Vol. 10, December 10, 2007
The Problem With Document Destruction
Organizations can overlook the importance of documents until things go wrong. Make sure document retention and destruction policies and procedures are being implemented before a disaster can occur.
CRAIG S. WRIGHT, MNSA, CCE, GCA
MANAGER OF INFORMATION SYSTEMS
Sound business practices dictate that document management be a priority for most organizations. However, the primary focus of managing information for many organizations centers around securing financial information against theft or unintentional release. While this is certainly a critical component of document management, organizations need to remember that the more routine, day-to-day documents created by employees at all levels can be just as critical to the success or failure of the business. What organizations keep and what they destroy should be a well thought-out process and managed appropriately.
The importance of such materials is evidenced by the growing number of regulatory requirements targeted at nonfinancial information such as the Anti-terrorism, Crime and Security Act 2001 introduced by the UK government following the terrorist attack in New York on September 11, 2001. This act encourages service providers to follow a voluntary code of practice, where e-mail is held under a six-month retention period. Other cases where internal documents and e-mails have played an important role are with Enron, WorldCom, Parmalat, and Royal Ahold. Such requirements and court cases also illustrate the changing complexities of document management, which must address both hardcopy materials as well as electronic data.
Organizations often realize the true value of proper document management when things go wrong, and previously overlooked items take on great significance. Within the internal audit department, one such example is source documents, which should be handled with special care in case they are needed to trace how audit findings, data collection, or transactions were conducted. Oral testimony, without evidentiary support, is not reliable and in a court of law, may be considered inadmissible. What documents organizations keep and what they destroy can send either positive or negative messages when faced with a challenging legal situation.
DESTROYING DOCUMENTS: BAD FOR BUSINESS OR ILLEGAL
Serious consideration should be given to the destruction of any document, and it should be noted that the destruction of documents in some cases is not just illegal but criminal. For instance, a company officer or director who destroys or falsifies a document affecting the company's property or affairs is liable to prosecution under the Australian Corporations Act 2001.
According to this law, if there is a suspicion of wrongdoing, individuals must prove that the destruction of documents was not done with the intention to deceive. In many cases, these are statutory strict liability offences. In other words, the prosecution only needs to prove the facts (i.e., that a defendant destroyed the documents). It is up to the defendant to disprove intent. This is not always easy to do in a court of law. In fact, according to section 1309 of the Australian Corporations Act 2001, it is an offence if an officer or employee fails to take reasonable steps to ensure the accuracy and protection of records.
In Victoria, Australia, recent changes to the Crimes Act 1958 have created "a new offense in relation to the destruction of a document or other thing that is, or is reasonably likely to be, required as evidence in a legal proceeding." This act, punishable by up to five years imprisonment, affects anyone who destroys or authorizes the destruction of any document that may be used in a legal proceeding (including potential future legal proceedings).
Under section 286(1) of the Corporations Act, a company must keep “written financial records that: correctly record and explain its transactions and financial position and performance; and would make true and fair financial statements able to be prepared and audited.”
If a dispute has previously arisen or is considered likely, it is hazardous to destroy any documents. Cases where provisions for litigation have been included in audit reports are a strong example. In instances where it is probable that a dispute may arise, or after a dispute has begun, a conscious choice to destroy documents could make one liable under the criminal offence of obstructing justice.
Ask any forensic accountant; the existence of omitted documents is usually easy to trace because they are referred to in existing documents. If the case goes to court, it is necessary to list not only documents in one's possession, custody, or power but also those that once existed and have been destroyed.
The destruction of documents can adversely influence a case through inference, as demonstrated in the United Kingdom, Infabrics v. Jaytex. After the commencement of the case, it was discovered that most of the invoices, stock records, and similar documents had been destroyed. The judge stated that he was "not prepared to give the defendants the benefit of any doubt or to draw an inference in their favor where a document, if not destroyed, would have established the matter beyond doubt."
DOCUMENT MANAGEMENT CONSIDERATIONS
With the increasing requirements for electronic documents, companies should update their document retention policies. These policies should not be disorganized or ad hoc. In the past, there were definite limitations on how long files should be retained (with most professions keeping papers for at least seven years). However, recent decisions made by courts all over the world requiring organizations to keep records for a period after the final transaction, not from when the document was created, make establishing general guidelines more difficult.
Leading practices in the area of document management suggest that companies should adopt a document retention policy that ensures items are only discarded or destroyed in accordance with governing regulations and in a systematic manner. Developing a written policy on document destruction and retention, to be applied consistently, is a shrewd move on the part of any organization.
MINIMUM DOCUMENT RETENTION GUIDELINES
The minimum requirement for data retention varies widely across jurisdictions, countries, and oftentimes, business disciplines, as illustrated by some of the wide variations reflected in Figure 1 below.
APPLICATIONS TO INTERNAL AUDIT
Document management is not an issue confined to Australia and the UK. Rather, it is an ever-growing concern for organizations throughout the world. In particular, the increasing use and complexity of document management systems and databases is driving an invigorated need to implement effective controls. It is no longer enough for the internal IT auditor to rely on an isolated snapshot of the system. It is essential that an understanding of document retention requirements based on jurisdictional specifications be maintained.
There are a number of steps that internal auditors can use to aid in auditing electronic documents. By incorporating controls into databases and other systems, the audit staff are able to ensure that legislative requirements are being met. Some steps that may be undertaken include:
Classifying all documents that are scanned or electronically created using systems of automated controls and allocations. Electronic records management systems are becoming more commonly used for this task as they can automate the allocation of documents to a classification that best reflects the material they contain.
Using digital analysis techniques and data mining to search through system storage and data warehouses for keywords and classifications. The rise of data warehousing has led to the ability to configure automated searches for data that has been incorrectly classified or is past its retention period using text mining.
Configuring key fields in databases and making rules to create isolated copies of required documents. By configuring a centralized store of documents, key document recovery is a more efficient process. Many banks and credit unions have implemented processes that centralize and manage transaction confirmations, retirement information, loan applications, and even meeting notes or minutes.
Implementing formal policies and procedures. International Organization for Standards 27001, and 15489 (Information and Documentation — Records Management) and the Model Requirements for Management of Electronic Records provide guidelines for data retention.
Using network scanning for defined against classifications. An intrusion detection system may be configured to alert on key phrases and data sent on unauthorized streams (i.e., using unencrypted e-mails). Databases may be tested to ensure that sensitive data is only retained in secured tables.
Organizations and their internal audit departments need to stay vigilant in their oversight of the document management process, paying special attention to items that seem to get lower levels of attention than financial data. Also, it is wise for organizations to remember that e-mail has become a common means to distribute board minutes, reports, and other sensitive data. As such, the need to define data retention strategies has only increased. So don't wait until the next time your organization decides to purge files, e-mails, or other miscellaneous electronic documents — make sure document retention and destruction policies and procedures are being implemented before a disaster can occur. Remember, there is much more to document retention than managing disk space.
Craig Wright is a manager of information systems in Sydney, Australia. He is currently working on his tenth academic degree.
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.