Sarbanes-Oxley: Records Management Implications for Public Companies and Their Auditors

This document is intended as a discussion of records management implications of Sarbanes-Oxley, not a comprehensive list of records management compliance requirements. The following information should not be relied upon as legal advice. Please consult legal and records management experts before developing and implementing a records management program for your organization.

Citation

Sarbanes-Oxley Act of 2002 - Pub. L. No. 107-204, 116 Stat. 745

Background

The Sarbanes-Oxley Act was passed by Congress on July 30, 2002 to implement changes in federal securities regulation, corporate governance, and the regulation of auditors. This far-reaching legislation was in response to the flurry of accounting scandals beginning, most notably, with the Enron/Andersen debacle.

Who is Affected

The entities regulated by this Act are:

• Registered public accounting firms
• Publicly traded companies
• Companies that are in the process of registering securities under the Securities Act of 1933

Entities that are not directly affected but may face future or indirect impact of the Act include:

• Private companies that may go public in the future
• Private companies that may be acquired by public companies
• Private companies in states considering adopting parallel legislation

What it Means

Establishment of Oversight Board
The Act establishes a Public Company Accounting Oversight Board ("Board") and provides the SEC with the authority to issue rules, set standards, and provide oversight and enforcement over the Board.

Public Accounting Firms
The Act requires all public accounting firms who wish to perform auditing functions for publicly traded companies to register with the Board. The Act also defines the scope of audit practice and reports, details investigations and disciplinary proceedings provisions, and defines conflict-of-interest prohibitions.

Publicly Traded Companies
The Act prohibits specified behavior regarding insider trades, loans to officers and directors, disclosure of information, and improper influence on audits. It also requires reporting companies to have at least one financial expert on their audit committee - or explain why they do not have a financial expert - and to adopt a code of ethics for the CEO, CFO and principal accounting officer. In addition, the Act imposes responsibility for financial reports on the CEO and CFO, requiring that they certify as to the fair presentation of results of operations and financial condition and other matters. Public companies must include in their periodic reports certifications by the CEO and CFO that disclosure controls and procedures, as well as internal control systems, are in place and functioning properly to provide accurate results of operations and statements of financial condition. The certifying officers must certify as to any significant changes in internal controls that were adopted, or any other factors that could significantly affect internal controls, and that they have reported to the audit committee and the company's outsider auditors any fraud committed by management or other personnel who have a significant role in the company's internal controls.

Records Management Implications

For Public Companies
The Act requires the following procedures to be implemented; demonstrating their implementation will require the involvement of the records management programs of public companies:

• Audit committees of issuers must establish procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal controls, and auditing.
• Management is responsible for establishing and maintaining an adequate "internal control structure and procedures for financial reporting" and must include in the annual report an assessment of the effectiveness of the internal control structure and procedures. An issuer's outside auditor must attest to and report on management's assessment.

In addition, the various reporting and governance requirements imposed on publicly traded companies and their officers suggest that it would be a good practice to maintain thorough records concerning companies' efforts to comply with the reporting and governance features of the Act.

For Registered Public Accounting Firms
The Act requires the following provisions to be implemented in the records management programs of registered public accounting firms:

• Audit work papers and other information related to any audit report in sufficient detail to support the conclusions of that report must be retained for at least seven years.

In addition, the Act requires the auditors to evaluate the records management programs of the client firms to provide reasonable assurance that:

• All records that accurately and fairly reflect the transactions of the issuer are included.
• The transactions are recorded in a manner to permit preparation of financial statements in accordance with GAAP, documenting any material weaknesses in the controls.

Criminal Actions

Title VIII of Sarbanes-Oxley: Corporate and Criminal Fraud Accountability Act of 2002 makes it a felony to knowingly destroy or create documents to impede, obstruct, or influence any existing or contemplated federal investigation.

Title IX of Sarbanes-Oxley, also known as the White Collar Crime Penalty Enhancements Act of 2002: Makes it a crime to tamper with a record or otherwise impede any official proceeding.