What Kind of Records Do I Need?
Management is responsible for maintaining reasonable support for its assessment. The SEC's guidance doesn't make this decision for you — because we recognize that what's reasonable will depend on the nature, size, and complexity of each company. It will also vary based on the internal control risk that management has identified.
A smaller company's management might determine that what already exists in the company's books and records is sufficient for its assessment. Alternatively, management may decide that it is better to keep separate copies of the evidence it evaluates. In all cases, the support that you rely on should include written records of the following:
- The design of the controls
- The way you gathered and evaluated the evidence
- The basis for your assessment of effectiveness
