Keep or toss? A guide to CPA firm record retention

By Jamie Yoo
This article originally appeared in the June 2020 issue of the Journal of Accountancy. Minor changes have been made to update claim data used herein. Advice provided in this article has been reviewed and remains current.
Practitioners often find themselves with years, even decades, of records, and ask themselves, "Do I really need all of this?" If your file cabinet is ready for some overdue spring cleaning, consider the role of record retention before you purge.


"If it's not documented, it didn't happen." This phrase is often cited by peer reviewers and others to convey the importance of documenting procedures performed or judgment applied to support a CPA firm's deliverable. Appropriate record retention can help:
  • Facilitate future engagements: Workpapers may include the practitioner's understanding of client processes or tax carryover information, which can be helpful in the execution of future engagements for the same client.
  • Respond to requests from regulators, authorities, and inspectors: Appropriate documentation facilitates the response to audits and inquiries from regulators, taxing authorities, or quality inspections such as peer review.
  • Defend against a professional liability claim: The records of a CPA firm, or lack thereof, can be its best friend or worst enemy in the event of a professional liability claim. Engagement workpapers are often critical to the defense of professional liability claims, helping to support the scope of the engagement, services delivered, and work product issued by the firm.


CPAs, commonly known for being risk averse, may not want to dispose of their records. But at what point does retaining records to err on the side of caution turn into records hoarding? When determining which records should be kept or purged, consider retaining items that document or support the firm's:
  • Client/engagement evaluation process: Such as signed engagement letters, client acceptance checklists, engagement acceptance approvals, and client disengagement letters.
  • Administrative records: Such as fee and billing records, firm and individual licensing information, and CPE attendance records.
  • Engagement delivery: Records retained by the practitioner should establish a clear and complete documentation trail of the service the practitioner was engaged to provide and be of sufficient detail to enable reperformance by a similarly experienced professional. Workpapers may include analyses performed, evidence and explanation provided by the client, or correspondence that supports the practitioner's conclusions or findings.
  • Engagement closure: Such as the firm's deliverables, including reports issued, management's representations, and assertions relied upon by the CPA, or work product transmittal letters.
  • The final version of documentation should be retained, rather than any superseded drafts.


One of the most dreaded, but satisfying, parts of spring cleaning is discarding long-neglected household items. Unfortunately, determining an appropriate retention period is not as straightforward as checking the expiration date of food items to clear out a refrigerator. How long records should be retained depends on a variety of factors including, but not limited to:
  • Type of service: The firm's areas of practice, and the professional standards that govern them, should be considered to identify any applicable record-retention requirements. For example, for tax, workpapers that support tax returns prepared should be retained as long as the returns may be audited by a taxing authority. It sounds simple, right? Not necessarily. The audit period can vary between taxing authorities, and other factors may extend the time period.
  • Statute of limitation and the discovery rule: In the event of a professional liability claim, engagement records and workpapers provide essential evidence of the work performed for clients. This is an important factor to consider when establishing a retention period. The statute-of-limitation period restricts the amount of time within which a plaintiff needs to file a lawsuit. It generally starts to run on the date the negligent act occurred. The discovery rule, however, provides an exception stating that a statute-of-limitation period does not begin to run until the date on which the client discovers or reasonably should have discovered that they were damaged by the negligent act. Statute-of-limitation periods and the applicability of the discovery rule to professional liability claims can vary from state to state. Both can be difficult and complex to identify, interpret, and apply. Accordingly, a CPA firm should always consult with an attorney to understand the state laws that govern the firm and its engagement.
  • Regulatory or contractual requirements: Practitioners whose clients are subject to governmental regulation or those that receive funding from government agencies may be subject to alternative retention periods. A client may request that the firm retain their records for a specified time period. In such cases, firms may be required to retain records for a stipulated period of time as provided by the agency or based on the applicable funding or engagement agreement.
Given the factors described above, a CPA firm may identify different retention periods for different clients and/or services. As a practical matter, it is recommended that CPA firms select the longest retention period and apply it consistently to all records to reduce the administrative complexities associated with maintaining records.


Whether a record is paper-based or electronic, the firm's record-retention policy should be applied consistently. Electronic documents evidencing work performed should be saved in both client and engagement files rather than as attachments to emails. All relevant client service information should be maintained in the engagement workpapers and other official firm files or storage media.
Additional care should be applied to emails. If necessary to demonstrate procedures performed or conclusions reached, email correspondence with clients or peers should be retained as part of the client engagement files, not in a team member's email folder or on an email server.
Many a professional liability claim defense has been thwarted by an email in which the tone was taken out of context. As such, firms may exercise additional judgment by applying a separate retention period for emails to help guard against this risk. Consult the article "Professional Liability Spotlight: How Social and Digital Media Can Be a #majorrisk," JofA, March 2016, which discusses the risks that CPAs may encounter with electronic communication and how using it appropriately can help to avoid potential liability exposure.


Disposing of records is not as simple as separating recyclables from other types of refuse. Just because the retention period has passed, it does not mean that the practitioner's duty to protect the confidentiality of client data has also expired. Proper disposal of records is key.
When it comes to destruction and sanitization of paper and electronic records and media, consult best practices defined in reputable sources such as the National Institute of Standards and Technology's Special Publication 800-88, Guidelines for Media Sanitization, or ISO 27001 A.8.3.2, Disposal of Media.
Many third-party service providers specialize in the collection and destruction of records based on regulatory or technological standards. However, using a vendor does not eliminate the practitioner's responsibility to maintain the confidentiality of client data. If an outside vendor is used, due diligence must be performed on the vendor's processes for keeping the data confidential. Consult the article "Professional Liability Spotlight: Due Diligence With CPA Firm Subcontractors," JofA, June 2015, which discusses a firm's legal and professional responsibilities related to third parties.
It is understandable that a CPA may accumulate client information during the course of providing services. While practitioners are expected to and should retain copies of this information for their own purposes and requirements, clients have the primary responsibility to maintain their own records. To avoid becoming your client's filing cabinet, remind clients of their obligation to keep their own records, and let them know that the firm's workpapers are not a substitute for the client's records.
Jamie Yoo, CISA, is a risk control consultant at CNA. For more information about this article, contact
This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.
Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities.
Copyright © 2021 CNA. All rights reserved

How Helpful Was This Article?


Related Content

Moments That Matter

Related Products