What exactly is Sarbanes-Oxley?
The Sarbanes-Oxley Act, commonly called SOX, sets forth records management and retention policies for all public companies. SOX was enacted in 2002 in response to corporate scandals involving large public corporations, such as Enron and WorldCom, and their accounting firms, and is currently law.
How are email records involved?
Today, the vast majority of organizations use email to communicate internally and as a vehicle for the exchange of documents and correspondence between businesses and their outside consultants, accounting firms and audit firms. Since these communications often contain information about business transactions and business decisions, these email communications must be retained in order for an organization to comply with the provisions of Sarbanes-Oxley.
What organizations are impacted?
All companies under the jurisdiction of the U.S. Securities and Exchange Commission must comply with the Sarbanes-Oxley Act. Basically, any publicly-traded company must follow Sarbanes-Oxley regulations. In addition, private firms that may one day be merged with or acquired by a public company will fall under these regulations as well. It is recommended that all such entities implement a data retention strategy.
What are the penalties for non-compliance with Sarbanes-Oxley?
The Sarbanes-Oxley Act states that violations involving destruction or falsification of records related to any federal investigation or bankruptcy proceeding are subject to penalties. Such records include email documents. Penalties range from a fine to a prison sentence of up to 20 years for "whoever knowingly alters, destroys, mutilates" any record or document with the intent to impede an investigation. Additional penalties differ according to section violation guidelines.
What are the requirements of Sarbanes-Oxley?
There are many sections to SOX. A few of the sections most relevant to records retention are:
- Section 302: Corporate Responsibility for Financial Reports
This section requires that CFOs and CEOs personally certify and be accountable for their firms' financial records and accounting. This section has been highlighted due to its link to top management.
- Section 103: Auditing, Quality Control and Independence Standards and Rules
This section requires companies to "prepare and maintain for a period of not less than 7 years, audit work papers and other information related to any audit report, in sufficient detail to support the conclusions reached in such report."
- Section 105: Investigations and Disciplinary Proceedings
Section 105 requires "the production of audit work papers and any other document or information in the possession of a registered public accounting firm or any person thereof, wherever domiciled, that the Board considers relevant or material to the investigation, and may inspect the books and records of such firm or associated person to verify the accuracy of any documents or information supplied."
- Section 404: Management Assessment of Internal Controls
Section 404 requires companies to report on the effectiveness of internal controls regarding financial reporting. Since internal business decisions and data are discussed, transported and stored in corporate email systems, ensuring that data cannot be accessed or tampered with is critical to the reliability of financial reporting.
Generally, under SOX, corporate email messages have achieved the same status as other commonly used business documents and are subject to the same rules.
- Section 409: Real-time Issuer Disclosures
Regarded as the most demanding of the requirements, Section 409 requires that companies provide real-time disclosures of any events that may affect a firm's stock price or financial performance within a 48-hour period.
- Section 802: Criminal Penalties for Altering Documents
As a result of the document destruction by various businesses and their accounting firms, most notably Enron and Arthur Andersen, Section 802 provides stiff penalties: fines of up to $1,000,000 and/or prison terms for "whoever knowingly alters, destroys, mutilates any record or document with intent to impede an investigation."