The Sarbanes-Oxley Act was signed into law nearly two decades ago after a series of infamous corporate fraud incidents. Yet this legislation, intended to govern for-profit entities, inherently affects not-for-profit entities as well.
One clause in particular guards against fraud by requiring all organizations (including nonprofits) to retain crucial organizational documents. These documents span from tax statements to meeting minutes.
New nonprofits that need a document retention policy may find the task overwhelming, especially if they don’t know where to start. This guide is designed to help nonprofits create an effective and efficient policy for their organization.
What Exactly is a NonProfit Document Retention Policy?
“A document retention and destruction policy identifies the record retention responsibilities of staff, volunteers, board members and outsiders for maintaining and documenting the storage and destruction of the organization’s documents and records.” — IRS and Council for NonProfits
6 Tips for a Successful NonProfit Document Retention Policy
- Clearly define all activities in your policy, and ensure they are available to employees, board members and stakeholders alike.
- Use feedback from employees and stakeholders to update your policy.
- Carefully assess your electronic data storage practices. Should you be using cloud or on-premises? If you use a DIY solution, how much will the upgrades and yearly maintenance cost?
- Specify each document type with language that is clearly understood by the entire organization. For example, using the term “tax forms” is too broad, but “tax worksheet I-9” is specific.
- Be sure each document is assigned a document storage method, location and time frame. Don’t leave any details up for guessing in later years.
- Clearly identify the personnel responsible for document retention, destruction and access. These documents should be secure, and only handled by select staff.
To Keep or Not to Keep?
While states have separate regulations, federal law dictates that nonprofits must keep the following records for the specified time period. Not every organization will have all of these records, yet most of the documents are applicable to most nonprofits.
- Audit reports
- Articles of incorporation, minutes, bylaws and charter
- Chart of accounts
- Check copies for important payments and purchases
- Copyright, trademark and patent registrations
- Correspondence, legal and important matters
- Deeds, mortgages and bills of sale
- Depreciation schedules
- Employee discrimination reports
- Financial statements (year-end)
- General ledgers, year-end trial balance and journals
- Insurance records, accident reports and claims
- Mission statements and strategic plans
- Program or project files
- Property records, appraisals and blueprints
- Tax returns and worksheets
- Training manuals
Keep for a minimum of seven years:
- Accident reports
- Accounts receivable, payable, and notes receivable and payable
- Bank statements, checks, deposit records and reconciliation
- Contracts, mortgages (expired)
- Contracts (until 7 years after expiration)
- Donation Documentation
- Expense Analyses
- Grants funded (7 years after closure)
- Inventory records
- Payroll records
- Personnel files (terminated employees)
- Purchase orders
- Sales records
- Stock and bond certificates (cancelled)
- Vouchers for payments to vendors, employees, etc.
- Withholding tax statements
Three years and under:
- General correspondence (1 year)
- Administrative correspondence (3 years)
- Customer and vendor correspondence (2 years)
- Employee demographic records (3 years)
- Grants, unfunded (1 year)
- I-9s (3 years after hire date)
- Insurance policies (3 years after expiration)
- Internal audit reports (3 years)
- Petty cash vouchers (3 years)
How does an organization manage such a file lifecycle? Typically nonprofits will create a document retention and destruction committee (also known as records management) that oversees and sometimes executes all activities in this area.
The committee is composed of individuals spanning administration, IT and legal or business consultants (typically already active in your organization) who help answer any questions and approve activities.
How Do I Store the Information?
There is no specific requirement for how records should be stored. However, your records must be readable, even decades later. If your organization is audited, you must produce all the required documentation as well as cease destruction of existing records.
When storing records, know that choosing physical storage may require upgrades. Saving records on floppy disks may have seemed like a great idea at the time, but imagine staff members converting records into CD and USB collections now. Despite the disadvantages of switching storage methods, physical copies are not ideal either.
Physical copies not only require a large storage warehouse or space, but are also susceptible to disasters such as fire or flooding. Thus, physical copies must generally be scanned into a backup system. This leads to unnecessary redundancy.
Finally, electronic storage is the chosen method for many nonprofits. Though convenient, electronic storage poses a problem: how do I securely manage records and record access?
Hiring A Bouncer: Record Security Must-Haves
So you want to store your documents electronically. Great! Now the question is: cloud, on-prem or hybrid? Cloud allows simple access from anywhere in case stored files (or current files) are needed. Plus, using the cloud is a great way to reduce infrastructure costs. If you don’t have any on-premises tools currently in place and need a quick solution, cloud is certainly a valid option.
On the other hand, on-premises allows for the security of having your files located onsite, providing you more options to regulate who has access (meaning less chance of data breaches). Using on-premises infrastructure also means your data sits behind your firewall, providing added benefits. Additionally, an on-premises deployment lets you use your existing storage or SmartFile’s native storage, giving you more flexibility.
Finally, a hybrid cloud can be used at various points across your infrastructure, while still remaining behind your secure firewall. Hybrid allows you to back up to the cloud or solve some bandwidth issues if you’re dealing with extremely large file sizes that are constantly accessed by internal and external parties.
Regardless of the final method you choose, SmartFile ensures your organization can set granular user permissions and monitor activity logs. This becomes especially important for the document destruction clause in the document retention policy.
Spring Cleaning: Document Destruction
You’ve reached the point where your two-to-three-year documents no longer need to be retained. Now what? This is where granular user permissions and activity logs are especially helpful.
For the best security, only certain staff members should have the ability to delete records. Furthermore, each time a record is deleted, this must be recorded in a worksheet or other form of your choosing. An activity log for the cloud or on-prem solution will automatically account for user activity such as login, downloading, uploading or deleting. This can ease the burden on a records management committee.
Finding a Product for Your Storage and Document Management
Choosing a storage solution is difficult. Ideally, the solution should allow granular user permissions, activity logs, and an on-premises option if you so choose. Remember this cannot simply be a vault in which to put archaic files.
Instead, choose the solution that allows both file sharing and file management. Keep in mind that services that charge by data usage may not be a great fit depending on the scope of your document storage.
If your organization is looking for the ideal device for your nonprofit document retention policy, SmartFile offers multiple options to handle any situation.