For me, this time of year is busy trying to get my summer projects planned, the IT Budget finished, and updating policies. One policy that is of particular interest is Document Retention. Most people think of this policy in terms of legal issues but it is much more! I remember purchasing a server about 15 years ago and thinking: “That 30GB hard drive is more space than we will ever use!” Boy, was I wrong! We now measure space in terabytes! A good Document Retention Policy could help with this issue, but what do we mean by a ‘good’ policy?
As I started digging into our retention policy, I began looking at other CPA firms’ policies. When looking at them with an auditor’s eye, I saw some real problems with them all. All of the policies that I reviewed were focused on the length of time each document should be retained. This lead to a number of policies that were just a table of documents and how many years they were going to be kept. The first thing that jumped out at me was that they listed as many as 50 types of documents and almost all of them had the same life. So why list all these documents? Why not just say: “All documents will be maintained for 7 years, with the exception of…”?
Now is a good time for a disclaimer! I am going to use 7 years as my example. While that is commonly used in these policies, this should not be interpreted as being my recommendation. You need to discuss your retention periods with your attorney, IT Department, and other operational departments to make sure these lives make sense.
It was very apparent that a lot of time was spent on the topic of lives in all the policies I looked at. But none ever said when that date is calculated. If it is 7 years, then tell me 7 years from when? Should it be for the date you are reading the policy? 7 years for the end of the calendar year or fiscal year?
Another topic that seemed to be ignored was responsibility. Who is responsible for the destruction of the documents? Not that end users are irresponsible, but will everyone in your organization go through all the documents and destroy then at the end of their life in a timely manner? I think this is too much to expect.
LEARN MORE ABOUT OUR RISK ADVISORY SERVICES
In our industry, an engagement or project may take several months to complete and will likely span the end of the year. So if we were to destroy all files that are 7 years old, we could be destroying half of the files associated with an engagement. So you need to establish a ‘date of record.’ In other words, the life of the file is determined by the completion date of the project, even if the files are actually older than the retention period. Our biggest challenge was to determine this date. But the important issue here is to establish the proper date and stick with it consistently.
To summarize, the Document Retention Policy should establish the proper lives, the date to destroy the documents, and the people responsible for destroying these files. By doing this, you will not only protect yourself from legal issues but reduce the number of old files on your network and free up some drive space.
I have touched on the biggest issues I have seen in document retention policies. But there are plenty of other things to think about. For instance: don’t forget to consider paper documents as well as electronic. If you have other questions about your document retention policy, don’t hesitate to contact me. I will be glad to discuss.
Throughout his time at YHB Curtis has provided IT audit and consulting to clients, even while holding the position of the firm’s IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. Also, he frequently speaks and gives presentations on SOX compliance, internal controls, and data security.