
Firm Management

Record Retention ‘in the Cloud’ Doesn’t Have to Be Risky

CPA firms have been slow to move some core business functions to the cloud for a variety of reasons. Besides the cost of storage, new applications and training time, concern over client data security and document retention are top of mind.


“In the event of a breach, liability for data loss is likely to fall much more heavily on the professional than the software vendor, because the CPA is viewed as ultimately responsible for protecting client data,” says Bill Thompson, CPA, RPLU, risk management consultant with CPA Mutual. “But secure operations and record retention in the cloud can be reasonably accomplished with some tried and true principles, operating practices, and employee awareness.”

Most clients assume that CPA firms securely retain their documents and data forever — unless they are told otherwise. Although document retention is easier to manage electronically than in rows of filing cabinets, it is still subject to the same legal principles related to disclosure, retention, and consistency.* These principles help firms manage risk by keeping their clients and employees informed about how long to keep information and in what format.

As firms migrate core functions to the cloud or other electronic means, they will need to regularly review and update their document retention policies and practices, and promptly advise clients about any changes. They also need to understand and enforce the information protection and retention practices of the cloud provider, and to maintain ownership and control of firm data residing in the cloud.

Keep these three principles in mind as you adopt new ways of managing and retaining client data.


Current or new record-keeping protocols should be disclosed to clients in engagement letters, tax organizers, firm booklets or other communications sent to clients. This explains and documents the protocols, and sets the appropriate expectation by clients of how long records are maintained. It avoids unrealistic assumptions of retention for all eternity.

Upon a change to the document retention policy, another round of disclosures should be sent to the client with the changed record retention policy and a grace period to allow the client to pick up records that may be on the destruction list. Talk to your vendor or IT department about safely and permanently deleting or destroying client data when it’s no longer relevant.


Records should only be kept as long as they are relevant. The recommended retention period for tax returns and return workpapers is the maximum six-year statute of limitations for federal tax assessment (IRC 6501[e]), plus the statute of limitations for malpractice suits in the state in which you reside or practice. Many firms adopt a seven-year standard, which is a blend of the federal and state statutes of limitations.


There are, however, some exceptions to this rule of thumb, such as returns that generate NOLs, passive losses, capital losses or credits that may be carried forward for many years into the future before they are used. While the year may be closed for assessment purposes, the tax authorities can still audit the closed years and adjust the carryforward as it impacts an open year. These returns may need to be kept for a longer period.

Like carryforwards, other tax records may also have a relevant lifespan beyond the tax assessment statute of limitations. Tax audit records, property basis records, 338 election records, tax reorganization records, tax correspondence, revenue agents’ reports, and 1031 exchange records, to name a few, may be relevant for many years after the six-year federal statute of limitations has expired. These actually should be maintained permanently.

Financial statements generally have a shorter period of relevancy than tax returns and there are few hard and fast rules for these. The period should be dictated by the client’s situation, any applicable regulatory framework that the client is subject to, number of equity holders, etc. Records involving employee benefit plans, such as actuarial reports, allocation and compliance testing, brokerage statements, Forms 5500 and financial statements should be maintained permanently.

Accounting firms are notorious for retaining records that are irrelevant. Not only does this consume costly storage space, but, more importantly, if compelled to produce the records, the expense of collecting and sifting through irrelevant documents can be substantial. In some instances, irrelevant documents such as gratuitous emails can be damaging. Firms should adopt policies or electronic means for removing documents that are not formally and necessarily part of a client file. When moving files to the cloud, it is a good time to sort through and discard irrelevant records properly.


Record retention guidelines at a CPA firm must be followed consistently until they are formally changed. Records are kept based on a policy that has a rationale. Generally, the retention of tax records has three purposes: (1) to provide backup and detail for the return in case of an audit or inquiry; (2) to provide backup and detail in the event of a client malpractice claim related to the return advice; and (3) to provide backup and detail for successive tax years that have a connection to the old return (typically carryforwards, credits and the like).

When looking through these lenses at the differences between active and inactive clients, there doesn’t seem to be much reason to treat their historic returns differently. The only difference is that the retention period of active clients keeps pushing off into the future while the inactive client document retention eventually times out.

Although CPA firms can develop the best document retention policies and procedures in the industry, they don’t work unless employees are properly trained on them and their compliance is monitored, Thompson emphasizes. “Employees need to understand and consistently follow security, retention and disclosure protocols to keep relevant client data safe for as long as the law or sound business reasons dictate. Review your retention policies annually as part of a healthy risk management practice,” he says.


*Contributing Sources: Murphy Pearson Bradley & Feeney; NewGate Law, Peter Fontaine


As President of CPA Mutual, Bill Thompson, CPA, RPLU, helps CPAs navigate the minefield of professional liability issues with practical risk management. Bill is also responsible for underwriting, reinsurance negotiations and placement, coverage and policy issues at CPA Mutual.