AS A matter of good governance, many nonprofits have adopted informal records- retention policies. But, with the advent of Sarbanes-Oxley (SOX), more and more nonprofits are asking, "What records should be kept and what should be tossed?"
Records-retention policies depend on nature of the organization. Factors such as donor base, resources, asset mix, and legal and statutory requirements should be considered.
There is no "one-size-fits-all" records-retention policy for nonprofit organizations.
Records retention came to the forefront of media and public attention following the Enron scandal, when important documents were intentionally destroyed. As a result, SOX was passed into law in 2002. SOX outlines corporate governance provisions for public companies and dictates criminal penalties for hiding and destroying documents.
Although the act is not currently directly applicable to nonprofit organizations, the records-retention policy defined under SOX is one of the several critical policies nonprofits may consider adopting.
Establishing a records- retention policy is part of best practices for both for-profit and nonprofit entities, alike. Regardless of the nature of your Hawaii business, there should be prudent policies and procedures in place to dictate processes for capturing, collecting and maintaining historical data and knowledge.
Beyond establishing best practices, nonprofits are required by donors and other funding sources to provide an ongoing trail of expenditures and evidence. And, with an organization's tax-exempt status comes additional scrutiny from the Internal Revenue Service and state and local tax entities.
THERE are several steps all nonprofits should follow when implementing or updating their record retention policy.
» Make a list: Put together a focus group to list all the internal and external factors that affect records-retention within the organization.
» Evaluate: What needs to be retained? For how long? Look at retention requirements your donor base and funding sources dictate. If you receive federal or state funding, those statutory elements apply, as well.
Lay out categories of retention, which could include:
* Permanent retention for institutional documents, such as articles of incorporation, bylaws, licenses, and annual financial statements; and
* Seven-year retention documents including ledger detail, accounts receivable/payable detail, time sheets, grant documents, committee records and proposals.
When assessing categories, documents related to transactions and assets -- including property sales, property developments, patents, and trademarks of multiple entities -- should also be considered.
Occupancy and storage costs should be discussed at this stage, as well. Costs associated with storage and employee or volunteer time dedicated to retaining documents can add up. To contain costs, the records-retention policy may allow for or require electronic storage instead of physical storage.
» Implement: Categorize documents and store using identified processes. Also, establish a disposition policy that identifies when documents are to be removed.
To ensure accountability, document how items are to be destroyed, by whom, and under what process. This ensures a paper trail of evidence. The timeline to destroy documents depends on the risk factors involved.
» Inform: As with any internal controls-related process, everyone in the organization needs to be informed of the policy. The records-retention policy should be included as part of the organization's personnel booklet and should be reinforced by senior leadership on a recurring basis.
A RECORDS-retention policy shouldn't be looked at as a shield against getting sued. However, good record-retention should be viewed as part of prudent business procedures to protect the organization's assets and achieve the organization's overall mission.
Lawrence Chew is an assurance group senior manager in the Honolulu office of Grant Thornton LLP. He can be reached at firstname.lastname@example.org