Newbie Question: File Retention and Backups 2037



  • I agree with NC’s good recommendations, as financial and associated history (including things like email, unfortunately) is the key information that must be retained for 7 years.



  • I presume the log files you mean are one of the following:
    a. DB logs
    b. Network logs
    c. Firewall logs
    d. User activity logs
    The IT functions typically carry out periodic log reviews on the above logs and hence would retain a report on the above. This apart, such logs are retained for a period of 90-120 days (generally).
    Again, a risk assessment activity needs to be done to decide upon the retention period.
    I’m confused. So does this mean that there is no legal SOX requirement to retain logs (DB, network, firewall, user activity)? Is it just recommended to be 90-120 days? Thanks in advance.



  • I quote Section 404 of the Act:
    ‘SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
    (a) RULES REQUIRED. The Commission shall prescribe rules
    requiring each annual report required by section 13(a) or 15(d)
    of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d))
    to contain an internal control report, which shall
    (1) state the responsibility of management for establishing
    and maintaining an adequate internal control structure and
    procedures for financial reporting; and
    (2) contain an assessment, as of the end of the most recent
    fiscal year of the issuer, of the effectiveness of the internal
    control structure and procedures of the issuer for financial
    reporting.
    (b) INTERNAL CONTROL EVALUATION AND REPORTING. With
    respect to the internal control assessment required by subsection
    (a), each registered public accounting firm that prepares or issues
    the audit report for the issuer shall attest to, and report on, the
    assessment made by the management of the issuer. An attestation
    made under this subsection shall be made in accordance with standards
    for attestation engagements issued or adopted by the Board.
    Any such attestation shall not be the subject of a separate engagement.’
    The Act by itself does not specifically mention anything about controls, except that there should be a good control framework which ensures accurate financial reporting.
    All the rest is the imagination of human beings. Requirements do not arise from the Act, but from human interpretation (I dare to say BIG 4 INTERPRETATION).
    Hope this helped.
    Cheers



  • I do think that ‘the 7 years’ mentioned and all the interpretation from the PCAOB is for registered public accounting firms (including the BIG 4). What about management? Does the SEC guide mention anything about retention time? I didn’t find any specific topic.
    Additionally, those requirements are for test working papers only (those used for documenting audit tests). What about the IT department?
    I agree with NC about the 90-120 days, but I would say that 1 year should be better (covering the attestation period). Also, for FPIs it should be a year and a half, due to the 20-F limit on each June 30.



  • This discussion is interesting. Is there a difference between US and foreign issuers on requirements (I’m aware, for example, that US issuers do regular quarterly returns)?
    I can confirm that the minimum retention period is seven years in the UK for SOX. I also noted that the guidance is for the audit firm only, but we took legal advice and their opinion was that this applied to us also. I have concluded that this is a result of the US requirements, because the UK’s Companies Act only requires six years.
    Yes, this is open to interpretation, and my interpretation is that the seven-year rule applies to the papers supporting my certification. These papers should stand alone; therefore all other supporting papers, logs, etc. need not be kept for the same period.
    What is important is that in standing alone these papers must be able to support reperformance. This is where I think the confusion arises. If you reference a log entry, invoice, etc., then you will need to keep all that backing information. If you include copies of these relevant papers within your testing papers, then you don’t. This then means you could have an IT retention policy for SOX of a maximum of 18 months, so that all evidence is retained for testing purposes but after that can be destroyed (if you feel really bold and brave you could just keep the last few months of each year for testing and thus reduce your retention policy further).
    Of course there may be retention policies other than SOX that may require longer periods than that.



  • How long the logs need to be retained is not specified in SOX, and it’s an operational decision on the company’s part. That said, I see 1 year as a good duration for retention of any in-scope logs to facilitate testing. I wouldn’t recommend 90-120 days’ retention, as we had the same duration for some logs and had to modify the policy to 365 days when it was pointed out by our external auditors.
    We plan to retain the SOX-related documentation, including flowcharts, test workpapers, evidence (summary), etc., for 7 years. To retain everything for 7 years is a huge overhead on IT.



  • On the retention of logs I would go for a year, as we had an issue where the logs were kept for a quarter, and in Q4 we were told we couldn’t ‘prove’ the audits had happened in Q1 as we didn’t keep the logs…
    As our system auto-removes them, we now print and file them so the external auditor can tick the box and say ‘Yup, done’.
    😞



  • Do you mean the audit of the logs, or were the logs evidence of an audit in themselves?
    If the first, I would improve my testing documentation.
    If the second, I would challenge why Q1 was needed for SOX.
    That being said, it would be good practice to keep supporting logs, etc. for as long as the SOX testing takes and allow deletion upon certification. Unfortunately, though, that would be longer than 12 months, because sign-off will take at least another couple of months after year end.



  • Once again this forum has proven that there are multiple possibilities and interpretations with respect to log retention.
    Each organization has and sees its own retention requirements distinctly. This whole topic of log retention should be based on risk assessment alone.
    This forum is proving to be really informative.
    Keep writing, all.
    Thanks



  • “I wouldn’t recommend 90-120 days’ retention, as we had the same duration for some logs and had to modify the policy to 365 days when it was pointed out by our external auditors.”
    I agree with this even beyond SOX aspects, as keeping log history and actively reviewing it is imperative from a security standpoint. A one-year history is certainly more beneficial than one quarter of a year.
    One further comment, to ‘save some trees’, is that folks may want to look at log consolidation and reporting tools. Bindview, KSA, and other tools might help facilitate this need. These are worthwhile investments not only for saving paper, but for the capability to isolate events and analyze security from a historical standpoint. Another idea is to image log files, if possible, to FileNet or other optical repositories.
    “This forum is proving to be really informative. Keep writing, all.”
    Absolutely agree 😎 😎 😎

