iQoncept - Fotolia


4 steps to remain compliant with SOX data retention policies

Data retention policy is inherent to Sarbanes-Oxley Act compliance. In this tip, learn SOX data retention best practices to remain regulatory compliant.

The regulations companies must comply with are as varied as the services they provide and the regions they operate in. Large financial institutions in the U.S. must comply with the Sarbanes-Oxley Act (as a public company), the Gramm-Leach-Bliley Act (for financial companies), the Payment Card Industry Data Security Standard (for credit service providers),  SEC Rule 17a-4 (for those in the financial services industry) and local privacy regulations when operating in other countries.

If healthcare providers and payers are customers of the financial institution, the firm must also comply with privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) to protect patient health information.

Despite the variations -- public versus private, global versus operating only in the United States -- the foundation of most Sarbanes-Oxley compliance mandates is data retention best practices.

What are SOX compliance requirements?

The Sarbanes-Oxley (SOX) Act requires that all financial reports also include an "Internal Controls Report" to show that all financial data is accurate and that appropriate controls are in place to protect the information. The SOX Act also requires companies to develop a year-end financial disclosure report and mandates that an independent, external auditor review these controls, as well as their associated policies and procedures, during what is called a "Section 404" audit.

The auditor may also conduct interviews with staff and determine whether personnel have duties that match their job description and that they are properly trained on handling financial information. In addition to SOX Section 404: Management Assessment of Internal Controls, Section 302: Corporate Responsibility for Financial Reports and Section 409: Real Time Issuer Disclosures require the following processes be monitored, logged and audited:

  • network and database activity;
  • internal controls;
  • login attempts;
  • account and user activity; and
  • information access.

The requirements listed under SOX Section 802: Criminal Penalties for Altering Documents, focus on business data retention and protection. This rule outlines penalties and fines that come with the alteration, destruction, or concealment of business records to obstruct or influence a legal investigation.

Don’t Be Burdened by SOX Compliance

We’re here to help you stay SOX compliant. Download our guide, Tools and Strategies to Help You Stay SOX Compliant, to gain insights on how to navigate data compliance regulations and how single sign-on tech can improve SOX adherence.

Section 802 specifies criminal penalties -- including fines and/or imprisonment for no more than 20 years -- for destroying, altering or falsifying audit records. Specifically, as spelled out by the U.S. Securities and Exchange Commission, audit and accounting records must "be retained for seven years after the auditor concludes the audit or review of the financial statements." The rule not only addresses the retention of records related to issuers' financial statements, but also the financial statements of registered investment companies. The records covered in the rule include any memoranda, correspondence, communications, and electronic records that are created, sent or received in connection with the audit or review, as well as any conclusions, opinions, analyses, or financial data related to them.

The SOX compliance rules stipulate how long certain audit records should be kept. For example, receivable or payable ledgers and tax returns must be kept for seven years, while customer invoices must be retained for five years. Payroll records and bank statements, however, must be kept forever.

How to remain compliant with SOX data retention policies 

While SOX Section 802 is clear about what type of business records should be stored and for how long, it does not stipulate how or where these records are kept. To help put it in perspective, let's focus on meeting SOX data compliance mandates in four steps.

Step 1. Identify SOX compliance mandates

SOX Section 302 and 404 have the greatest business impact in terms of compliance obligations. Section 302 calls for a corporate responsibility for financial reporting process and holds the CEO and CFO responsible for ensuring the accuracy of quarterly and annual financial data statements. Spreadsheets, documents and emails that were used to arrive at the final financial conclusions are considered records under SOX data retention requirements, and therefore must be maintained.

SOX data retention compliance

Before the CEO and CFO sign the company's financial statements, there should be a workflow reporting process in place to manage all financial statements. If serious errors or fraud are discovered in the financial reporting process, the company would face severe penalties for noncompliance.

Section 404 requires that annual reports contain information regarding internal control. The rule places major responsibility on the CFO and the company's external auditors to ensure the effectiveness of internal controls, including policies, processes and company IT systems used for data retention.

Step 2. Identify data retention periods for each regulation

In this step, we'll examine financial data retention periods based on recommendations made by David Balovich, a well-known expert on document retention and destruction policies set by the American Institute of Architects Austin Chapter.

SOX Act Sections 103 (a) and 801 (a) require public companies and registered public accounting firms to maintain audit work papers for at least seven years.

SOX does not mandate private companies to comply, but under Section 802 whoever knowingly destroys, alters or falsifies records with the intent to impede or influence a federal investigation may be fined and/or imprisoned for no more than 20 years.

SOX specifies different data retention dates for different document types. A retention period of seven years is required for:

  • accounts payable ledger;
  • accounts receivable ledger;
  • time cards; and
  • product inventory.

A retention period of five years is required for:

  • invoices to customers;
  • invoices from vendors; and
  • purchase orders.

Employment applications must also be retained for three years. There is a permanent retention period for bank statements, contracts and leases, employee payroll records, legal correspondence, training manuals and union agreements. 

The American Institute of Architects Austin Chapter's document retention and destruction policy references the SOX Act, and Balovich explains that one of the purposes of the policy is to ensure the organization eliminates accidental destruction of records

A retention period of seven years is required for:

  • state sales tax information and returns;
  • business expense records;
  • invoices;
  • bank statements;
  • earning records; and
  • payroll tax records.

A Data retention period of seven years is required after employment was terminated for records relating to employee promotion, demotion or discharge.

A retention period of five years is required for:

  • sales records;
  • state unemployment tax records;
  • accident records and workers unemployment records; and
  • salary records.

retention period of three years is required for:

  • general correspondence;
  • credit card receipts; and
  • employment applications.

There is a permanent retention period for Articles of Incorporation, executive/board policies and resolutions, bylaws, chapter charter, state sales returns, financial statements, depreciation schedules, check registers, payroll registers, tax returns, employment and termination agreements and insurance policies.

Step 3. Determine document storage

Electronic media is the preferred storage method under the SOX data retention mandates. It must preserve the required records in a nonrewritable, nonerasable format as defined in the Securities Exchange Act of 1934.

Under SOX, the business must ensure that an email:

  • be tamper-proof, permanent-word protected, encrypted and read-only;
  • follow the policies of the business on how email is archived, what the data retention period is, and how email is protected;
  • can be audited by a third party if needed; and
  • be fully indexed and searchable.

Under Section 802, if documents cannot be converted or are not economically feasible to convert to an electronic format (e.g. too large to fit onto a CD-ROM), you need to secure the original and hard copies in locked cabinets or vaults. When documents reach retention expiration dates, they should be destroyed. Section 802 rules state that any employee who knows the company is under investigation, or suspects it might be, must stop all document destruction and alteration immediately.

Step 4. Implement data retention policy

To handle multiple data retention dates, organizations should consolidate these dates into a corporate or organizational data retention policy. The policy should include:

  • review dates to check the impact of organizational changes and who is responsible for meeting the data retention requirements;
  • document and email archiving policies;
  • email alerts when any system has been compromised; and
  • notifications on impending noncompliance.

SOX financial data retention and deletion requirements are complex processes that require time, money and close attention to enact. In a post-Enron world, abiding by Sarbanes-Oxley compliance best practices is necessary to maintain transparency and to avoid penalties for noncompliance at your enterprise.

Next Steps

A SOX compliance handbook

Five steps to prepare for SOX audit requirements

Backup retention policy best practices: A guide for IT admins

The raw -- yet burgeoning -- potential of coreless banking

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG