Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Sarbanes-Oxley Primer on Document Retention Policies


Published on

  • Be the first to comment

Sarbanes-Oxley Primer on Document Retention Policies

  1. 1. The Sarbanes-Oxley Act: An Overview Kimberly R. Stuart Crain Caton & James, P.C.
  2. 2. Why Have the Act? <ul><li>ENRON </li></ul><ul><li>WORLD-COM </li></ul><ul><li>ARTHUR ANDERSEN </li></ul>
  3. 3. Why Have the Act (seriously)? <ul><li>Legislation directed at </li></ul><ul><ul><li>publicly-traded companies </li></ul></ul><ul><ul><li>public accounting firms </li></ul></ul><ul><ul><li>Securities and Exchange Commission (SEC) </li></ul></ul><ul><ul><li>Public Company Accounting Oversight Board </li></ul></ul><ul><ul><li>others </li></ul></ul><ul><li>to protect investors by </li></ul><ul><ul><li>improving the accuracy and reliability of corporate disclosures required by securities laws, and for other purposes. </li></ul></ul>
  4. 4. What does the Act do? <ul><li>Adds new criminal penalties for obstruction of justice by destroying or altering records </li></ul><ul><li>Requires corporate executives to certify the accuracy of reported financial information </li></ul><ul><li>Requires registration with Board of public accounting firms </li></ul>
  5. 5. Who is Affected? <ul><li>Any publicly-traded company </li></ul><ul><li>Any public accounting firm that provides auditing services for publicly-traded companies </li></ul><ul><ul><li>Independent contractor to public accounting firm </li></ul></ul><ul><li>Any company or agency is subject to the obstruction of justice sections </li></ul><ul><li>Any individual ... </li></ul>
  6. 6. Corporate Responsibility - §301 <ul><li>Audit Committee Responsibilities - Complaints audit committee shall establish procedures for </li></ul><ul><ul><li>(A) the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and </li></ul></ul><ul><ul><li>(B) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters. </li></ul></ul>
  7. 7. Corporate Responsibility <ul><li>Document existing procedures </li></ul><ul><ul><li>Submit to audit committee for approval </li></ul></ul><ul><li>Communicate procedures to employees </li></ul><ul><ul><li>Complaint-Channel issues: </li></ul></ul><ul><ul><ul><li>Directly to audit committee or intermediary </li></ul></ul></ul><ul><ul><ul><li>Internal or third-party </li></ul></ul></ul><ul><ul><ul><li>How to record and retain complaints </li></ul></ul></ul><ul><ul><ul><li>Procedures developed to establish confidentiality and anonymity </li></ul></ul></ul>
  8. 8. Corporate Responsibility §302 <ul><li>Certification of annual or quarterly report required by </li></ul><ul><ul><li>principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions </li></ul></ul><ul><li>Certifies to 6 specific points outlined in §302. </li></ul>
  9. 9. Corporate Responsibility - §403 <ul><li>Disclosures of Officers, directors and principal stockholders </li></ul><ul><ul><li>Electronic filing requirement with the SEC </li></ul></ul><ul><ul><li>Must also be posted on the corporate website no later than end of business day following the filing. </li></ul></ul><ul><ul><li>“Rule 16a-3(k) requires each form to remain accessible on the issuer's website for at least a 12-month period.” </li></ul></ul>
  10. 10. Corporate Responsibility - §404 <ul><li>Annual reports must contain: </li></ul><ul><ul><li>an internal control report, which shall </li></ul></ul><ul><ul><ul><li>state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and </li></ul></ul></ul><ul><ul><ul><li>contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. </li></ul></ul></ul>
  11. 11. Corporate and Criminal Fraud Accountability (Title VIII) <ul><li>Sec. 802 Criminal penalties for altering documents </li></ul><ul><ul><li>This section of the Sarbanes-Oxley adds two new provisions to Title 18 chapter 73 of the US Code, Obstruction of Justice </li></ul></ul><ul><ul><ul><li>Section 1519 </li></ul></ul></ul><ul><ul><ul><li>Section 1520 </li></ul></ul></ul>
  12. 12. Sec. 1519 – Destruction, Alteration or Falsification of Records <ul><ul><li>Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document or tangible object with the intent to impede, obstruct or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the US or any case filed under Title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both. </li></ul></ul>
  13. 13. Sec. 1520 - Destruction of Corporate Audit Records <ul><li>Original requirement </li></ul><ul><ul><li>shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded. </li></ul></ul>
  14. 14. SEC Final Rule: 33-3180 Retention of Records Relevant to Audits and Reviews <ul><li>http://www.sec. gov /rules/final/33-8180. htm </li></ul><ul><li>Revised to 7 years making the retention requirements the same for all records. </li></ul><ul><ul><li>This eliminated inconsistency between laws and regs regarding Public Accounting Oversight Board </li></ul></ul><ul><li>Documents that do not fall within the Rule: </li></ul><ul><li>superseded drafts of memoranda, financial statements or regulatory filings, notes on superseded drafts of memoranda, financial statements or regulatory filings that reflect incomplete or preliminary thinking, previous copies of workpapers that have been corrected for typographical errors due to training of new employees, dupclicates of documents or VOICE MAIL MESSAGES </li></ul>
  15. 15. Corporate Fraud Accountability (Title XI) <ul><li>Revises Section 1512 of Title 18, United States Code, Chapter 73: </li></ul><ul><li>Section 1102 Tampering with a record </li></ul><ul><ul><li>Sec 1102(2)(c) Whoever corruptly </li></ul></ul><ul><ul><ul><li>1) Alters, destroys, mutilates or conceals a record, document or other object or attempts to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding or </li></ul></ul></ul><ul><ul><ul><li>2) Otherwise obstructs, influences, or impedes any official proceeding, or attempts to do so, shall be fined, or imprisoned not more than 20 years, or both. </li></ul></ul></ul>
  16. 16. Attempt and Conspiracy (Title IX) <ul><li>Creates new section 18 USC 1349 under Chapter 63: </li></ul><ul><ul><li>“Any person who attempts or conspires to commit any offense under this chapter shall be subject to the same penalties as those prescribed for the offense, the commission of which was the object of the attempt or conspiracy.” </li></ul></ul>
  17. 17. Application of penalties <ul><li>New crimes and enhanced penalties created under this Act do not apply to conduct committed before enactment </li></ul><ul><ul><li>Conspiracy </li></ul></ul><ul><ul><ul><li>If begun before the Act but continues after enactment – can be prosecuted under the Act </li></ul></ul></ul><ul><ul><li>Destruction of records – </li></ul></ul><ul><ul><ul><li>Date of alleged obstructive act </li></ul></ul></ul>
  18. 18. What Act Does Not Do <ul><li>No provisions on: </li></ul><ul><ul><li>Developing systems to manage electronic records </li></ul></ul><ul><ul><li>How to retain records to meet retention requirements </li></ul></ul>
  19. 19. Creating a SOX Compliant Document Retention Policy <ul><li>SOX creates a legal duty to retain documents </li></ul><ul><li>Who should you involve to establish a SOX compliant document retention policy: </li></ul><ul><ul><li>Mangement </li></ul></ul><ul><ul><li>Administrative Staff </li></ul></ul><ul><ul><li>Legal Counsel </li></ul></ul><ul><ul><li>Auditors </li></ul></ul><ul><ul><li>IT Personnel </li></ul></ul>
  20. 20. Creating a SOX Compliant Document Retention Policy—The Players <ul><li>Management’s Role: </li></ul><ul><ul><li>Establish corporate goals </li></ul></ul><ul><ul><li>Setting budget for policy </li></ul></ul><ul><ul><li>Select Document Retention Manager </li></ul></ul>
  21. 21. Creating a SOX Compliant Document Retention Policy —The Players <ul><li>Administrative Staff </li></ul><ul><ul><li>Provide input regarding practical effects of policy on daily operations </li></ul></ul><ul><ul><li>Ensure daily compliance </li></ul></ul>
  22. 22. Creating a SOX Compliant Document Retention Policy —The Players <ul><li>Legal Counsel </li></ul><ul><ul><li>Identify document retention requirements relevant to you business </li></ul></ul><ul><ul><li>Provide input into document retention policy with regard to future legal controversies and ongoing legal issues </li></ul></ul>
  23. 23. Creating a SOX Compliant Document Retention Policy —The Players <ul><li>IT Personnel </li></ul><ul><ul><li>Provide input regarding the hardware and software capabilities for your business </li></ul></ul><ul><ul><li>Research new or innovative hardware and software issues to accommodate policy goals and directives </li></ul></ul><ul><ul><li>Work with management to stay within budget </li></ul></ul><ul><ul><li>Manage day to day technical issues with regard to policy </li></ul></ul>
  24. 24. Creating a SOX Compliant Document Retention Policy —The Players <ul><li>Auditors </li></ul><ul><ul><li>Verify that proper documents are retained for SOX </li></ul></ul><ul><ul><li>Communicate with management regarding potential problems </li></ul></ul><ul><ul><li>Communicate with Legal </li></ul></ul>
  25. 25. Creating a SOX Compliant Document Retention Policy —Elements of a Policy <ul><li>Identify documents to be retained </li></ul><ul><li>Identify periods documents should be retained </li></ul><ul><li>Identify, Outline, Implement process for destroying documents </li></ul><ul><li>Identify, Outline, Implement circumstances under which destruction should be suspended </li></ul><ul><li>Document compliance with policy </li></ul>
  26. 26. Rules and Guidelines <ul><li>SEC Final Rule: 33-3180 Retention of Records Relevant to Audits and Reviews </li></ul>
  27. 27. Questions and Discussion