Protect your firm with an effective record destruction policy
Keeping records too long increases risk for your firm.
Many CPA firms like to keep active client records forever, but that may not be in your best interest.
Look at all types of records in your firm, and consider how to schedule destruction. You will want to develop an audit procedure to ensure that destruction is happening.
First, a caution: It is better for your firm to have no records retention policy at all than to have one and not follow it.
Ideally, you should have a records retention policy that is reviewed annually. You will want to be sure that you invest money in training and auditing to ensure that the policy is followed.
Your record retention policy should cover both paper and electronic records. A sample records retention policy is downloadable from www.totallypaperless.com.
So, how do you have high confidence that you have a policy that works for your firm? How are you disposing of the paper records?
With either internal shredding capability or by using a contractor such as Shred-It, you can safely dispose of paper records.
However, for those of you who have made the leap to document management systems or maintain file servers in-house or off-site, how do you ensure that these magnetic records and files are being handled properly?
Most of you have years of experience in practice, as I do in information technology. However, a personal "aha" revelation last year made me realize that backup media – particularly tapes, USB sticks or thumb drives, and removable disks – were nearly always in violation of a good retention policy.
If your firm is following historical procedures for either a grandparent-parent-child tape rotation or a 10-tape rotation with a backup for every day of the week, one for every Friday and end-of-month, and keeping the end-of-month forever, then you are probably not following your own records retention policy.
All of these old tapes have files that are expired, according to the records retention policy, and they are discoverable in litigation. Only if your firm has very sophisticated backup software that automatically expires old files and manages a tape library will you not be in violation of your policy. I do not know of a single firm in the country that has spent the extra money to purchase the more sophisticated backup library management software, but I'm sure some exist.
To answer this problem, you have two major choices:
- Using disk backup software that has records expiration policies
- Placing all of your files in an electronic content management (ECM) system
Many of you have simple paperless systems that do not provide content management. If you do have an ECM system, such as Interwoven WorkSite, you still have to watch that renegade users in the firm don't keep files on their local hard drives or find other creative methods that would circumvent your records retention policy.
When an ECM system is used properly, all live, working files, including Word and Excel documents, are kept in the system using version control, in addition to using the system to publish the final work product.
Some of you may be able to simulate records retention with CCH Document, using some of this system’s policies. Remember to set the system up to handle exceptions such as litigation hold.
If you are using a disk backup system, make sure that your software can handle the records retention approach. Some systems that make backups on a file-by-file basis do not include this feature.
E-mail is another example of content that can easily slip outside of your retention policy and cause your firm issues during litigation.
Individuals might copy e-mail locally, storing old messages in files, typically in .MSG or .PST format in the Microsoft Exchange world. This often happens because the firm makes a decision to limit mailbox size, and users fend for themselves copying messages locally.
With public mail stores that can easily capture a copy of e-mail, for example in Gmail or in data stored on cell phones, you may have firm data in many places you don't expect. All of these files are also discoverable in legal action.
Once you know that electronic records are ready to be destroyed – whether they are on a file server, on backup media or in your content management system – you need to make sure that they are completely erased and removed from your system. A simple delete is not enough.
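An audit pass of the kind described above, as an added example that is not part of the original article: it walks a file share or a restored backup, reports files older than the retention period and any local .PST/.MSG copies, and skips directories under litigation hold. The seven-year period, the function names and the sample tree are assumptions constructed for the illustration.

```python
import os
import time
from pathlib import Path

MAIL_ARCHIVE_EXTS = {".pst", ".msg"}  # local e-mail copies the article names

def audit_tree(root, retention_days, hold_paths=(), now=None):
    """Return sorted (path, reason) findings; directories on hold are never listed."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    root = Path(root).resolve()
    holds = [Path(h).resolve() for h in hold_paths]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Prune litigation-hold directories so nothing under them is proposed for destruction.
        dirnames[:] = [d for d in dirnames if (here / d) not in holds]
        for name in filenames:
            path = here / name
            if path.suffix.lower() in MAIL_ARCHIVE_EXTS:
                # Mail copied out of the mail system is reported whatever its age.
                findings.append((str(path), "mail-archive-outside-system"))
            elif path.lstat().st_mtime < cutoff:
                findings.append((str(path), "past-retention"))
    return sorted(findings)

def build_sample(root, now):
    """Create a constructed sample tree: (relative path, age in days)."""
    sample = [("clients/acme/2009_return.xlsx", 3000),
              ("clients/acme/2024_return.xlsx", 30),
              ("users/jdoe/old_mail.pst", 10),
              ("hold/smith_v_jones/2008_workpapers.docx", 4000)]
    for rel, age_days in sample:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample")
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))  # backdate the modification time

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        build_sample(tmp, now)
        # Assumed policy: seven-year retention, one hold directory.
        for path, reason in audit_tree(tmp, 7 * 365, [Path(tmp) / "hold"], now):
            print(reason, path)
```

The script only reports; the findings feed the destruction step rather than performing it.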
Your IT team can ensure the destruction of tapes, disks and the like, but check to see that they are following complete Department of Defense (DoD) 5220.22-M erase procedures. We usually recommend bulk magnetic erasers after using these utilities, but we like to err on the side of caution.
Randolph P. Johnston, Executive Vice-President
Network Management Group, Inc., K2 Enterprises