Keep or toss? A guide to CPA firm record retention
Practitioners often find themselves with years, even decades, of records, and ask themselves, “Do I really need all of this?” If your file cabinet is ready for some overdue spring cleaning, consider the role of record retention before you purge.
“If it’s not documented, it didn’t happen.” This phrase is often cited by peer reviewers and others to convey the importance of documenting procedures performed or judgment applied to support a CPA firm’s deliverable. Appropriate record retention can help:
CPAs, commonly known for being risk averse, may not want to dispose of their records. But at what point does retaining records to err on the side of caution turn into records hoarding? When determining which records should be kept or purged, consider retaining items that document or support the firm’s:
The final version of documentation should be retained, rather than any superseded drafts.
One of the most dreaded, but satisfying, parts of spring cleaning is discarding long-neglected household items. Unfortunately, determining an appropriate retention period is not as straightforward as checking the expiration date of food items to clear out a refrigerator. How long records should be retained depends on a variety of factors including, but not limited to:
Given the factors described above, a CPA firm may identify different retention periods for different clients and/or services. As a practical matter, it is recommended that CPA firms select the longest retention period and apply it consistently to all records to reduce the administrative complexities associated with maintaining records.
Whether a record is paper-based or electronic, the firm’s record-retention policy should be applied consistently. Electronic documents evidencing work performed should be saved in both client and engagement files rather than as attachments to emails. All relevant client service information should be maintained in the engagement workpapers and other official firm files or storage media.
Additional care should be applied to emails. If necessary to demonstrate procedures performed or conclusions reached, email correspondence with clients or peers should be retained as part of the client engagement files, not in a team member’s email folder or on an email server.
Many a professional liability claim defense has been thwarted by an email in which the tone was taken out of context. As such, firms may exercise additional judgment by applying a separate retention period for emails to help guard against this risk. Consult the article “Professional Liability Spotlight: How Social and Digital Media Can Be a #majorrisk,” JofA, March 2016, which discusses the risks that CPAs may encounter with electronic communication and how using it appropriately can help to avoid potential liability exposure.
Disposing of records is not as simple as separating recyclables from other types of refuse. Just because the retention period has passed, it does not mean that the practitioner’s duty to protect the confidentiality of client data has also expired. Proper disposal of records is key.
When it comes to destruction and sanitization of paper and electronic records and media, consult best practices defined in reputable sources such as the National Institute of Standards and Technology’s Special Publication 800-88, Guidelines for Media Sanitization, or ISO 27001 A.8.3.2, Disposal of Media.
Many third-party service providers specialize in the collection and destruction of records based on regulatory or technological standards. However, using a vendor does not eliminate the practitioner’s responsibility to maintain the confidentiality of client data. If an outside vendor is used, due diligence must be performed on the vendor’s processes for keeping the data confidential. Consult the article “Professional Liability Spotlight: Due Diligence With CPA Firm Subcontractors,” JofA, June 2015, which discusses a firm’s legal and professional responsibilities related to third parties.
It is understandable that a CPA may accumulate client information during the course of providing services. While practitioners are expected to and should retain copies of this information for their own purposes and requirements, clients have the primary responsibility to maintain their own records. To avoid becoming your client’s filing cabinet, remind clients of their obligation to keep their own records, and let them know that the firm’s workpapers are not a substitute for the client’s records.
Jamie Yoo, CISA, is a risk control consultant at CNA. For more information about this article, contact specialtyriskcontrol@cna.com.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situation.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.