Archiving Controls and testings results 1567

  • Good morning All,
    May be this question has arise already. I admit I have been away for a while… :oops:
    However, I hope some of you do not mind to repeat again:

    • What is the timing required to keep the evidences of the controls and the results of the tests?
    • Is there any indications by PCAOB or any best agreed practices?
      Thanks for your help.
      Keep enjoying SOX.

  • Hi,
    A good practice for consideration might include following a similar strategy and retention period as that adopted by the external auditor. This helps to ensure that the documentation is available for future reference and to support the assessment of the ICFR.
    Simply, replace (Auditor) with Management or SOX as appropriate in the guidance below:
    Audit documentation should demonstrate that the standards of fieldwork were followed and the audit was adequately planned and supervised. It should provide demonstrate that the auditor obtained an adequate understanding of the internal control to plan the audit and to determine the nature, timing, and extent of audit tests and that the evidence accumulated was competent and sufficient to afford a reasonable basis for an opinion on the financial statements.
    The documentation should enable management and other persons reviewing it to understand the nature, timing, extent and results of the procedures performed, and the supporting evidence.
    It should also identify who performed and reviewed the work and that the tests of controls effectiveness support the conclusions.
    The PCAOB established auditing standards requiring registered public accounting firms to prepare and maintain, for a minimum of seven years, audit documentation in sufficient detail to support the conclusions reached in the auditor’s report. It issued Auditing Standard No. 3, Audit Documentation, . It prescribes documentation requirements for auditors of publicly held entities related to an engagement conducted with the PCAOB auditing and related professional practice standards.
    The AICPA Auditing Standards Board issued an exposure draft in 2003 regarding the proposed Statement on Auditing Standards. It integrates the records retention requirements from the SOX Act and requires auditors to adopt reasonable procedures to retain audit documentation and certain other records for at least SEVEN years after completing the audit.
    Hope this helps,

  • I wouold disagree with your advice there Milan.
    Auditors require to keep evidence for 7 years.
    Management, generally, needs to keep financial records of transactions for a similar period - albeit this is driven by tax rather than SOX requirements.
    Management need not keep evidence of controls for that long. In fact you could make a case for not retaining those records as soon as the accounts have been signed off by the auditor.

  • Denis:
    I agree. But what about transaction and security events logs?
    Are these records supposed to be retained for a similar period?

  • I would apply a similar logic to logs - where they are critical to key controls. Where they are not evidence of key controls I would suggest that they need only be retained so long as the business needs them.
    However, I think you need to be pretty disciplined about what you’re logging given the overhead that can be involved.

  • Denis:
    I agree. But what about transaction and security events logs?
    Are these records supposed to be retained for a similar period?
    The security event logs retention duration may be defined by some other regulations too.

  • Generally, tests of controls results should be kept for a similar period as that of the related ‘audit report’. For SOX purposes, the tests of controls performed would be available to support management’s assessment of ICFR.
    Recent court rulings involving acts of management fraud or willful misrepresentations found in the FS after they have been issued, have had the effect of lengthening the retention period ‘standard’. For compliance with SOX, the retention period might be shorter, but doing so gives rise to legal risks.
    In short, I suggest a more conservative approach regarding the retention of electronic records or paper documents when resources permit. Certainly, the ROI for adopting this conservative approach is not easily justified, but in the event of a stockholders’ class action lawsuit against the Company, it might posture management for a stronger defense.

  • Thanks guys.
    As you have anticipated, it’s a matter of costs, specially on large companies with complex IT infraestructure.
    Local regulations (Argentine) requires 3 years retention period for Financial Companies, so at least these companies have a minimum floor.
    The problem comes when we have to apply this criteria to other industries. It’s hard to establish a common ground.

  • If a company is impacted by multiple retention requirements: SOX, HIPAA, SAS 70, ISO 9000, and other statutory requirements, a beneficial way of ensuring proper retention is to create a matrix as noted below and retain items for the longest possible period
    Category … SOX … HIPAA … SAS70 …
    AREA 1… 7 yrs … 3yrs … 5 years
    AREA 2 … etc.
    Also, in addtion to retention, this should be well documented in the SOX e-Library (so you can quickly find it later). It should also be backed up off-site for D/R purposes. Finally, if you have imaging technology burning an optical CD is a nice means of archiving data just in case.

  • Sorry for the late response.
    I concur with Milan. 7 years is apt for doctrine of conservatism. Moreover, archiving is no longer a big deal. We archive hard copies for 3 years. But soft copies can be retained for 7 years.
    I hope that this helps.

Log in to reply