Accounting Records Retention Plan

Myth Busting: A Records Retention Action Plan



Table of Contents
• Introduction
• Electronic Records Can Be Records, Too
  • The Official Version
  • Why the Question Matters
• Cure the 7-Year Itch
  • Looking Beyond the Default
• Never Say Never
  • What Sarbox Says
  • The Privacy Element
  • Long-term vs. Permanent
• Perform Archival Selection
• A Records Retention Action Plan
• Records Retention: Worth the Effort

An effective records retention program minimizes organizational risk by making clear what requirements apply, where they apply, and how to apply them. It sets standard time periods for how long to keep categories of records based on documented research of legal and operational

Because of this vital role that records retention scheduling plays in an effective RM program, it is one of the most talked-about topics in information management. Unfortunately, it can also be one of the most misunderstood concepts. Without the proper level of due diligence, ad hoc decision making and vague assumptions about retention can threaten an organization’s compliance with legal and business requirements.

Here are just some examples of misconceptions that can become part of an organization’s business culture:

• “We don’t need to worry about recordkeeping rules because we only have electronic files”
• “Any record can be destroyed after seven years”
• “We can’t throw away any records because of privacy law and/or Sarbanes-Oxley”
• “That records retention stuff is okay for administrative records, but in our line of work, we have to keep everything forever”
• “These records are really old, so we have to keep them as an historical archive”

This white paper counters these misconceptions with a discussion of the real-world requirements that apply to records. These requirements can vary greatly from one organization to the next, making the sweeping generalizations listed above all the more inaccurate. Also included in this discussion is an action plan for developing and implementing a records retention program that addresses those same variations.

Electronic Records Can Be Records, Too

There are many immediate benefits associated with maintaining recorded information in electronic format, such as faster retrieval and cheaper storage. But increased reliance on electronic media in lieu of paper is no shelter from requirements to produce evidence or retain records. In defining the concept of a “record,” evidence laws and rules of court often use the phrase “in any format or medium.” Some laws go a step further, defining specific criteria for establishment of an “electronic record.” As sophisticated as some of these rules can be, a clear, simple theme emerges: assuming your organization’s information systems are secure and reliable, any electronic document created or received on those systems through the ordinary course of business activities is a potential record of those activities.

The Official Version

Electronic records may even take precedence over paper copies as the “official” record for legal discovery and retention purposes. For instance, many laws state that records should normally be retained in their original format. The concept of originality is tied to the transactional exchange that led to the record being made or received in the first place. Money is exchanged when a person signs a check or performs an electronic funds transfer. Rights and responsibilities are exchanged when a person signs a paper contract or clicks the “accept” button on a secure website. In the cases of the electronic funds transfer and the web-based agreement, the transaction occurs in the electronic environment, making the electronic record more original than any paper output.

Why the Question Matters

The identification of official records in either electronic or paper format is more than just an academic question. With all of the legal and administrative requirements that apply to records, it is critical to distinguish official records from duplicate copies, obsolete drafts, outdated reference material, and other non-records. Anecdotal sources estimate that non-record materials account for 50% of most organizations’ paper and electronic holdings. By applying official record status selectively, your organization can apply records storage and disposal processes more efficiently and cost-effectively.

Cure the 7-Year Itch

The common default retention period of 7 years has some basis in reality. The accounting profession in particular is subject to a number of well known statutory and regulatory requirements to keep invoices, receipts, and other financial records for that very duration. For instance, Canada’s Income Tax Act has very clear, explicit instructions to retain relevant records for six years after the end of the year in which they are created. Factoring in time for an internal audit after the year-end has passed, we see a very convincing mandate to keep the records for 7 years.

Looking Beyond the Default

But even within the accounting industry, 7 years is by no means the entire picture. 7 years may suffice for records relevant to certain federal income tax requirements - but organizations are often subject to more than one tax. Companies who collect and remit the Canadian Goods and Services Tax are governed by the Excise Tax Act, which includes assessment periods of up to 10 years. In order to manage the audit risks, affected organizations may need to retain certain accounting records for at least 10 years. Depending on how risk averse your organization is, retention periods for tax returns and other tax relevant records may be even longer. Various sections of the United States Code allow for investigation of alleged tax fraud without time limitation, allowing for a possible argument that certain records should be retained indefinitely.

The complications associated with retention periods do not end with the number of years. Exactly how long a particular record is retained also depends on when the official retention period actually begins. “Event-based retention” refers to retention periods which do not even begin until a predefined event triggers closure of the file. Common examples of retention events include:

• End of the fiscal year in which records were created and subsequent completion of internal audit requirements for that year
• Termination of an employment relationship
• Termination or expiry of an agreement
• Completion and close-out of a project, such as facility construction or information technology deployment
• Decommissioning of a plant or facility
• Dissolution and winding up of the corporation

Some of these events occur less routinely than others. When years elapse before the event occurs, the total time for retaining records is directly impacted. Consider the following fictional example: A collection of employee files has a records retention period of Termination of Employment + 10 Years. The file of an employee who quit during his or her first week would be kept for ten years. Meanwhile, the file of an employee who enjoyed a 30 year career at the company would have to be retained no less than 40 years.

Never Say Never

Long-term retention requirements are one of the realities for records management, but to say that a particular collection of records can never be destroyed is more often than not an exaggeration. This reality becomes evident when we zero in on some of the common arguments that organizational personnel may make for keeping records “forever.”

What Sarbox Says

The Sarbanes-Oxley Act of the United States establishes records retention practices as a source of corporate accountability, but contrary to some popular assumptions, it does not outlaw all records destruction activity. Sarbanes-Oxley does make it an offence to destroy, mutilate, obscure or alter a record with the intent to obstruct justice. In other words, it is still perfectly legal to destroy records as long as the destruction is not intended to obstruct justice. Regular, ongoing records destructions can still occur, as long as they are performed in accordance with an approved retention schedule and a review and authorization process that can capture any records responsive to audits, litigation or other proceedings even after their retention periods have lapsed. Retention schedules and disposal authorization forms work together as documented evidence that records were disposed of in the ordinary course of business, as opposed to attempts to obstruct justice by destroying evidence of illegal activity.

The Privacy Element

Privacy requirements are an even less effective rationale for keeping records “forever”. Laws such as Canada’s Personal Information Protection and Electronic Documents Act, Australia’s Privacy Act, and sections of the U.S. Gramm-Leach-Bliley Act apply only to personal information, which is typically defined as potentially sensitive information about employees, customers, health care patients, and other identifiable individuals. Privacy laws help ensure certain individual rights, such as the right to access one’s own personal information (subject to exceptions) or request corrections of any inaccuracies in personal information. Records retention policies can help ensure that personal information is retained long enough for individuals to exercise these rights, but that does not mean retaining the information indefinitely. Most privacy laws actually make it an offence to retain personal information longer than necessary to fulfil the purposes for which the information was collected and meet legally mandated retention requirements. For every year that an organization retains personal records in excess of actual requirements, it is breaching the privacy rights of the persons whom those records are about. Compliance with privacy laws may therefore lead an organization to decrease rather than increase some records retention periods.

Long-Term vs. Permanent

Finally, there is a tendency in some organizations to equate very long-term records retention requirements with permanent retention requirements. While there are indeed sections of legislation that explicitly require keeping specified records “permanently” or “indefinitely,” they are rare relative to the event-based retention periods discussed under Section 3. Retention events such as facility decommissioning and corporate dissolution may not occur for any number of years. Even once the event has occurred, there may be direct retention periods and legal liability periods which dictate keeping the records for a further number of years. The total retention period in each case is quite long, but an end is possible. Keeping all such records “forever” often misses an opportunity to dispose of large volumes of older records that really have no remaining retention

Perform Archival Selection

Equating age with historical value is a fast track to disappointment. Many people have discovered this first hand when they submit old coins or family heirlooms to a professional appraiser. These items may be more than a hundred years old and hold great sentimental value, but unless they are very rare or contributed to well known history, they will not fetch a high price.

The same principle applies to archival records. As a professional discipline, archival science emphasizes the techniques of archival selection and appraisal. Rather than retain every record for historical purpose, an archivist identifies those more unique records which document the company’s organizational development, operational mandate, and relationships. Many routine transactional records may not meet this grander vision. Even when transactional records do provide evidence of operations, various sampling techniques can identify a representative snapshot of otherwise huge collections.

In short, many older records do hold great archival value for your organization and the communities in which it operates. But for every old record which meets these criteria, there are many records just as old which simply do not.

A Records Retention Action Plan

The different requirements discussed above may appear contradictory in places. It is not unusual for requirements to vary from one statute or regulation to the next, and when we apply all those requirements to the same records, things get complicated. That complication can be addressed through careful research, documentation and application of different requirements in the form of a records retention program.

In developing and implementing a records retention program, be sure to address the following tasks:

• Establish criteria for a document to be identified as an official record. Such criteria should provide concrete, specific guidelines to support daily decision-making, yet remain flexible enough to provide for the exceptions that can occur in an active business environment

• Develop and implement a policy directive authorizing secure destruction of non-record materials that are no longer immediately useful. In order to facilitate regular, timely purging of such materials, non-records should require little more than the policy itself to authorize their destruction

• Research and tabulate records retention requirements from all applicable statutes and regulations. Records retention requirements may appear as either a direct, explicit requirement to keep a given record for a specified time period, or indirectly in the form of legal limitation periods

• Investigate operational needs. The creators and users of records should play a role in identifying how long records will be needed as sources of recorded information to inform administrative processes and operational activities, possibly in excess of any legally mandated retention requirements

• Apply archival appraisal, selection and sampling techniques where appropriate. These processes can be integrated into retention schedule development, identifying upfront which categories of records have potential archival value

• Establish the retention schedule. Apply relevant legal, operational and archival requirements to categories of records. Industry-recognized standards in records management, such as ISO 15489, recommend that records categories be based on the business activities that give rise to records creation or receipt. Those same activities will also help indicate applicable legal, operational and archival requirements. Records retention periods for each category should be long enough to meet all identified requirements, yet not so long as to introduce privacy non-compliance, undue storage costs, and other risks

• Implement disposal processes whereby records are reviewed regularly against retention schedules to identify their eligibility for destruction. The review should include input from stakeholders who can identify any possible legal or operational needs to retain the records in excess of their scheduled retention periods. Actual records destruction should be signed off on by those same stakeholders, performed in a secure manner, and certified as having been performed in accordance with organizational retention policies

Records Retention: Worth the Effort

Decisions about how long to retain records should never be based on vague assumptions or informal office culture. If your organization ever finds itself in a lawsuit or an audit, it will need to account for all records retention practices and provide a consistent, objective rationale for any disposals which have been performed. A formal records retention schedule supports this objectivity, provided it is developed based on due diligence and legal research well before any proceedings come to light.

Developing such a program is a significant undertaking, but organizations should not be daunted. While developing a records retention program or overhauling an existing program is hard work to say the least, the investment of time and other resources will more than pay for itself in improved legal compliance, risk management, and business efficiency.