|
|
|
Features
< Back
Compliance : Sarbanes Oxley : Governance : Documentation
Sarbanes-Oxley Records Management Implications
By
Brian Murphy
|
|
Brian Murphy
Executive Vice President
Iron Mountain
|
Public companies are now intimately familiar with Sarbanes-Oxley and its mandates for clear financial controls and better corporate governance. Sarbanes-Oxley also implicitly mandates that public companies have consistent, credible records management processes. But what specifically are the record management implications of the act? Here is a review of both the short-term, narrow implications, as well as an interpretation of the broader, long-term implications for corporate records management.
Internal Controls Mandate for Public Companies
CEOs of public companies will have to assess their company's internal control environment and include a report in their annual filings as to their findings. Within this internal control assessment report, there needs to be an evaluation of whether the internal controls include records maintenance that accurately supports the transactions and the financial results of the company.
Narrow implications for Public Companies include requiring formal testing, review, and documentation of the internal control process as well as requiring maintenance of financial records.
Broader implications include the need for a records maintenance program for financial recordkeeping that meets the test of being a timely and accurate reflection of the transactions and dispositions of the company's assets. Information technology, accounting & finance, and legal departments must collaborate on the development and implementation of the records management program and senior management needs to drive its implementation.
Internal Controls Mandate for Public Accounting Firms
Sarbanes-Oxley requires that, along with the company assessing its internal control environment, the auditors of these public companies also have to perform their own assessment and report on the company's internal environment. This includes assessing that the company's records support the transactions, positions, and financial results of the company.
A narrow implication of the mandate is that public accounting firms (and internal auditors) will now be auditing the maintenance and management of financial records
Included among the broader implications of the mandate are that public accounting firms (and internal auditors) are likely to audit records management programs. Public companies should be developing (if not already in existence) records that reflect all transactions and have records management programs that retain all those records for adequate periods and enable the company to locate the records when needed.
Whistleblower Mandate
Sarbanes-Oxley gives greater responsibility to a company's audit committee as overseers of company management. One of these responsibilities is ensuring there is a clear 'Whistleblower' process for employees. Any employee should be able to put forward a concern or complaint regarding management override, company fraud, questionable accounting transactions, etc.
This means that companies are now also required to implement recordkeeping programs for such complaints. In a broader sense, the Whistleblower mandate will lead to a heightened sensitivity to the integrity of financial reporting and an increase in internal scrutiny.
Audit Work Papers Mandate
Sarbanes requires that all public accounting firms keep audit work papers as records for 7 years. This includes both paper and electronic records such as e-mail.
The narrow implication of the mandate is that public accounting firms are now required to establish recordkeeping programs for audit work papers and related documents for public accounting firms.
However, from a broader view, it indirectly requires recordkeeping programs for audit work papers for corporations. The mandate also requires e-mail retention/archiving of audit materials, including correspondence and related financial data, for both public accounting firms and corporations. Because Sarbanes-Oxley empowers the PCAOB to subpoena from issuers documents on which an audit is based, issuers may have the same de facto seven year requirement
Destruction of Records
Sarbanes-Oxley prescribes hefty penalties in the event of inappropriate destruction of business records. For willful destruction of corporate audit records, the punishment can include imprisonment of up to 10 years. Destroying or altering records to impede a federal investigation or bankruptcy case, tampering with records, or impeding an investigation are all punishable by prison terms of up to 20 years.
The narrow implication of this mandate will be the ad hoc suspension of records destruction, either in anticipation of litigation or across the board as a protective measure.
Broad implications of the mandate will be that regulation around records destruction now warrants the design and implementation of formal 'litigation hold' programs and formal records retention programs to identify retention and disposal requirements of records.
Getting Started
CEOs and boards of directors now have no practical choice but to implement compliant records management programs. The components required to successfully implement or upgrade your records management program are the same as any other key corporate program, including:
- Senior executive support
- Appropriate resources
- Clearly defined goals
- Accountability
- Expertise
- Employee training
- Follow up communications and enforcement
Brian Murphy
Executive Vice President
Iron Mountain
Brian Murphy is an executive vice president of Iron Mountain and leads the company's Records Management Consulting Services, a professional service organization that helps businesses implement compliant and legally credible records management programs.
Engagements are customized to each client's needs and include: records retention program development and implementation for both paper and digital records, inventory cost reduction, records management gap analysis, benchmarking, and business process re-engineering.
|
|
|
|
|
