Record Retention

By Kenneth M. Parker, CPA

Co-Editors: Steven F. Holub, CPA; Jane T. Rubin, CPA

My firm recently learned a painful lesson in the value of record retention. We suffered a major data loss in September 2008 when Hurricane Gustav sent a power surge through the office at the same time that our system was being backed up. Not only did we lose our hard drive; we also lost the backup tape. The previous backup tape was 30 days old, so we lost 30 days of work and data storage. The system was not designed to handle a loss of the backup data storage device at the same time that the hard drives were lost. Our liability insurance allowed for the time to recreate lost and damaged data, but it did not allow for the nightmare of figuring out what data were lost.

The Basics of a Record Retention Policy

Every firm should have a record retention policy and should have its legal counsel review this policy to make sure that all legal areas are covered. The policy should spell out what records should be kept and for how long.

Data sources to consider protecting include voicemail messages, faxes, e-mails, instant messages, document images, electronic working papers, and paper documents. If a firm does not have a policy that is comprehensive enough to cover all these areas, it is time to update its record retention policy.

Within this policy, firms should address statutes of limitation, discovery rules, contract requirements, registration and filing requirements, state board of accountancy rules, and other applicable rules and regulations. Once the firm establishes a record retention policy, everyone in the firm should include it in engagement letters and in client communications that pertain to the specific services being rendered. Several large firms have published brochures describing their record retention policies, defining the holding period for each type of record, and include the brochure with their engagement letters and other correspondence sent to clients.

Document Imaging and Storage Systems

Electronic document imaging and storage is the newest method of data storage, replacing paper file cabinets and large storage areas. There are currently hundreds of types of software that a firm can use to scan, organize, and store records. The software will automatically convert tax returns, depreciation schedules, bookkeeping data, workpapers, and other documents to PDF format and save them in a virtual filing cabinet.

Some software programs allow clients restricted access to data files that reside in the virtual file cabinet so that they can obtain copies of their own tax returns, W-2s, and other supporting documents. This can be a real time saver when duplicate copies of items are needed. Another nice feature to have is the ability to e-mail documents, in encrypted format, directly to the client, who can then forward them to the intended party.

Any firm planning to implement a new data storage system will need to investigate cost, design, ease of use, vendor background and experience, and security. The firm should contact other CPA firms that the software vendor lists as references.

The most important part of this type of data storage is a secure environment that allows for offsite storage. Offsite storage is critical; if there is a problem at the office, the offsite facility must be able to restore the data immediately. The cost of this service is based on the amount of data being stored. Two items to consider when deciding on this method of backup are the cost and the ease of retrieving data from the offsite storage.

However, the use of such a paperless system makes having a record retention policy all the more important. The following suggestions cover how to handle specific types of electronic records.

E-mail has become the favored mode of communication in most offices. Like all other computer data, e-mails are subject to discovery in a lawsuit, so each firm should maintain its own policies about how and when to use e-mail from the office. The firm's record retention policy should provide guidelines on when e-mails should be deleted or retained, depending on their nature. Software is now available that will "shred" e-mails and make the data unusable. If used, such software should be set up so that it agrees with the office's general document retention policies.

All e-mails should have a disclaimer attached. For example:

In sending this e-mail, CPA Firm assumes no duty to perform professional services. No professional services will be undertaken prior to issuance of a written communication from our office confirming the scope of services to be rendered and the terms and conditions applicable to the engagement. In addition, while CPA Firm and its employees routinely communicate with others via e-mail, this communication does not constitute a professional service to any parties other than addressees of this message that have previously received a written communication from our office confirming our agreement to perform such services.
E-mail communications are subject to the Circular 230 rules, and many firms are also adding the standard Circular 230 disclaimer to all outgoing e-mail messages.
Normal office practice is to delete voicemail or answering machine messages immediately after the recipient has listened to them and to verify the information from these messages with followup phone conversations or written communications to clients.

Telephone conversations are generally not recorded or saved on computer. Federal laws allow for phone conversations to be recorded as long as one party has given consent, but state laws vary, so a firm's legal counsel should be consulted before recording and saving phone conversations.

Fax communication is rapidly becoming obsolete, although it is still used in many firms. In many cases, the fax machine has been replaced by software that allows the user to read and save the fax, along with the date, time, and other information, on the computer.

It is always a good idea to have a disclaimer at the bottom of the fax cover sheet, similar to the e-mail disclaimer, explaining that it is not to be considered a professional service or to be used by any party other than the intended recipient.

Most fax machines maintain records of what documents were sent and by whom, when, and where the documents were sent. These records should be purged on a routine basis. Most fax machines have setup options that allow users to change settings so data are not stored if the sender prefers that option.

Instant Messages
The newest form of electronic communication is the instant message, but it is not a secure form of communication. Instant messages leave a trail on the computers that route the information, so they should not be used to send confidential information.

Selection of Retention Periods

Probably the most important item a firm should address in its record retention policy is how long records need to be maintained. This decision depends on the types of documents, the services offered by the firm, and any laws or regulations that define the holding period. Since some rules differ from state to state, CPAs should consult with their legal counsel on these items.

The exhibit lists some recommended retention periods for various document types. A more comprehensive list is located at This is a good source to consult for questions about a particular type of document and the length of time it should be maintained.

Exhibit: Recommended record holding periods

Three Years
Auto mileage books
Bank deposit slips
Bank reconciliations
Cancelled checks
Charitable acknowledgments
Deposit slips
Entertainment records
Expense reports
Expired insurance policies
Interim financial statements
Petty cash vouchers
Sales invoices
Vendor invoices
Depreciation schedules (keep up to 3 years after
  the life of asset has expired)
Employee personnel records (keep up to 3 years after termination)

Six Years
Bank loans (after payoff)
Bank statements
Contracts (after expiration)
Employee payroll records
Insurance records
Leases (after expiration)
Mortgage and notes receivable (after payoff)
Seven Years
Accounts payable ledgers
Accounts receivable ledgers
Canceled checks (except as shown in permanent records below)
Employee time records
Inventory records (except LIFO)
Note receivable ledgers
Payroll tax records and reports
Subsidiary ledgers

Permanent Records
Annual audited financial statements
Canceled checks (for tax payments, fixed asset purchases, etc.)
Chart of accounts
Company minutes
Corporate stock records
General ledgers and journals
IRS audit reports
IRS elections
Legal correspondence
LIFO inventory records
Property appraisals
Real estate purchase and sell records
Retirement plan reports
Tax returns
Trademark registrations
Workpapers for tax returns

One consideration in determining how long to retain records is the statute of limitation, which governs the amount of time within which a plaintiff may bring a lawsuit against a CPA. This period is governed by state law and may vary depending on the type of action, such as malpractice or breach of contract. Normally the statute of limitation starts on the date that the client first had knowledge or should have known of the act, error, or omission that gave rise to the action. It is important to note that this is often not the date on which the CPA rendered the service.

Contracts that the CPA enters may define how long data are to be stored and maintained on behalf of the client. In some cases, a government unit or agency actually spells out the period of time that the CPA is required to maintain records and engagement workpapers. Securities and Exchange Commission rules require a CPA to retain relevant workpapers and other documents for seven years. Practitioners performing this type of work should make sure that these requirements are noted in the firm's record retention policy.

State boards of accountancy can also define the length of time that CPA firms are to maintain the supporting records—normally a minimum of seven years.

Client Retention of Records

Finally, do not rely on the client to keep source documents used in performing services. A firm will likely have little or no control over a client's record retention policies, and in some situations a client may not be willing to provide a needed document. The firm should maintain copies of documents that are necessary to support any conclusions reached in an engagement.


Each firm should consult with legal counsel to develop a retention policy based on its particular situation and requirements. The firm's insurance carrier will likely also have guidelines for record retention and storage based on its clients' claims experience. In addition, firms should uniformly and consistently follow the policy and monitor its ongoing application as part of an overall quality control program. A good source for more information on record retention practices is the AICPA Insurance Program's guide, Retaining Engagement Records and Responding to Requests for Records, available to AICPA insurance policyholders at the AICPA Insurance Program website, TTA



Steven Holub is a partner in Cherry Bekaert & Holland, LLP, in Tampa, FL, and is former chair of the AICPA Tax Division's Tax Practice Management Committee. Jane Rubin runs Educational Strategies Co. in St. Louis, MO, and is chair of the AICPA Tax Division's Tax Practice Improvement Committee. Kenneth Parker is with Parker & Associates CPAs, PLLC, in Jackson, MS, and is a member of the Tax Practice Improvement Committee. For information about this column, contact Mr. Parker at

Tax Insider Articles


Business meal deductions after the TCJA

This article discusses the history of the deduction of business meal expenses and the new rules under the TCJA and the regulations and provides a framework for documenting and substantiating the deduction.


Quirks spurred by COVID-19 tax relief

This article discusses some procedural and administrative quirks that have emerged with the new tax legislative, regulatory, and procedural guidance related to COVID-19.