According to the Sarbanes-Oxley Act (SOX), companies are required to keep all documents that contain information about a company's policy or performance. Any document relevant to the auditing process that contains information about a company that can be represented with words or numbers is considered a document that must be retained for auditing purposes. To emphasize this point, section 802 of the act stresses that document retention rules apply to all of a company's e-mail, e-mail attachments, and documents retained on computers, servers, auxiliary drives, e-data, and websites, as well as hard copies of all company records. Generally accepted accounting principles (GAAP) also require that companies retain business records.

Under SOX, there are four key components that must be met to ensure that digitally stored documents meet document retention policies. Those components are:

  • The documents, including emails, must be 'tamper proof'
  • Digitally stored documents must be password protected and read-only, and it must not be possible to delete them
  • The digital documents that are stored must be encrypted and digitally signed
  • The digitally stored documents must have the ability to be audited by a third party, and have search capability.


The American Institute of Certified Public Accountants, an organization that is integral to setting the GAAP, also has certain suggestions regarding appropriate controls for digitally stored documents. Copies of emails and other digital copies used during the course of business should be retained both digitally and in hard copy. When documents are stored digitally, proper internal controls must be exercised. Among the required internal controls are that the IT personnel responsible for storing digital documents must be independent, and that hard copies of security logs must be stored.

For more on SOX and auditors, see An Inside Look At Internal Auditors.

This question was answered by Chizoba Morah.

