The title of this post was a bit misleading. Email retention is just a small, and I mean SMALL part of the work required to stay compliant with SOX. From account procurement procedures, operations manuals for IT employees, environmental controls verification to security controls, the amount of work required to stay compliant is daunting. Just thought I would throw that out there so nobody reading this thought SOX was just about saving email. As an IT Director, my team has been audited every year for the last 8 years on our SOX compliance and it is quite a lot of work. It is also mostly good IT governance practice.