It has been five years since Congress passed the
Sarbanes-Oxley Act (SOX) and, yet, questions continue about how to
effectively comply with the Act and what documents need to be retained and
for how long. When Congress passed SOX in July 2002, it imposed new
accounting and financial reporting requirements on publicly traded
companies. This impacts all companies traded on US exchanges with revenues
in excess of $75 million and also applies to private companies to some
degree. Compared to most Congressional Acts, SOX is fairly brief, only
containing 66 pages, and yet thousands of pages of articles, including
this one, have been written about how the Act affects businesses, both
public and private. The most important sections of SOX create strict new
rules about how companies must manage their records and SOX takes a very
broad definition of the word “records”. A record, under SOX, is any
material that contains information about the company’s plans, results,
policies or performance. Thus, anything about the company that can be
represented with words or numbers is considered a business record and
companies are now expected to retain and manage every one of those
records, for several years or in some cases permanently depending on the
nature of the information. The need to manage potentially millions of
records annually creates many new challenges for the business, for every
department head and especially for the IT department, which must develop
solutions to securely store, maintain and manage all this data.
Sections 302 and 404 have the greatest business
impact in terms of ongoing compliance obligations. Section 302 became
effective with the original Act and Section 404 became effective in 2004.
Section 302 pertains to corporate responsibility for financial reporting,
and requires that the CEO and CFO personally stand behind the accuracy of
their company’s quarterly and annual financial statements. In order for
the CEO and CFO to certify that the financial statements are 100% correct,
systems must be developed and in place to pull together all of the
business performance data from all across the company – even if that
data resides in various departments, business units, in separate data
centers or on different networks and in different countries. At the end of
each quarter, all of the business information must unite into one
comprehensive and accurate financial view of the business. In many
instances the numbers are created on spreadsheets and flow back and forth
between departments and business units as final numbers are revised.
During this process and depending on the size of the company, potentially
hundreds of people have input into the final data to be reported. All of
these spreadsheets, as well as all of the documents and emails that were
used to arrive at the final financial conclusions, are considered records
under SOX and must be maintained. For example, let’s say an accountant
in one of the company’s divisions is working to finalize the
division’s quarterly sales and receives an email from the division sales
manager to change a sale for Customer A from $20 million to $30 million.
That email now becomes a business record under SOX, and so does every
other record in the company that may be used to shape or influence the
company’s financial reporting. It must not only be retained but must also
be auditable in the event of any investigation.
Before the CEO and CFO sign off on the company’s financial
statements there should be a process in place to manage all of the records
that went into creating the financial statements. They both face severe
penalties, including prison, if serious errors or fraud is discovered in
the financial reporting.
Section 404 requires that annual reports contain a
discussion of the effectiveness of internal controls. This places major
responsibility on the CFO, the company’s Chief Compliance Officer, and
the company’s external auditors, who must provide a public opinion about
the reliability and effectiveness of the company’s internal controls.
Internal controls not only include policies and processes but also the
company’s IT systems and record retention. A lack of good records
retention or document management technology might imply a serious lack of
reasonable internal controls to an auditor or investigator. Although SOX
does not spell out technology requirements for records retention, it does
clearly imply that companies are expected to exercise strong control over
all the records and information that are used to produce financial
statements. This is not limited to just the financial statements and
accounting records. It includes marketing and sales reports, internal
memos, even instant messaging, and just about every type of file
produced by company employees.
Section 409 mandates significantly expanded
disclosure requirements, with disclosures made as quickly and completely
as possible after an event affects the company’s performance. SOX makes
the assumption that companies have almost real-time visibility into their
company’s data, including all sorts of situations and business
transactions that are outside the direct control of the accounting or
finance functions. For example, let’s say that a marketing manager in
your Topeka office is made aware that a large shipment of product is going
to be recalled due to a defective part. The recall will very likely have a
material effect on the company’s financial performance. As soon as the
company is aware of this event, SOX requires that it be disclosed
publicly, generally within a matter of a few days.
Sections 103, 801(a) and 802 are the core of
SOX’s record retention rules. Section 103 relates to audit work papers
and evidence. Sections 103 (a) and 801 (a) require public companies and
registered public accounting firms to maintain audit work papers,
documents that form the basis of an audit or review, and all information
supporting conclusions for at least 7 years.
Section 802 addresses the retention and destruction
of records, with implied penalties. Under Section 802 it is a crime for
anyone to intentionally destroy, alter, mutilate, conceal, cover up, or
falsify any records, documents, or tangible objects that are involved in
or could be involved in, a US government investigation or prosecution of
any matter, or in a Chapter 11
bankruptcy filing. Section 802 stresses the importance of record retention
and destruction policies that affect all of a company’s e-mail, e-mail
attachments, and documents retained on computers, servers, auxiliary
drives, e-data, web-sites, as well as hard copies of all company records.
The rules state that any employee who knows their company is under
investigation, or suspects that it might be, must stop all document
destruction and alteration immediately. And, the employee must create a
company record showing that they have ordered a halt to all automatic
e-data destruction practices.
Private companies are also expected to comply with
SOX §802. Private companies now face fines plus up to twenty years
imprisonment for knowingly destroying, altering or falsifying records with
the intent to impede or influence a federal investigation.
The following is a sampling of various types of
records, and the generally accepted retention period under SOX.
DOCUMENT TYPE                 | RETENTION PERIOD
Accounts Payable Ledger       | 7 Years
Accounts Receivable Ledger    | 7 Years
Bank Statements               | Permanent
Charts of Account             | Permanent
Contracts & leases            | Permanent
Correspondence (Legal)        | Permanent
Employee Payroll Records      | Permanent
Employment Applications       | 3 Years
Inventories of Products       | 7 Years
Invoices to Customers         | 5 Years
Invoices from Vendors         | 5 Years
Payroll Records & Tax Returns | 7 Years
Purchase Orders               | 5 Years
Time Cards & Daily Reports    | 7 Years
Training Manuals              | Permanent
Union Agreements              | Permanent
E-mail under SOX is considered a business record
and must be maintained. There are four key components to ensure compliance
under SOX. First, e-mail must be tamper proof: password protected,
read-only and non-deletable, encrypted and digitally signed, and held in a
closed system both on- and off-line. Second, e-mail must follow the defined
policies of the business; policies include which e-mail is archived, the
retention period, and how e-mail is protected. Third, e-mail must have full
auditability of access and movement, including the ability to be audited by
a third party. And finally, e-mail must be fully indexed and provide full
search capability; specifically, the e-mail archive must be indexed on the
standard RFC 822 header fields it captures.
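The following is an added example (not part of the original article, and not any vendor's product) of how the four components above fit together in a small archive: each message is parsed for its RFC 822 headers, hashed and signed at ingest, stored write-once, indexed on those headers for search, and every access is written to a hash-chained audit log that a third party can re-verify. The sample messages, addresses and the HMAC signing key are constructed for the example; an HMAC is used as a stand-in for a real digital signature (a production archive would use an asymmetric signature so auditors can verify without holding the secret).

```python
"""Header-indexed, tamper-evident e-mail archive (illustrative example, not a product)."""
import email
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email import policy

# RFC 822 header fields the archive indexes on.
INDEXED_HEADERS = ("From", "To", "Date", "Subject")

# Constructed sample messages; addresses and contents are invented for this example.
SAMPLE_MESSAGES = [
    b"From: sales.manager@example.test\r\n"
    b"To: accountant@example.test\r\n"
    b"Date: Mon, 01 Oct 2007 09:15:00 -0500\r\n"
    b"Message-ID: <rev-001@example.test>\r\n"
    b"Subject: Q3 revision for Customer A\r\n"
    b"\r\n"
    b"Please change the Customer A sale from $20M to $30M.\r\n",
    b"From: accountant@example.test\r\n"
    b"To: cfo@example.test\r\n"
    b"Date: Tue, 02 Oct 2007 17:40:00 -0500\r\n"
    b"Message-ID: <q3-final@example.test>\r\n"
    b"Subject: Q3 divisional sales - final\r\n"
    b"\r\n"
    b"The attached spreadsheet reflects the Customer A revision.\r\n",
]


class EmailArchive:
    """Write-once store: each message is hashed and signed at ingest and indexed by header."""

    def __init__(self, signing_key: bytes):
        # Assumption: an HMAC key stands in for the archive's signing key.
        self._key = signing_key
        self._records = {}   # Message-ID -> stored record (never overwritten or deleted)
        self._index = {}     # header name -> lowercased value -> [Message-ID, ...]
        self._log = []       # hash-chained audit trail of every ingest, search and verify

    def _sign(self, digest: str) -> str:
        return hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()

    def _audit(self, action: str, subject: str, result=None) -> None:
        # Each entry commits to the previous entry's hash, so removing or editing
        # an entry breaks the chain and is caught by verify_log().
        prev = self._log[-1]["hash"] if self._log else "0" * 64
        entry = {"seq": len(self._log), "ts": datetime.now(timezone.utc).isoformat(),
                 "action": action, "subject": subject, "result": result, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._log.append(entry)

    def ingest(self, raw: bytes) -> str:
        msg = email.message_from_bytes(raw, policy=policy.default)
        msg_id = str(msg["Message-ID"])
        if msg_id in self._records:
            raise ValueError(f"{msg_id} already archived; records are write-once")
        digest = hashlib.sha256(raw).hexdigest()
        headers = {h: str(msg[h]) for h in INDEXED_HEADERS if msg[h] is not None}
        self._records[msg_id] = {"raw": raw, "digest": digest,
                                 "sig": self._sign(digest), "headers": headers}
        for name, value in headers.items():
            self._index.setdefault(name, {}).setdefault(value.lower(), []).append(msg_id)
        self._audit("ingest", msg_id)
        return msg_id

    def search(self, header: str, value: str) -> list:
        self._audit("search", f"{header}={value}")
        return list(self._index.get(header, {}).get(value.lower(), []))

    def verify(self, msg_id: str) -> bool:
        # Recompute the digest from the stored bytes and check the signature over it.
        rec = self._records[msg_id]
        digest = hashlib.sha256(rec["raw"]).hexdigest()
        ok = digest == rec["digest"] and hmac.compare_digest(self._sign(digest), rec["sig"])
        self._audit("verify", msg_id, ok)
        return ok

    def verify_log(self) -> bool:
        prev = "0" * 64
        for entry in self._log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_demo() -> dict:
    archive = EmailArchive(signing_key=b"constructed-demo-key")
    ids = [archive.ingest(raw) for raw in SAMPLE_MESSAGES]
    results = {"ids": ids,
               "hits_from_sales": archive.search("From", "sales.manager@example.test"),
               "all_verify": all(archive.verify(i) for i in ids)}
    # Simulate an after-the-fact edit of the stored bytes, which the archive must detect.
    rec = archive._records[ids[0]]
    rec["raw"] = rec["raw"].replace(b"$30M", b"$20M")
    results["tampered_verify"] = archive.verify(ids[0])
    results["log_intact"] = archive.verify_log()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the module ingests the two constructed messages, finds the first by its From header, verifies both, then shows that a silent edit of the stored bytes fails verification while the audit log, which records the failed check, still chains correctly.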
In conclusion, the majority of businesses today are not
in compliance with SOX. Failure to follow SOX records retention
requirements is now considered an obstruction of justice and can result in
a fine, imprisonment of up to 20 years, or both. Like most practices that
businesses do not understand, this one gets delegated to the credit department.
However, the credit department is only one of many departments within the
company whose reporting information and records are included in the
creation of the company’s financial reporting. The responsibility for
creating a SOX compliant system rests with company management and the IT
department.
I wish you well.