SOX Professionals Group

 View Only
  • 1.  SOX Retention

    Posted 09-10-2024 10:17 AM

    What are your requirements for control owners to retain control documentation? Is it the same 7 years as the auditor has to maintain audit evidence? Or do you have a separate internal policy? 



    ------------------------------
    Paige Testerman
    Lead Auditor
    Evergy
    ------------------------------


  • 2.  RE: SOX Retention

    Posted 27 days ago

    Ideas for two facets of the problem:

    • IT can implement a retention policy to avoid deletion / removal (for instance, Box.com has an option to prevent actual file deletion - so "deletion" removes it from view but is recoverable for the full set duration can be set to 7 years).
    • From an organizational and ease of access standpoint, solutions can range from folder management (users / testers can drop support into folders with upload only rights that are organized to support goals or posting / attachment to a testing platform (Audit board / Workiva / etc.,) is great for supporting organization/ loss prevention.

    Hope this helps! 



    ------------------------------
    Michael Monahan
    SOX Senior Manager
    Altus Power, Inc.
    ------------------------------



  • 3.  RE: SOX Retention

    Posted 27 days ago

    Thanks so much! Our testers use AuditBoard, which is very helpful. This inquiry is more around the retention requirements for control owners for items that our testers don't sample. How long do your control owners maintain evidence of the operation of the control? Do they have to maintain the same 7 years as Audit does for testing purposes, or do you have a policy that outlines different expectations? Thanks!



    ------------------------------
    Paige Testerman
    Lead Auditor
    Evergy
    ------------------------------