Thu, May 11, 2023

We live and do business in a highly regulated, litigious society. It’s an inevitable but beneficial consequence of our pluralistic, capitalist system. In such a society, it’s never a bad idea to “save your receipts.”

Every well-run organization, whether for-profit or non-profit and regardless of the industry, should develop, implement and maintain companywide document retention procedures.

What Qualifies as a Document or Record?

To develop a document retention framework, a “document” or “record” means information, whether electronic (digital) or written (hard copy), that’s been created or received to facilitate business and/or litigation activities and/or as evidence of such activities.

Most information collected or created — letters, forms, photos, ledgers, drawings, charts, reports, etc. — can be considered a business document. Record retention policies will determine which ones are important.

Active Vs. Inactive

An Active Record

An active record pertains to current (ongoing) company business or active litigation. In short, an active record may need to be produced at a moment’s notice.

An Inactive Record

Inactive records pertain to past, stalled or abandoned business activities and/or settled litigation. Inactive records may still need to be available but are less likely to be required on a time-sensitive basis.

Why Have a Document Retention Policy?

The first and foremost reason to create a set of document retention procedures and follow document retention best practices is that most firms are legally required to do so.

Federal and state regulators impose strict document retention requirements if a company operates in the financial industry, including investing, banking, accounting, tax preparation (and more). The same goes for medical companies and businesses that manufacture, use or transport hazardous material. Most organizations with employees and public customers have at least some document retention procedures they must legally follow.

Staying compliant with the law might be the most pressing reason to develop (or update) document retention policies, but it is not the only one. Although the following list is not complete, some of the top benefits are listed below:

  • Clutter is avoided.
  • Document retention policies do more than tell a business what documents and records they must keep. These policies also indicate which ones they can throw away. Far from causing clutter, concise document retention policies help organizations unclutter.
  • Accounting, audit and risk procedures are better. 
  • Nothing can impede the audit process like missing documents or records. Document retention integration goes a long way toward making the job of accounting and risk professionals easier.
  • High-risk litigation is protected. 
  • Document retention can prove invaluable if a firm is accused of a crime or is defending itself in a high-stakes lawsuit. Producing vital records and documents can make the difference between winning or losing in court and the public eye.
  • Protection against unauthorized access is in place. 
  • Organizations can mitigate risks such as identity theft, data breaches, hacking, corporate espionage and loss of company secrets (proprietary information) by applying high-quality record retention policies.
  • Disaster recovery is in place.
  • In the event of a natural disaster, such as a hurricane, earthquake or flood, or a manmade calamity like terrorism or vandalism, business continuity can be maintained if access to critical documents and records is maintained. If not, any disaster will be compounded.

Document Retention Policy Essentials

Retention Periods

The essence of a document retention integration plan is the setting and (firmwide) communication of record retention periods, which is the categorization of documents and a determination of exactly how long each record must be retained. Retention periods should consider applicable laws and the expected needs of the business.

The following codes are recognized as standard. We recommend their use but encourage companies to supplement them with custom codes as necessary.

  • P — Permeant. A (virtually) permeant record to be maintained for 25 years.
  • PS — Purpose Served. A record that may be destroyed when it becomes inactive.
  • UTC — Until Tax Close or Under Active Audit/Investigation. A record that can not be disposed of without IRS, regulator, or court permission.
  • TA — Term of Agreement. TA indicates a document that must be held until the relevant contract, license, permit, or other formal agreement expires.
  • US — Until Superseded. Documents marked US may be discarded upon the creation of a successor document.
  • PLUS — Term of agreement + [a number of] years. To be held until contract expiration (see TA) plus a designated term (e.g., TA + 3 years).

Incidentally, records should only be retained as long as necessary. Holding defunct documents creates excess liability. A business won’t be held liable for any information that was contained in legally destroyed documents. It can, however, be expected to know what’s in any files under its control, even if those files were eligible for destruction.

Destroy on or After

Many firms find it helpful to mark documents with a specific “destroy” date and have a system to ensure timely disposal.

A Catalog (List) of Retained Documents

Good document retention procedures require a centralized, searchable list or catalog of which documents, records and files are being maintained. This catalog should be electronically cross-referenceable by subject matter, division and department, customer, applicable employee(s), and other relevant categories. Neglecting this element can and eventually will result in endless, possibly fruitless, searching to comply with document requests.

Restricted Access

Record retention policies should have policies on highly sensitive documents. Safeguards should be in place that limit the access of these documents to authorized personnel only.

Location and Access Procedures

A comprehensive document retention policy will mandate where and how (digital and physical) records should be maintained, who can access them, and under what circumstances, as well as procedures for fast and easy access when necessary.

Procedures should be different for active and inactive records, with active records being more accessible than inactive ones.

Subpoena Procedures

Every employee who handles incoming communications should know how to handle a subpoena, official information request, formal complaint (that might escalate), lawsuit and/or a court-ordered injunction (especially a document retention order).

In most cases, the procedure will be to document the initial receipt by notation and a time stamp and forward it up the chain of command to (ultimately) the legal department.

Disposal Methods

It may seem counterintuitive, but methods and procedures for document disposal are essential to document retention best practices.

Should hard copies be shredded or incinerated, or is it ok to toss them in the recycle bin? How do you get rid of old computers? Is it enough to delete electronic files from local hard drives, or should remote servers and “the cloud” also be targeted?

How an organization disposes of sensitive material — at the appropriate time — is just as important as how the sensitive material is stored.

Policy Exceptions

There should be a few exceptions to a well-thought-out document retention framework. If there are exceptions, they should be unambiguous. The people within an organization authorized to make exceptions should be noted, and the process for making exceptions should be listed.

Dissemination

Virtually every employee can create, receive or come in contact with potentially important documents and records. Therefore, it is the responsibility of management — at all levels — to make an organization’s document retention policy freely available to (almost) everyone.

Audit

Even the best policies are only helpful if integrated diligently and adequately followed. Ensuring document retention compliance requires a robust audit program and a system of strictly and fairly dealing with noncompliance.

KnowledgeLeader

Records retention is just one aspect of the tough job of the audit, accounting and risk professional. KnowledgeLeader exists to make that job easier.

We offer our two full and customizable document retention policy templates in a single helpful source. Download our Document Retention Program Policy here.

0 Comments

Topics

Document Retention Compliance Audit Planning

Read More

Do You Have Adequate Documentation for Your Business Processes?
How to Ensure a Robust Compliance Policy
Internal Audit: How to Guarantee an Increase in Performance