Client confidentiality and data handling for CAM audit partners
A CAM audit job uses private client files. CAM means common area maintenance, the shared property costs a tenant helps pay. The files include leases, amendments, and rent ledgers. They include yearly reconciliations, meaning the landlord's year-end cost statements. They include landlord backup, findings reports, and dispute notes. Treat them like tax workpapers or financial statements. The work may be routine. The file is still private client data. Pair this with the partner E&O insurance and liability checklist before you scale.
Good data handling is more than a security habit. It is part of the promise you make. A tenant trusts your firm with their cost records. Good handling keeps a useful finding from turning into a client problem. Files get shared too widely, kept too long, or uploaded with no consent. Those are the failures to avoid.
This guide covers the basic controls to put around a CAMAudit job.
What belongs in the confidential engagement file
Treat the following as confidential unless the client has authorized disclosure:
- Executed lease and amendments.
- Annual CAM, tax, insurance, and operating-expense reconciliations.
- Landlord backup, invoices, general ledger exports, and occupancy schedules.
- Rent ledgers, payment history, and correspondence about disputed charges.
- CAMAudit findings reports and calculation support.
- Draft and final dispute letters.
- Internal partner notes about legal escalation, settlement posture, or client risk.
Do not assume a public record makes the file open. A recorded memorandum, SEC filing, or franchise disclosure may be public. But your client hired you for a CAM audit. Keep that fact and the findings private.
Client consent before upload
Before you send files through CAMAudit, tell the client three things.
Purpose. You upload the files so the tool can read the lease and reconciliation terms. It then flags possible CAM billing errors.
Scope. The review rests on the files you give it. Missing amendments, side letters, or backup can change the result. So can prior settlements.
Third-party processing. The tool processes the files as the technology that supports your work. The client should know the tool is in the loop before you upload private files.
For ongoing work, put this in the engagement letter or master services agreement. For one-off referrals, put it in the intake email. Get written client consent before you upload.
Minimization and redaction
Upload what the audit needs, not the entire client file. A CAM audit usually needs the lease, amendments affecting operating expenses, reconciliation statements, and relevant backup. It usually does not need unrelated payroll records, tax returns, bank statements, medical files, or employee data.
Where practical, redact unrelated sensitive information before upload. The goal is not to make the document unusable. The goal is to remove information that has no role in the CAM analysis.
Access controls inside the partner firm
Restrict access to the people delivering the engagement. A sensible access pattern is:
- Engagement owner: full access.
- Reviewer: full access to source documents and findings.
- Administrative support: limited access only when needed for scheduling or billing.
- Sales or marketing staff: no access to client-identifying findings unless the client has approved anonymized use.
If the firm also serves the landlord, property manager, or a related entity, the access control should be stricter. Use separate teams and document the restriction in the conflict memo.
Retention and deletion
Keep enough documentation to defend the work, then follow the retention schedule. The core record should include the signed engagement letter, uploaded source documents, generated findings report, final client deliverable, correction drafts, and resolution notes. Retain the file for the period required by the firm policy, insurer, client contract, and applicable professional rules.
When the retention period ends, delete or archive according to the firm's written procedure. Do not leave ad hoc copies in downloads folders, shared drives, email attachments, or personal cloud storage.
Source notes
- AICPA Code of Professional Conduct, ET Section 1.700, Confidential Information.
- AICPA and CIMA, Professional Responsibilities resource, including confidentiality and client-consent expectations.
- AICPA Code of Professional Conduct, ET Section 1.110, Conflicts of Interest, for engagements where confidential information from multiple clients may overlap.