Document Retention and Retrieval:
Do You Have a Policy?

by Raymond Thompson, PhD, CMA
Pursuit, December 2007

Today, more than 90 percent of business documents are created electronically, allowing organizations to save data with relative ease. These records can be searched using keywords and indices in a rapid, economical manner. Still, there are guidelines that must be followed when it comes to what and how long records must be retained and accessible.

The CPA profession’s quality control standards, issued by the Statements on Quality Control Standards (SQCS), require accounting firms to establish policies and procedures to maintain the safe custody, integrity, accessibility, and retrieval of engagement documentation. The guidance also prohibits alterations, additions, or deletions to the documents. SQCS recommends passwords and encryption to restrict access to data; backup procedures for electronic documentation; and policies that ensure confidential storage of hard copies of engagement documentation. SQCS indicates that a firm’s policies should:

• Facilitate retrieval and access during the retention period, and allow for technology changes and upgrades over time.
• Provide a record of changes made subsequent to the completion of the engagement.
• Enable authorized parties to access and review documents for quality control or other purposes.

Developing a sound organizational document storage and retrieval policy is complicated because retention considerations vary by jurisdiction. For example, companies working for the federal government are subject to more stringent requirements. Cost considerations are another factor, since the expense of storage and maintenance must be weighed against the likelihood that the information will be needed. Below are the six major elements of a document retention policy.

Purpose
The purpose is to balance the costs of retention with the benefits of retrieval.

Location and Custody
Records should be stored in a single, designated location. One person should assume responsibility for retaining documents.

Form of Records
Essential or enduring records should be retained in hard copy form. If the programs used to create them become obsolete, it may not be possible to restore them. Electronic copies of hard copy documents should also be maintained.

Retention Schedules
A document retention schedule should be developed to outline when document files are to be destroyed and by whom. Here
is a typical length of time for the retention of various kinds of
documents:

• Corporate records:
  Permanent
• Accounting records:
  Seven years
• Merger or acquisition records: Permanent
• Bank statements:
  Seven years
• Capital and fixed asset records: Life of the asset plus seven years
• Personnel records: Termination plus seven years
• Salary records: Six years
• Litigation and claims: Closure plus 10 years
• Correspondence:
  Completion of assignment plus 10 years

Destruction
Confidential documents should be shredded. Others may be recycled. CPA firms should attempt to take comparable steps with electronic equivalents.

Enforcement
Experts caution that it is not sufficient to simply create a document retention policy – it must be enforced consistently and supported by an ongoing training program. Administrators should provide employees with written instructions. Studies show that without ongoing training, employees tend to save documents that should have been destroyed. Instructions should also be provided on steps to take when a litigation hold is placed on materials.

No document retention policy offers guaranteed protection. However, a consistently applied policy is an essential component of an organization’s risk management effort and can greatly reduce the risk of spoliation charges.

For a model document retention policy, visit www.nspe.org/liability/in-home.asp.