Sarbanes-Oxley Act and Record Retention Best Practices
The Sarbanes-Oxley Act (SOX) is a law passed in 2002 that sets forth standards for the recording and reporting of financial activities. A key part of that law involves record retention. Businesses must retain their records for set periods of time (and in some cases permanently, depending on the type of record) in order to be compliant with SOX. Here, we will review record retention best practices in order to ensure Sarbanes-Oxley Act compliance.
The Main Challenge of SOX
SOX has presented a massive challenge to financial businesses everywhere: they now not only have to make regular and accurate reports, but also have to keep the records that support the numbers in those reports. This means companies have to maintain millions of records, and that can get expensive.
How to Remain SOX Compliant
Follow these steps to keep your organization compliant with the Sarbanes-Oxley Act.
Responsibility for Financial Reporting – The CEO and CFO must be responsible for financial reporting. These officers of the organization bear ultimate responsibility for the financial control of the company and for producing and publishing reports that accurately reflect the financial health of the company. The reporting must be done properly and correctly. If it is not, these officers risk large fines ($5 million) and jail time (20 years), even if the errors are unintentional. Anyone else who falsifies information on a financial report, tampers with data, conceals information, impedes an investigation, and the like is subject to 20 years of jail time.
Internal Control Report – Company management is responsible for internal control (i.e., the data security system) of financial records and for creating and implementing a process to maintain this control. This includes disclosing details on the internal financial reporting control system to the SEC. Management must also report on the effectiveness, and any weaknesses, of the internal control system in the company’s annual report. Any flaws or breaches must be disclosed as soon as they are discovered and included in the report.
Independent Audit – An independent auditor must verify the accuracy of the information in the internal control report, including that the company’s internal financial structure is in place and working properly. Auditors are also subject to punishment if they fail to keep audit or review documents for 5 years.
No Retaliation against Whistleblowers – The Act encourages those with knowledge of illegal corporate activity to report it and protects those who do from retaliation. The Department of Justice is authorized to charge those who retaliate against whistleblowers with a federal crime and to prosecute them.
When it comes to best practices for records retention under SOX, the first step is to make a plan. You need to put someone in charge of storing, organizing, and maintaining those records.
You also need to catalog what types of documents you’re dealing with and how long each of those needs to be retained. Any record that contains financial information should be accounted for, including:
- Financial statements
- Accounting records
- Sales reports
- Instant messages
- Bank statements
The list goes on. It may be tempting to try to keep everything indefinitely, but this is simply not possible or practical. It may even violate other regulations such as those governing client privacy.
After planning, the next strong practice is to digitize all records. This massively reduces the physical space needed to store them, and it also facilitates security and retrieval. Document scanning services can convert paper documents into a digital format which can then be indexed into an organized database. Keeping payroll records, tax records, ledgers, and other records for 7+ years is far simpler without rooms full of filing cabinets.
Finally, using multiple repositories is also crucial for records retention. If everything is kept in one place, it can be very easily lost, even if it’s in electronic format. Using multiple servers or storing data in the cloud can help, as can the offsite records storage offered by Armstrong Archives. This allows for enough redundancy that if something happens to one repository, you can still maintain compliance.
Not Indexing Expiration Dates
Many documents contain expiration dates, and failing to track them properly could greatly hamper your entire operation and even leave your company at risk.
Using the Wrong Records Management Service
If you do utilize a company to manage your documents, make sure they understand the specific needs of your business and operations. If they don’t, you might find that accessing your documents is no easier than it was prior to hiring them. The result? Wasted time and money.
While the aforementioned are some of the most common mistakes in document management, they’re not a comprehensive listing of the many considerations your company should be taking into account. An experienced, reputable document management company like Armstrong Archives will help you fill the gaps, ensuring your company can safely maintain and manage its important documents.
Posted By: Sherri Taylor – President/Managing Partner
Sherri Taylor is the Managing Partner and President of Armstrong Archives, one of the largest independent records and information management companies in the Dallas/Ft Worth area.