Client confidentiality and data handling for CAM audit partners
CAM audit engagements involve sensitive client material: leases, amendments, rent ledgers, annual reconciliations, landlord backup, findings reports, and dispute communications. A partner firm should treat those materials the same way it treats tax workpapers, financial statements, or legal-support records. The analysis may be operational, but the file is still confidential client information. Pair this workflow with the partner E&O insurance and liability checklist before scaling delivery.
Good data handling is not just a security habit. It is part of the professional promise the partner makes when a tenant trusts the firm with occupancy-cost records. It also reduces the chance that a useful CAM finding becomes a client-service problem because documents were shared too widely, retained too long, or uploaded without consent.
This guide covers the minimum controls a partner should put around a CAMAudit-powered engagement.
What belongs in the confidential engagement file
Treat the following as confidential unless the client has authorized disclosure:
- Executed lease and amendments.
- Annual CAM, tax, insurance, and operating-expense reconciliations.
- Landlord backup, invoices, general ledger exports, and occupancy schedules.
- Rent ledgers, payment history, and correspondence about disputed charges.
- CAMAudit findings reports and calculation support.
- Draft and final dispute letters.
- Internal partner notes about legal escalation, settlement posture, or client risk.
Do not assume a public record exception solves confidentiality. A recorded memorandum, SEC filing, or franchise disclosure document may be public, but the fact that your client is asking for a CAM audit and the findings produced from that review should still be handled as client-confidential information.
Client consent before upload
Before uploading documents to CAMAudit, the partner engagement should disclose three things:
- Purpose. The documents are uploaded so CAMAudit can extract lease and reconciliation terms and identify potential CAM billing discrepancies.
- Scope. The analysis depends on the documents provided. Missing amendments, side letters, landlord backup, or prior settlements can affect the results.
- Third-party processing. CAMAudit processes the documents as the technology provider supporting the engagement. The client should know the platform is involved before the partner uploads confidential materials.
For recurring partner work, put this disclosure in the engagement letter or master services agreement. For one-off referrals, include it in the intake email and require written client authorization before upload.
Minimization and redaction
Upload what the audit needs, not the entire client file. A CAM audit usually needs the lease, amendments affecting operating expenses, reconciliation statements, and relevant backup. It usually does not need unrelated payroll records, tax returns, bank statements, medical files, or employee data.
Where practical, redact unrelated sensitive information before upload. The goal is not to make the document unusable. The goal is to remove information that has no role in the CAM analysis.
Access controls inside the partner firm
Restrict access to the people delivering the engagement. A sensible access pattern is:
- Engagement owner: full access.
- Reviewer: full access to source documents and findings.
- Administrative support: limited access only when needed for scheduling or billing.
- Sales or marketing staff: no access to client-identifying findings unless the client has approved anonymized use.
If the firm also serves the landlord, property manager, or a related entity, access controls should be stricter. Use separate teams and document the restriction in the conflict memo.
Retention and deletion
Keep enough documentation to defend the work, then follow the retention schedule. The core record should include the signed engagement letter, uploaded source documents, generated findings report, final client deliverable, dispute letter drafts, and resolution notes. Retain the file for the period required by firm policy, the insurer, the client contract, and applicable professional rules.
When the retention period ends, delete or archive according to the firm's written procedure. Do not leave ad hoc copies in downloads folders, shared drives, email attachments, or personal cloud storage.