Criminal Penalties for Altering Documents
SOX Section 802 makes it a crime to knowingly alter, destroy, conceal, or falsify records to obstruct an investigation, with potential imprisonment of up to 20 years (Public Law 107-204). To operationalize it, you need a defensible records retention program, strict controls that retain audit workpapers for five years (Public Law 107-204), and a legal hold process that suspends normal destruction immediately when an investigation is reasonably anticipated.
Key takeaways:
- Treat “altering documents” as an obstruction risk, not a records-management hygiene issue (Public Law 107-204).
- Build two muscles: routine retention/destruction and rapid, provable legal holds (Public Law 107-204).
- Auditors must retain audit workpapers and related documents for five years (Public Law 107-204).
“Criminal penalties for altering documents” is a requirement you operationalize through process and proof. SOX Section 802 targets intentional conduct: knowingly changing, destroying, or falsifying records with the intent to impede or influence an investigation (Public Law 107-204). Regulators and prosecutors rarely need you to have a perfect filing system; they need to see that your organization prevents intentional obstruction, preserves evidence when required, and can demonstrate what happened to records over time.
For a Compliance Officer, CCO, or GRC lead, the practical challenge is that this requirement touches multiple teams and systems: Finance, Internal Audit, Legal, IT, HR, Security, and any third party that creates or stores your company’s records. It also intersects with the day-to-day reality of email, chat, shared drives, endpoint storage, audit platforms, and ticketing systems.
This page gives requirement-level guidance you can put into action quickly: who the rule applies to, what controls to implement, what evidence to keep, what auditors/examiners tend to test, and where implementations break. The goal is a program that can withstand scrutiny when stakes are highest: during an investigation, subpoena, whistleblower matter, or regulatory inquiry.
Regulatory text
Excerpt (SOX Section 802): “Whoever knowingly alters, destroys, or falsifies records to impede an investigation shall be imprisoned up to 20 years. Audit workpapers must be retained for five years.” (Public Law 107-204)
Operator interpretation (what you must do)
- Prevent and detect intentional obstruction. You need controls that reduce the chance that people can deliberately alter or destroy records to interfere with an investigation, and mechanisms to detect suspicious changes or deletion patterns (Public Law 107-204).
- Preserve records when an investigation is reasonably anticipated. Once you have notice or a credible expectation of an investigation, you must suspend normal deletion/destruction for relevant records through a legal hold process (Public Law 107-204).
- Meet the audit workpaper retention requirement. Registered public accounting firms (and, operationally, your audit function as applicable) must retain audit workpapers and other documents for a period of five years (Public Law 107-204).
Plain-English requirement
If someone knowingly destroys or changes records to get in the way of an investigation, that can be a criminal act (Public Law 107-204). Your job is to make that behavior difficult, detectable, and clearly prohibited, and to make preservation routine when Legal says “hold.” Separately, audit workpapers have a defined retention period: five years (Public Law 107-204).
Who this applies to (entity and operational context)
Primary scope
- Public companies (issuers). You need enterprise controls for records integrity, retention, and preservation tied to investigations and audits (Public Law 107-204).
- Registered public accounting firms. You must retain audit workpapers and other documents for five years (Public Law 107-204).
Operational scope (who inside the company is implicated)
- Finance and accounting: journal support, reconciliations, close packages, management representations, schedules, and supporting documentation.
- Internal audit: workpapers, testing evidence, issue logs, remediation validation.
- Legal and compliance: investigations, hotline matters, litigation, regulatory inquiries, legal holds.
- IT and security: email and collaboration tooling retention, access logging, eDiscovery, backups, endpoint controls, admin privileges.
- HR: employee relations investigations and personnel files.
- Third parties: outsourced accounting, external consultants, managed service providers, eDiscovery providers, and any cloud provider storing company records.
What you actually need to do (step-by-step)
1) Define what “records” include, then map where they live
Create a records inventory that includes:
- Systems of record (ERP, consolidation, close tools)
- Collaboration (email, chat, file sharing, wikis)
- Audit tooling (GRC/audit management systems)
- Ticketing/case management (ITSM, hotline platforms)
- Endpoints and removable media risk areas
Output: a records/system map that ties each record category to an owner, storage location, and retention rule.
2) Establish a retention schedule with documented disposition rules
Build a retention schedule that states:
- Record category
- Minimum retention period (include the five-year audit workpaper rule where applicable) (Public Law 107-204)
- Authorized destruction method
- Responsible owner
- System implementation method (policy-only is weak; system enforcement is stronger)
Keep it practical: fewer categories that people can follow beats a complex taxonomy that nobody uses.
3) Implement a legal hold process that triggers quickly and leaves an audit trail
Your legal hold process should specify:
- Trigger criteria: who can declare a hold and what events qualify (e.g., subpoena, regulator inquiry, credible allegation, whistleblower report escalation).
- Scope definition: custodians, systems, date ranges, keywords where relevant.
- Preservation actions: suspend deletion for mailboxes, chats, file shares, and relevant apps; preserve relevant structured data; restrict editing where possible.
- Acknowledgement workflow: recipients confirm receipt and understanding.
- Release workflow: formal release when counsel approves, then resume normal retention/destruction.
Evidence matters here. You should be able to show exactly when holds were issued, to whom, what was covered, and what preservation steps IT executed.
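The rule that a hold suspends normal destruction can be enforced in the disposition job itself. The sketch below is an added example, not code from any product named on this page: the record and hold fields, the one-year chat period, and the choice to scope a hold by custodian, system and date range together are assumptions; only the five-year audit workpaper period comes from the text above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed schedule: only the five-year audit workpaper period is from the page.
RETENTION_YEARS = {"audit_workpaper": 5, "chat": 1}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    custodian: str
    system: str
    created: date

@dataclass(frozen=True)
class Hold:
    hold_id: str
    custodians: frozenset
    systems: frozenset
    start: date                      # date range in scope
    end: date
    released: Optional[date] = None  # set only when counsel formally releases

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:               # 29 Feb with a non-leap target year: round up
        return d.replace(year=d.year + years, month=3, day=1)

def holds_covering(rec: Record, holds, today: date):
    return [h.hold_id for h in holds
            if (h.released is None or today < h.released)
            and rec.custodian in h.custodians and rec.system in h.systems
            and h.start <= rec.created <= h.end]

def disposition(rec: Record, holds, today: date):
    """Return (action, reason). The hold check runs before any retention math."""
    active = holds_covering(rec, holds, today)
    if active:
        return ("PRESERVE", "legal hold " + ",".join(active))
    years = RETENTION_YEARS.get(rec.category)
    if years is None:                # unknown category: fail closed, never delete
        return ("PRESERVE", "no retention rule for category")
    expiry = add_years(rec.created, years)
    if today < expiry:
        return ("RETAIN", "retention runs until " + expiry.isoformat())
    return ("ELIGIBLE", "retention expired " + expiry.isoformat())

# Constructed sample data: one hold and one chat record that falls inside it.
HOLD = Hold("LH-001", frozenset({"alice"}), frozenset({"chat"}),
            date(2023, 1, 1), date(2023, 12, 31))
CHAT = Record("r1", "chat", "alice", "chat", date(2023, 3, 1))
```

Writing the returned reason string to the hold register or the disposition ticket gives the audit trail for why a record was or was not destroyed.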
4) Put access, change control, and logging around high-risk records
Focus controls where alteration risk is highest:
- Role-based access control (RBAC): limit who can edit or delete key finance and audit repositories.
- Privileged access management: restrict admin access that can bypass retention settings.
- Immutable logging: retain logs that show access, edits, exports, and deletions for key repositories.
- Versioning and write-once controls where feasible: for audit evidence repositories, prefer systems with version history and restricted deletion.
The goal is not perfect immutability everywhere. The goal is reliable reconstruction: who did what, when, and from where.
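One way to make a repository's activity log tamper-evident, so that "who did what, when, and from where" can still be trusted after the fact, is to chain each entry to the previous one with a keyed MAC. This is an added example, not part of the original page; it assumes the MAC key and the expected entry count are held outside the repository being logged, and the field names and sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _mac(key: bytes, prev: str, event: dict) -> str:
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()

def append(log: list, key: bytes, actor: str, action: str, target: str,
           source_ip: str, ts: str) -> dict:
    prev = log[-1]["mac"] if log else GENESIS
    event = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
             "target": target, "source_ip": source_ip}
    entry = dict(event, prev=prev, mac=_mac(key, prev, event))
    log.append(entry)
    return entry

def verify(log: list, key: bytes, expected_len=None):
    """Return (ok, index of the first entry that fails, or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        event = {k: v for k, v in entry.items() if k not in ("prev", "mac")}
        if (entry.get("seq") != i or entry.get("prev") != prev or
                not hmac.compare_digest(entry.get("mac", ""), _mac(key, prev, event))):
            return (False, i)        # edited, reordered, or an earlier entry removed
        prev = entry["mac"]
    if expected_len is not None and len(log) != expected_len:
        return (False, len(log))     # tail truncation: the chain alone cannot see it
    return (True, None)

def build_sample_log(key: bytes) -> list:
    # Constructed events for illustration only.
    log = []
    append(log, key, "jdoe", "edit", "close-pkg/Q3/recon.xlsx",
           "10.0.4.17", "2024-10-02T09:14:00Z")
    append(log, key, "svc-admin", "delete", "audit/wp-112.pdf",
           "10.0.9.3", "2024-10-02T23:41:00Z")
    append(log, key, "jdoe", "export", "audit/wp-113.pdf",
           "10.0.4.17", "2024-10-03T08:02:00Z")
    return log
```

The `expected_len` check matters because removing the newest entries leaves a chain that still verifies; the count (or the latest MAC) has to be recorded somewhere a repository administrator cannot rewrite.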
5) Train for intent and scenarios, not policy recitation
Training should cover:
- What “obstruction” looks like in real workflows (editing timestamps, “cleaning up” files after receiving an inquiry, deleting chats)
- What to do when you receive a hold notice
- How to escalate if someone asks you to “make it go away”
Have targeted training for Finance, Internal Audit, Legal, IT admins, and executives.
6) Extend controls to third parties that store or process your records
Contractually require third parties to:
- Follow your retention and legal hold instructions
- Preserve records upon notice
- Provide logs and evidence of preservation
- Disallow unilateral deletion during a hold
Operationally, maintain a list of third parties in scope for legal holds and test the notification process.
7) Test the program with preservation drills
Run periodic “legal hold tabletop” exercises:
- Issue a mock hold
- Validate system actions (mailbox holds, chat retention adjustments, file share preservation)
- Validate audit trail completeness
- Confirm ability to export relevant data for counsel/eDiscovery
Required evidence and artifacts to retain
Maintain a package that stands alone in an audit or investigation:
- Records retention policy and retention schedule (including audit workpaper five-year requirement where applicable) (Public Law 107-204)
- Records inventory/system map with owners and retention implementation method
- Legal hold policy and procedures (issue, scope, preservation actions, acknowledgements, release)
- Legal hold register (holds issued, dates, custodians, systems, status)
- Copies of hold notices and acknowledgement logs
- IT preservation runbooks and completion tickets (what was placed on hold, by whom, when)
- Access control matrix for finance/audit evidence repositories
- Audit workpaper retention procedure for audit functions and/or coordination with external auditors (Public Law 107-204)
- Training materials and completion records for in-scope roles
- Exception register (approved deviations, compensating controls, and approval trail)
Common exam/audit questions and hangups
Expect auditors/examiners to ask:
- “Show me your retention schedule and how it is enforced in systems, not just in a policy.”
- “Walk me through the last legal hold: when did you issue it, which systems were preserved, and what proof do you have?”
- “Who can delete audit evidence? How do you monitor or log deletions/exports?”
- “How do you ensure audit workpapers are retained for five years?” (Public Law 107-204)
- “How do you handle chat and collaboration tools where users assume messages are ‘informal’?”
Hangups that slow teams down:
- Unclear ownership between Legal and IT for preservation actions
- “Retention” implemented only through manual processes
- Inability to identify custodians and systems quickly
- Third parties not included in hold workflows
Frequent implementation mistakes and how to avoid them
- Mistake: Treating backups as a legal hold. Backups help recovery; they usually do not provide targeted, defensible preservation with chain-of-custody.
  Avoidance: Use legal hold/eDiscovery features for primary systems and document preservation steps.
- Mistake: Letting users self-preserve. Telling employees “don’t delete anything” without technical controls invites accidents and credibility problems.
  Avoidance: Pair notices with IT-enforced preservation in the systems that matter.
- Mistake: Ignoring collaboration tools. Teams often preserve email but forget chat, shared docs, and project tools.
  Avoidance: Maintain a system map and include collaboration platforms in every hold scoping checklist.
- Mistake: Weak deletion permissions. If broad groups can delete or overwrite key evidence, you inherit obstruction risk even without bad intent.
  Avoidance: Tighten RBAC, require approvals for deletion in sensitive repositories, and monitor privileged actions.
- Mistake: No proof of execution. Having a policy without tickets, logs, and acknowledgements fails under scrutiny.
  Avoidance: Require artifacts as part of “definition of done” for retention and holds.
Enforcement context and risk implications
SOX Section 802 sets criminal exposure for intentional obstruction through document alteration or destruction, with penalties up to 20 years imprisonment (Public Law 107-204). That framing changes the risk conversation: failures during an investigation can become personal-risk events for employees and executives, and corporate-risk events that can cascade into broader control, disclosure, and governance consequences.
30/60/90-day execution plan
Because you cannot use calendar-day estimates safely across organizations, treat this as phased execution.
First phase (immediate stabilization)
- Assign clear owners: Legal (hold authority), IT (system preservation), Compliance/GRC (governance and evidence).
- Publish a short “do not destroy” escalation rule for investigations, tied to the legal hold process (Public Law 107-204).
- Inventory systems where financial reporting and audit evidence live; identify deletion/admin risks.
- Confirm how audit workpapers are retained for five years with your auditors and/or internal audit function (Public Law 107-204).
Second phase (build defensible process and controls)
- Approve and roll out a records retention schedule that maps to systems and owners.
- Implement legal hold workflow with acknowledgements, register, and preservation runbooks.
- Tighten access control and enable logging/versioning for sensitive repositories.
- Update third-party contract templates for preservation and legal hold cooperation.
Third phase (prove it works and keep it working)
- Run a legal hold drill and close gaps with corrective actions.
- Add monitoring for high-risk deletions/exports and privileged actions.
- Train high-risk teams with scenario-based modules.
- Centralize evidence in a system of record (many teams use Daydream to track controls, artifacts, legal hold evidence, and third-party obligations in one place).
Frequently Asked Questions
Does SOX Section 802 only apply to public companies?
It applies to public companies (issuers) and also includes specific requirements for registered public accounting firms around audit workpaper retention (Public Law 107-204). Operationally, many private companies adopt similar controls because investigations and litigation create the same preservation pressures.
What exactly triggers a legal hold?
SOX Section 802 focuses on intent to impede an investigation, so your trigger should be tied to credible anticipation or notice of an investigation or proceeding (Public Law 107-204). Define triggers in your procedure and route decisions through Legal.
Are “audit workpapers” only what external auditors produce?
The text specifies auditors must retain audit workpapers and other documents for five years (Public Law 107-204). As a company operator, align Internal Audit practices and coordinate with external auditors so retention expectations and access paths are clear.
Can we rely on our standard retention policy if we have an investigation?
No. A legal hold suspends normal destruction for relevant records because continuing routine deletion after notice can create obstruction risk under the statute’s intent standard (Public Law 107-204). Document the hold and preservation actions.
How do we handle chat tools and ephemeral messaging?
Treat chat as a record source if it contains business decisions, approvals, or investigation-relevant facts. Configure retention and eDiscovery/legal hold capabilities where available, and prohibit ephemeral settings for in-scope populations during a hold.
What evidence will auditors actually accept that a hold was executed?
Provide the hold notice, custodian acknowledgements, the legal hold register entry, and IT tickets or admin logs showing preservation steps taken in each system. Add export logs and access logs for sensitive repositories where feasible.