ITAudit   
Vol. 10, December 10, 2007

The Problem With Document Destruction

Organizations can overlook the importance of documents until things go wrong. Make sure document retention and destruction policies and procedures are being implemented before a disaster can occur.

CRAIG S. WRIGHT, MNSA, CCE, GCA
MANAGER OF INFORMATION SYSTEMS
SYDNEY, AUSTRALIA

Sound business practices dictate that document management be a priority for most organizations. However, the primary focus of managing information for many organizations centers around securing financial information against theft or unintentional release. While this is certainly a critical component of document management, organizations need to remember that the more routine, day-to-day documents created by employees at all levels can be just as critical to the success or failure of the business. What organizations keep and what they destroy should be a well thought-out process and managed appropriately.

The importance of such materials is evidenced by the growing number of regulatory requirements targeted at nonfinancial information, such as the Anti-terrorism, Crime and Security Act 2001, introduced by the UK government following the terrorist attack in New York on September 11, 2001. This act encourages service providers to follow a voluntary code of practice, under which e-mail is held for a six-month retention period. Other cases where internal documents and e-mails have played an important role include Enron, WorldCom, Parmalat, and Royal Ahold. Such requirements and court cases also illustrate the changing complexities of document management, which must address both hardcopy materials and electronic data.

Organizations often realize the true value of proper document management when things go wrong, and previously overlooked items take on great significance. Within the internal audit department, one such example is source documents, which should be handled with special care in case they are needed to trace how audit findings, data collection, or transactions were conducted. Oral testimony, without evidentiary support, is not reliable and, in a court of law, may be considered inadmissible. What documents organizations keep and what they destroy can send either positive or negative messages when faced with a challenging legal situation.

DESTROYING DOCUMENTS: BAD FOR BUSINESS OR ILLEGAL

     
   


Putting the Pieces Together

Forensic accountants and other investigators use evidentiary fragments to reconstruct transactions. In the absence of supporting documentation, it is often necessary to reconstruct transactions and contracts. The parol evidence rule, however, precludes the introduction of ancillary evidence which contradicts a written contract. In the absence of the written contract, evidentiary fragments may be used. Because anything outside of a written contract is parol evidence (including testimony about what was said during the negotiations, proposals, or recordings of conversations), the failure to maintain the original records could result in a detrimental judgement. This judgement could be diametrically opposed to what was intended in the written contract.

 
     

Serious consideration should be given to the destruction of any document, and it should be noted that the destruction of documents in some cases is not just illegal but criminal. For instance, a company officer or director who destroys or falsifies a document affecting the company's property or affairs is liable to prosecution under the Australian Corporations Act 2001.
According to this law, if there is a suspicion of wrongdoing, individuals must prove that the destruction of documents was not done with the intention to deceive. In many cases, these are statutory strict liability offences. In other words, the prosecution only needs to prove the facts (i.e., that a defendant destroyed the documents). It is up to the defendant to disprove intent. This is not always easy to do in a court of law. In fact, according to section 1309 of the Australian Corporations Act 2001, it is an offence if an officer or employee fails to take reasonable steps to ensure the accuracy and protection of records.

In Victoria, Australia, recent changes to the Crimes Act 1958 have created "a new offense in relation to the destruction of a document or other thing that is, or is reasonably likely to be, required as evidence in a legal proceeding." This act, punishable by up to five years' imprisonment, affects anyone who destroys or authorizes the destruction of any document that may be used in a legal proceeding (including potential future legal proceedings).

Under section 286(1) of the Corporations Act, a company must keep “written financial records that: correctly record and explain its transactions and financial position and performance; and would make true and fair financial statements able to be prepared and audited.”

If a dispute has previously arisen or is considered likely, it is hazardous to destroy any documents. Cases where provisions for litigation have been included in audit reports are a strong example. In instances where it is probable that a dispute may arise, or after a dispute has begun, a conscious choice to destroy documents could make one liable under the criminal offence of obstructing justice.

 


Leveraging Technology to Manage Document Retention

One way for organizations to manage their process is to leverage readily available advanced technologies, such as scanners to preserve files. Coupled with optical character recognition (OCR), scanned images can be stored both as an original copy for evidentiary purposes and as a tagged document with keywords for searching. Use of this technology minimizes the risk associated with paper records, especially when searching through paper documents within certain date ranges. Furthermore, scanned images can be dated and automatically marked for deletion at the end of their retention period.

 
Ask any forensic accountant; the existence of omitted documents is usually easy to trace because they are referred to in existing documents. If the case goes to court, it is necessary to list not only documents in one's possession, custody, or power but also those that once existed and have been destroyed.

The destruction of documents can adversely influence a case through inference, as demonstrated in the United Kingdom, Infabrics v. Jaytex. After the commencement of the case, it was discovered that most of the invoices, stock records, and similar documents had been destroyed. The judge stated that he was "not prepared to give the defendants the benefit of any doubt or to draw an inference in their favor where a document, if not destroyed, would have established the matter beyond doubt."

DOCUMENT MANAGEMENT CONSIDERATIONS

With the increasing requirements for electronic documents, companies should update their document retention policies. These policies should not be disorganized or ad hoc. In the past, there were definite limitations on how long files should be retained (with most professions keeping papers for at least seven years). However, recent decisions made by courts all over the world requiring organizations to keep records for a period after the final transaction, not from when the document was created, make establishing general guidelines more difficult.

Leading practices in the area of document management suggest that companies should adopt a document retention policy that ensures items are only discarded or destroyed in accordance with governing regulations and in a systematic manner. Developing a written policy on document destruction and retention, to be applied consistently, is a shrewd move on the part of any organization.

MINIMUM DOCUMENT RETENTION GUIDELINES

The minimum requirement for data retention varies widely across jurisdictions, countries, and oftentimes, business disciplines, as illustrated by some of the wide variations reflected in Figure 1 below.


Figure 1. Examples of Data Retention Requirements

  Record type                  Retention period
  Web activity data            4 days
  Basic commercial contracts   6 years after discharge or completion
  Deeds                        12 years after discharge
  Land contracts               12 years after discharge
  Product liability            A minimum of 10 years
  Patent deeds                 20 years
  Trademarks                   Life of trademark plus 6 years
  Copyright                    50 years after author’s death

APPLICATIONS TO INTERNAL AUDIT

Document management is not an issue confined to Australia and the UK. Rather, it is an ever-growing concern for organizations throughout the world. In particular, the increasing use and complexity of document management systems and databases is driving an invigorated need to implement effective controls. It is no longer enough for the internal IT auditor to rely on an isolated snapshot of the system. It is essential that an understanding of document retention requirements based on jurisdictional specifications be maintained.

   

International Organization for Standardization (ISO) 27001 Guidance on Document Retention

ISO 27001 states that "records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the information security management system (ISMS). They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable, and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records shall be documented and implemented."

There are a number of steps that internal auditors can use to aid in auditing electronic documents. By incorporating controls into databases and other systems, the audit staff are able to ensure that legislative requirements are being met. Some steps that may be undertaken include:
  • Classifying all documents that are scanned or electronically created using systems of automated controls and allocations. Electronic records management systems are becoming more commonly used for this task as they can automate the allocation of documents to a classification that best reflects the material they contain.
  • Using digital analysis techniques and data mining to search through system storage and data warehouses for keywords and classifications. The rise of data warehousing has led to the ability to configure automated searches for data that has been incorrectly classified or is past its retention period using text mining.
  • Configuring key fields in databases and making rules to create isolated copies of required documents. By configuring a centralized store of documents, key document recovery is a more efficient process. Many banks and credit unions have implemented processes that centralize and manage transaction confirmations, retirement information, loan applications, and even meeting notes or minutes.
  • Implementing formal policies and procedures. International Organization for Standardization (ISO) standards 27001 and 15489 (Information and Documentation — Records Management) and the Model Requirements for Management of Electronic Records provide guidelines for data retention.
  • Using network scanning against defined classifications. An intrusion detection system may be configured to alert on key phrases and data sent on unauthorized streams (i.e., using unencrypted e-mails). Databases may be tested to ensure that sensitive data is only retained in secured tables.
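
As an added illustration of the automated retention searches described in the steps above (not code from this article or from any records management product), the following Python example applies some of the Figure 1 periods to record metadata. It starts the retention clock at the discharge or other closing event rather than at creation, blocks disposal of anything under a legal hold, and flags unclassified records; the class names, field names, and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Periods taken from Figure 1: class -> (years, event that starts the clock).
RULES = {
    "commercial_contract": (6, "discharged"),
    "deed": (12, "discharged"), "land_contract": (12, "discharged"),
    "trademark": (6, "expired"),
    "copyright": (50, "author_death"),
}

@dataclass
class Record:                 # field names are assumptions for this example
    rec_id: str
    doc_class: str
    events: dict              # event name -> date it occurred
    legal_hold: bool = False  # a dispute has arisen or is considered likely

def retain_until(rec):
    """Last day the record must be kept; None while the anchor event is open."""
    years, anchor = RULES[rec.doc_class]
    start = rec.events.get(anchor)
    if start is None:
        return None
    try:
        return start.replace(year=start.year + years)
    except ValueError:        # anchor on 29 Feb, target year is not a leap year
        return date(start.year + years, 3, 1)

def disposition(rec, today):
    if rec.legal_hold:
        return "HOLD"          # never purge, whatever the schedule says
    if rec.doc_class not in RULES:
        return "UNCLASSIFIED"  # classify before any purge decision
    until = retain_until(rec)
    if until is None:
        return "OPEN"          # e.g. contract not discharged: clock not started
    return "ELIGIBLE" if today > until else "RETAIN"

# Constructed sample records (not real data).
SAMPLE = [
    Record("C-1", "commercial_contract", {"created": date(1999, 3, 1), "discharged": date(2004, 6, 30)}),
    Record("C-2", "commercial_contract", {"created": date(1995, 1, 10)}),
    Record("C-3", "commercial_contract", {"created": date(1998, 7, 1), "discharged": date(2000, 2, 29)}),
    Record("D-1", "deed", {"created": date(1990, 5, 5), "discharged": date(1994, 2, 1)}, legal_hold=True),
    Record("M-1", "meeting_notes", {"created": date(2000, 1, 1)}),
]

def audit(records, today):
    return {r.rec_id: disposition(r, today) for r in records}
```

Run as audit(SAMPLE, date(2007, 12, 10)), record C-1 is reported as RETAIN even though it was created more than six years earlier, because its clock starts at discharge, and D-1 is reported as HOLD even though its 12-year period has already run out.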

GOING FORWARD

Organizations and their internal audit departments need to stay vigilant in their oversight of the document management process, paying special attention to items that seem to get lower levels of attention than financial data. Also, it is wise for organizations to remember that e-mail has become a common means to distribute board minutes, reports, and other sensitive data. As such, the need to define data retention strategies has only increased. So don't wait until the next time your organization decides to purge files, e-mails, or other miscellaneous electronic documents — make sure document retention and destruction policies and procedures are being implemented before a disaster can occur. Remember, there is much more to document retention than managing disk space.

Craig Wright is a manager of information systems in Sydney, Australia. He is currently working on his tenth academic degree.



All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.