The Sarbanes-Oxley Act of 2002: Major Provisions, Critical Reception & How It Affects Email Retention


    What is the Sarbanes-Oxley Act of 2002?

    The Sarbanes-Oxley Act (SOX) was enacted in 2002 as a direct response to a series of highly publicized accounting scandals at large corporations, Enron among them, that had engaged in fraudulent financial reporting and suspect business practices. Some of these corporations were also accused of altering and destroying documents once investigations were under way.

    Much of SOX is administered and enforced by the U.S. Securities and Exchange Commission (SEC), which both enforces the Act's corporate-finance provisions and issues the rules for document retention and the storage of electronic records, including email, that the Act directs it to write. The criminal provisions discussed below, however, sit in Title 18 of the U.S. Code and are prosecuted by the Department of Justice.

    Section 802 of SOX addresses document tampering and the required length of document retention by adding two sections to Title 18 of the U.S. Code: Section 1519 (destruction, alteration or falsification of records) and Section 1520 (destruction of corporate audit records). Sec. 802 also describes the types of documents that must be retained and the consequences of non-compliance. The provisions this article refers to as Sections 802(a)(1) and 802(a)(2) are the retention requirements in 18 U.S.C. 1520(a)(1) and (a)(2), and they are the basis of SOX's email retention guidelines.


    Major Provisions of the Sarbanes-Oxley Act

    The Sarbanes-Oxley Act is organized into 11 sections, also known as titles or provisions. Three of the most significant provisions included in SOX are as follows:

    Section 302: Corporate Responsibility for Financial Reports
    SOX Section 302 requires the principal executive and financial officers of a public company to personally certify the accuracy of their company's periodic financial reports. A knowingly false certification exposes the signing officer to SEC enforcement under Section 302 and to criminal penalties under the companion certification requirement in Section 906 (18 U.S.C. 1350). In order to comply with Sec. 302, it is in a company's best interest to create a reliable record of proof for all financial information, including information contained in emails.

    Section 404: Management Assessment of Internal Controls
    SOX Section 404(a) requires the management of a public company to establish and maintain internal controls over financial reporting and to include an assessment of the effectiveness of those controls in the company's annual report. Sec. 404(b) requires the company's external auditor to attest to, and report on, management's assessment that these controls are in place, operational and effective. SOX Section 404 is perhaps the most controversial of all Sarbanes-Oxley Act provisions because of the assertion that the costs of auditing and other administrative requirements deter capital formation. Supporters point to studies indicating that companies that comply with Sec. 404 have a lower cost of capital than those that do not.

    Section 802: Criminal Penalties for Altering Documents
    As we’ve already discussed, SOX Section 802 establishes rules pertaining to recordkeeping. For the sake of this article, we are interested in three of these rules:

    • Section 802(a), which prohibits the destruction and falsification of records (18 U.S.C. 1519)
    • Section 802(a)(1), which specifies the retention period for audit and review work papers (18 U.S.C. 1520(a)(1))
    • Section 802(a)(2), which defines the relevant records the SEC must write retention rules for (18 U.S.C. 1520(a)(2))

    For an in-depth breakdown of each of these rules, keep reading.

    Record Tampering

    In regard to record tampering, Sec. 802(a) states that:

    “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

    Put simply, any person or organization that tampers with records relating to a matter within the jurisdiction of a federal department or agency, or to a bankruptcy case, is subject to severe penalties, and the statute reaches conduct undertaken in contemplation of such a matter, not only after an investigation has formally begun. Title XI of SOX, which may be cited as the Corporate Fraud Accountability Act of 2002, adds a closely related offense in Section 1102: tampering with a record or otherwise impeding an official proceeding (18 U.S.C. 1512(c)), which carries the same 20-year maximum.

    5-Year Records Retention Policy for Public Companies

    Sec. 802(a)(1) stipulates that any accountant who audits an issuer of securities must maintain all audit and review work papers for a period of five years, starting at the end of the fiscal period in which the audit or review was concluded. Note that the SEC rule issued under Sec. 802(a)(2), Rule 2-06 of Regulation S-X, lengthens this to seven years, so seven years is the period an auditor's retention schedule should actually be built around. To see a full list of retention laws by industry, take a look at our blog post on the subject.

    Relevant Records

    Sec. 802(a)(2) directs the SEC to issue rules on the retention of relevant records, and describes those records as:

    “…documents that form the basis of [an] audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent, or received in connection with [an] audit or review, and contain conclusions, opinions, analyses, or financial data related to [an] audit or review.”

    It also warns that:

    “Whoever knowingly and willfully violates subsection (a)(1), or any rule or regulation promulgated by the Securities and Exchange Commission under subsection (a)(2), shall be fined under this title, imprisoned not more than 10 years, or both.”

    Retaliation Against Informants

    Sec. 1107 of SOX amended Section 1513 of Title 18 of the United States Code, adding protections for informants. It states that:

    “Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense, shall be fined under this title or imprisoned not more than 10 years, or both.”

    Critical Reception of the Sarbanes-Oxley Act

    As with any federal legislation, the Sarbanes-Oxley Act has had its supporters and its detractors. Although early critical reception of the Act skewed negative, businesses have come to realize its benefits over time.

    Corporate Drawbacks of SOX
    Corporate executives have criticized the Sarbanes-Oxley Act, citing the cost of maintaining compliance — especially as it pertains to Section 404 — as a major pain point. Many have also argued that the Act is unfair — that it serves as widespread retribution for the bad behavior of a select group of corporations. Early critics of the Sarbanes-Oxley Act have also claimed that its passage was politically motivated and could stunt business growth.

    Corporate Benefits of SOX
    Despite initial criticism, the Sarbanes-Oxley Act has largely benefited businesses, motivating them to implement better financial practices, standardize processes, improve documentation, and improve corporate and consumer relations. Studies have also shown that the increased transparency and disclosure resulting from the Act’s passage have enhanced investor confidence.

    Ensure SOX Compliance with Intradyn

    Intradyn’s email archiving solution enables companies to achieve regulatory compliance by providing a reliable capture and audit trail of all email messages, as well as a way to quickly search and retrieve those messages as needed. We store and encrypt all email messages for safe and secure email archiving that meets or exceeds all requisite Sarbanes-Oxley Act email retention policies.

    The rules outlined in the Sarbanes-Oxley Act may well pertain to anyone doing business today and are designed to protect corporations and consumers alike from unethical business practices and breaches of security. If your organization is a publicly traded company, handles financial or personal customer information, or could be at risk of litigation, it is advisable to implement a solution that can verify the authenticity of a document and reproduce it in a timely manner. This is especially important in the case of an audit, investigation, litigation or other formal proceeding.

    Given that email is the primary form of communication for most businesses, it is crucial to create and enforce policies that authenticate, store and manage all electronic records and communications in accordance with required retention periods.
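    The two properties the preceding paragraphs ask for, a tamper-evident record and a retention clock that starts at the end of the fiscal period, are easy to get wrong in a home-grown archive. The following is an added example, not Intradyn's code or anything from the Act itself: it hash-chains archived messages so that any later alteration or deletion of a message is detectable, and computes the earliest disposal date from the fiscal period end using either the five-year statutory period or the seven-year SEC Rule 2-06 period. The sample messages, the `ArchiveIndex` class and the in-memory `messages` dictionary standing in for write-once storage are all constructed for illustration.

```python
"""Tamper-evident email archive index with retention-deadline computation.

Added example, not the vendor's code. Sample messages are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

STATUTORY_RETENTION_YEARS = 5      # 18 U.S.C. 1520(a)(1), added by SOX Section 802
SEC_RULE_2_06_RETENTION_YEARS = 7  # SEC Regulation S-X Rule 2-06 lengthens it to 7


def retention_expiry(fiscal_period_end: date,
                     years: int = SEC_RULE_2_06_RETENTION_YEARS) -> date:
    """Earliest date a record may be disposed of: `years` after the end of the
    fiscal period in which the audit or review concluded. A Feb 29 period end
    rolls back to Feb 28 when the target year is not a leap year."""
    try:
        return fiscal_period_end.replace(year=fiscal_period_end.year + years)
    except ValueError:
        return fiscal_period_end.replace(year=fiscal_period_end.year + years, day=28)


def canonical(message: dict) -> bytes:
    """Deterministic serialization so the same message always hashes the same."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int           # position in the chain
    message_hash: str  # hash of the canonical message
    prev_hash: str     # entry_hash of the previous entry (links the chain)
    entry_hash: str    # hash over seq, message_hash and prev_hash


class ArchiveIndex:
    """Append-only index. The `messages` dict is a hypothetical stand-in for
    the WORM store an archiving product would write captured mail to."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list = []
        self.messages: dict = {}

    def append(self, message: dict) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        seq = len(self.entries)
        message_hash = sha256_hex(canonical(message))
        entry_hash = sha256_hex(f"{seq}|{message_hash}|{prev}".encode())
        entry = Entry(seq, message_hash, prev, entry_hash)
        self.entries.append(entry)
        self.messages[seq] = message
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain from genesis. Returns (True, None) if every message
        still matches its recorded hash and every link is intact, otherwise
        (False, seq) naming the first entry that fails (altered or deleted)."""
        prev = self.GENESIS
        for e in self.entries:
            msg = self.messages.get(e.seq)
            if msg is None:  # message deleted from storage
                return False, e.seq
            if sha256_hex(canonical(msg)) != e.message_hash:  # message altered
                return False, e.seq
            expected = sha256_hex(f"{e.seq}|{e.message_hash}|{prev}".encode())
            if e.prev_hash != prev or e.entry_hash != expected:  # index altered
                return False, e.seq
            prev = e.entry_hash
        return True, None


def build_sample_index() -> ArchiveIndex:
    """Constructed sample messages, not real correspondence."""
    idx = ArchiveIndex()
    idx.append({"from": "cfo@example.com", "to": "auditor@example.com",
                "subject": "Q4 revenue schedule", "body": "Attached: revenue by segment."})
    idx.append({"from": "auditor@example.com", "to": "cfo@example.com",
                "subject": "Re: Q4 revenue schedule", "body": "Segment B figure needs support."})
    idx.append({"from": "cfo@example.com", "to": "auditor@example.com",
                "subject": "Re: Q4 revenue schedule", "body": "Support memo attached."})
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("intact:", idx.verify())
    idx.messages[1]["body"] = "Segment B figure looks fine."  # simulated tampering
    print("after edit:", idx.verify())
    print("dispose after:", retention_expiry(date(2023, 12, 31)))
```

    Verification is deliberately read-only and reports the first failing sequence number, which is what an investigator or auditor needs; in practice the chain head hash would be periodically exported to an independent party or timestamped so that an attacker who can rewrite both the store and the index still cannot hide the change.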


    As the chief operating officer and co-founder of Intradyn, Adnan provides wide-ranging oversight of day-to-day operations. He has two decades of experience helping to shape the direction of archiving solutions and has been instrumental in the success of the company’s global capabilities.
