According to the Sarbanes-Oxley Act of 2002, or SOX, companies are required to keep all documents that contain information about a company's policy or performance. Any document relevant to the auditing process that contains information about a company that can be represented with words or numbers is considered a document that must be retained for auditing purposes.
To emphasize this point, Section 802 of the act stresses that document retention rules applies to all of a company's e-mail, e-mail attachments and documents retained on computers, servers, auxiliary drives, e-data and websites, as well as hard copies of all company records. Generally accepted accounting principles (GAAP) also require that companies retain business records.
Under SOX, there are four key components that must be met to ensure that digitally stored documents meet document retention policies. Those components are:
- The documents, including emails must be "tamperproof."
- Digitally stored documents must be password protected, read-only and cannot be deleted.
- The digital documents that are stored must be encrypted and digitally signed.
- The digitally stored documents must have the ability to be audited by a third party, and have search capability.
The American Institute of Certified Public Accountants, an organization that is integral to setting the GAAP, also has certain suggestions regarding appropriate controls for digitally stored documents. Copies of emails and other digital copies used during the course of business should be retained both digitally and in hard copy. When documents are stored digitally, it is required that proper internal controls be exercised. Some required internal controls are that the IT personnel responsible for storing digital documents must be independent, and hard copy of security logs must be stored.
Under Sarbanes-Oxley, companies face more significant exposure to the charge of spoliation if their digital recordkeeping is inadequate. Spoliation, the willful or negligent destruction of records, can result in severe sanctions and fines, because the lack of carefully preserved records can deny opposing parties their rights in a potential litigation.
SOX guidelines require permanent retention of the following type of documents: Bank statements, chart of accounts, payroll records, contracts and leases, union agreements, legal correspondence and employee training manuals. AR and AP ledgers, product inventories, tax returns, and time cards should be retained for seven years. Purchase orders and invoices should be retained for five years, and employment applications should be stored for three. (See also: An Inside Look at Internal Auditors.)
This question was answered by Chizoba Morah.