Email retention 507



  • Does anyone have any further detail re email?
    ‘Sec rule 17a-4 email retention’
    Thanks



  • Not my area, but this might give pointers. Sorry if not.
    sec.gov/news/press/2002-173.htm
    Specifically the bullet-points detailing the violations referred to:
    Violated Section 17(a) of the Securities Exchange Act of 1934, Rule 17a-4 under the Exchange Act, NYSE Rule 440 and NASD Rule 3110 by failing to preserve for a period of three years, and/or preserve in an accessible place for two years, electronic communications relating to the business of the firm, including interoffice memoranda and communications.

    Violated NYSE Rule 342 and NASD Rule 3010 by failing to establish, maintain and enforce a supervisory system to assure compliance with NASD and NYSE rules and the federal securities laws relating to retention of electronic communications.



  • Is there a list available some where as to what type of ‘business-related’ emails must be archived? Thanks.



  • I’m pretty late to the thread, but the rules quoted by MikeE only apply to a small set of companies that are governed by the SEC - mostly securities dealers and other financial institutions. I can’t find any indication that this would apply to a public company at large.
    That is not to say that retaining email is the wrong thing to do. I just don’t think there is a hard-and-fast law or regulation about it.



  • Thanks for your input. :?



  • We do not retain all emails in our company. Our internal legal guidance is that retention of pertinent email is the responsibility of an individual if the email is proof of review or part of a decision-making process that impacts financial reporting.



  • Following the Thread So Far - here are my suggestions
    From a Sarbanes perspective- as you all may be aware by now- the focus is set on Internal Control Environment.
    Email retention is not spelled out as clear as one would like to see. However the audit practices that I have seen - External Auditors are recommending their clients to retain the emails for at least 2 years - ESPICIALLY - if the company is using the email communications - as part of their INTERNAL CONTROL environment.
    Example - let us take a scenario - where in the XYZ company - by a written policy - permits its managers to approve the changes made in the IT projects via EMAIL. Similarly the business managers are permitted to confirm their final acceptance to changes via email.
    In the above example- the critical controls within the Change Management are now embedded within the email communication. Clients now are either required to keep printing these emails as evidence to the approval process - or retain the same for future audit purposes.
    Also keep in mind that - if a public company goes for a RE-STATEMENT, it would need to be able to produce the evidence for the existence of controls environment as it existed in the prior fiscal year. Again in this scenario - your retention of emails could be very helpful.
    Madhav Vedula CISA
    Sr. Internal Auditor
    mvedula_at_go.com
    mvedula_at_consultant.com



  • The use of email by a few to evidence approvals is not necessarily a valid reason to archive ALL emails. Certainly in a brokerage where most communication is this way, and where the industry is highly-regulated, it makes more sense to do so. In a normal business environment, this seems to be overkill. There should be a policy that email approvals designated as controls be retained either electronically or in hard copy.


Log in to reply