Iron Mountain - Knowledge Center - Sarbanes-Oxley: A Review of its Records Management Implications

Sarbanes-Oxley: A Review of its Records Management Implications

Public companies are now intimately familiar with Sarbanes-Oxley and its mandates for clear financial controls and better corporate governance. Sarbanes-Oxley also implicitly mandates that public companies have consistent, credible records management processes. But what specifically are the records management implications of the act? Here is a review of the short-term, narrow implications, as well as an interpretation of the broader, long-term implications for corporate records management.

Internal Controls Mandate for Public Companies

CEOs of public companies will have to assess their company's internal control environment and include a report in their annual filings as to their findings. Within this internal control assessment report, there needs to be an evaluation of whether the internal controls include records maintenance that accurately supports the transactions and the financial results of the company.

Narrow Implications

  • Requires formal testing, review, and documentation of the internal control process
  • Requires maintenance of financial records

Broader Implications

  • Establishes the need for a records maintenance program for financial recordkeeping that meets the test of timely and accurately reflecting the transactions and dispositions of the company's assets
  • Requires information technology, accounting & finance, and legal to collaborate on the development and implementation of a records management program
  • Senior management needs to drive the implementation of records management programs

Internal Controls Mandate for Public Accounting Firms

Sarbanes-Oxley requires that, along with the company assessing its internal control environment, the auditors of these public companies also have to perform their own assessment and report on the company's internal environment. This includes assessing that the company's records support the transactions, positions, and financial results of the company.

Narrow Implications

  • Public accounting firms (and internal auditors) will be auditing the maintenance and management of financial records

Broad Implications

  • Public accounting firms (and internal auditors) are likely to audit records management programs
  • Public companies should develop (if not already in existence) records that reflect all transactions and have records management programs that:
    • Retain all those records for adequate periods
    • Enable the company to locate the records when needed

Whistleblower Mandate

Sarbanes-Oxley gives greater responsibility to a company's audit committee as overseers of company management. One of these responsibilities is ensuring there is a clear “Whistleblower” process for employees. Any employee should be able to put forward a concern or complaint regarding management override, company fraud, questionable accounting transactions, etc.

Narrow Implications

  • Requires recordkeeping programs for complaints

Broad Implications

  • Heightens sensitivity to the integrity of financial reporting
  • Increases internal scrutiny

Audit Work Papers Mandate

Sarbanes-Oxley requires that all public accounting firms keep audit work papers as records for 7 years. This includes both paper and electronic records such as e-mail.

Narrow Implications

  • Requires recordkeeping programs for audit work papers and related documents for public accounting firms

Broad Implications

  • Indirectly requires recordkeeping programs for audit work papers for corporations
  • Requires e-mail retention/archiving of audit materials (correspondence and related financial data) for both public accounting firms and corporations
  • Because Sarbanes-Oxley empowers the PCAOB to subpoena from issuers documents on which an audit is based, issuers may have the same de facto seven-year requirement

Destruction of Records

Sarbanes-Oxley prescribes hefty penalties in the event of inappropriate destruction of business records. For willful destruction of corporate audit records, the punishment can include imprisonment of up to 10 years. Destroying or altering records to impede a federal investigation or bankruptcy case, tampering with records, or impeding an investigation are all punishable by prison terms of up to 20 years.

Narrow Implications

  • Ad hoc suspension of records destruction, either in anticipation of litigation or across the board as a protective measure

Broad Implications

  • Warrants the design and implementation of formal “litigation hold” programs
  • Warrants the design and implementation of formal records retention programs to identify retention and disposal requirements of records

Getting Started

CEOs and boards of directors now have no practical choice but to implement compliant records management programs. The components required to successfully implement or upgrade your records management program are the same as any other key corporate program, including:

  • Senior executive support
  • Appropriate resources
  • Clearly defined goals
  • Accountability
  • Expertise
  • Employee training
  • Follow up communications and enforcement