The Sarbanes-Oxley Act of 2002 (SOX) is a rather extensive piece of legislation comprised of 11 titles. However, this blog will exclusively cover the archiving compliance requirements outlined in Section 802: Criminal Penalties for Altering Documents. For information on the other aspects of SOX compliance, you can read the law in its entirety here.
What is SOX?
The Sarbanes-Oxley Act, commonly known as SOX, is a U.S. law mandating the reporting of internal accounting controls and the retention of documents related to financial audits and reviews. The law was created to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." In effect, the law aimed to increase transparency in corporate financial records.
Who has to comply with SOX?
While some SOX measures apply to private and public companies alike, only publicly traded organizations within the U.S. have to comply with the law in its entirety. Notably, private corporations are also penalized for knowingly destroying or falsifying financial records.
What are SOX archiving compliance requirements?
SOX stipulates that organizations have to retain “relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review.” These records must be kept for seven years after the fiscal period in which the audit or review concludes.
Who oversees compliance?
The U.S. Securities and Exchange Commission (SEC) is responsible for implementing and enforcing the mandates set out by SOX. The requirements outlined are incorporated into larger SEC compliance requirements.
What is the penalty for SOX non-compliance?
One of the main aims of the law is to detour and penalize those who malignly falsify or omit financial records. To that end, SOX outlines specific guidelines to direct the punishment for those who do not comply. Notably, they outline two main avenues of non-compliance. The first being “altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation,” which comes with penalties of fines and or up to a 20-year sentence. The second being fines and or up to a 10-year sentence for anyone “who knowingly and willfully violates the requirements of maintenance of all audit or review papers.”