Appendix C -
Record Retention Guidelines for E-billing
Appendix C
details FDIC requirements concerning record retention for E-billing
by Outside Counsel.
The FDIC Legal Division has established E-billing guidelines for
FDIC Outside Counsel, consistent with the FDIC Office of Inspector
General’s audit requirements and the capabilities of commercially
available time, billing and accounting software systems increasingly
utilized by law firms.
Audits of Outside Counsel have been an integral part of the Legal
Division’s internal control and risk management program. Beginning
in 1999, the Legal Division recognized the need for a program of
independent post-payment fee bill reviews to be conducted by an
organization within the Legal Division. To that end, the Risk
Management Group (RMG) was tasked with implementing the Legal
Division’s Post-Payment Review (PPR) Program to enhance the Legal
Division’s internal controls over payments made to Outside Counsel
and legal support services providers. The Legal Division also
determined that the RMG could effectively fulfill this Outside
Counsel audit function by examining e-invoices and corresponding
back-up documentation retained by Outside Counsel to ensure
compliance with the Legal Division’s policies and procedures.
To
facilitate such audit activities,
you are required to:
-
Retain all
E-invoice files, original underlying support documentation for
expenses, subcontractor invoices, original or electronic time
sheets, and time and expense adjustment records, for at least
three years after final payment under the legal referral.
-
Retain signed
copies of all budget and amended budget forms, as well as signed
copies of the Legal Services Agreement (LSA) and Amendments to the
LSA. Refer to Chapter 1 and
Chapter 7.
The Legal Division has also concluded that time billing and
accounting software available to the legal profession is able to
provide basic internal control features that are consistent with
generally accepted auditing standards. Controls deemed to be
critical include the following:
(1) unique identifiers (user identification) and/or passwords for
each user of the system;
(2) an access profile for controlling user access to each
application;
(3) identification of the individual who entered, changed or deleted
data;
(4) an audit trail that identifies dates of entry, change, or
deletion;
(5) information that shows the extent of the change or the reason
for the deletion; and
(6) provisions for a user identification code or other certification
when an E-invoice file is uploaded to the E-billing service
provider. These critical
internal controls are present in varying degrees in available
software packages and formats, but particular weaknesses may exist
regarding items (3) and (4) above.
To
address these weaknesses and weaknesses created where otherwise
adequate internal controls provided in the software are modified or
not implemented,
Outside
Counsel may need
to consider appropriate upgrading, supplementation or modification
of the software or maintenance of alternative manual documentation
as backup, in order to minimize or avoid significant questioned fees
and expenses. The
Legal Division reserves the right, should there be substantial
questioned costs raised on audit based on deficiencies identified in
a firm’s electronic timekeeping
system, to impose additional
documentation requirements to correct these deficiencies. These may
include, without limitation, requirements to add specific internal
controls through upgrades, supplemental programs, program
modifications, or maintenance of alternative manual documentation as
backup.
These guidelines are effective for legal fees and expenses incurred
on or after August 10, 2009, and are incorporated in the E-billing
Deskbook.