Creating a document-retention policy: a how-to guide.

Author: Box, Ron

CPA firms and their clients need to ensure that they have a document-retention policy in place that protects the confidentiality and integrity of documents and provides for their accessibility when needed. The following article offers guidance on developing and implementing an effective document-retention policy.

The orderly and systematic retention of documents is now a mission-critical issue. Failure to allocate sufficient resources to record-retention policies can have very serious ramifications and costly legal consequences. The regulatory requirements placed upon businesses by a host of local, state, federal, and professional agencies make creating and implementing well-conceived policies a fundamental necessity. Consider the volume of internally produced documents, e-mails, instant messages, incoming and outgoing letters or packages and the purpose of each. According to International Data Corporation, a global provider of technology research, more than 60 billion e-mails worldwide are created and sent each day. The media used to transmit or store documents may be paper or electronic, and multiple copies may be created at any processing point and at any location. Important documents may be stored on office or home computer hard drives, CDs, flash drives, PDAs, and BlackBerries. In the face of these realities, the challenge of implementing an effective document-retention policy is daunting.

Providing CIA

Organizations can implement an effective record-retention strategy. First, however, they must determine the ground rules. The program should provide confidentiality, integrity, and accessibility (CIA). In other words, organizations must determine who may be authorized to view a class of documents. They must take precautions to protect the stored information from unauthorized changes. The information also must be available to authorized users in such a way as to not interfere with the efficiency of normal work. As a final step, all documents should be assigned a life span. Most documents reach a stage when they are no longer required. At this point, the retention policy should call for an orderly, systematic, and well-documented process for their disposal.

In order to provide confidentiality, many organizations maintain clear classifications of information sensitivity. The military structure for classification (top secret, secret, confidential, sensitive, and unclassified) is well known. A similar structure, ranging from confidential to public, exists for commercial business. Some information, such as trade secrets, is extremely important to some organizations' ongoing profitability. Other documents, medical records or personnel files, for example, may be confidential because of legal requirements. Organizations need to make a clear assessment of the types of information they handle in order to classify the sensitivity of each type. Employee access to classified documents should be based on their "need to know."

Authorized users should expect that only authorized changes to documents will be permitted within the system. The data from a general ledger used to create financial statements, for example, must be free of malicious entries intended to mislead managers or investors. The...
