By now most CPA firms fully understand how moving their core business functions to the cloud can streamline operations, yet many are still slow to make that move.
Besides the cost of storage, new applications, and training time, concern over client data security and document retention is top of mind. Everything from a stolen laptop left in the back of the car during happy hour to a thumb drive mailed to the wrong address can pose a potential data breach for CPA firms in the digital age, and it is very likely that every firm will face one of these breaches at some point — as high as 70 to 80 percent according to Bill Thompson, CPA, RPLU, President of risk management and professional liability insurance firm CPA Mutual.
“In the event of a breach, liability for data loss is likely to fall much more heavily on the professional than the software vendor, because the CPA is viewed as ultimately responsible for protecting client data,” Thompson says. “But secure operations and record retention in the cloud can be reasonably accomplished with some tried and true principles, operating practices, and employee awareness.”
Most clients assume that CPA firms securely retain their documents and data forever — unless they are told otherwise. Although document retention is easier to manage electronically than in rows of filing cabinets, it is still subject to the same legal principles related to disclosure, retention, and consistency. These principles help firms manage risk by keeping their clients and employees informed about how long to keep information and in what format.
As firms migrate core functions to the cloud or to other electronic systems, they will need to regularly review and update their document retention policies and practices, and promptly advise clients about any changes. They also need to understand and enforce the information protection and retention practices of the cloud provider, as well as maintain ownership and control of firm data residing in the cloud.
Keep these three principles in mind as you adopt new ways of managing and retaining client data:
Current or new record-keeping protocols should be disclosed to clients in engagement letters, tax organizers, firm booklets, or other communications sent to clients. This explains and documents the protocols, and sets clients' expectations of how long records are maintained, avoiding unrealistic assumptions that records are retained for all eternity.
Upon a change to the document retention policy, another round of disclosures should be sent to the client with the changed record retention policy and a grace period to allow the client to pick up records that may be on the destruction list. Talk to your vendor or IT department about safely and permanently deleting or destroying client data when it's no longer relevant.
Records should only be kept as long as they are relevant. The recommended retention period for tax returns and return workpapers is the maximum six-year statute of limitations for federal tax assessment (IRC 6501(e)), plus the statute of limitations for malpractice suits in the state in which you reside or practice.
Many firms adopt a seven-year standard, which is a blend of the federal and state statutes of limitations. There are, however, some exceptions to this rule of thumb, such as returns that generate NOLs, passive losses, capital losses, or credits that may be carried forward for many years into the future before they are used.
While the year may be closed for assessment purposes, the tax authorities can still audit the closed years and adjust the carryforward as it impacts an open year. These returns may need to be kept for a longer period.
Like carryforwards, other tax records may also have a relevant lifespan beyond tax assessment statute of limitations. Tax audit records, property basis records, 338 election records, tax reorganization records, tax correspondence, revenue agents’ reports, and 1031 exchange records, to name a few, may be relevant for many years after the six-year federal statute of limitations has expired. These actually should be maintained permanently.
Financial statements generally have a shorter period of relevancy than tax returns and there are few hard and fast rules for these. The period should be dictated by the client’s situation, any applicable regulatory framework that the client is subject to, number of equity holders, etc. Records involving employee benefit plans, such as actuarial reports, allocation and compliance testing, brokerage statements, Forms 5500, and financial statements should be maintained permanently.
Accounting firms are notorious for retaining records that are irrelevant. Not only does this consume costly storage space, but, more importantly, if compelled to produce the records, the expense of collecting and sifting through irrelevant documents can be substantial. In some instances, irrelevant documents such as gratuitous emails can be damaging.
Firms should adopt policies or electronic means for removing documents that are not formally and necessarily part of a client file. When moving files to the cloud, it is a good time to sort through and discard irrelevant records properly.
One of the largest claims CPA Mutual experienced, a defensible claim at that, Thompson says, fell apart due to a gratuitous note left in the audit file relating to reviewing and “cleaning up” the workpapers.
“The file actually had a header on it entitled ‘items to be removed from workpapers.’ This was nothing more than the predecessor firm (our member) preparing the files so they could be handed over to the successor auditor,” Thompson says. “But because we were in the midst of a lawsuit for failure to detect a defalcation, this note gave the appearance the firm may have been aware of the issues but just failed to meet professional standards and now they were trying to cover it up. It quickly became a plaintiff exhibit and we were left with little option but to settle for policy limits.”
Record retention guidelines at a CPA firm must be followed consistently until they are formally changed. Records are kept based on a policy that has a rationale. Generally, the retention of tax records has three purposes:
- to provide backup and detail for the return in case of an audit or inquiry;
- to provide backup and detail in the event of a client malpractice claim related to the return advice; and
- to provide backup and detail for successive tax years that have a connection to the old return (typically carryforwards, credits, and the like).
When looking through these lenses at the differences between active and inactive clients, there doesn’t seem to be much reason to treat their historic returns differently. The only difference is that the retention period of active clients keeps pushing off into the future while the inactive client document retention eventually times out.
Although CPA firms can develop the best document retention policies and procedures in the industry, they don’t work unless employees are properly trained on them and their compliance monitored, Thompson emphasizes.
To ensure all employees fully understand and consistently follow these procedures, Thompson says firms should review the document retention policy with all employees — once, of course, during new-hire orientation, and then again at least once a year during team meetings along with other company policies.
Firm leaders can also reinforce document retention policies on an ongoing basis. During review of the final engagement work product, whether it’s a tax return or an attest engagement, the partner in charge of the engagement should review the workpapers included in the file, Thompson says. Most firms now use a paperless document management system, so there should be no workpapers in the file that are not required by professional standards or that do not help form the basis of any opinion issued. No extemporaneous comments or references to concerns noted but not followed up on during the engagement should appear anywhere in the files.
“Employees need to understand and consistently follow security, retention and disclosure protocols to keep relevant client data safe for as long as the law or sound business reasons dictate. Review your retention policies annually as part of a healthy risk management practice,” Thompson says.