Document Storage & Retention Regulations

Companies are required to retain and store certain records.
••• Jupiterimages/BananaStock/Getty Images

The Sarbanes-Oxley Act of 2002 provides the basis for most record retention regulations for all publicly traded companies. The records retention policy enables the government to ensure that companies are complying with statutory requirements. SOX encompasses a broad range of records that must be retained and stored. In addition to SOX, the Internal Revenue Service also has document retention requirements.

Policy and Performance

SOX requires companies to retain all documents that contain information about their policy and performance. This includes all documents gathered in preparation and in processing of a company audit. This includes all emails, email attachments, instant messages and documents retained on computers, servers, auxiliary drives, e-data and websites, as well as hard copies of all company records.


Under SOX the retention period depends on the type of document. Sections 103 (a) and 801 (a) require public companies and registered public accounting firms to maintain audit work papers, documents that form the basis of an audit or review, and all information supporting conclusions for at least seven years. Customer and vendor invoices and purchase orders must be retained for five years. Employee applications must be retained for three. Bank statements, charts of accounts, contracts and leases, legal correspondence, training manuals, union contracts and employee payroll must be retained permanently.

Digitally Stored

SOX has four requirements for digitally stored documents: The documents must be tamper proof, password protected and read-only, encrypted and digitally signed, and must be searchable and accessible by a third party designated to audit the company.


Sections 302 and 404 of SOX place the burden of ensuring accurate and thorough document retention and storage on the management of the company. The chief executive officer and the chief financial officer of a company will be personally responsible for the accuracy of their company’s quarterly and annual financial statements.

Internal Revenue Service

The IRS also has document retention requirements that apply to all businesses. If a taxpayer owes additional taxes or files a claim for a credit or refund after a return is filed, records must be kept for three years. All employment tax records should be kept for at least four years from the date the taxes were due or paid. If a taxpayer does not report income that should be reported and it is more than 25 percent of the gross income on the return, then records should be kept for six years. If a taxpayer files a claim for loss from worthless securities or bad debt deduction, the records must be kept for seven years. Records from a fraudulent return or failure to file a return must be kept indefinitely.

Related Articles