Sarbanes-Oxley Compliance: Records Retention

By Ian

Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms to maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded. This includes electronic records that are created, sent, or received in connection with an audit or review. Because external auditors rely to a certain extent on the work of internal audit, this implies that internal audit records must also comply with Section 802.

In conjunction with document retention, another issue is the security of storage media and how well electronic documents are protected for both current and future use. The five-year record retention requirement means that current technology must be able to support what was stored five years ago. Due to rapid changes in technology, some of today’s media might be outdated in the next three or five years. Audit data retained today may become unretrievable, not because of data degradation but because of obsolete equipment and storage media.

Section 802

Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management (RM) program, the comprehensiveness of RM (i.e. paper, electronic, transactional communications, which includes emails, instant messages, and spreadsheets that are used to analyze financial results), the adequacy of the retention life cycle, the immutability of RM practices, audit trails, and the accessibility and control of RM content.

Section 404

Section 404 puts the onus on both the independent auditor and management to ensure that internal controls (including IT controls) are working.

• Independent auditors are required to attest to management’s assessment of its internal control over financial reporting. Due to this requirement, cycle rotation to test controls is no longer acceptable in public company audits.

• Auditors also have to test preventive and detective controls in order to obtain high levels of assurance about the operating effectiveness of internal controls.

• Management, on the other hand, must also provide its independent auditors with documentation, evidence of functioning controls and the documented results of testing procedures.
