Record retentions period clarification 2799



  • I need help on the subject of record retention period requirement for SOX compliance. May i know exactly if the requirement of record retention for SOX compliance is 7 years for all documents? if it is not for all documents or records, may I know what type of documents or records must be retained for 7 years?
    I would greatly appreciate it if there is a sample table of documents or records to be retained. ( i am working for a TELCO service provider here in the Philippines and the company I working with right now is a list company in NYSE). Thanks in advance for the great help.
    regards,
    SAANJR



  • To my knowledge, there is no specific record retention requirement for SOX documents. However, since SOX certification is part of a company’s 10Q and 10K, most are looking to record retention requirements for those documents, which is 7 years.



  • Kymike,
    Can you provide the source for this record retention period for information that goes into the quarterly and annual reports that are filed with the SEC (e.g. the Section in the Securities Exchange Act, in the United States Code, or the SEC rule in the Code of Federal Regulations, etc.).
    I only know of a retention period during which the registered public accountant needs to keep his audit work papers.



  • Hi gmerkl - While 7 years is my own understanding, I did a quick web search and found some of the following info.
    http-and-#58;//www.google.com/search?-and-q=sarbanes-oxely retention
    The 2nd link found contained a Word document (dated 2005) that shared the following
    Sections 103, 801(a) and 802 the heart of SOX’s records retention rules

    • Sarbanes-Oxley sections 103, 801(a) and 802 speak directly to Records Retention. Section 103 relates to Audit Work Papers and Evidence.
    • Sections 103 (a) and 801 (a) require public companies and registered public accounting firms to maintain audit work papers, documents that form the basis of an audit or review, and all information supporting conclusions for at least 7 years.
      This Wikipedia link may contain more up-to-date information …
      http-and-#58;//en.wikipedia.org/wiki/Information_technology_controls#Section_802_.26_Records_retention
      Section 802 and Records retention
      Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms to maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded. This includes electronic records which are created, sent, or received in connection with an audit or review. As external auditors rely to a certain extent on the work of internal audit, it would imply that internal audit records must also comply with Section 802.
      In conjunction with document retention, another issue is that of the security of storage media and how well electronic documents are protected for both current and future use. The five-year record retention requirement means that current technology must be able to support what was stored five years ago. Due to rapid changes in technology, some of today’s media might be outdated in the next three or five years. Audit data retained today may not be retrievable not because of data degradation, but because of obsolete equipment and storage media.
      Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management program (RM); comprehensiveness of RM (i.e. paper, electronic, transactional communications, which includes emails, instant messages, and spreadsheets that are used to analyze financial results) , adequacy of retention life cycle, immutability of RM practices, audit trails and the accessibility and control of RM content.


  • Both sections of the Sarbanes-Oxley Act that you quote (i.e. 103 and 802) and the SEC’s implementing rule only require auditors to retain workpapers relating to audits or reviews of financial statements for 7 years after the conclusion of the audit or review (see sec.gov/rules/final/33-8180.htm).
    They do not require issuers to retain any records. If the auditor does not keep and retain a copy of any workpapers that were created by the issuer’s internal auditors that the auditors audited or reviewed, tough luck for the auditor.
    That’s also what I remembered.



  • Both sections of the Sarbanes-Oxley Act that you quote (i.e. 103 and 802) and the SEC’s implementing rule only require auditors to retain workpapers relating to audits or reviews of financial statements for 7 years after the conclusion of the audit or review (see sec.gov/rules/final/33-8180.htm).
    They do not require issuers to retain any records. If the auditor does not keep and retain a copy of any workpapers that were created by the issuer’s internal auditors that the auditors audited or reviewed, tough luck for the auditor.
    That’s also what I remembered.
    Hello everyone,
    Thanks for your inputs, i really have a dillemna here in this requirement because it is very difficult to retain records or documents for 7 years( or 5 years) that are related to audit , as this would mean retaining all records as this is very dependent on the audit trail… Is there a sample record retention policy and a sample listing of records from a telco company… this can really help us a lot …
    regards and many thanks,
    Alex Navarro ( SAANJR)…



  • If you are not a registered public accounting firm that audits issuers (i.e. companies) that have registered securities with the US Securities and Exchange Commission (SEC), then you do not need to retain any work papers for Sarbanes-Oxley purposes.
    There is no legal requirement in the Sarbanes-Oxley Act. I recommend that you contact you registered public accounting firm since it is they who have to retain their audit work papers.



  • Hello,
    We are a registered TELCO service provider in the Philippines (PLDT/SMART) and registered with US stock exchange and Philippine stock exhange , we are required to have SARBOX retention period but i have this internal audit policy that required us to retain almost all records for 7 years, and it quoted that this is a SARBOX requirement. What would be real requirement for SARBOX?
    regards,
    SAANJR



  • we are required to have SARBOX retention period but i have this internal audit policy that required us to retain almost all records for 7 years, and it quoted that this is a SARBOX requirement’
    Instruction 1 to item 308 in regulation S-K (17 CFR 229.308 in the Code of Federal Regulations on www.gpoaccess.gov) only specifies that the company ‘must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the registrant’s internal control over financial reporting.’
    It does not specify a minimum number of years. See also SEC Release 33-8238 (http://www.sec.gov/rules/final/33-8238.htm) section II.B.d. and VIII.
    The Sarbanes-Oxley Act and the rules of the US Securities and Exchange Commission do NOT have a requirement for companies to retain working papers for 7 years.



  • I found this Q-and-A posted on a public section of ComplianceWeek website. It provides one attorney’s opinion of SOX record retention -
    QUESTION
    When a public company divests a business unit that will become a private company, what are the recordkeeping considerations for SOX documentation and testing materials? Must the public seller retain the SOX records unique to the divested operation? Does Article 2-06 of SEC Regulation S-X, which requires accounting firms to retain records for seven years, have any bearing on this (assuming no agreement between the seller and its auditor)?
    ANSWER
    Section 13(b)(2) of the Securities Exchange Act which was inserted in 1977 by the Foreign Corrupt Practices Act requires the preparation and maintenance of books and records in reasonable detail that accurately and fairly reflect the transactions and dispositions of assets. This requirement applies to all companies that have securities registered under that Act as well as on all companies required to file reports pursuant to the Exchange Act that is, public or reporting companies. So in answer to your first question: Yes, the public company seller must retain either the original records or copies of the original records. However, neither the Exchange Act nor SOX specifies a minimum period that this information must be maintained. There are no record retention requirements imposed upon the buyer by the Exchange Act or by SOX, provided that the buyer is not a public company.
    Generally, public companies adopt record retention policies that mandate the retention of documentation supporting the companies’ public reporting for a period of five to seven years. There are a number of factors that public companies and their advisers take into consideration in determining the length of time that financial records should be maintained. Included among them are:
    Section 302(b) of SEC Regulation S-T (relating to electronic filings) imposes a retention period of five years on public companies for all documents executed by a signatory to an electronic filing. This includes public reports and the certifications executed by CEOs and CFOs pursuant to Sections 302 and 906 of SOX.
    Section 304© of SEC Regulation S-T imposes a retention period of five years on issuers for each document filed with the SEC that omits certain graphic, image, audio or video material included in the document that was publicly distributed.
    Instruction 1 to Item 308 of SEC Regulations S-K and S-B instructs public companies to maintain documentation that provides reasonable support for management’s assessment of the effectiveness of the public company’s internal control over financial reporting required by Section 404 of SOX.
    Section 802 of SOX requires accountants to maintain certain corporate audit records or to review work papers following the completion of an audit or review of a company’s financial statements. Article 2-06 of SEC Regulation S-X, which was adopted by the SEC to implement the requirements of Section 802 of SOX and to which your question alludes, requires that auditors of public companies retain records relevant to an audit or review of a public company’s financial statements for a period of seven years from the time that the audit or review is concluded.
    Section 804 of SOX increased the statute of limitations for private securities fraud lawsuits. The statute of limitations was changed to the earlier of two years following discovery of the facts constituting the violation, and five years after the violation. Previously, the time periods had been one and three years, respectively.
    Foreign jurisdictions and stock exchanges are adopting mandatory record retention requirements applicable to entities located in or doing business in their jurisdictions or having securities listed on their exchange, which must be assessed in determining the company’s record retention needs.
    Tax advisers often recommend that financial records be maintained for tax purposes for up to seven years because of relevant tax law statutes of limitations.
    The sale of a business unit should not change the public company seller’s approach to records retention. Certainly, the public company is exposed to regulatory and civil litigation risk for up to five years and should therefore retain those records for a minimum of 5 years. In addition, since the public company’s auditor is required by Article 2-06 of SEC Regulation S-X to retain records relevant to an audit or review of a public company’s financial statements for a period of seven years from the time that the audit or review is concluded (these records would arguably be subject to subpoena by a civil litigant or regulatory authority), it seems appropriate that the company’s records should be maintained for a corresponding period of time.


Log in to reply