Record Retention Policies



  • Section 103 of the Act requires that the Auditor keep their testing records for 7 years, but it makes no such requirement of the company itself.
    We’re taking the view that the Auditors should be keeping their own testing records independently of our records and do not want to maintain all our testing records (which will be much greater in quantity than the auditors’) for a full 7 years if we have no such requirement to do so, especially as some of the information is particularly sensitive in nature. We’re negotiating with our Auditors at present, but we feel that 3 years is reasonable.
    Do you have any further updates on your position in relation to this topic?



  • The view forming in my project is that records that are purely evidence of testing need be kept only until the audit is concluded - so until 3 months or so after the year-end.
    Other record retention is retained in accordance with tax and other regulatory requirements - normally about 7 years.



  • The view forming in my project is that records that are purely evidence of testing need be kept only until the audit is concluded - so until 3 months or so after the year-end.
    Other record retention is retained in accordance with tax and other regulatory requirements - normally about 7 years.
    That almost sounds like saying that you only need to keep financial statement records until the audit is completed, which we all know is not correct. I feel that the internal test results are direct support for the management assertion that controls are effective and should be retained as long as the underlying financial records for the same year are retained. How else can management defend its position on internal controls if the SEC comes in at a later date to investigate either financial reporting or support for management’s assertions on internal control?



  • That almost sounds like saying that you only need to keep financial statement records until the audit is completed, which we all know is not correct
    That’s not what I said. I was referring only to records that only evidence that controls were carried out e.g. checklist that all month-end processes were carried out. Of course, many control documents will also support figures in the financial statements and financial statements records need to be retained for a period determined by taxation and other regulatory bodies - normally 7 years or more.
    How else can management defend its position on internal controls if the SEC comes in at a later date to investigate either financial reporting or support for management’s assertions on internal control?
    Because they had a process that resulted in their assertion and they documented that.
    Because their auditor attested to it.



  • Per the SEC regs - ‘The issuer must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the issuer’s internal control over financial reporting’
    Since the assertion is included in the 10Q and 10K, I believe that this information needs to be maintained as long as any other information that is contained in these filings.
    The fact that the external auditor expressed an opinion on management’s assessment of the controls does not relieve management from retaining support for management’s assertion. Only having a documented process will not suffice. Tests of the effectiveness of the process need to be maintained to support that the process was working as designed.



  • OK. We’re slightly talking at cross purposes.
    I was thinking controls documentation although I referred to testing documentation. On the latter I completely agree with you.



  • No worries. We’re on the same side here.
    Our position is that we will comply with the laws, but not necessarily do more than we have to, especially if there is a cost for the extra compliance. This is a ‘pass/fail’ exercise. We don’t need to have an ‘A’ grade if a ‘C’ will pass.



  • We don’t need to have an ‘A’ grade if a ‘C’ will pass
    Our current phrase is something like ‘we don’t need to build a Rolls-Royce if a Ford Focus will do’ 😉



  • Does anyone know of a direct requirement in SOX that requires a formal policy with regard to record retention etc. We presently don’t have a formal comprehensive written policy, however, the policy is essentially we save everything. I have been tasked with justifying a new policy or going with the status quo.
    I’ve just gotten tasked with the same. Are you game for sharing whatever information we find? diane_at_hrglobal.net



  • I have also been tasked with the issue of record retention. My research, on the web and the comments from here seem to indicate there are no clear rules for retention time. It seems a company needs to adapt a policy in writing according to S/O. My company has a potpourri of generated paperwork and there are some standards for record retention, but mostly this is scattered about. At this point, I think it is time to go back to the drawing board and start fresh.
    There are some good articles indicating the areas of concern, such as emails. One article strongly recommended that the legal department be involved. I am guessing the best way to start is to identify the types of records generated and go from there.
    These days, a document can include just about anything. ‘It definitely includes e-mail and written documents, and it can include database records and, in some cases, cell phone text messages,’ Lange says. ‘There is little case law on instant messages, but I think we’ll see more of that in years to come.’
    IMPLEMENTATION
    Just how long should an organization hold on to each type of record? ‘That is the million-dollar question,’ says Lange. ‘It varies depending on industry. That’s why it’s so important to involve the legal team and records managers to make sure you are researching the applicable laws.’
    After first identifying required regulations, an effective document retention policy should clearly specify the retention periods for every type of document, says Gary P. Crispens, director of internal audit at the Virginia Department of the Treasury. ‘The most challenging aspects of records retention are the identification of the required holding period and the cataloging of the documents into a storage inventory.’
    INTERNAL AUDITING’S ROLE
    ‘Internal auditors play a huge role in making sure that a corporation is following its document retention policy and that when required, the policy’s destruction ends at the appropriate time,’ says Lange. ‘But I don’t think it’s something that internal auditors can do on their own. They need corporate buy-in at every level of the organization.’



  • The following seemed to help me get started
    Records Retention Schedule
    Holding onto unnecessary business records will quickly use up all available storage space in most businesses. A formal records retention program should be carefully developed by management and take into consideration special circumstances, legal requirements, industry standards, pending investigations, and potential litigation. The following retention periods are intended as general guidelines only. Before destroying any business records, it is advisable to seek legal counsel.
    | Record | Retention Period |
    | --- | --- |
    | Accident reports/claims (settled cases) | 7 years |
    | Accounts payable ledgers and schedules | 7 years |
    | Accounts receivable ledgers and schedules | 8 years |
    | Audit reports | Permanently |
    | Bank statements | 4 years |
    | Capital stock and bond records: ledgers, transfer registers, stubs showing issues, record of interest coupons, options, etc. | Permanently |
    | Cash books | Permanently |
    | Charts of accounts | Permanently |
    | Checks (canceled checks for important payments, special contracts, purchase of assets, payment of taxes, etc. Checks should be filed with the papers pertaining to the underlying transaction.) | Permanently |
    | Checks (canceled except those noted above) | 7 years |
    | Contracts and leases (expired) | 7 years |
    | Contracts and leases still in effect | Permanently |
    | Correspondence, general | 2 years |
    | Correspondence, legal and important matters | Permanently |
    | Correspondence, routine with customers/vendors | 2 years |
    | Deeds, mortgages and bills of sale | Permanently |
    | Depreciation schedules | Permanently |
    | Employee personnel records (after termination) | 4 years |
    | Employment applications | 3 years |
    | Financial statements (year-end, other months optional) | Permanently |
    | General ledgers, year-end trial balances | Permanently |
    | Insurance records, current accident reports, claims, policies, etc | Permanently |
    | Internal audit reports (miscellaneous) | 4 years |
    | Inventory records | 7 years |
    | Invoices to customers or from vendors | 7 years |
    | IRA and Keogh plan contributions, rollovers, transfers and distributions | Permanently |
    | Minute books of directors, stockholders, bylaws and charter | Permanently |
    | Payroll records | Permanently |
    | Petty cash vouchers | 4 years |
    | Property records, including costs, depreciation reserves, year-end trial balances, depreciation schedules, blueprints, and plans | Permanently |
    | Purchase orders | 4 years |
    | Receiving sheets | 1 year |
    | Safety records | 6 years |
    | Sales records | 7 years |
    | Stock and bond certificates (canceled) | Permanently |
    | Subsidiary ledgers | 7 years |
    | Tax returns, revenue agents’ reports, and other documents relating to determination of income tax liability | Permanently |
    | Time cards and daily reports | 7 years |
    | Trademark registrations, patents and copyrights | Permanently |
    | Voucher register and schedules | 7 years |
    | Vouchers for payments to vendors, employees, etc (includes allowances and reimbursement of employees, officers, etc, for travel and entertainment expenses) | 7 years |
    The AICPA Auditing Standards Board has released a proposed Statement on Auditing Standard (SAS), Audit Documentation, which would supersede SAS No. 96 of the same name. This proposed Standard would not apply to audits of public companies because audit documentation requirements for those audits are contained in Auditing Standard No. 3 of the Public Company Accounting Oversight Board.
    The proposed SAS provides enhanced guidance concerning matters that should be documented and the retention of documentation. Specifically, the proposed Statement requires:
    The auditor, when preparing audit documentation, to consider the needs of an experienced auditor, having no previous connection with the audit, to understand the procedures performed, the evidence obtained and specific conclusions reached.
    Documentation of audit evidence that is contradictory or inconsistent with the final conclusions, and how the auditor addressed the contradiction or inconsistency.
    The auditor to assemble and lock-down the final audit engagement file within 60 days following the delivery of the auditor’s report. After that date, the auditor may not delete or discard existing audit documentation, and must appropriately document any subsequent additions or changes.
    A minimum file retention period of five years.
    The proposed SAS would also amend SAS No. 1, Codification of Auditing Standards and Procedures, Dating of the Independent Auditor’s Report, to require that the auditor’s report not be dated earlier than the date on which the auditor has obtained sufficient competent audit evidence to support the opinion on the financial statements, and SAS No. 95, Generally Accepted Auditing Standards, to require the documentation of a justification for a departure from Statements on Auditing Standards.



  • SOX requires e-mail storage and retrieval functions by July 06
    This is news to me. Note that this article excerpt originates from a vendor press release so should be taken with a grain of salt. I sent the writer an e-mail requesting SEC/PCAOB source citation but haven’t heard back.
    Do any of you know anything about a specific rule related to the situation described below?
    Thanks,
    Theda
    Nearly Half May Not Make Second Sarbanes-Oxley Deadline (from thechannelinsider.com).
    By John Hazard September 27, 2005
    Forty-five percent of IT executives responding to an August poll said their companies are unlikely to meet the message retention requirements of Sarbanes-Oxley by the July 2006 deadline.
    Those companies were granted an extension beyond the law’s original July 15, 2005, deadline and have until July 15, 2006, to comply with the message retention aspects. Additionally, federal regulations such as HIPAA and the Patriot Act require message storage and retrieval functions …
    Any messages and records, including e-mail and IM, that may affect financial decisions or public disclosures must be available for review by the company’s key decision makers. The law dictates those records and messages be logged, archived and available for review. Annual audits will be conducted to determine compliance. Failing to meet the corporate accountability deadline can mean fines … and jail time for corporate executives and officers.



  • Let us know what you hear back. This is news to me. It may just be an aggressive interpretation of the SOX rules to try and sell document retention software.



  • SOX requires e-mail storage and retrieval functions by July 06
    This is news to me. Note that this article excerpt originates from a vendor press release so should be taken with a grain of salt. I sent the writer an e-mail requesting SEC/PCAOB source citation but haven’t heard back.
    Do any of you know anything about a specific rule related to the situation described below?
    Thanks,
    Theda
    Nearly Half May Not Make Second Sarbanes-Oxley Deadline (from thechannelinsider.com).
    By John Hazard September 27, 2005
    Forty-five percent of IT executives responding to an August poll said their companies are unlikely to meet the message retention requirements of Sarbanes-Oxley by the July 2006 deadline.
    Those companies were granted an extension beyond the law’s original July 15, 2005, deadline and have until July 15, 2006, to comply with the message retention aspects. Additionally, federal regulations such as HIPAA and the Patriot Act require message storage and retrieval functions …
    Any messages and records, including e-mail and IM, that may affect financial decisions or public disclosures must be available for review by the company’s key decision makers. The law dictates those records and messages be logged, archived and available for review. Annual audits will be conducted to determine compliance. Failing to meet the corporate accountability deadline can mean fines … and jail time for corporate executives and officers.
    I smell bullshit :evil:

