A Roadmap for Records Retention
For firms looking to improve document management, these principles serve as a guide
to creating and implementing an effective records retention policy.
By Annie Mueller | Fall 2020
Records retention may not be the most glamorous area of
professional service firm management, but what it lacks in glamour
it makes up for in importance. The cost of poor documentation,
missing records, or regulatory write-ups can be massive. A single
missing contract, spreadsheet, or email can turn into a messy
mistake. In fact, poor document management was identified as one
of America’s most broken business processes in
a 2018 study by
Nintex where 49 percent of respondents identified locating
documents as a key problem in their organizations.
Since records management is integral to successful firm
management, it pays to do it well. Consistent and secure records
retention is essential not only for a firm’s well-being, but also for the
well-being of its clients.
The Risks of Retention Deficiencies
For their own sake, firms must be able to prove exactly what
services were provided and actions were taken. For their clients,
firms may be a source of documentation to help solve business,
legal, or tax disputes. Clients should be advised that records are
retained on a schedule, preferably in the annual engagement letter,
and that they are responsible for keeping their own records
independently and securely.
Of course, some records have no expiration date. “Typically,
estate planning documentation, like wills, trusts, gift tax returns,
partnership agreements, and life insurance policies, are deemed
to be vital records and should be retained permanently,” cautions
James A.J. Revels, a Philadelphia-based CPA and member of the
American Institute of CPAs Personal Financial Planning Executive
Committee. “If a firm is going to destroy estate planning documents,
they should return the files to the client, or at the very least inform
the client of the scheduled destruction date and provide them the
option to object.”
However, sound records retention does not mean serving as
document storage for clients. There is no point—and a lot of risk—
in retaining records unnecessarily. After all, document storage,
whether paper or electronic, comes at a cost, and organizing and accessing documents becomes more complex and challenging as
the number of documents increases. And, as Revels says, “The
potential for professional liability can be a danger in maintaining
records too long.”
One possible risk of holding certain documents indefinitely, or just
too long, is creating a bigger honeypot for potential hackers, notes
Brian Daly, CPA, a sole practitioner with Bottom Line Solutions Ltd.
and a member of the Illinois CPA Society’s Taxation Practice &
Procedures Committee. “If the firm realizes a cybersecurity breach,
additional data could be available to criminals which exposes the
firm to potential liability. The rule of thumb here is to keep records
as long as necessary but not any longer,” Daly says.
Thorough records management, then, is not just about keeping
records. A sound records retention system has three key
components—schedule, policies, and storage—and once these
components are in place, consistent implementation.
A Clearly Communicated Schedule
For the records retention schedule, every document is sorted
according to class, and each class has its own timeline for retention.
Some classes are retained indefinitely. Others, such as 1099 forms
or payroll tax returns, have minimum standards for retention. “The
firm should determine the type of services that were provided that
relied on general financial documentation. This will assist in
determining the length of time this type of documentation should
be maintained. Typically, this documentation is kept for six years,”
Revels says. Firms which focus on a few specialty services will
quickly become familiar with the classes of records they handle
most of the time. Firms with a wider variety of services and clients
may need a broader range of classes.
For records which do not clearly fall into a primary records class,
research is the only route. “Typically, records that are not deemed
to be vital should be maintained for 10 years. However, various
states have different laws and regulations so legal counsel may
prove helpful,” Revels notes. “Consulting with an attorney to
consider the state guidelines related to the statute of limitations is
very important in creating a records retention plan.” For firms with
clients in multiple states, this can become increasingly complex—
further reason to speak to an attorney.
There is no cookie-cutter data destruction schedule. “Each firm may
have a different need depending on its client makeup, the services
it provides to its clients, and state requirements. The firm should
contact its professional liability insurance provider and an attorney
familiar with these issues for input on the design of the records
retention policy,” Daly explains. “A schedule could have different
dates or a keep-it-simple approach choosing the longest required
date across the board for ease of management. The point is to have
a schedule and adhere to it.”
Consistent and Straightforward Policies
Firm-wide policies for how documents are named, stored,
organized, and accessed keep the system functional. Policies
should be crystal clear and consistently applied. Even smaller firms
benefit from documented policies: the fewer hours spent deciding
on or explaining how to keep records, the more hours spent on
helping clients.
A formal naming convention for all records maintains document
organization and ensures that all firm members, present and future,
will be able to locate needed records. Firms should also ensure
that the final version of the document is retained and timestamped.
Timestamp any other document versions retained to maintain a
clear timeline of how the record evolved.
These days, many firms rely on paperless records retention
exclusively, but some firms retain paper and digital versions of key
documents. Designate whether electronic or paper versions of
records are to be maintained. For records with an expiration date,
detail each step, including client notification, server erasure,
shredding, and use of outsourced document services. Daly notes
that a certificate of destruction should be obtained if a third party is
used for this service.
Safe and Secure Storage
Since paperless document storage is now standard business
practice, the sheer physical space required to maintain records is
no longer the issue it used to be. However, digital documents still
require server space and come with their own set of security
considerations. Fortunately, there are numerous digital document
services which provide servers and security with cloud-based
access for firms. Firms with in-house IT personnel may prefer to
create their own digital storage system: it’s more customizable and
may be more budget-friendly over time. For smaller firms without
an IT expert on hand, an all-in-one digital document management
service may be best.
“When considering service providers, make sure they maintain
policies and procedures that comply with industry regulations. Data
should be encrypted, and consideration should be given to who is
granted permission to access documents—and more importantly,
who has actually accessed the documents,” Daly says.
It’s wise to give special consideration to how firm members deal
with email. “Some firms have been injured in the defense of
professional liability claims and may maintain a separate retention
policy for emails,” Revels says. “Electronic documents should be
stored in client files and not just kept as an attachment to an email.
Likewise, emails that provide vital information should be saved in
the client’s engagement file.”
Effective Implementation
Once the organization has created a schedule and policies, set up
a storage system, and consulted with an attorney, the final step is
firm-wide implementation. Inform employees of the schedule and
policies. It’s a good idea to create “cheat sheets” that serve as
guides and easy reference points.
It’s also important to appoint accountable staff members to oversee
implementation and education in various areas of the firm. These
people will also act as knowledge hubs to help answer any
complex questions employees may have about records retention
going forward. These in-house experts should schedule regular
meetings to identify and solve issues, maintain consistency, and
update the records retention system as needed over time.
Records retention may not be particularly exciting, but it is
foundational to every firm. Ensuring your firm’s system is secure,
effective, and up-to-date is key to remaining a trusted and relevant
resource to your clients.
If you need a cheat sheet, check out the one compiled by the
Illinois CPA Society’s Tax Practice & Procedures Committee at
www.icpas.org/recordsretention.