Tampering with Records

SOX Section 1102’s tampering with records requirement means you must prevent, detect, and respond to any corrupt alteration, destruction, or concealment of records that could impair their availability for an official proceeding. Operationally, that translates into enforceable retention, legal hold, and controlled disposition processes with strong access controls, audit trails, and escalation paths. [1]

Key takeaways:

  • You need a defensible records lifecycle: creation, classification, retention, legal hold, and disposal controls that cannot be bypassed quietly.
  • Legal holds must stop deletion across systems (email, chat, endpoints, SaaS, shared drives), not just in your document repository.
  • Evidence matters: logs, hold notices, acknowledgements, disposition approvals, and audit trails are what keep this from becoming a “trust us” program.

“Tampering with records” under SOX Section 1102 is a criminal exposure issue, not a policy hygiene issue. The law targets corrupt intent to impair a record’s integrity or availability for an official proceeding, and it applies to people, not just systems. [1] As a Compliance Officer, CCO, or GRC lead, your job is to operationalize this into controls that make improper alteration or destruction difficult, detectable, and escalated quickly.

Most programs fail here for predictable reasons: retention is written but not enforced; legal holds are handled by email threads; employees can delete or “clean up” shared drives; third parties host critical business records without contractual hold/retention duties; and audit logs exist but no one reviews them. Your goal is a defensible mechanism: clear authority to issue holds, automated preservation where possible, separation of duties for disposition, and monitoring that creates accountability.

This page gives requirement-level guidance you can implement fast: what the requirement means in plain English, who it applies to, what to do step-by-step, what evidence to retain, where audits get stuck, and a practical execution plan to get to a working state.

Regulatory text

SOX Section 1102 (Tampering with records) — excerpt: “Whoever corruptly alters, destroys, or conceals a record to impair its availability for an official proceeding shall be imprisoned up to 20 years.” [1]

Operator interpretation (what you must do)

You must run a records preservation and integrity program that:

  1. Prevents unauthorized or improper alteration, deletion, or concealment of business records that may be relevant to proceedings.
  2. Stops routine deletion immediately when litigation, investigation, audit, whistleblower complaint, regulator inquiry, or other “official proceeding” risk becomes credible (legal hold).
  3. Proves what happened to records through audit trails, controlled disposition, and documented decisions.

This is not limited to “financial statements.” Any record (including email, chat, contracts, approvals, system logs, and workpapers) can fall in scope if it could be needed in an official proceeding. [1]

Plain-English requirement (what “tampering” looks like in operations)

“Tampering with records” risk usually shows up as:

  • Deleting email or chat threads after learning about an investigation.
  • Backdating or editing approvals without traceability.
  • Destroying draft analysis, workpapers, or spreadsheets used to make disclosure decisions.
  • Asking a third party to “clean up” documentation before an audit.
  • Disabling logging, overwriting logs, or shortening log retention after an incident.

Your control objective is simple: people should not be able to make records disappear (or change them) once the organization has a duty to preserve, and you should be able to demonstrate that you enforced that duty.

Who it applies to (entity + operational context)

Entities and individuals

  • Public companies (issuers) and their controlled environments where corporate records are created and stored. [1]
  • Officers and directors, plus any employee or agent who can access, alter, delete, or manage records. [1]

Operational contexts (where to implement)

Focus on systems and workflows that create or store “records” relevant to corporate actions and reporting:

  • Finance close and reporting workpapers, consolidations, journal entry support
  • Approval workflows (purchases, revenue recognition decisions, estimates)
  • Corporate communications (email, collaboration chat, shared drives)
  • Ticketing systems and incident records
  • Board materials, committee packages, and executive decision memos
  • Third-party hosted systems that store your data (payroll, ERP, CRM, HRIS, audit portals)

What you actually need to do (step-by-step)

1) Define “records” and map where they live

Create a practical records inventory:

  • Record categories (financial reporting support, contracts, HR, compliance investigations, audit materials, system logs)
  • Systems of record (SharePoint/Drive equivalents, email, chat, ERP, ticketing, endpoint storage)
  • Data owners and administrators
  • Default retention and deletion behaviors (including auto-delete and “versioning” settings)

Deliverable: Records and systems map tied to retention and hold capability.

2) Establish retention + controlled disposition (deletion you can defend)

Build a retention schedule and make it executable:

  • Assign retention periods by record category (use your counsel and existing corporate records policy as inputs).
  • Document authorized disposition: who approves deletion, under what conditions, and required checks (e.g., “no active legal hold”).
  • Separate duties: the person who benefits from deletion should not be the sole approver.

Minimum control set:

  • Documented retention schedule
  • Disposal approvals recorded and retained
  • Administrative controls that prevent ad hoc deletion outside the process

3) Implement legal hold that actually stops deletion

A legal hold process is only real if it affects systems behavior.

  • Define triggers: regulator inquiry, subpoena, threat of litigation, internal investigation, audit escalation, whistleblower intake.
  • Assign authority: Legal (or a delegated function) issues holds; IT and Records implement preservation; Compliance tracks acknowledgements.
  • Make holds granular: custodian-based, matter-based, system-based.
  • Cover “shadow IT”: shared drives, personal devices (where allowed), local downloads, messaging exports.

Operational requirement: once a hold is issued, normal deletion and cleanup processes must pause for in-scope data sources and custodians, and you must be able to show that the pause occurred.

4) Lock down access and preserve integrity

Controls to reduce “quiet edits”:

  • Role-based access control for shared repositories and finance/reporting workspaces.
  • Admin action logging enabled and protected from alteration.
  • Version history where feasible for key repositories.
  • Restrictions on local-only storage for critical workpapers (or compensating controls such as enforced sync, DLP, or managed endpoints).
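
One way to make admin action logs "protected from alteration" in a checkable sense is to hash-chain the entries, so that an edit, a removed entry, or a cut-off tail shows up on verification. This is an added example, not code from this page or from any product it names; the event names, actors, and the idea of storing the latest hash in a separate system are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry


def entry_hash(prev_hash, record):
    """Hash the previous link together with a canonical form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    """Append a record linked to the hash of the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    record = dict(record, seq=len(log) + 1)
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]


def verify(log, expected_head=None):
    """Return (seq, problem) findings; an empty list means the chain is intact.

    expected_head: latest hash kept where log admins cannot write (assumed);
    without it, truncation or a full rewrite-and-rehash goes unnoticed.
    """
    findings = []
    prev, expected_seq = GENESIS, 1
    for entry in log:
        record = entry["record"]
        seq = record.get("seq")
        if seq != expected_seq:
            findings.append((seq, "sequence gap or reordering"))
        if entry["prev"] != prev:
            findings.append((seq, "broken link to previous entry"))
        if entry_hash(entry["prev"], record) != entry["hash"]:
            findings.append((seq, "record content altered"))
        prev = entry["hash"]
        expected_seq = seq + 1 if isinstance(seq, int) else expected_seq + 1
    if expected_head is not None and prev != expected_head:
        findings.append((expected_seq - 1, "head mismatch: entries removed or replaced"))
    return findings


def build_sample_log():
    """Constructed admin actions (hypothetical event names), not real audit data."""
    log = []
    for actor, action, target in [
        ("admin.a", "permission.change", "finance-close"),
        ("admin.a", "file.delete", "finance-close/q3-workpaper.xlsx"),
        ("admin.b", "audit.retention.change", "tenant"),
    ]:
        append(log, {"actor": actor, "action": action, "target": target})
    return log
```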

5) Monitor and escalate suspicious record activity

Define what “suspicious” means and who gets paged:

  • Bulk deletions, mass file moves, unusual permission changes, disabling audit logs
  • Deletion activity by admins or privileged users
  • Attempts to delete content under hold
  • Gaps in logs (logging disabled, retention shortened without change approval)
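
The indicators above, written as detection rules over a normalized audit event stream. This is an added example, not taken from this page or from any vendor's schema; the event names, actors, thresholds, hold scope, and change ticket identifier are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and scopes (hypothetical; take hold scope from your hold register).
BULK_COUNT, BULK_WINDOW = 3, timedelta(minutes=5)
PRIVILEGED = {"admin.a"}
HOLD_PREFIXES = ("finance-close/",)  # repositories under legal hold
LOGGING_ACTIONS = {"audit.disable", "audit.retention.shorten"}

# Constructed events: (timestamp, actor, action, target, change ticket or None).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "user.c", "file.delete", "marketing/old1.docx", None),
    ("2024-03-01T09:01:00", "user.c", "file.delete", "marketing/old2.docx", None),
    ("2024-03-01T09:02:00", "user.c", "file.delete", "marketing/old3.docx", None),
    ("2024-03-01T09:10:00", "user.d", "file.delete", "finance-close/q3-workpaper.xlsx", None),
    ("2024-03-01T09:15:00", "admin.a", "audit.retention.shorten", "tenant", None),
    ("2024-03-01T09:20:00", "admin.b", "audit.retention.shorten", "tenant", "CHG-0001"),
    ("2024-03-01T09:30:00", "admin.a", "file.delete", "hr/notes.txt", None),
]


def detect(events):
    """Return (timestamp, rule, actor, target) alerts in time order."""
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of deletions inside the window
    for ts_text, actor, action, target, change_id in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_text)
        rules = []
        if action == "file.delete":
            if target.startswith(HOLD_PREFIXES):
                rules.append("delete-under-hold")
            if actor in PRIVILEGED:
                rules.append("privileged-delete")
            window = recent[actor]
            window.append(ts)
            while ts - window[0] > BULK_WINDOW:
                window.popleft()
            # Alerts on every deletion while the actor is at or over threshold.
            if len(window) >= BULK_COUNT:
                rules.append("bulk-delete")
        elif action in LOGGING_ACTIONS and change_id is None:
            # Logging disabled or retention shortened with no change approval on record.
            rules.append("logging-change-without-approval")
        alerts.extend((ts_text, rule, actor, target) for rule in rules)
    return alerts
```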

Create an escalation runbook:

  • Immediate preservation actions (snapshot/export, suspend deletion jobs)
  • Notification list: Legal, Compliance, Security, Internal Audit, HR (as needed)
  • Investigation steps and documentation standards

6) Train and bind third parties

Two practical requirements:

  • Employee training: plain language examples of prohibited behavior and the “stop deletion on hold” rule.
  • Third-party contract clauses: retention, legal hold cooperation, eDiscovery support, audit rights (as appropriate), and prohibition on altering/destroying your records outside instructions.

Where Daydream fits naturally: Daydream can centralize third-party due diligence evidence and contract compliance tracking so you can prove which third parties hold corporate records, whether they accepted hold/retention terms, and whether you collected required attestations and audit artifacts.

Required evidence and artifacts to retain

Keep evidence that shows design + operation. Store it in a controlled repository.

Governance and design

  • Records management policy and retention schedule approvals
  • Records inventory and systems map
  • Legal hold policy and procedure (including triggers and roles)

Operational proof

  • Legal hold notices, custodian lists, acknowledgements, release notices
  • System preservation actions (tickets/changes approving holds, configuration screenshots/exports, retention policy settings)
  • Disposition logs: what was deleted, when, by whom, under what authority, and proof of “no hold” check
  • Audit logs for key repositories and admin actions (with protected retention)
  • Investigation files for suspected tampering: timeline, evidence collected, decisions, and corrective actions

Third-party proof

  • Contracts or addenda with hold/retention obligations
  • Third-party data location register (which providers store which record categories)
  • Attestations or support tickets showing holds were implemented by the third party (when applicable)

Common exam/audit questions and hangups

Expect auditors and investigators to push on “show me” questions:

  • “How do you know records weren’t deleted after the triggering event?”
  • “Who can delete finance close workpapers? Who approved that access?”
  • “Show a legal hold from issuance to system preservation evidence.”
  • “Do you cover chat, personal storage locations, and endpoints?”
  • “Can an admin disable logging or shorten log retention without detection?”
  • “How do you ensure third parties preserve records when you issue a hold?”

Hangups that slow audits:

  • Legal holds documented in email but no system-level preservation proof
  • Retention schedule exists but is not enforced in SaaS tools
  • Incomplete system inventory; critical records sit in unmanaged team drives
  • Logging exists but is not retained long enough to reconstruct events

Frequent implementation mistakes (and how to avoid them)

  1. Policy-only retention.
    Fix: make retention and deletion run through tools/workflows with approvals and immutable logs.

  2. Legal hold that doesn’t touch collaboration tools.
    Fix: scope holds across email, chat, file stores, and endpoints. Maintain a “hold coverage matrix” by system.

  3. Admins can delete logs or change retention quietly.
    Fix: privileged access controls, change approvals, and independent monitoring of logging configurations.

  4. No third-party hold pathway.
    Fix: add contractual obligations and an operational playbook for holds with each third party that stores your records.

  5. Over-scoping holds without release discipline.
    Fix: define release criteria and execute hold releases with the same rigor as issuance.

Enforcement context and risk implications

SOX Section 1102 creates criminal penalties for corrupt alteration, destruction, or concealment of records intended to impair availability for an official proceeding, with imprisonment up to 20 years. [1] For a CCO/GRC lead, that risk translates into three priorities:

  • Reduce the opportunity for improper destruction or alteration.
  • Create clear accountability and escalation.
  • Preserve evidence that the program worked when it mattered.

Even without a public enforcement case at hand, you should treat tampering indicators as high-severity events because they can overlap with obstruction risk and undermine financial reporting confidence.

Practical execution plan (30/60/90-day)

You asked for speed. Use phases with concrete outputs.

First 30 days (stabilize and get visibility)

  • Assign owners: Legal hold authority, Records owner, IT preservation owner, Security monitoring owner.
  • Build a systems map for record storage and communications tools.
  • Document current retention settings and auto-deletion behaviors in each system.
  • Create an interim legal hold runbook that includes IT tickets and preservation checklists.
  • Identify high-risk repositories (finance close, executive shared drives) and restrict deletion/admin rights.

Next 60 days (make it enforceable)

  • Implement retention policies in primary systems where possible; set up controlled deletion approvals where not.
  • Stand up a legal hold tracking register (matters, custodians, systems, dates, acknowledgements).
  • Enable/administer audit logs for key systems and protect log retention from easy alteration.
  • Add third-party hold/retention language to new contracts; triage existing critical third parties for amendments.

Next 90 days (prove it works)

  • Run a tabletop: issue a mock legal hold and collect preservation evidence from each system and a sample third party.
  • Test disposition controls: verify “no hold” checks before deletion and retain the deletion approval trail.
  • Add monitoring and escalation for suspicious deletion/permission events; test the escalation path.
  • Package an audit-ready binder: policies, maps, hold samples, logs, and evidence indexes.

Frequently Asked Questions

Does SOX Section 1102 apply only to finance and accounting records?

No. The text covers “a record” broadly when someone corruptly alters, destroys, or conceals it to impair availability for an official proceeding. [1] Finance records are common, but email, chat, and system logs can matter too.

What counts as an “official proceeding” for purposes of operational controls?

Treat it as any credible legal, regulatory, or investigative pathway where records may be demanded. Your trigger definition should be set with counsel, then translated into a clear internal escalation and hold process.

If we have a retention policy, are we covered?

A written policy helps, but auditors will ask for evidence that retention and legal holds actually stop deletion and preserve integrity across systems. Keep hold notices, acknowledgements, system preservation proof, and deletion approval logs.

How do we handle collaboration tools (chat) where users delete messages?

Configure retention where possible, restrict deletion for regulated groups, and ensure legal holds can preserve messages for in-scope custodians. Document the tool’s capabilities and compensating controls if technical limits exist.

What evidence do we need to show a legal hold was effective?

Keep the hold notice, custodian acknowledgement, system preservation tickets/changes, and audit logs showing content was retained and deletion was blocked or suspended for the hold scope.

How should we manage third parties that store our corporate records?

Contract for retention and legal hold cooperation, keep a map of which third parties store which records, and require a repeatable process to confirm preservation actions when a hold is issued. Daydream can help you track third-party obligations and collect the supporting artifacts in one place.

Footnotes

  1. Public Law 107-204
