What is the Sarbanes-Oxley Act?
Enacted following a series of high-profile accounting scandals in the United States, most notably Enron and WorldCom, the Sarbanes-Oxley Act of 2002 (SOX) is intended to enhance corporate responsibility and financial reporting as well as combat corporate and accounting fraud. It is one of the most complex pieces of legislation passed in the United States in recent years and includes some of the most far-reaching reforms of American business practices since the 1930s.
SOX is administered by the U.S. Securities and Exchange Commission (SEC), the organization responsible for protecting investors and maintaining the integrity of US financial markets.
Who is affected?
The law applies to public companies in the United States, including those based in other countries that are traded on US stock exchanges such as the New York Stock Exchange and NASDAQ. SOX also affects related businesses, including the accounting, legal and records/information management professions that work with companies on financial and corporate reporting.
What does SOX have to do with information management?
Sarbanes-Oxley includes rules about the way companies and their auditors retain, control, manage and use information. For example, it outlines what type of information must be kept, for how long and who is responsible for ensuring the information is available. Companies are also required to have information and records management policies and procedures and to halt regular document destruction if they expect the company will face a government investigation, audit or other official proceeding.
SOX Section 802 addresses these issues:
1520. Destruction of corporate audit records – Any accountant who conducts an audit of an issuer of securities to which section 10A (a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j–1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded. (2) The Securities and Exchange Commission shall promulgate, within 180 days, after adequate notice and an opportunity for comment, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review, which is conducted by any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j–1(a)) applies. The Commission may, from time to time, amend or supplement the rules and regulations that it is required to promulgate under this section, after adequate notice and an opportunity for comment, in order to ensure that such rules and regulations adequately comport with the purposes of this section.
What do companies have to do to comply with SOX?
As noted above, SOX requires companies to have a record and information management policy. Companies should create formal written policies and procedures outlining the process and identifying the specific tasks and roles within the process, including procedures related to document destruction and how the company would go about stopping destruction should it anticipate an investigation. Of course, these policies should be regularly reviewed by the company’s lawyers.
Penalties for non-compliance are also outlined in Section 802:
1519. Destruction, alteration, or falsification of records in Federal investigations and bankruptcy – Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.
1520. Destruction of corporate audit records (b) Whoever knowingly and willfully violates subsection 1520 (a)(1) [see above] or any rule or regulation promulgated by the Securities and Exchange Commission under subsection (a)(2), shall be fined under this title, imprisoned not more than 10 years, or both.
How can we help?
Capital Paper can help public companies comply with the Sarbanes-Oxley Act by implementing a document destruction schedule and protocol to ensure the secure destruction of corporate records once the required retention period ends.
For more information:
U.S. Securities and Exchange Commission
This document does not constitute a legal opinion or legal advice. Do not rely on any of the information in this document without first obtaining legal advice.