Four steps to consolidate SOX data retention and deletion processes

Data retention policy is inherent to Sarbanes Oxley Act compliance. In this tip, learn SOX data retention best practices to remain compliant with regulations.

The regulations companies must comply with are as varied as the services they provide and the regions they operate in. Large financial institutions in the U.S. must comply with the Sarbanes Oxley Act (as a public company), the Gramm-Leach-Bliley Act (for financial companies), the Payment Card Industry Data Security Standard (for credit service providers), Basel II (if they operate in Europe), SEC Rule 17a-4 (for those in the financial services industry) and local privacy regulations when operating in other countries.

If healthcare providers and payers are customers of the financial institution, the firm must also comply with privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) to protect patient health information.

Despite the variations -- public versus private, global versus operating only in the Southwest United States -- the foundation of most compliance mandates is data retention. To put it in perspective, let's focus on meeting Sarbanes Oxley Act (SOX) data compliance mandates in four steps.

Step 1. Identify SOX compliance mandates

SOX Sections 302 and 404 have the greatest business impact in terms of compliance obligations. Section 302 calls for corporate responsibility for financial reporting and holds the CEO and CFO responsible for ensuring the accuracy of quarterly and annual financial statements. Spreadsheets, documents and emails that were used to arrive at the final financial conclusions are considered records under SOX data retention regulations, and therefore must be maintained.

Before the CEO and CFO sign the company's financial statements, there should be a workflow process in place to manage all financial statements. If serious errors or fraud are discovered in the financial reporting, the company would face severe penalties.

Section 404 requires that annual reports contain information regarding internal controls. The rule places major responsibility on the CFO and the company's external auditors to ensure the effectiveness of internal controls, including policies, processes and company IT systems used for data retention. 

Step 2. Identify data retention periods for each regulation

In this step, we'll examine data retention periods based on recommendations made by David Balovich, founder of professional business credit consulting firm 3JM Company and a well-known expert on document retention and destruction policies set by the American Institute of Architects Austin Chapter.

SOX Act Sections 103 (a) and 801 (a) require public companies and registered public accounting firms to maintain audit work papers for at least seven years.

SOX does not mandate private companies to comply, but under Section 802 private companies will get slapped with fines and face up to twenty years imprisonment for knowingly destroying, altering or falsifying records with the intent to impede or influence a federal investigation.

SOX specifies different data retention dates for different document types. A retention period of seven years is required for:

  • Accounts payable ledger
  • Accounts receivable ledger
  • Time cards
  • Product inventory
  • Payroll records
  • Tax returns

A retention period of five years is required for:

  • Invoices to customers
  • Invoices from vendors
  • Purchase orders

Employment applications must also be retained for three years. There is a permanent retention period for bank statements, contracts and leases, employee payroll records, legal correspondence, training manuals and union agreements. 

The American Institute of Architects Austin Chapter's document retention and destruction policy references the SOX Act, and Balovich explains that one of the purposes of the policy is to ensure the organization eliminates accidental destruction of records.

A retention period of seven years is required for:

  • State sales tax information and returns
  • Business expense records
  • Invoices
  • Bank statements
  • Earning records
  • Payroll tax records

A data retention period of seven years is required after employment was terminated for records relating to employee promotion, demotion or discharge.

A retention period of five years is required for:

  • Sales records
  • State unemployment tax records
  • Accident records and workers unemployment records
  • Salary records

A retention period of three years is required for:

  • General correspondence
  • Credit card receipts
  • Employment records

There is a permanent retention period for Articles of Incorporation, executive/board policies and resolutions, bylaws, chapter charter, state sales returns, financial statements, depreciation schedules, check registers, payroll registers, employment and termination agreements and insurance policies.

Step 3. Determine document storage

Electronic media -- including CD-ROMs and cartridge tapes -- is the preferred storage method under the SOX data retention mandates. It must preserve the required records in a non-rewritable, non-erasable format as defined in the Securities Exchange Act of 1934 (also known as Rule 240.17a-4).

Under SOX, the business must ensure that an email:

  • Be tamper-proof, permanent-word protected, encrypted and read-only.
  • Follow the policies of the business on how email is archived, what the data retention period is, and how email is protected.
  • Be audited by a third party.
  • Be fully indexed and searchable.

Under Section 802, if documents cannot be converted or are not economically feasible to convert to an electronic format (e.g. too large to fit onto a CD-ROM), you need to secure the original and hard copies in locked cabinets or vaults. When documents reach retention expiration dates, they should be destroyed. Section 802 rules state that any employee who knows the company is under investigation, or suspects it might be, must stop all document destruction and alteration immediately.

Step 4. Implement data retention policy

To handle multiple data retention dates, my recommendation is to consolidate these dates into a corporate or organizational data retention policy. The policy should include:

  • Review dates to check the impact of organizational changes and who is responsible for meeting the data retention requirements.
  • Document and email archiving policies.
  • Email alerts when any system has been compromised.
  • Notifications on impending non-compliance.
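The consolidation described in this step, sketched as an added example that is not part of the original article: it merges the two retention lists from Step 2, keeps the longer period where they disagree (an assumed tie-break rule), flags records nearing expiration, and blocks destruction under a legal hold as Section 802 requires. The function names, status labels and 90-day warning window are hypothetical.

```python
from datetime import date

PERMANENT = None  # marker for "never destroy"

# Retention periods in years, taken from the two lists in Step 2.
# Keying both invoice entries of the first list as "invoices" is an assumption.
SOX_LIST = {
    "payroll records": 7, "tax returns": 7, "invoices": 5,
    "purchase orders": 5, "employment applications": 3,
    "bank statements": PERMANENT, "contracts and leases": PERMANENT,
}
AIA_LIST = {
    "invoices": 7, "bank statements": 7, "business expense records": 7,
    "sales records": 5, "general correspondence": 3,
    "financial statements": PERMANENT,
}

def consolidate(*schedules):
    """Merge schedules, keeping the longest period per type (assumed rule)."""
    merged = {}
    for schedule in schedules:
        for rtype, years in schedule.items():
            if rtype not in merged:
                merged[rtype] = years
            elif merged[rtype] is PERMANENT or years is PERMANENT:
                merged[rtype] = PERMANENT
            else:
                merged[rtype] = max(merged[rtype], years)
    return merged

def expiry(created, years):
    """Date the retention period ends; 29 Feb falls back to 28 Feb."""
    try:
        return created.replace(year=created.year + years)
    except ValueError:
        return created.replace(year=created.year + years, day=28)

def disposition(policy, rtype, created, today, legal_hold=False, warn_days=90):
    """Return HOLD, REVIEW, RETAIN, EXPIRING or DESTROY for one record."""
    if legal_hold:                 # Section 802: stop all destruction
        return "HOLD"
    if rtype not in policy:        # unclassified records need a human decision
        return "REVIEW"
    if policy[rtype] is PERMANENT:
        return "RETAIN"
    end = expiry(created, policy[rtype])
    if today >= end:
        return "DESTROY"
    return "EXPIRING" if (end - today).days <= warn_days else "RETAIN"

POLICY = consolidate(SOX_LIST, AIA_LIST)
```

The two lists disagree on invoices (five versus seven years) and bank statements (permanent versus seven years); the merged policy resolves both to the longer period, and an unlisted record type returns REVIEW rather than ever being queued for destruction.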

About the author:
Judith M. Myerson is the former ADP security officer/manager at a naval facility, where she led enterprise projects for its Materiel Management System. Currently a consultant and subject matter expert, she is the author of several books and articles on cloud use, compliance regulations, mobile security, software engineering, systems engineering and risk management. She received her master of science degree in engineering from the University of Pennsylvania and is certified in risk and information system control (CRISC).

This was last published in June 2014
