The Sarbanes-Oxley Act requires that companies perform a risk assessment on their internal controls over financial reporting. The question underscores the importance of communicating early and often with external auditors to ensure that they will be satisfied with the extent of management’s testing. Do you have to retain electronic records such as e-mail, voicemail and call detail records? If so, for how long? A recent study by Osterman Research indicated that fewer than 50 percent of companies kept critical e-mails.”]
Source: https://www.csoonline.com/article/2117232/sarbox-redux.html