Cong. Rec. S7350-04, at *S7351.
One of the central themes underlying Sarbanes-Oxley is that public
companies need to institute and maintain adequate internal controls to
prevent and timely detect fraudulent activities.
Another galvanizing factor was the rampant destruction of computer
evidence that occurred in the Arthur Andersen/Enron case.
See the Arthur Andersen indictment, which alleges that “an
unparalleled initiative was undertaken to . . . delete computer files”
re Bristol-Myers Squibb Securities Litigation, 205 F.R.D. 437, 440, fn2
Representative Bentsen, 148 Cong. Rec. H5462-02,
“Sarbanes-Oxley increased criminal penalties for securities fraud to up
to 25 years in jail and $2 million in fines.”
The Sarbanes-Oxley Act: The
First Year, House Committee on Financial Services, at 14.
The Sarbanes-Oxley Act: The
First Year, House Committee on Financial Services, at 5.
68 FR 36636, 36638, June 18, 2003.
68 FR 36636, 36640, June 18, 2003.
68 FR 36636, 36643, June 18, 2003.
18 U.S.C. § 1514A(a)(1).
18 U.S.C. § 1514A(a)(1)(C).
15 U.S.C. § 78f(m).
F.R.D. 437 (2002)
205 F.R.D. at
ISO 17799, § 22.214.171.124.
State v. Cook, 777 N.E.2d 882, 2002 WL 31045293 (2002 Ohio App.); Gates
Rubber Co. v. Bando Chemical, Indus., Ltd 167 F.R.D. 90, 112 (D.C. Col.,
ISO 17799, § 126.96.36.199.
68 FR 36636, 36642, June 18, 2003.
17 CFR § 240.15d-15(c).
17 CFR § 240.15d-15(c).
“A suitable framework must:
1. Be free from bias
2. Permit reasonably consistent qualitative and quantitative measurements of a company’s internal control;
3. Be sufficiently complete so as not to omit factors that would alter a conclusion about the effectiveness of a company’s internal control; and
4. Be relevant to an evaluation of internal control over financial reporting.” The Sarbanes-Oxley Act of 2002: SEC Issues Final Rules Regarding Internal Control Over Financial Reporting Under Section 404, Cooley Godward LLP, Aug. 4, 2003, at 5.
KPMG’s Defining Issues, No. 03-13, June 2003, at 4.
68 FR 36636, 36642, June 18, 2003.
COSO Framework, at 25.
COSO Framework, at 53.
COSO Framework, at 69.
COSO Framework, at 18.
COSO Framework, at 55.
COSO Framework, at 56.
15 U.S.C. § 78m(l).
As of September 19, 2003, the SEC did not cover Section 409 under its
“Summary of SEC Actions and SEC Related Provisions Pursuant to the
Sarbanes-Oxley Act of 2002”, available at:
18 U.S.C. § 1519.
[xxxv] In the Matter of Gisela de Leon-Meredith,
Exchange Act Release No. 44970 (October 23, 2001).
[xxxvi] Exchange Act Release No. 44969 (October 23,
SEC Release 2001-117 (October 23, 2001).
[xl] Exchange Act Release No. 44969 (October 23,
EnCase is a registered trademark of Guidance Software, Inc.