What is Sarbanes-Oxley?

08 May 2017

While the Sarbanes-Oxley Act is mandatory, compliance does not have to feel like a daunting task. To successfully comply, your data handling process must provide a solid trail for auditing. We’ve compiled the most important information to keep you up to date.

What is the Sarbanes-Oxley Act of 2002?

Effective as of 2004, all public companies are required to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC). Each company’s external auditors are also required to audit and report on management’s internal control reports, in addition to the company’s financial statements.

Why was the Sarbanes-Oxley Act passed?

The Sarbanes-Oxley Act of 2002, also known as SOX, was passed in response to the accounting scandals at Enron, WorldCom, Global Crossing, Tyco and Arthur Andersen, which resulted in billions of dollars in corporate and investor losses. These huge losses negatively impacted the financial markets and general investor trust. The Sarbanes-Oxley Act mandates a wide-sweeping accounting framework for all public companies doing business in the US.

What companies need to comply with Sarbanes-Oxley?

All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US are affected. In addition, any private companies that are preparing for their initial public offering (IPO) may also need to comply with certain provisions of Sarbanes-Oxley.

When did Sarbanes-Oxley requirements take effect?

All parts of the Sarbanes-Oxley Act with the exception of Section 409 are effective now. For Section 404, public companies with a market capitalisation over US $75 million needed to have their financial reporting frameworks operational for their first fiscal year-end report after 15 November 2004, then for all quarterly reports thereafter. For smaller companies, compliance is required for the first fiscal year-end financial report, then for all subsequent quarterly financial reports after 15 July.

What does Sarbanes-Oxley compliance require?

All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

How does TIMG help your organisation comply with Sarbanes-Oxley with regard to storage, auditability and retrievability of digital information?

Sarbanes-Oxley requires organisations to have adequate internal control structures and procedures for financial reporting, and to maintain all audit or review work papers for a period of 5 years. Companies are prohibited from altering, destroying, mutilating, concealing, covering up or falsifying records.

Accordingly, TIMG has developed an auditable and trackable process for managing digital records, off-site storage and all data management. In addition to data security, TIMG provides destruction services compliant with the Sarbanes-Oxley Act and the strictest international standard.

While we can only control how information is tracked and reported from our end, the trail within your organisation is crucial to maintain as well. At TIMG, we can provide a list of reasonable steps for your employees to take to ensure full compliance, resulting in a trail detailing how information was handled.

Accessing More Sarbanes-Oxley Information

You can access the Sarbanes-Oxley Act online here. And here.

Sarbanes-Oxley Sections that affect Off-site Tape Storage

The following sections are examples of how Sarbanes-Oxley affects companies in relation to the storage, auditability and trackability of digital assets.

Sec. 404 Management Assessment of Internal Controls


(a) The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall:

1- State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

2- Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.


(b) With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Sec. 802 Criminal Penalties for Altering Documents


Chapter 73 of title 18, United States Code, is amended by adding at the end the following:

Sec. 1519 Destruction, alteration, or falsification of records in Federal investigations and bankruptcy

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Sec. 1520 Destruction of corporate audit records


(a)(1) Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies, shall maintain all audit or review work papers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.

(2) The Securities and Exchange Commission shall promulgate, within 180 days, after adequate notice and an opportunity for comment, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as work papers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review, which is conducted by any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies.

(b) Whoever knowingly and wilfully violates subsection (a)(1), or any rule or regulation promulgated by the Securities and Exchange Commission under subsection (a)(2), shall be fined under this title, imprisoned not more than 5 years, or both.

(c) Nothing in this section shall be deemed to diminish or relieve any person of any other duty or obligation, imposed by Federal or State law or regulation, to maintain, or refrain from destroying, any document.

(d) CLERICAL AMENDMENT. The table of sections at the beginning of chapter 73 of title 18, United States Code, is amended by adding at the end the following new items:

Sec. 1519 Destruction, alteration, or falsification of records in Federal investigations and bankruptcy.

Sec. 1520 Destruction of corporate audit records.

If you have any questions about the management of your records as it applies to the Sarbanes-Oxley Act, please contact one of our local team members today.

© Copyright 2019, The Information Management Group