A recent decision by the Securities and Exchange Commission (SEC) could affect how publicly traded small businesses comply with data archiving and backup requirements under the Sarbanes-Oxley Act (SOX).
Passed in the aftermath of the Enron and WorldCom corporate scandals, SOX requires companies to strengthen audit committees, perform tests of their internal control over financial reporting (ICFR), and verify the accuracy of financial statements.
SOX also directs public companies to use an independent external auditor to verify internal controls, policies, and procedures, including those for IT security, access controls, data backup, and change management. Data management and backup data are subject to the same SOX compliance rules, regardless of whether data is stored onsite, off-site, or by a third party.
Last month, the SEC voted to relax internal audit controls required by SOX for companies with less than $100 million in revenues. The change would end the requirement that smaller companies hire an independent external auditor to attest to the accuracy and effectiveness of their ICFR.
The decision extends the external auditor exemption beyond the five years currently granted to startups if the company stays below $100 million in revenue. The SEC said that it wanted to reduce the “unnecessary burdens and compliance costs” for smaller companies.
“These amendments would allow smaller reporting companies that have made it to that five-year point, but have not yet reached $100 million in revenues, to continue to benefit from that exemption as they build their businesses, while still subjecting those companies to important investor protection requirements,” said SEC Chairman Jay Clayton in explaining the decision, which takes effect on April 27.
Critics of the SEC’s move argue that reducing requirements for small companies could make it easier for them to lessen controls and alter documents and reports, particularly in the current environment in which many smaller companies are suffering economically from coronavirus restrictions.
“Without independent audits, company accounting systems remain unchallenged, and over time lead to deterioration of the quality of financial reporting,” Lev Bagramian, a securities policy advisor at Better Markets, told Reuters.
To comply with SOX, companies must be able to produce documents and emails and prove that those records have not been altered. SOX mandates strict data storage requirements and stringent data retention policies and procedures.
According to the SEC’s final rule on record retention under SOX, auditors should keep for seven years “workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent or received in connection with the audit or review, and contain conclusions, opinions, analyses, or financial data related to the audit or review.”
Electronic records related to communications would include email and metadata such as who sent the email, to whom, and when. This data should be archived and backed up in a secured format and should be searchable, discoverable, and accessible for SOX compliance.
The recent SEC decision does not alter these data archiving and backup requirements. Instead, it puts the burden squarely on small companies to ensure the requirements are met, since an external auditor is no longer required.
Dropsuite can help. We offer a cloud-based email archiving and backup solution that helps organizations store, safeguard, manage, and discover data from the most popular email systems, including Microsoft Exchange Online, Hosted Exchange, G Suite Gmail, and IMAP. Emails are backed up securely, archived using tamper-proof envelope journaling, and kept searchable, discoverable, and accessible.
Our solutions simplify compliance with SOX, as well as with the Health Insurance Portability and Accountability Act (HIPAA), the EU’s General Data Protection Regulation (GDPR), and other regulations. Visit us to review our compliance coverage.