Just curious as to what others are doing about retention to evidence the resolution of red flags. If it was an Id theft incident, then 5 years after the date of detection? If it wasn't Id theft, then until the next audit? are you separating out the address discrepancy red flags for the compliance exams?