How serious can a failure in record retention policy be?

A convincing argument can be made that the root cause of Arthur Andersen’s collapse was a failure to follow prudent record retention procedures. While there were many other issues involved that might have had serious consequences, it was the ill-conceived, hasty document shredding that first raised a public outcry and created an appearance of wrongdoing and cover-up -- whatever the reality might have been.

The Sarbanes-Oxley Act (SOX), written in the post-Enron climate, focuses an extraordinary amount of attention on records. More significantly, SOX includes penalties of fines and imprisonment of up to 20 years for anyone who intentionally "alters, destroys, mutilates, conceals, covers up, falsifies or makes a false entry in any record, document or tangible object" so as to "impede, obstruct or influence" an investigation.

"Federal sentencing guidelines under SOX are enough to deter anyone from breaking the rules," says Hayes MacArthur, Director of Human Resources at Amper, Politziner & Mattia in Edison. Amper, a firm that does audit work for Securities and Exchange Commission (SEC)-regulated clients, has, over the last 18 months, undertaken a complete review of its record retention policies and practices to assure compliance, MacArthur notes.

Most accounting firms don’t have to worry about SEC-mandated regulations, but they still face the threat of malpractice suits, and every company faces general legal challenges. John Raspante, CPA, of Camico Mutual Insurance Company, an organization that offers liability insurance for CPA firms, believes that every organization should have at least one person designated to coordinate the development of a record retention policy and its compliance. That’s not what is happening, however. "Occasionally you find someone with that responsibility," Raspante says. "But that’s the exception."

The biggest challenge, as Raspante sees it, is keeping up with the demands of all the relevant jurisdictions. For example, the New York State Board of Accountancy requires practitioners to retain records related to an attest engagement for seven years. The state board in Missouri only requires a four-year period. New Jersey doesn’t specify any retention period. 

Another example Raspante cites that affects record retention policies is the length of time a negligence suit can be filed. In New York, it is three years from the time a client relies on the CPA’s work product. In New Jersey, it is six years from the time the cause of action (the accounting error, for example) was discovered or should have been discovered. "Any firm doing business in New York should consider specifying in its engagement letter that New York law applies," Raspante adds.

Every organization must also comply with state regulations for retaining employee information. The movement to digital information storage and the challenges of proper data management and destruction add additional layers of complexity. Add to it the reality that, while management is responsible for the record retention policy, it is the administrative staff that actually does most of this kind of work. Even small organizations face a major challenge.

Best practices for record retention

The first step any organization needs to take to create a sound record retention policy is to inventory the records it maintains and to review current procedures. "Next, decide what audit documentation you want to keep, and keep it for at least seven years from the report release date," says William Kraut, CPA, Director of Professional Standards and Quality Assurance at Amper, Politziner and Mattia.

In considering complex situations, Kraut suggests solutions based on common sense. Should a firm retain every email message that goes through its mail servers? Kraut says no. "We create electronic work papers," he points out. "We don’t save email unless it relates to those work papers. If it relates, it’ll be in there."

A summary of Kraut’s recommendations, which would serve as a good start for any organization grappling with the issues involved in record retention, is: "Set a policy. Be as specific as possible. Adhere to your policy. And be sure your staff is well-trained."