Melding Process, Security and Archiving to Certify with Confidence

1
Melding Process, Security and Archiving to
Certify with Confidence
  • Charles B. Clark
  • Business Development Manager
  • IMC
  • 11480 Commerce Park Dr.
  • Reston, VA 20191
  • (703)994-0725
  • cclark_at_imc.com

2
Enabling the Process
  • DocConnect Image Enables your Line of Business
    Application
  • Provides retrieval from your LOB transactions
  • Improves service and response with a short
    learning curve

More Important
  • DocConnect Image Enables your Process
  • By capturing images and data at the beginning of
    your process we facilitate:
      • Greater process control
      • Increased automation
      • Improved efficiency

3
Who We Are
  • Established 1981, privately owned
  • 350 employees
  • Global presence
  • Leadership in industry standards groups
  • Industry recognition for expertise
  • Headquarters in Reston, Virginia
  • Profitable and debt-free

4
Some of What We Do
  • Information Technology
      • Document imaging/COLD
      • Content Management
      • Advanced search and navigation
      • Work flow / e-Process
      • Data warehousing
      • Portals and e-business sites
      • Custom applications/integration
      • Regulatory Compliance
      • Data Recovery systems
      • Offshore development
  • Industries
      • Banking and Financial Services
      • Manufacturing
      • Technology
      • Life Sciences
      • Retail
      • Telecommunications
      • Transportation

5
Partial Customer List
  • Public Sector (Core Health, Environment, Veterans)
  • Life Sciences (Pharma, Biotech, Academia)
  • Commercial Sector Solution-Specific (Core
    Financial Services, Manufacturing)

6
  • Enabling Applications

7
DocConnect Architecture
8
Today's Topic: Compliance
  • Information Management Consultants
  • IMC
  • Information Management Compliance
  • IMC

9
Let IMC Remind You
  • Technology
  • Does Not
  • Deliver Compliance

10
Regulatory Compliance Is Not Just About SOX,
HIPAA, 17a-3, 17a-4, Patriot Act, Etc.
  • It is about your Company and its Level of
    Compliance Commitment
  • Policies and Procedures
  • Executive Responsibility
  • Delegation
  • Communication and Training
  • Auditing and Monitoring
  • Consistent Enforcement
  • Continuous Improvement

11
Companies Invest in EDMS/Workflow Solutions for
Productivity Gains!
Compliance is the Icing on the Cake
12
Case Studies
13
Security, Archiving and Process Management Can
Produce a Significant Positive ROI
  • Case Studies
      • Healthcare Company: 318% ROI in 4 months
      • Canadian Government Agency
          • ROI: 265% in 1.15 years
          • Average Annual Savings: 324,700 CDN
          • Annual Benefits per User: 2,598 CDN
  • Key Benefits
      • Improved information organization and access
      • Improved technology management
      • Improved records and audit management
      • Increased worker productivity
      • Increased IT staff productivity
      • Reduced communication costs
      • Reduced paper, filing, and file storage costs
      • Reduced administrative overhead
      • Reduced legal and regulatory costs
      • Reduced storage hardware and software costs

Non-financial consequences: jail time, fines, potential shareholder litigation
Source: Nucleus Research
14
Case Studies - Content Management
  • Ohio-based National Furniture Retailer chain
  • Implemented image-enabled A/P processing
  • Achieved 12 month ROI by eliminating FedEx
    Charges
  • Significantly reduced staff time spent retrieving
    paper documents from archive for store managers
  • Improved security and control over invoice access
  • Has now rolled-out content management to other
    areas within the organization

15
Case Studies-Content Management
  • Midwest Natural Gas Supplier
  • Image-enabled their A/P system
  • Now complete daily A/P processing in ½ day
    instead of a full day
  • Auditors strongly approved of solution and
    encouraged its further use
  • Centralized Contracts management
  • Implemented a contracts tracking system to ensure
    approval process compliance
  • Use full-text searching to increase monitoring of
    contractor compliance
  • Estimate over 500k annual savings, and
    significantly reduced risk for regulatory
    compliance
  • Audit firm certified document controls to be in
    compliance with Sarbanes-Oxley Act

16
Case Studies-Content Management
  • Large Extended-care Facility implemented content
    management system for patient charts
  • Use CD publishing utility to distribute requested
    info to third parties in a secure and password
    protected method
  • System maintains audit trail of activity
    information for HIPAA Compliance

17
Case Study-Messaging
  • Large Financial Services Company
  • Pain Points
      • Risk of non-compliance
      • Exchange server management issues
      • No audit trails for supervisory activity
  • LEGATO Solution
      • EmailXtender, EmailXaminer, DiskXtender
  • Benefits Realized
      • Reduced risk via full SEC and NASD Compliance
      • Audit by NYSE passed, 100% successful
      • Substantial reduction in time required to respond
        to audit (weeks to minutes)
      • Stable Exchange environment (via offloading
        archived email)
      • Storage space savings (removal of duplicate
        messages)
      • Automated operations (policy enforcement of
        supervisory rules, automated migration to WORM)
      • Flat staffing levels even with increased email
        messages/day

18
What do these case studies share in common?
19
The Bottom Line is Still The Bottom Line
What is the most significant business driver
behind your current interests?
20
Security, Process and Archiving in a Regulated
Environment
21
Regulatory Compliance Is Not Just About SOX
  • The Patriot Act: Tools Required to Intercept and
    Obstruct Terrorism
  • New Basel Capital Accord (Basel II), which is now
    scheduled to become effective for the top eight
    U.S.-based banks in 2007
  • Corporate and Criminal Fraud Accountability Act
  • State and Vertical Industry Regulations
  • HIPAA: Healthcare Privacy
  • SEC Rules 17a-3 and 17a-4: E-mail Management
  • Gramm-Leach-Bliley Act: Financial Privacy issues

All Require Some Form of Records Management,
Security and Process Oversight
22
What is Different?
Before
  • Civil Penalties (fines) only for fraud
  • Only final audit documents must be retained
  • Quarterly historic reporting
  • Internal audit processes were implicit, as long
    as the auditor certified them
  • Auditors were consultants
  • Final audit was opinion on accuracy of financial
    statements
  • Auditors had to understand internal controls

After
  • Criminal penalties for document falsification
  • In-process audit documents are retained
    off-balance sheet
  • Near real-time requirements to report events that
    will have adverse effect
  • Internal controls are mandatory and must be
    documented
  • Separation of audit and consulting
  • Sec. 404 of SOX requires auditor's attestation.
    Every process must be a 100 percent
    controls-based approach

Source: Gartner
23
Process and Control Are Key to SOX
Need for Broad Perspective to Comply With Sec 302
and 404
CONTENT ISSUES
  • Trusted Repository
  • Security
  • eSignatures
  • Certification of Reports
  • E-mail Retention/Archiving
  • Records Retention
  • COSO Framework
PROCESS ISSUES
  • Automate manual processes
  • Process Controls: Identify, Test, Certify
  • Documentation/Monitoring
  • Accelerated deadlines 10Q/K
  • Auditable workflows
SOX
It's Also Not Just About Archiving
COSO: Consortium of Sponsoring Organizations (AICPA,
AAA, FEI, IIA and IMA)
Source: Gartner
24
What Kinds of Documents Are We Talking About Here?
  • Corporate Board minutes and notes
  • Investor relations materials (news releases,
    newspaper clippings, market reports, etc.)
  • Financial control documents, transaction
    confirmations
  • Contracts
  • Due diligence documents, especially with regard
    to merger and acquisition activity
  • Corporate counsel activity
  • Records Management Administration
  • Internal and external audit activity
  • Corporate security
  • Internal fraud investigation activity
  • E-mail and fax analysis, storage (bulk
    processing)
  • And more

25
A Suggested Action Plan
26
Paths to Compliance
  • Evaluate existing controls
  • Identify high risk areas
  • Determine appropriate level of control
  • Security should not be stifling!
  • Establish and enhance controls
  • Ensure documentation passes 3rd party review
  • Communicate and train
  • Monitor via disclosure committee
  • Establish continuous improvement process
  • Certify with confidence

27
Think Enterprise Architecture
SOX
HIPAA
Patriot Act
Source: BPM Institute
28
Compliance Committee Checklist
Source: Gartner
29
Addressing Compliance with Confidence
Move toward becoming a "Real-Time Enterprise"
30
Making Compliance Pay Off
Nearly 77% of companies will spend more on IT,
Business Process Change, Corporate Governance,
and/or consulting this year as a direct result of
SOX compliance (Source: AMR Research)
  • Get your compliance strategy in order by:
      • Overall productivity improvement
      • Implementation of revenue enhancing document
        processes and repositories
      • Total regulatory process optimization
  • A well thought out regulatory compliance strategy
    can provide a positive return on investment

31
Compliance Reference Access
  • All Regs: Basic Internet Search
  • SOX: arma.org, Sarbanes-Oxley-Forum.com
  • HIPAA: arma.org, cms.hhs.gov/hipaa
  • 17a-3: Univ. of Cincinnati College of Law
  • 17a-4: 17a-4.com
  • Gramm-Leach-Bliley: ftc.gov/privacy/glbact/

32
Questions??
  • How should I address the retention of
    capital-related invoices, especially when they
    relate to buildings and other assets that will be
    around a long time? Do they need to be permanent?
  • Our document retention is just a few years, but
    with grants involved we need to retain longer.
    How long would that be?
  • Machine-sensible records: when do electronic data
    files replace the original paper documents, and
    do they relieve the requirement to retain paper?

33
Thank You
  • Charles B. Clark
  • Business Development Manager
  • IMC
  • 11480 Commerce Park Dr.
  • Reston, VA 20191
  • (703)994-0725
  • cclark_at_imc.com