FAR 4.703(d), which was effective February 27, 1995, and Public Law 103-355 allow contractors to retain records in any medium or any combination of media if the following requirements are met:
- The requirements of FAR Subpart 4.7 are satisfied.
- The process used to create and store records must reproduce the original document, including signatures and other written or graphic images, completely, accurately, and clearly.
- The procedures for data transfer, storage, and retrieval protect the original data from alteration.
- A reliable computer medium (typically, this includes vendor supported benchmark data). You don't want to copy your data to cheap CDs that last just a few years.
- Documented procedures for data retention and transfer which provide reasonable assurance that the integrity, reliability, and security of the original hard copy data will be maintained.
- An audit trail describing the data transfer.
- A computer medium which cannot be destroyed, discarded, or written over. The contractor will need to consider appropriate transition, after exception reporting, to non-eraseable storage.
- A transfer process that includes all relevant notes, worksheets, and other papers necessary for reconstructing or understanding the records (this also includes appropriate back-up procedures).
- Adequate internal control systems, including segregation of duties, particularly between those responsible for maintaining the general ledger (and related subledgers) and those responsible for the transfer process.
- A procedure prohibiting record destruction during the implementation phase until it can be shown that the system is actually providing acceptable copies of the records being transferred.
- An acceptable system of continuing surveillance over the computer medium transfer system. This includes comparisons of the original records and the computer generated copies, as well as periodic internal control audits. The policies and procedures should provide for the maintenance of adequate evidence to support the nature and extent of the continuing surveillance.
- A requirement to maintain all original records for a minimum of one year after the date of transfer.
- Adequate procedures for periodic internal and external audit.
- Adequate procedures for labeling and storing the computer medium in a secured environment. The storage procedures should meet the minimum standards prescribed by the National Archives and Records Administration for maintenance and storage of electronic records.
- Adequate procedures for the random sampling and testing of all records retained in accordance with the requirements of the National Archives and Records Administration. Procedures should include provisions for notifying the contracting officer of any significant data losses on a timely basis.
- Procedures for retrieving retained records at the time of audit. Procedures should include provisions for printing a hard copy of any record. In addition, policies should include provisions for access by Government representatives, at the time of examination, to the necessary computer resources (terminal access, printer, etc.) that are necessary for the production of the retained records.
- Procedures for preventing the destruction of any hard copy records that are required to be maintained by existing laws or regulations.
Although the foregoing requirements sound onerous, many vendor's offerings are already compliant. The price entry point for the major players in this industry (e.g. Iron Mountain) seems to be somewhat high for many smaller Government contractors but there are less costly alternatives. We haven't had enough experience with such offerings to make any recommendations. If your company is spending too much time to track down and retrieve hard copy records and spending too much money to maintain and store those documents, you might be able to build a business case to switch over to electronic media.