Document retention policy



  • I have done a search on this subject on this site and nothing has come up although I am sure you have already discussed this.
    I am regularly told of the 7 years document retention requirement for all SOX work. As I look into this, however, I note that this is PCAOB’s requirement of the external auditors and not management’s. In fact when it comes to management requirements I do not see anything in writing, particularly from the SEC, apart from a brief acknowledgement that guidance would be good in their concept release.
    In my mind if my company retains its evidence of control operation for the financial year in question, this will enable full and proper testing to take place. Once the testing is complete it should be self supporting and stand alone therefore the testing documentation itself should be retained but not all the other evidence used for testing (subject to other statutory requirements over financial reporting, etc). If the testing cycle is risk based and spread over a three year testing cycle then a retention policy of four years should suffice and there is no need to look to 7 years as that is the concern of the auditors.
    Am I missing something?



  • Our lawyers confirmed to us that we also need to retain documents for 7 years. It is not just an external auditor requirement.



  • I recall that we have discussed this previously, so you may want to search this forum.
    To summarize my understanding, there is no SOX Act requirement on record retention. There is, however, a 7 year retention policy for all financial and other information supporting any filing with the SEC. Since management is performing tests in order to provide an assertion on the effectiveness of internal controls within their annual SEC filings, the information supporting management’s opinion must be retained for seven years.



  • I did some quick searches and found a few references to 7 years for SOX and other regulatory programs
    Please add www and paste into browser
    Storage strategies meet regulatory burden on data retention
    enterprisenetworksandservers.com/monthly/art.php?1821
    Sarbanes-Oxley Act (SOA, Sox)
    Enacted by the U.S. government in 2002 in response to corporate financial scandals, Sarbanes-Oxley Act (SOA, Sox) applies to all publicly held companies in the United States that have more than USD75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC).
    It covers financial reporting to the SEC, auditing practices and associated document retention. By holding CEOs and CFOs directly responsible for the accuracy of financial reports, this act has had a major effect on U.S. corporations and has already sent one executive to jail. The intent is to preserve all records of business dealings and financial audits for long enough to allow detailed investigations of questionable business activities.
    The company must save all documentation used to create financial reports and audits.
    Sarbanes-Oxley defines documentation as:

    • relevant records such as workpapers;
    • documents that form the basis of an audit or review;
    • memoranda;
    • correspondence;
    • communications;
    • other documents and records (including electronic records) that are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review.

    The law requires risk assessment, either across the entire company, or by a summation of narrower risk assessments on individual transactions and operations within the company. Storage risk assessment is part of the overall requirement.
    The document retention period is seven years and recovery time is limited to a very few days following a federal request. Because of the legal importance of these documents, Write-Once-Read-Many (WORM) magnetic disk storage should be considered. Security is vital to protect against malicious use of this gold mine of company information.


  • Thanks for all your replies. I did search but it came up with nothing - until I realised that to search I had to keep going back manually through all the postings.
    I am intrigued by the legal advice and the ruling on SEC filings because being a UK based company I think my organisation has its retention policy based on Companies Act requirements which is 6 years plus the current year for all financial info irrespective of SOX. Guess I will have to research this further to make sure that this still satisfies SEC requirements for US filings.
    As for the advice from our own external professionals they have all reiterated the requirement for auditors but have not told us that we must also comply with that. Maybe they are still a little behind all the considerations that the US has already gone through.



  • It is true that UK filers are required to retain documents for 6 years, but for the SEC this will always be 7; therefore, you just need to hold onto documents for an additional year.

