FWIW:
This consultant cited by OP is simply guilty of "Mission Creep" by substituting his own interpretation (more onerous than most) for the loosey goosey one accepted in most venues.
Obviously, there are some strictures which "might" be imposed on records by
- government statute (FDA for example)
- customers (you still have a choice whether to alter YOUR system or to simply reject such customer)
- normal prudence (are you dealing with situations where documents are handled frequently and graphite from pencil might rub off where ink soaks into the fibers of the paper and has more permanence?)
- fear (will some saboteur or other malcontent alter documents for nefarious purposes?)
The reality is that ANY document, regardless of materials used in the original, can probably be forged or altered in some way to make detection between genuine and bogus impossible except by extreme forensic measures. The question then becomes whether the document merits extreme protective measures to make it economically unfeasible for "baddies" to attempt alteration or forgery.
There was an
article in our local news (Chicago area) this week about the rash of excellent forgeries of state-issued IDs. My understanding is these are available for around $100.00 (USD)
Apart from teenagers seeking IDs to drink alcohol, how about terrorists flying on planes with phony ID? How about identity theft of the schmuck who gives up his personal data to get an ID to match his other documents? How about drunk drivers with suspended licenses who get new licenses to flash if stopped by a cop?
With all the things facing individuals and organizations today, minor issues
(especially such a picayune item as pencil versus ink) probably shouldn't be in the curriculum of even an average consultant without making it clear that good judgment and common sense should prevail and that an organization which adopts security measures intended for super sensitive documents (patents, contracts, top secret plans, etc.) for EVERY document, no matter how trivial, is setting itself up for a big cost drain with no resultant value derived.
In my thinking, even an OFI by an auditor would be overkill without clear indications that alteration or loss of legibility would be more than extremely remote possibilities and rarely can folks cite a situation where such alteration or loss of legibility would be a probability without the organization also adopting other security measures (lock and key?) for sensitive documents.