By Sarah Wine, CPA, Clark Nuber
According to the Technology Association of Grantmakers' State of Philanthropy Tech Survey, only 46% of foundations reported that they have a record retention policy. As a sector, we must do better.
Effective record retention is essential for community foundations to ensure compliance, transparency, and efficient operations. Without a framework for identifying and maintaining data for regulatory and compliance purposes, and for determining when those data are ready for destruction, organizations may be open to legal and security risks. Organizations without a policy might also be unnecessarily burdening themselves with obsolete data.
Maintaining trust with a variety of stakeholders internally and externally makes good data practices especially important for community foundations, which must handle a variety of documents, from donor records to grant agreements, financial statements, governance documents, and employee records. Proper management of these records can help identify areas for optimization, enhanced productivity, and cost-effectiveness. But, perhaps most importantly, proper storage and retention policies maintain the community foundation’s integrity and ability to advance its mission.
Importance of Record Retention
There are four main purposes for proper record retention:
1. Legal and Regulatory Compliance. Community foundations must adhere to legal and regulatory requirements for record retention, including federal, state, and local law guidelines and those set by the Internal Revenue Service (IRS). Retaining records for the appropriate duration ensures that the community foundation can provide evidence of its activities and decisions, which is essential for audits and legal inquiries.
2. Efficient Information Management. Every organization has to be able to access important documents when it needs them. Good information management reduces the time spent looking for documents. It also allows organizations to make better decisions and leverage historical data for greater insights and strategic planning.
3. Reduce Time and Money. By executing a retention policy, organizations can optimize storage and reduce “carrying costs” associated with keeping unnecessary data. Good record retention policies also enhance overall operational efficiency by ensuring information is readily available when it is needed.
4. Risk Management. Proper record retention minimizes the risks of data breaches, unauthorized access, and data loss. Additionally, it reduces the risks related to lawsuits or legal disputes by providing clear audit trails and documentation.
Types of Records to Retain
In addition to the day-to-day records used to manage projects and correspond with key stakeholders, most community foundations will have the following key record types:
– Donor Records: These include donation receipts, donor agreements, and correspondence. Retaining these records helps track donor contributions and ensures accurate reporting.
– Grant Agreements: Documentation related to grants awarded by the community foundation, including applications, agreements, and progress reports. These records are vital for monitoring grant outcomes and compliance.
– Financial Statements: Annual financial reports, budgets, and audit reports provide a clear picture of the foundation’s financial health.
– Governance Documents: Board meeting minutes, bylaws, and policies demonstrate the foundation’s governance practices and decision-making processes.
– Employee Related Records: Such records include employee personnel file documents, employment eligibility documents, Family and Medical Leave Act (FMLA) records, payroll and tax records, and benefit records.
– Operational Documentation: This includes standard operating procedures, training materials, and other process-related documentation.
Record Retention Schedule
Your record retention schedule outlines the duration for which different types of records should be kept. How long and how you maintain records depends on the record. Depending on your organization’s files, you will need to develop a schedule that meets the needs of those records and the compliance required by your jurisdiction. The following are some general guidelines, but please research state-specific guidelines to ensure you are meeting your regulatory obligations:
– Donor Records: Retain for at least seven years to comply with IRS requirements. Fund agreements should be maintained for the life of the fund.
– Grant Agreements: Keep for the duration of the grant plus an additional three years.
– Financial Statements: Retain for seven years. Community foundations should maintain their audit reports permanently. This historical information may be referenced in future years for insight into historical transactions or benchmarking.
– Governance Documents: Maintain them permanently, as these are critical for the community foundation’s history and governance.
– Employee Related Records: Many employers use a seven-year rule for terminated employee records. Employment eligibility documents and FMLA documents should be retained for at least three years. Payroll and tax records should be retained for at least four years, and employee retirement plan records should be retained for as long as the plan is in place plus six years from the termination of the plan.
Storage and Security
Community foundations must ensure that records are stored securely to protect sensitive information. This includes both physical and digital records. Implementing secure storage solutions, such as locked filing cabinets for physical documents and encrypted cloud storage for digital records, helps safeguard against unauthorized access and data breaches. In addition, organizations should maintain proper backups to ensure business continuity.
For digital documents, it is also important for the community foundation to have a data classification policy. Not all information is equal and, thus, does not require an equal level of security effort. Resources should be prioritized for the most sensitive information of an organization, so it is critical to establish guidance on prioritization.
Data classification may be documented in a table such as the following example:
| Data Type | Access Level | Examples |
| --- | --- | --- |
| Public | Level 1: Public | Press releases, annual reports, published research, published marketing materials. |
| Low-Risk Confidential | Level 2: Internal Only | Intranet portals, department policies and procedures, training materials, work papers, building maps/layouts. |
| Medium-Risk Confidential | Level 3: Confidential | Personnel records, IT source code, non-public financial records/statements, budget information, technical diagrams/architecture, donor information. |
| High-Risk Confidential | Level 4: Restricted | Personally Identifiable Information (PII), passwords/PIN details, private encryption keys, trade secrets, SSN, credit card numbers. |
| Reserved for Research Data | Level 5: Top Secret | Research data, formulas, or other information directly related to the ongoing nature of an organization. |
Implementing a data classification policy can also be effective in reducing the risk of unauthorized access and data breaches.
Disposal of Records
When records reach the end of their retention period, community foundations should dispose of them securely. Shredding physical documents and permanently deleting digital files ensure that sensitive information is not compromised. It’s important to follow best practices for record disposal to maintain confidentiality.
Identify a Responsible Person
Identify who within the community foundation is responsible for the different types of documents. The community foundation may choose to designate one person in the accounting department to retain accounting records and another in the human resource department to maintain employee personnel records.
Regular Review and Updates
Community foundations should regularly review their record retention policies and schedules to ensure they remain compliant with changing regulations. Periodic audits of records help identify any gaps in retention practices and provide an opportunity to update policies as needed.
Other Reminders
The following are additional tips we recommend your community foundation implement as best practices:
– Require draft documents to be destroyed as soon as the official signed versions are available.
– Remind employees that it is a crime under Section 802 of the Sarbanes-Oxley Act to intentionally destroy, alter, falsify, etc., any records, documents, or tangible objects that are involved in or could be involved in a U.S. government investigation or prosecution of any matter or in a Chapter 11 bankruptcy filing.
– Create a system to halt all document destruction once the community foundation is aware that it is under investigation or may be subject to legal proceedings.
Having clear and consistent requirements surrounding record retention in a community foundation can ensure its compliance. Not only are these guidelines required by legal jurisdiction, but they also promote transparency and efficiency within the community foundation.
Written by Sarah Wine, CPA. Sarah is an Audit and Assurance shareholder at Clark Nuber P.S. She specializes in serving foundations and not-for-profit organizations and has 19 years of experience in the industry.
Clark Nuber PS is an award-winning CPA firm located in the Seattle area. Recognized as a Top 100 Firm by both Inside Public Accounting and Accounting Today, our 300+ professionals provide audit, accounting, tax, and consulting services to private companies, family businesses, not-for-profit organizations and the public sector, foundations, and high net worth individuals. In addition to the Pacific Northwest, Clark Nuber serves clients throughout the United States and around the world.
This article is sponsored content provided by the above mentioned organization. The views and opinions expressed are those of the author and do not necessarily reflect those of TAG. To learn more about our approach to sponsored content and partnership opportunities, please contact us.