Privately Held Companies and Sarbanes-Oxley Considerations



  • I am the Manager of Information Services for a professional services firm. Senior management is telling me that most of the Sarbanes-Oxley laws don’t apply to us because we are privately held, and that we will be in compliance by having an email retention policy of only 3 weeks.
    I am sure that the type of company in question may affect where we fit into the laws, but does any of this sound right? If something were to happen and non-compliance was found, I am sure my staff and I could be implicated and held accountable to some extent.
    Any advice? :roll:




  • If you feel as the technology leader for your organization that being in compliance would allow your organization greater control, then do it. At the moment private companies like yours are determining if they should comply now or later.



  • we will be in compliance by having an email retention policy of only 3 weeks.
    I’d say your firm’s management doesn’t understand SOX, if they think e-mail retention policies have anything to do with compliance with SOX. I have been focused on public company compliance, but I have seen several discussions of implications for private companies.



    1. Email retention policies have nothing to do with SOX compliance.*
    2. Private companies do not have to comply.
      However, if you’re a private company providing IT services, and possibly other services, to a company that must be SOX compliant, SOX does affect you.
      Although there is a high learning curve, as an IT professional you should really take a look at the COBIT objectives.
      They will give you a much better understanding of the importance of controls, and help you structure your IT security policies much more efficiently.
    • I simplified that statement… Email retention policies MIGHT be part of SOX compliance IF you are using email as part of your controls. For example, all requests for access to the accounting server must be completed via email and approved by the Accounting Controller.
      In that case email retention is part of SOX compliance, but only because you make email part of your control.
      I hope that makes sense.


  • It is also important to know that, if a privately held company is a child company of a public entity, then it should be SOX-compliant as well.
    Honestly, when looking at it, any organization should consider aligning its operations to be SOX compliant over the next couple of years just for peace of mind.

