A written document-retention policy, consistently monitored over time, is essential for protecting the organization’s records of its governance and administration, as well as business records that are required to demonstrate legal compliance. Such a policy also helps to protect against allegations of wrongdoing by the organization or its directors and managers. Board members, staff and volunteers should be made thoroughly familiar with the policy and informed of their responsibilities in carrying it out.

• The board should understand the difference between document destruction during an investigation and document purging as a normal management process.
• A schedule for document retention is a necessary tool to ensure the retention of documents needed for legal or business purposes. 
• The board should understand how an official investigation is defined and how to ensure the organization abides by the laws. 
• An efficient filing system is critical for all organizations.

• The document destruction clause in the Sarbanes-Oxley Act of 2004 in Section 802 applies to nonprofit organizations. 
• It can be illegal to destroy any documents if the organization expects to be investigated or is already under official investigation. 
• IRS Form 990 inquires whether an organization has a document retention and destruction policy.

Federal, state and local laws and regulations require both for-profit and nonprofit organizations to retain certain business records—such as applications for employment and payroll records, tax forms and contracts—for specified lengths of time. Failure to maintain such records may subject the organization and/or individuals to penalties and fines and may compromise the organization’s position in litigation. 

The Sarbanes-Oxley Act provides that it is a federal crime, punishable by a fine and up to twenty years in prison, for any corporate agent, whether of a for-profit or nonprofit corporation, knowingly to alter, destroy, mutilate, conceal, cover up, falsify, or make a false entry in any record with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of a federal department or agency or any bankruptcy case.¹ The same penalty applies to anyone who alters, destroys, mutilates, or conceals a record, or attempts to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding, regardless of whether such proceeding is pending or about to be instituted at the time of the offense.²

Other federal laws, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act of 1996 (which affects health care providers), establish rules for all types of organizations for the collection, maintenance, use and dissemination of personal information to protect the privacy of individuals. State laws vary considerably from state to state and may supersede federal laws where the state law is more restrictive.

¹ Id., § 802 and United States Code Title 18, § 1519.  

² Id., § 1102 and United States Code Title 18, § 1512.

1. How can we assess whether we’ve established the necessary processes and procedures for managing and maintaining documents and then determine whether these steps are currently being followed?
2. How recently have we done a “document audit” in order to verify that all organizational documents are accessible and accounted for?
3. Do our document retention and destruction policies cover both our electronic and physical documents? 
4. If we were ever under investigation, or if there is even a potential of being investigated, are we confident that we understand what we must do at that point? 
5. Documents can provide some protection against allegations of wrongdoing.When assessing the risks our organization faces, have we considered what documents might assist in managing or minimizing these risks?

6  Protection of Assets

18 Review of Governing Documents