An Accountant's Roadmap for Records Retention
For firms looking to improve document management, these principles serve as a guide to creating and implementing an effective records retention policy.
Records retention may not be the most glamorous area of professional service firm management, but what it lacks in glamour it makes up for in importance. The cost of poor documentation, missing records, or regulatory write-ups can be massive.
A single missing contract, spreadsheet, or email can turn into a messy mistake. In fact, poor document management was identified as one of America’s most broken business processes in a 2018 study by Nintex where 49 percent of respondents identified locating documents as a key problem in their organizations.
Since records management is integral to successful firm management, it pays to do it well. Consistent and secure records retention is essential not only for a firm’s well-being, but also for the well-being of its clients.
The Risks of Retention Deficiencies
For their own sake, firms must be able to prove exactly what services were provided and actions were taken. For their clients, firms may be a source of documentation to help solve business, legal, or tax disputes. Clients should be advised that records are retained on a schedule, preferably in the annual engagement letter, and that they are responsible for keeping their own records independently and securely.
Of course, some records have no expiration date. “Typically, estate planning documentation, like wills, trusts, gift tax returns, partnership agreements, and life insurance policies, are deemed to be vital records and should be retained permanently,” cautions James A.J. Revels, a Philadelphia-based CPA and member of the American Institute of CPAs Personal Financial Planning Executive Committee. “If a firm is going to destroy estate planning documents, they should return the files to the client, or at the very least, inform the client of the scheduled destruction date and provide them the option to object.”
However, sound records retention does not mean serving as document storage for clients. There is no point—and a lot of risk— in retaining records unnecessarily. After all, document storage, whether paper or electronic, comes at a cost, and organizing and accessing documents becomes more complex and challenging as the number of documents increases. And, as Revels says, “The potential for professional liability can be a danger in maintaining records too long.”
One possible risk of holding certain documents indefinitely, or just too long, is creating a bigger honeypot for potential hackers, notes Brian Daly, CPA, a sole practitioner with Bottom Line Solutions Ltd. and a member of the Illinois CPA Society’s Taxation Practice & Procedures Committee. “If the firm realizes a cybersecurity breach, additional data could be available to criminals which exposes the firm to potential liability. The rule of thumb here is to keep records as long as necessary but not any longer,” Daly says.
Thorough records management, then, is not just about keeping records. A sound records retention system has three key components—schedule, policies, and storage—and once these components are in place, consistent implementation.
A Clearly Communicated Schedule
For the records retention schedule, every document is sorted according to class, and each class has its own timeline for retention. Some classes are retained indefinitely.
Others, such as 1099 forms or payroll tax returns, have minimum standards for retention. “The firm should determine the type of services that were provided that relied on general financial documentation. This will assist in determining the length of time this type of documentation should be maintained. Typically, this documentation is kept for six years,” Revels says.
Firms which focus on a few specialty services will quickly become familiar with the classes of records they handle most of the time. Firms with a wider variety of services and clients may need a broader range of classes.
For records which do not clearly fall into a primary records class, research is the only route. “Typically, records that are not deemed to be vital should be maintained for 10 years. However, various states have different laws and regulations so legal counsel may prove helpful,” Revels notes. “Consulting with an attorney to consider the state guidelines related to the statute of limitations is very important in creating a records retention plan.” For firms with clients in multiple states, this can become increasingly complex— further reason to speak to an attorney.
There is no cookie-cutter data destruction schedule. “Each firm may have a different need depending on its client makeup, the services it provides to its clients, and state requirements. The firm should contact its professional liability insurance provider and an attorney familiar with these issues for input on the design of the records retention policy,” Daly explains. “A schedule could have different dates or a keep-it-simple approach choosing the longest required date across the board for ease of management. The point is to have a schedule and adhere to it.”
Consistent and Straightforward Policies
Firm-wide policies for how documents are named, stored, organized, and accessed keep the system functional. Policies should be crystal clear and consistently applied. Even smaller firms benefit from documented policies: the fewer hours spent deciding on or explaining how to keep records, the more hours spent on helping clients.
A formal naming convention for all records maintains document organization and ensures that all firm members, present and future, will be able to locate needed records. Firms should also ensure that the final version of the document is retained and timestamped. Timestamp any other document versions retained to maintain a clear timeline of how the record evolved.
These days, many firms rely on paperless records retention exclusively, but some firms retain paper and digital versions of key documents. Designate whether electronic or paper versions of records are to be maintained. For records with an expiration date, detail each step, including client notification, server erasure, shredding, and use of outsourced document services. Daly notes that a certificate of destruction should be obtained if a third party is used for this service.
Safe and Secure Storage
Since paperless document storage is now standard business practice, the sheer physical space required to maintain records is no longer the issue it used to be. However, digital documents still require server space and come with their own set of security considerations. Fortunately, there are numerous digital document services which provide servers and security with cloud-based access for firms.
Firms with in-house IT personnel may prefer to create their own digital storage system: it’s more customizable and may be more budget-friendly over time. For smaller firms without an IT expert on hand, an all-in-one digital document management service may be best.
“When considering service providers, make sure they maintain policies and procedures that comply with industry regulations. Data should be encrypted, and consideration should be given to who is granted permission to access documents—and more importantly, who has actually accessed the documents,” Daly says.
It’s wise to give special consideration to how firm members deal with email. “Some firms have been injured in the defense of professional liability claims and may maintain a separate retention policy for emails,” Revels says. “Electronic documents should be stored in client files and not just kept as an attachment to an email. Likewise, emails that provide vital information should be saved in the client’s engagement file.”
Once the organization has created a schedule and policies, set up a storage system, and consulted with an attorney, the final step is firm-wide implementation. Inform employees of the schedule and policies. It’s a good idea to create “cheat sheets” that serve as guides and easy reference points.
It’s also important to appoint accountable staff members to oversee implementation and education in various areas of the firm. These people will also act as knowledge hubs to help answer any complex questions employees may have about records retention going forward. These in-house experts should schedule regular meetings to identify and solve issues, maintain consistency and update the records retention system as needed over time.
Records retention may not be particularly exciting, but it is foundational to every firm. Ensuring your firm’s system is secure, effective and up-to-date is key to remaining a trusted and relevant resource to your clients.
The original article appreared in Insight, the magazine for the Illinois CPA Society.
Annie Mueller, an experienced financial writer and principle of Prolifica Co, specializes in producing content that helps financial professionals establish their expertise, future-proof their firms, and effectively market to the right clients. She has worked with...