What documents should be kept?
You must first identify types of documents that need to be retained or destroyed. Remember that every organization is different, and thus your organization may require retention of documents that aren't provided for in this column. All types of documents produced by your organization must be initially accounted for. This includes tangible and electronic documents, and is never limited to just financial documents. Accounting records, corporate tax records, bank records, employment records, employee records, various workplace records (including in-house e-mails and client correspondence), and legal records must be considered when constructing a DRP for your particular organization. Please check with your local counsel regarding specific state statutes requiring different periods.
Other factors to consider in identifying documents include member/constituent expectations, IRS regulations, business taxable income regulations, whether you receive financial assistance (for example, Office of Management and Budget circulars and Yellow Book requirements), standards under Sarbanes-Oxley, and internal factors (for example, change in board of directors, board resolutions, patents, copyrights, etc.).
Records typically generated by your company that reflect or materially relate to your professional services must also be identified in your DRP. For example, accounting and auditing firms should mention the retention and destruction of documents that make up client files such as client billing and payment records, correspondence, and time records.
Document storage
In this electronic age, most companies are backing up documents via disks and computers rather than filling file cabinets. Storage expense scares small businesses. Document storage companies are available for storing tangible documents, but can be costly. Hard-drive backup appears to be the most cost-efficient means of storage, but such requires companies to have the computer gusto to withstand large amounts of information.
Most importantly, you want your documents to remain safe (for confidentiality and destruction purposes) and be easily accessible for potential litigation and legal requests for documents.
Document destruction
Document destruction must cease when faced with potential litigation or if a legal document request is pending or imminent. Destruction under a valid DRP will be ineffective if documents weren't actually destroyed before the potential litigation trigger occurs. Thus, it's imperative that your DRP provides for complete destruction of documents that can be validly expunged during the proper periods under your policy. Documents should be destroyed by shredding or some other means that will render them unreadable. Similarly, a protocol for the destruction of electronic data should be in place to ensure that documents to be destroyed are actually destroyed. The deletion of e-mails or other files on one's computer doesn't mean that such records are removed from evidence.
DRP managers
Finally, to properly follow a DRP, someone with detailed knowledge of the DRP should be in charge of the policy and ensure that employees understand and follow it as designed. This individual should have the power to enforce the policy, and as such should be a senior-level employee. The DRP manager is responsible for:
Sample document retention policy
Following are the first two sections of a sample document retention policy.
SAMPLE DOCUMENT RETENTION POLICY
This is only a SAMPLE DOCUMENT RETENTION POLICY ("DRP"), and is NOT LEGAL ADVICE. It is only an example of a general DRP and should not be used without revision to meet the particular administrative and legal needs of your organization. There are many federal, state and local laws that require organizations to retain documents for a certain period of time that may not represented in this sample policy. All companies should contact counsel licensed to practice law in their state before implementing a DRP.
I. Purpose
To ensure the most efficient and effective operation of ORGANIZATION ("Organization"), we are implementing this Document Retention Policy ("DRP" or "policy"). The records of Organization and its subsidiaries are important to the proper functioning of Organization. Our records include virtually all of the records you produce as an Organization employee. Such records can be in electronic or paper form. Thus, items that you may not consider important, such as interoffice e-mails, desktop calendars and printed memoranda are records that are considered important under this policy. If you are ever uncertain as to any procedures set forth in this policy (e.g., what records to retain or destroy, when to do so, or how) it is your responsibility to seek answers from Organization's DRP Manager.
The goals of this DRP are to:
1. retain important documents for reference and future use;
2. delete documents that are no longer necessary for the proper functioning of Organization;
3. organize important documents for efficient retrieval; and
4. ensure that you, as an Organization employee, know what documents should be retained, the length of their retention, means of storage, and when and how they should be destroyed.
Federal and state laws require Organization to maintain certain types of records for particular periods. Failure to maintain such records could subject you and Organization to penalties and fines, obstruct justice, spoil legal evidence, and/or seriously harm Organization's position in litigation. Thus, it is imperative that you fully understand and comply with this, and any future records retention or destruction policies and schedules, UNLESS you have been notified by Organization, or if you believe that (1) such records are or could be relevant to any future litigation, (2) there is a dispute that could lead to litigation, or (3) Organization is a party to a lawsuit, in which case you MUST PRESERVE such records until Organization's legal counsel determines that the records are no longer needed.
"Records" discussed herein refers to all business records of Organization (and is used interchangeably with "documents"), including written, printed, and recorded materials, as well as electronic records (i.e., e-mails and documents saved electronically). All business records shall be retained for a period no longer than necessary for the proper conduct and functioning of Organization. No business records shall be retained longer than five (5) years, EXCEPT those that (1) have time periods provided for herein, (2) are in the Document Retention Schedule, found at Appendix "A," or (3) are specifically exempted by Organization's DRP manager.
II. Management
To ensure compliance with this DRP, Organization's DRP manager is responsible for the following oversight functions:
Organization's DRP manager shall annually review the DRP, modify it accordingly, and inform and educate all Organization employees on any such changes. All questions relating to document retention and/or destruction should be directly addressed to Organization's DRP manager.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com
Unlock full access to Fraud Magazine and explore in-depth articles on the latest trends in fraud prevention and detection.
Read Time: 6 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
Read Time: 7 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 6 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
Read Time: 7 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
