Among the new rules issued by the SEC to enforce the Sarbanes-Oxley Act is one that says an auditing firm must keep every document that influences its report about a client for at least seven years?everything from the CEO’s e-mail to a sticky note with some key figures on it?in case they are needed for an investigation. According to emerging legal interpretations of the rules, as a practical matter, every public company?and possibly some private ones?have to start keeping these records too if they wish to avoid liability in some unforeseen investigation. The rules take effect Oct. 31, giving CIOs seven months to deploy the capability to save records if they don’t already have it.
“The possible implications are far broader than some [experts] concluded initially, and the document management implications are probably greater than meets the eye,” says Randolph Kahn, a Chicago-based lawyer and regulatory compliance consultant.
Here are some tips for getting started with a document retention plan that meets the spirit and letter of the law.
1. Call the lawyers. Meet with your chief counsel and other executives, and create a document retention and destruction policy. Kahn says that companies need two policies: a business-as-usual policy, in which certain types of documents are regularly destroyed; and an emergency policy that specifies which documents must be saved at the first sign of litigation. Specific decisions about what gets saved and destroyed are up to each company, but it’s foolish to destroy accounting or financial records, says Ladd Hirsch, a Dallas-based securities lawyer.
2. Assess IT requirements. Figure out what IT investments are needed to support the policy. Saving e-mail is just the tip of the iceberg that includes spreadsheets, text files, voice mails and PowerPoint presentations, and just storing documents probably won’t pass muster with regulators. Document retention systems should index material by topic?such as contracts or accounting?rather than document format?such as PDF or Word?and should also be tamper-proof. Such a system may include audit trails, forbid overwriting and require passwords to access documents, says Kahn.
3. Train employees. E-mail won’t archive itself. Employees have to be familiar with retention and destruction policies and how to use the systems that support them. Recently, five brokerages agreed to $8.3 million in fines because employees deleted e-mail pertaining to a fraud investigation. While the fines stemmed from violations of a different securities law, Hirsch says to expect the same kind of fines under Sarbanes-Oxley. If employees break the rules, but the company can demonstrate that it provided adequate training, the company may reduce its liability.
4. Enforce the policy. Hirsch says that having a document retention policy and not enforcing it is worse than not having a policy at all. At the start of the Enron scandal, Arthur Andersen compounded its troubles by enforcing its document destruction policy only when investigators came calling. “You can’t babysit an entire workforce,” says Kahn, and enforcement isn’t just the CIO’s responsibility. But by putting in place the proper technology and providing the right training, he adds, “you can help them get it right.”
Which Records Must Be Saved?
Here’s how the SEC defines which audit-related records must be maintained:
“The final rule requires that the auditor retain records relevant to the audit or review, including work papers and other documents that form the basis of the audit or review of an issuer’s financial statements, and memoranda, correspondence, communications, other documents and records (including electronic records) that meet two criteria. The two criteria are that the materials: 1. are created, sent or received in connection with the audit or review; and 2. contain conclusions, opinions, analyses or financial data related to the audit or review.”