Company document retention requirements vis-a-vis SOx

  • We are looking at our company’s document retention practices in the context of SOx (we’re a foreign filer, so we have not been through the whole process yet) and we’ve been told (by our external auditor and an outside consultant) that the following applies:

    • documents to evidence management’s testing activities:
      7 or (?) 10 years; one party says that not all the underlying records necessarily need to be retained, so long as the management testing documentation is sufficiently detailed in its description of what was looked at.
    • ALL documents to evidence ALL instances of key control execution: a period that would ensure all control evidence is available for external audit testing selection; i.e. until the external auditor has completed their SOx audit work, which normally should be a few months after year-end.
      Is this correct??

  • Anyone have an answer?

  • Here is an interesting article that will help you answer your question - look for the Section VIII 😉

  • Thanks much Melly - I just printed the article and will read it tomorrow; I hope it’s what we are looking for.

  • The article helped a little bit. What I am now leaning towards as a conclusion, also based on input on the IIA’s SOx discussion forum, is as follows:
    (A) Documentation of management’s assessment activities (i.e. all management testing documentation) should be maintained in accordance with the existing financial records retention policies in place pursuant to pre-existing SEC rules and regulations. I.e. apply the same policies to SOx-process-specific documentation, that already applies to other (financial) records. But that does not extend to possible underlying documentation that would previously have been discarded; that can continue as before.
    (B) All source documents NOT subject to the above retention policies noted under (A) but that can be subjected to management’s assessment (i.e. documents that management, or their designate such as internal audit could decide to pull and perform testing on during the year) should be retained to the extent, and for the period, as agreed between the company and its external auditor. I.e. if the external auditor wants to be able to select their own sample from the same population of key control execution as management, then all that documentation would have to be retained until the external auditor can execute their test. After that, it can be discarded.
    I don’t think Dutch record retention laws come into play here; management’s assessment documentation does not serve any Dutch-mandated requirements, only SEC/US requirements. Meaning that, of course, we already comply with the Dutch laws on this topic and we will continue to do so, but the records that we now must maintain pursuant to SOx and related US/SEC regulations are not also ‘governed’ by Dutch record retention laws and regulations, I would say.
    I think I will clear this position with our in-house counsel first though.

