How do auditors check whether an agency is actually capturing email records under the Capstone approach?
The Capstone approach lets an agency manage email by the role of the account holder rather than by classifying each message. Email from senior officials in designated “Capstone” accounts is captured and preserved as permanent records, while other accounts follow shorter, time-based dispositions. Because the method relies on accounts being correctly identified and reliably captured, auditors focus less on individual emails and more on whether the system as a whole works as designed.
What Auditors Look For
Auditors generally test the program against its own documented policy and the disposition authority the agency obtained. Common areas of review include:
- Account inventory. Is there a current, complete list of which accounts are designated Capstone (permanent) versus non-Capstone, and does it match the agency’s actual senior roles and org chart?
- Coverage of officials. When someone joins, changes roles, or leaves, is their account status updated so records are not lost during transitions?
- Automated capture. Does the email system actually preserve messages from designated accounts, including attachments, sent items, and metadata, rather than relying on individuals to file their own mail?
- Scope. Are non-official messaging channels (texts, chat, personal accounts used for business) addressed by policy, since email rules alone do not cover them.
How They Test It
Verification typically combines document review with sampling. Auditors examine the policy, the approved retention schedule, and configuration settings, then pull samples to confirm that emails from selected officials and dates are genuinely retained and retrievable. They may check that messages flagged for deletion under shorter schedules are not being destroyed prematurely or held indefinitely without authority.
Auditors also review evidence of governance: training, periodic self-assessments, and how the agency responds to discovery, FOIA, or litigation holds. An inability to produce a senior official’s email on request is a strong signal that capture is failing in practice, regardless of what policy claims.
Why It Matters
Capstone shifts risk from message-level decisions to system-level reliability. If accounts are mislabeled or capture silently breaks, permanent records can be lost without anyone noticing. Strong audits therefore emphasize repeatable, documented controls over one-time spot checks.
For related guidance, see the email and messaging records topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- Records management (NARA) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). How do auditors check whether an agency is actually capturing email records under the Capstone approach?. Records Management University. https://www.recordsmgmt.org/questions/how-do-auditors-check-whether-an-agency-is-actually-capturing-email-records-under-the-capstone-approach/
MLA
RM University Editorial. "How do auditors check whether an agency is actually capturing email records under the Capstone approach?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-do-auditors-check-whether-an-agency-is-actually-capturing-email-records-under-the-capstone-approach/.
Related questions
- Are emails between teachers and parents considered education records under FERPA?
- Are emails in my Sent folder and Inbox both records, or just one copy?
- Are emails on my personal phone discoverable in a lawsuit?
- Are ephemeral or disappearing messages legal to use for work, or do they violate recordkeeping rules?
- Are text messages and chat business records?