How long do I Keep my Internal Controls Documentation?

Posted by Teresa Bockwoldt on May 29, 2011

Exclamation PointWe are often asked how long company's must keep their internal controls documentation and when we tell them, we are often met with shocked stares but here is your answer:

  • You must keep your Internal Controls / Sarbanes-Oxley related documentation for 7 (seven) years.

To avoid any financial risk or personal risk that may be associated with the accidental destruction of your documentation prior to the allowed dates, we at Vibato recommend writing the destruction date on your binders (if you keep them) or in the name of your network folders. 

Here is a snippet discussing this reqirement from the sec.gov website:

Final Rule:

Retention of Records Relevant to Audits and Reviews

Securities and Exchange Commission

17 CFR Part 210

[Release Nos. 33-8180; 34-47241; IC-25911; FR-66; File No. S7-46-02]

RIN 3235-AI74

Retention of Records Relevant to Audits and Reviews

Agency: Securities and Exchange Commission.

Action: Final rule.

Summary: We are adopting rules requiring accounting firms to retain for seven years certain records relevant to their audits and reviews of issuers' financial statements. Records to be retained include an accounting firm's workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.

Dates: Effective Date: March 3, 2003. Compliance Date: Compliance is required for audits and reviews completed on or after October 31, 2003.

Supplementary Information: We are adding rule 2-06 to Regulation S-X.

I. Executive Summary

As mandated by section 802 of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley Act" or "the Act"), we are amending Regulation S-X to require accountants who audit or review an issuer's financial statements to retain certain records relevant to that audit or review. These records include workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent or received in connection with the audit or review, and contain conclusions, opinions, analyses, or financial data related to the audit or review. To coordinate with forthcoming auditing standards concerning the retention of audit documentation, the rule requires that these records be retained for seven years after the auditor concludes the audit or review of the financial statements, rather than the proposed period of five years from the end of the fiscal period in which an audit or review was concluded. As proposed, the rule addresses the retention of records related to the audits and reviews of not only issuers' financial statements but also the financial statements of registered investment companies.

Read the rest of the ruling via this link: http://www.sec.gov/rules/final/33-8180.htm

Tags: Internal Controls, financial risk, Controls Testing, personal risk, compliance