I was pleased to see that both Janie and Richard mention information security. Richard is on target with the exposure schools have to copyright laws in particular with the volume of students and faculty accessing various software and publications. The zero tolerance environment he mentioned is key to sending the message of compliance. As for records, I agree with Janie on the need to shred. As an auditor, I like to do a simple test - look for the shredder(s). Are they accessible? I have seen some schools actually have a personal size shredder in offices which print a lot of record information - it's just as convenient to toss something in the shredder than the trash. If you cannot find a shredder or it's in a remote location (different floor, etc.), it's a good idea to dig deeper to see if they have a process in place to batch records for daily shredding.