Compliance Solutions

Fortis
Enterprise Document Management
Westbrook Technologies Inc
(August 2007)
SLIDE 1
Regulatory & Compliance
Landscape
• Corporate Governance
– Sarbanes Oxley
– Accounting practices
– Transparency and ethics
– SEC regulations
• IRS, Labor, State Certification Legislation
– Records retention
– Records availability and retrieval
• Public Information and records
– HIPAA, FERPA
– State public records legislation
• OSHA, EPA, FDA
– CFR21Part11, GMP, NDA, Clean Water, Clean Air
• Federal Reserve
– Check 21
SLIDE 2
Business Challenges
• Ensure corporate policies and practices are being followed.
• Ensure corporate governance regulations are being
followed.
– Document retention
– Document integrity:
• Who can view documents and when
– Audit access/viewing of sensitive documents
• Who can modify, alter, discard documents
– Security over modification, versioning, deletion
– Block overrides, workarounds
• Records retention
– Retention schedules
– Destruction schedules
– Disaster recovery
• Impact on core business
– Minimize impact to ongoing business processes and functions
– Minimize cost and risk
SLIDE 3
Compliance: Common Ground
• What are the key issues – how can document
management help?
• Compliance in the bigger picture is a business practices
and business ethics issue; EDM can be a major
supporting system:
– Business processes: Workflow and document security/retention policies
– Roles and responsibilities: Security and access rules
– Records Management: Document management archiving, retention, and control
– Fraud prevention: Integrity of document archive, version and modification control & tracking, audit trail of accesses
– Auditing: Document capture, access, revision and destruction auditing
– Legal oversight: Document query for discovery and investigation
– Security and disaster recovery: Archiving and electronic backup
SLIDE 4
Compliance: Fortis Key Features
• Capture:
– Capture, index all regulated documents
• Office:
– Put all Office documents (MS Word, email) under revision
control and retention
• Versioning:
– Track/control modification of documents
– Maintain version histories and record of who modified
• Security:
– Manage access, revision, destruction rights
– Audit trail
• Index/retrieval:
– Auditing, discovery, access
• Archiving:
– Records management, disaster recovery
SLIDE 5
Fortis integrated to Line of Business (LOB)
Systems
• Fortis Office captures office documents (created and
revised) systematically and manages their retention.
• Fortis integration with ERP, CRM and SCM systems links
financial documentation with financial and business
transactions.
• Fortis Approveit provides auditable approval cycles for
invoices, receivables, payables, expenses.
• Fortis ERM systematically captures and archives reports
for financial and business systems.
SLIDE 6
Fortis: Compliance Benefits
• Ensure document control and retention.
• Facilitate document auditing and discovery.
• Enforce business processes:
– Workflows
– Security models
– Retention policies
• Responsiveness to business changes:
– Flexible security, capture, workflow models
• Ability to audit
• Archive security and disaster recovery capability
SLIDE 7
Sarbanes Oxley Act - Penalties
• Failure to maintain financial or audit workpapers (for 7
years):
– Felony penalty: Up to 10 yrs in prison
• Destruction or alteration of papers or records:
– Felony penalty: Up to 20 yrs in prison
• Securities fraud:
– Criminal penalty: Fine and/or up to 25 yrs in prison
• Violation of any SEC provisions:
– Penalties increased to up to $25 million fine and 20 yrs in prison
• Statute of limitations increases:
– 2 yrs from date of discovery and 5 yrs from date fraud committed
• Lack of auditing vigilance:
– Audit firm can have registration suspended or revoked
– Civil penalties
SLIDE 8
Sarbanes-Oxley Act
Overview
• Impacts Publicly Traded Firms
• Corporate Governance
• CEOs and CFOs personally responsible for quality of internal
reporting.
How Document Mgmt is Applied
• Internal processes
• All audit-related documents, including working papers, must be
retained for 7 years.
– Selective retention of emails
– All associated financial documents (paper documents, electronic
documents)
• Document management – a compliance tool:
– Document control, security control
– Internal controls - documentation
– Internal controls - workflows
– Dashboard:
• Visibility of controlled documentation
• Business process documentation
• Security and access auditing
SLIDE 9
HIPAA
Overview
• Pertains to providers and insurers
• Requires guaranteeing privacy of patient medical and personal
data
• Accessibility of information must be strictly limited to those
with a “need to know”
How Document Mgmt is Applied
• Capture all patient records
• Place patient records and charts within a security model
– Secure retention
– Control access by document type and by patient
• Document retrieval
– Record retention, archiving
– Remote and indexed retrieval
– Patient file portability with security model maintained
SLIDE 10
OSHA
Overview
• Health testing data.
• Plant safety
21CFR11
How Document Mgmt is Applied
• Place health testing data within a records management environment.
– Secure retention.
– Control access by document type and by patient.
– Record retention, archiving.
– Remote and indexed retrieval.
– As built.
– Mgmt of change.
• Capture plant-wide documentation.
– Manage versioning, revision, change approvals.
– Retrieval by plant systems and events.
SLIDE 11
FDA
Overview
• Good manufacturing practices.
– Manufacturing procedures.
– Lot documentation and auditing.
– Testing data
How Document Mgmt is Applied
• Place lot documentation in a document management environment.
– Capture all lot records, testing.
– Manage by lot, by timestamp, by plant.
– Record retention, archiving.
– Archiving, retrieval, retention.
• Capture plant-wide documentation.
– Manage versioning, revision, change approvals.
– Retrieval by plant systems and events.
SLIDE 12
NJ OPRA
(Example of State Records Management Laws)
Overview
• Open access to public information
– Minimum access hours
– Response time
• Web access a preferred mechanism
• Ensure privacy of citizen’s personal data
How Document Mgmt is Applied
• Capture, manage, retain public records
• Security model
– Control access to personal information
– Control access to information types exempted from public access
• Document retrieval
– Web publish public document portal
– Powerful indexing and retrieval
• Archiving and disaster recovery
SLIDE 13
Compliance: Fortis Customer Examples
• Saucony, Inc.: Sarbanes-Oxley
– Establish and audit internal controls.
– Disclosure of “material events” within 48 hrs
• Merchant Services Inc.: FTC Records retention
– Risk, Fraud & Chargeback transaction mgmt
– FTC records retention compliance
– Risk and fraud investigation speed
• HTI Inc.: OSHA Health records and documents
– Mobile industrial health risk testing records
– OSHA 30 year record retention compliance
– HIPAA / OSHA privacy rules
• Dassault Falcon Jet: FAA safety and records-keeping rules
– Aircraft Services Engineering
– Engineering information management and retrieval
– FAA service and documentation requirements
SLIDE 14
Fortis Customers – cont.
• MT Business Technologies: IRS, DOL
– IRS required records keeping
– DOL employee records retention
• Union Hospital: HIPAA
– Security and privacy compliance for HIPAA
– Retrieval of 2.8 million medical records
• Sotheby’s UK: Customs / export compliance
– Proof of ownership, import/export paper trail
– UK customs and excise compliance
• Banner Health Hospitals: Credentialing
– Physician credentialing and updating
– Compliance with state licensing, DEA
• Agfa Medical Devices: Non-conformance
– Comply with FDA recall regulations
SLIDE 15
The Fortis Value Proposition
• The Fortis document management provides strong
business benefits:
– Improved work processes
– Better and faster access to crucial business information
– Better performance in functions such as customer service and
accounts payable
– Eliminate paper storage costs and overhead
– Improve disaster readiness and recovery
• At the same time as those business benefits are being
realized, Fortis achieves regulatory compliance:
– Control over document retention, modification, destruction
– Powerful search to achieve discovery, auditing
– Require workers to follow designed business processes
– Security to ensure privacy
• And:
– Safeguard intellectual property
– Guard against business espionage
SLIDE 16