Microsoft 365 gives you superb document storage and almost none of the governance. SharePoint, OneDrive and Teams handle files, versions and sharing brilliantly, but the controls that turn a pile of files into a defensible system of record — enforced approvals, records and retention, a tamper-evident audit trail, capture and findability — are left for you to assemble. This checklist walks the seven governance controls that matter, and for each one gives you the plain test for whether it is actually in place. Score yourself: every “no” is a gap an auditor, a client or a lost contract will eventually find.
1. One authoritative version
The single most important control: at any moment, one version of a document is the truth, its history is intact, and anyone can restore a prior version in a click. SharePoint gives you version history out of the box, so the failure is rarely technical — it is discipline. **The test:** can two people each believe they hold the “final” copy? If “final_v2_USE-THIS.docx” exists anywhere, you do not have version truth, you have hope. Major/minor versioning with required check-in and a clear current-version indicator is the fix.
2. Approval workflows that leave a record
Documents move: drafted, reviewed, approved, published, retired. Governance means that path is enforced and recorded, not improvised in email and chat. **The test:** for your last approved policy or contract, can you show who approved it, in what order, and when — without digging through inboxes? If approvals live in “looks good 👍” messages, they are not a record. You want configurable sequential or parallel approvals with e-signature where it counts, and the sign-off stored with the document.
3. Records declaration and retention
Some documents must be kept for a defined period and then defensibly disposed of; others must never be deleted early. Microsoft Purview can enforce retention, but it has to be configured and mapped to your document types. **The test:** does anything in your tenant expire and get retired on a schedule automatically — or do obsolete contracts, policies and SOPs simply accumulate forever? “We keep everything” is not a retention policy; it is a liability that grows every quarter.
4. A tamper-evident audit trail
When someone asks “who did what to this document, and when?”, you need an answer you can stand behind — create, edit, approve, move, delete — with actor and timestamp, that a user cannot quietly alter. **The test:** could a determined insider edit or delete a document and cover their tracks? If the answer is “probably,” your audit story fails the moment it matters. This is the control that separates passing an audit from dreading one.
5. Capture and OCR so paper is findable
Scanned contracts, signed forms and inbound PDFs are just pictures to the search index until their text is recognised. **The test:** search for a phrase you know is inside a scanned document from last year — does it come back? If scanned files are findable only by filename, half your archive is effectively invisible. Capture with OCR turns a digital junk drawer into a searchable record.
6. Metadata, naming and findability
Governance is only useful if people can find the governed document. Consistent content types, a small set of enforced metadata fields (document type, owner, status, client), and a naming convention people actually follow make retrieval reliable. **The test:** can a new team member find the current approved version of a key document in under a minute, without asking anyone? If finding things depends on tribal knowledge, the system will decay the day your best-organised person leaves.
7. Access, identity and security
Every control above assumes the right people — and only the right people — can act. Role-based access tied to your existing Microsoft 365 identity (Entra ID), least-privilege by default, and no second set of logins to manage. **The test:** if someone changes roles or leaves, does their document access change automatically with their M365 account, or is it a manual clean-up that never quite happens? Governance layered on the identity you already run is governance that stays correct.
Scoring yourself
Count your “no” answers. Zero or one: you have a genuinely governed system of record — rare, and worth protecting. Two to four: you have good storage with governance gaps that will surface under audit, litigation or a demanding client. Five or more: you have a shared drive wearing a Microsoft 365 badge, and the drift back into duplicate-folder chaos has already begun. None of this requires leaving Microsoft 365 — every control here is something SharePoint can support and simply does not hand you finished.
Closing the gaps without a second silo
The wrong response to a low score is to buy a separate document management system and migrate everything into a new home — a second login, months of change management, and files dragged out of the tools people already use. The better response is to add the governance layer on top of the Microsoft 365 you already run. That is exactly what Atronova DMS does: version control, approval workflows, records and retention, and a tamper-evident audit trail applied to SharePoint, behind Microsoft 365 sign-on, with no migration. If you scored yourself two or more, book a walkthrough and we will run the checklist against your own documents.