Follow four steps to help you identify, prioritize, and plan a data retention policy.
Key Concept
A data retention policy is the policy on setting data retention periods to meet legal, compliance, and operational business requirements. Retention periods vary based on specific statute, legislation, or compliance regulations.
Global companies often must comply with multiple compliance regulations that have differing data retention rules. The Sarbanes-Oxley Act has one set of data retention rules that is different from other compliance regulations, such as Basel II. An organization may have to comply with these regulations on an SAP NetWeaver platform that is interoperable with Microsoft .NET and IBM WebSphere. How do you control multiple data retention policies?
In this article, I focus on four steps an organization needs to reach the goal of controlling multiple data retention policies effectively, each one for a different compliance regulation. The steps I cover are to:
- Step 1. Identify data retention mandates for a compliance regulation
- Step 2. Identify retention controls and anticipated cultural changes to the controls on SAP NetWeaver
- Step 3. Prioritize cultural changes to multiple data retention policies
- Step 4. Develop a plan to control multiple data retention policies affected by cultural changes
Step 1. Identify Data Retention Mandates for a Compliance Regulation
Sarbanes-Oxley is not the only legislation driving data retention rules. It is not at all uncommon for a large public company to have multiple compliance regulations, each with a different set of data retention, collection, analysis, and reporting rules.
For instance, a large financial institution in the US may have to comply with Sarbanes-Oxley (as a public company), the Gramm-Leach-Bliley Act (as a financial company), CA 1386 (for California customers), Payment Card Industry (PCI for credit card processing), Basel II (European risk management), SEC Rule 17a-4 (financial services), and the local privacy regulations enacted in other countries of the world.
This financial institution might also choose to comply voluntarily with the International Financial Reporting Standards (IFRS). Most companies have to convert from US Generally Accepted Accounting Principles (US GAAP) beginning with the fiscal year 2014. When the financial institution is in the process of converting financial reports in the IFRS format to the new system from a legacy financial system, it needs to ensure the conversion does not affect the retention rules mandated by Sarbanes-Oxley and other compliance regulations.
I’ll discuss how data retention is handled by some common standards.
Sarbanes-Oxley Act
Sarbanes-Oxley specifies minimum retention periods for all accounting records, work papers, communications, file attachments, and documents whether transmitted via email, instant messaging, or other message modes. Sections 103, 801(a), and 802 are the core of Sarbanes-Oxley’s record retention rules. Section 103 focuses on audit work papers and evidence. Sections 103(a) and 801(a) require public companies and registered public accounting firms to maintain all audit-related records (including electronic records) for at least seven years.
Section 802 states it is a crime for a company to intentionally destroy, alter, or falsify any records, documents, or tangible objects that are or could be involved in a US government investigation or prosecution or in a Chapter 11 bankruptcy filing. This rule applies to both public companies and private companies that are acquired by public companies or do business with public companies.
Section 802 stresses the importance of maintaining policies on record retention and destruction of a company’s electronic copies of documents, including tamper-proof, encrypted, and digitally signed email and attachments retained on storage media, servers, and Web sites. Electronic storage media must preserve the records in a non-rewritable, non-erasable format as defined in the Securities Exchange Act of 1934 (also known as Rule 240 [17a-4]).
If the documents cannot be converted or are not economically feasible to convert to an electronic format, you need to secure the original and hard copies in locked cabinets or vaults. The retention and destruction policy must state that any employee who knows the company is under investigation, or suspects that it might be, must stop all document destruction and alteration immediately.
Also important are Sections 302 and 404. Section 302 requires CEOs, CFOs, or persons performing similar functions to certify in each annual or quarterly report that the signing officer has reviewed the report. Section 404 requires CEOs, CFOs, and auditors to confirm the effectiveness of internal controls for financial reporting on retained data.
Basel II Capital Accord
The goal of Basel II is to get banks and banking regulators to approach risk management uniformly across national borders. Basel II uses three pillars: minimum capital requirements, supervisory review process, and effective use of market discipline. To satisfy their minimum capital requirements, banks need to retain seven years of risk data. They must hold sufficient eligible capital to cover the risks they carry, expressed as a minimum ratio of eligible capital to aggregate risk of eight percent.
If the risk data for a bank becomes greater than its capital reserves, the supervisors must intervene. They must increase capital reserves and use safeguards effectively to lower risks to a more acceptable level via a risk management program. The banks must disclose what their assets, risk profile, and risk policies are to potential investors to allow them to determine if the banks have sufficient reserves and risk management systems in place.
The Basel III accord is anticipated in the near future. The goals of this project are to refine the definition of bank capital, quantify further classes of risk, and further improve the sensitivity of the risk measures.
Securities Exchange Act Rule 17a-4
Rule 17a-4 requires retaining all account records for six years after they are closed. The first two years must be easily accessible by the auditors. An erasable disk or tape storage system can still serve as non-rewritable, non-erasable, write-once, read-many (WORM) storage media: integrated control codes applied during the recording process prevent the records from being overwritten or erased for the designated retention period.
All data must be stored off site. The offsite and the originating locations must not be in the same geographical area subject to the possibility of the same types of disasters (e.g., hurricanes and earthquakes).
Step 2. Identify Retention Controls and Anticipated Cultural Changes to the Controls on SAP NetWeaver
Data retention controls for different compliance regulations are designed to ensure that data is retained according to federal guidelines. If auditors identify a significant weakness in the implementation of data retention rules, you’ll need to take corrective actions. Make sure each transaction is entered into SAP NetWeaver exactly once and without error, and that database updates and output reports are complete.
In this step I show you sample records with retention periods. I’ll then cover international cultural effects on IFRS conversion and filing deadlines and the challenges of converting records in the IFRS format that you need for mandated reporting under Sarbanes-Oxley. To prepare for anticipated cultural changes to multiple data retention rules, your company needs to ensure its accounting departments and outside auditors are adequately trained for IFRS conversion and controls through the conversion process, such as new policy approvals and reviews of conversion calculations.
Sample Records with Retention Periods
Table 1 shows sample records with associated data retention periods under Sarbanes-Oxley. Note that three sample records have a retention period of five years while four records show a retention period of seven years. Five records are considered permanent. How long they should be permanent depends on the document type, business policy, and the advice of legal counsel (e.g., a union agreement).
Table 1. Sample records in descending order of data retention periods
When the retention periods change due to the passage of legislative amendments to Sarbanes-Oxley, they may have an effect on existing data retention rules. This can result in, for example, new expiry dates for records stored in SAP NetWeaver. The system blocks record deletion or alteration until the new expiry date is reached. At expiry or after the retention period, you can delete the records from the system, thereby freeing space in SAP NetWeaver.
International Cultural Impact on IFRS
More than 100 countries permit or require IFRS reporting, each with different filing deadlines. Since 2005, all companies incorporated and listed in each member state of the European Union have been required to use it. In some countries, more than one accounting oversight body has issued standards modifying IFRS as issued by the International Accounting Standards Board (IASB).
In the US, the SEC allows financial institutions to report financial results based on IFRS as issued by the IASB. The SEC allows large US financial institutions to convert voluntarily on a limited basis on or after December 15, 2009, and mandates IFRS reporting beginning with fiscal year 2014. The IFRS for small and medium enterprises taxonomy is being developed by the IASC Foundation (the oversight body of the IASB) eXtensible Business Reporting Language (XBRL) team and is due to be released by December 2009.
The SEC has permitted foreign private institutions to file audited financial statements prepared in accordance with IFRS without a US GAAP reconciliation, but it has required them to use IFRS as issued by the IASB rather than home-country variations of IFRS.
In Canada, financial institutions must meet the 2011 IFRS conversion deadline, three years earlier than the US SEC’s recommended mandate for IFRS reporting. Fiscal year 2010 will likely become the last year for which the companies report under existing Canadian financial reporting standards. At the same time, the companies must generate IFRS-compliant comparative financial statements for 2010. This creates two parallel retention rules — one for the legacy financial system based on Canadian financial reporting systems and one for the other system in the process of being converted to IFRS accounting standards.
Challenges of IFRS Conversion
Conversion to IFRS will pose several challenges for a company accustomed to reporting with US GAAP, particularly data retention requirements in the areas of governance, employment training, systems overhaul, and internal controls. Under Sarbanes-Oxley, the CEO and CFO of every public company filing Securities and Exchange Act reports must ensure the financial statements in each annual or quarterly report are accurate. The accounting departments and outside auditors must be adequately prepared for conversion to IFRS. Conversion may require software upgrades or other adjustments to SAP NetWeaver to ensure that data for IFRS reporting are properly being gathered.
Sarbanes-Oxley requires management to assess the effectiveness of the company’s internal control over financial reporting. This includes internal controls in anticipation of IFRS conversion. The company may need to modify or add controls. Management also must ensure that the company’s independent auditor is satisfied with management’s reassessment of controls.
Anyone responsible for internal control over financial reporting (ICFR) under Sarbanes-Oxley Section 404 and operational audits needs to know how the company plans to apply IFRS. If they find operational risks and the risk of material weakness in ICFR, they can take appropriate actions to correct the problems before applying IFRS.
Step 3. Prioritize Cultural Changes to Multiple Data Retention Policies
You need to prioritize cultural changes to data retention rules and policies by organization type, mandated dates, and the number of oversight bodies in a country. You can review business impact analysis documents for any indications or priorities of current or anticipated cultural changes. Examples include strategic IFRS planning changes in resources, system documentation, and risk mitigation of parallel processing during the IFRS conversion.
Organization Type
In complying with Sarbanes-Oxley, you must first state the organizational type of your financial institution and the organizational types of the financial institutions you do business with. Some examples include:
- Large public company headquartered in the US or in a foreign country
- Foreign subsidiary of a US company
- Foreign financial institution conducting business with both US private and public companies
- Small US private company to be merged with a foreign or US public company or to become a public company one day
Mandated Dates
You must then state the mandated dates for your financial institution and the other institutions it is doing business with to complete IFRS conversion. Is a foreign public financial institution mandated to complete IFRS earlier than a US public financial institution (e.g., 2011 in Canada and 2014 in the US)? Will there be changes in the mandated dates?
Oversight Accounting Bodies
In the US, the SEC has permitted foreign private institutions to file audited financial statements prepared in accordance with IFRS without a US GAAP reconciliation. As stated above, it has required them to use IFRS as issued by the IASB rather than home-country variations of IFRS.
If a foreign public company is in the process of converting to IFRS that varies from the IASB, how will it do business with US public companies required to convert to IFRS as issued by the IASB? The foreign public company should document how much its home-country variation of IFRS differs from the IFRS issued by the IASB. If the differences are minor, this company should consult with a US public company or vice versa to note where the differences are in the financial statements. If the differences are major, the foreign public company should maintain two standards — a home-country variation of IFRS and IFRS issued by the IASB.
Step 4. Develop a Plan to Control Multiple Data Retention Policies Affected by Cultural Changes
In developing a plan to control multiple data retention policies, the first step is to set up strategic IFRS planning questions for ICFR (Sarbanes-Oxley) management. You need to consider resources, system documentation, increased controls testing, and risk mitigation during the conversion process.
For instance, you need to determine how many resources should be assigned to the IFRS conversion project team and whether the personnel have adequate accounting training on how US GAAP differs from IFRS. You need to ensure that current Sarbanes-Oxley 404 systems documentation is adequate to help the company determine change impact (e.g., parallel processing). Are there enough resources to handle parallel processing and the increased controls testing during the conversion? Is the storage and memory capacity large enough to retain all the required financial information?
You need to ensure an erasable disk or tape storage system provides for a non-rewritable and non-erasable or WORM recording process using integrated control codes that meet the conditions of SEC Rule 17a-4. You also need to store a specified expiry or retention period with each record or file system. Then, program the system to block record deletion or alteration by any manner of intervention until the expiry is reached or the retention period has lapsed. At expiry or after the retention period, you can delete the records from the system, thereby freeing space for reuse.
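The retention control described here, and in the expiry discussion under Step 2 (block alteration and deletion until the stored expiry date is reached, then free the space), written out as a small Python example. This is an added illustration, not SAP NetWeaver code or the author's own. The regulation keys, the sample records, and the rule that the longest applicable period wins when one record falls under several regulations are assumptions made for the example; the legal-hold flag models the policy statement that all destruction stops once an investigation is known or suspected.

```python
"""Retention-enforcing record store (added illustration, not SAP NetWeaver code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Retention periods in years, keyed by an assumed regulation label. The figures
# are the ones quoted in the article: seven years for Sarbanes-Oxley audit
# records and Basel II risk data, six years from account closure for Rule 17a-4.
RETENTION_YEARS: Dict[str, int] = {"SOX-103": 7, "BASEL-II": 7, "SEC-17a-4": 6}


class RetentionViolation(Exception):
    """Raised when an operation would alter or destroy a retained record."""


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a 29 Feb start falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    record_id: str
    content: str
    clock_start: date              # creation date, or account closure for 17a-4
    regulations: Tuple[str, ...]   # every regime the record falls under
    legal_hold: bool = False       # investigation known or suspected

    @property
    def expiry(self) -> date:
        # Assumption: when several regulations apply, the longest period governs.
        return add_years(self.clock_start, max(RETENTION_YEARS[r] for r in self.regulations))


class RetentionStore:
    """In-memory WORM-style store: write once, no change or deletion before expiry."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit_log: List[str] = []

    def add(self, rec: Record) -> None:
        if rec.record_id in self._records:
            raise RetentionViolation(f"{rec.record_id}: already stored (write-once)")
        self._records[rec.record_id] = rec
        self.audit_log.append(f"ADD {rec.record_id} expires {rec.expiry}")

    def read(self, record_id: str) -> Record:
        return self._records[record_id]

    def place_hold(self, record_id: str) -> None:
        """Stop destruction and alteration regardless of expiry."""
        self._records[record_id].legal_hold = True
        self.audit_log.append(f"HOLD {record_id}")

    def _check_mutable(self, rec: Record, today: date) -> None:
        if rec.legal_hold:
            raise RetentionViolation(f"{rec.record_id}: under legal hold")
        if today < rec.expiry:
            raise RetentionViolation(f"{rec.record_id}: retained until {rec.expiry}")

    def alter(self, record_id: str, new_content: str, today: date) -> None:
        rec = self._records[record_id]
        self._check_mutable(rec, today)
        rec.content = new_content
        self.audit_log.append(f"ALTER {record_id}")

    def delete(self, record_id: str, today: date) -> None:
        self._check_mutable(self._records[record_id], today)
        del self._records[record_id]
        self.audit_log.append(f"DELETE {record_id}")

    def purge_expired(self, today: date) -> List[str]:
        """Free space: remove every lapsed record that is not on hold."""
        purged = [rid for rid, r in self._records.items() if today >= r.expiry and not r.legal_hold]
        for rid in purged:
            del self._records[rid]
            self.audit_log.append(f"PURGE {rid}")
        return purged


def demo() -> dict:
    """Exercise the controls on constructed sample records; returns the outcomes."""
    store = RetentionStore()
    store.add(Record("WP-2009-001", "audit work paper", date(2009, 3, 31), ("SOX-103",)))
    store.add(Record("ACCT-4471", "closed account file", date(2008, 2, 29), ("SEC-17a-4",)))
    store.add(Record("RISK-Q4", "risk aggregate", date(2009, 12, 31), ("BASEL-II", "SEC-17a-4")))
    out = {}
    for name, op in (("early_alter", lambda: store.alter("WP-2009-001", "x", date(2012, 1, 1))),
                     ("early_delete", lambda: store.delete("WP-2009-001", date(2012, 1, 1)))):
        try:
            op()
            out[name] = "allowed"
        except RetentionViolation:
            out[name] = "blocked"
    store.place_hold("ACCT-4471")
    try:
        store.delete("ACCT-4471", date(2020, 1, 1))   # past expiry, but on hold
        out["held_delete"] = "allowed"
    except RetentionViolation:
        out["held_delete"] = "blocked"
    out["acct_expiry"] = store.read("ACCT-4471").expiry.isoformat()
    out["risk_expiry"] = store.read("RISK-Q4").expiry.isoformat()
    out["purged_2017"] = store.purge_expired(date(2017, 1, 1))
    return out


if __name__ == "__main__":
    print(demo())
```

The `expiry` is computed from the stored clock start rather than written by the caller, so a record cannot be given a shorter life than its regulations allow, and `purge_expired` is the only path that frees space in bulk, which keeps the audit log as the record of what was removed and when.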
The company must ensure it has the capacity to enter data into two parallel systems. Because risks may increase for systems modification in the parallel accounting period, you need to have a program on risk mitigation of change management in place.
Lastly, the company must ensure it can connect its core products, including SAP NetWeaver Application Server, so that its SAP NetWeaver system can exchange IFRS reports affected by cultural changes with another company’s SAP NetWeaver system. SAP NetWeaver is designed to be interoperable with Microsoft .NET, Sun Java EE, and IBM WebSphere. Companies using IBM WebSphere can easily access existing business objects and integrate their applications with any SAP application.
Judith M. Myerson
Judith M. Myerson is a systems architect and engineer and an SAP consultant. She is the author of the Enterprise System Integration, Second Edition, handbook, RFID in the Supply Chain: A Guide to Selection and Implementation, and several articles on enterprise-wide systems, database technologies, application development, SAP, RFID technologies, project management, risk management, and GRC.
You may contact the author at jmyerson@verizon.net.