Thanks so much! Our testers use AuditBoard, which is very helpful. This inquiry is more around the retention requirements for control owners for items that our testers don't sample. How long do your control owners maintain evidence of the operation of the control? Do they have to maintain the same 7 years as Audit does for testing purposes, or do you have a policy that outlines different expectations? Thanks!
------------------------------
Paige Testerman
Lead Auditor
Evergy
------------------------------
Original Message:
Sent: 09-17-2024 08:19 AM
From: Michael Monahan
Subject: SOX Retention
Ideas for two facets of the problem:
- IT can implement a retention policy to avoid deletion / removal (for instance, Box.com has an option to prevent actual file deletion - so "deletion" removes it from view but it is recoverable for the full set duration, which can be set to 7 years).
- From an organizational and ease-of-access standpoint, solutions can range from folder management (users / testers can drop support into folders with upload-only rights that are organized to support goals) to posting / attachment to a testing platform (AuditBoard / Workiva / etc.), which is great for supporting organization / loss prevention.
Hope this helps!
------------------------------
Michael Monahan
SOX Senior Manager
Altus Power, Inc.
Original Message:
Sent: 09-10-2024 10:16 AM
From: Paige Testerman
Subject: SOX Retention
What are your requirements for control owners to retain control documentation? Is it the same 7 years as the auditor has to maintain audit evidence? Or do you have a separate internal policy?
------------------------------
Paige Testerman
Lead Auditor
Evergy
------------------------------