 Compliance & Best Practices 

Integrating Privacy Using Generally Accepted Privacy Principles  
Below is a link to a white paper that discusses the importance of designing privacy into an organization's records management program and how that can be accomplished using Generally Accepted Privacy Principles (GAPP). This publication:
   -explains what personal information is and why privacy is an important business issue;
   -identifies privacy concerns regarding records management;
   -explains how GAPP can be used to integrate privacy into a records management program.
    Click here to download the paper.


Document Retention Policy Guidelines

  • All Documents Must Be Included in the Policy
Historically, paper files were the primary means of documenting work. Now electronic documents in the form of files, work papers, emails and final work products are maintained in digital format. Document retention policies must include all documents, whether paper or electronic, and businesses must adhere to these policies in a systematic manner.  Consistent guidelines should be followed to ensure that files are properly stored for easy retrieval and so that client information is safeguarded.
  • Documents to be Retained
In relation to the services / products that the business provides, the business's policy must be to retain documentation necessary to support the work product.  In addition to traditional accounting, administrative and corporate documents, such documents might also include opinions, resolution of differences, conclusions and research utilized in analysis, correspondence with employees / clients / vendors, and other items of continuing significance. Drafts or other documents not utilized should not be retained. Documents transmitted as attachments via email should be considered separately from the email messages to which they are attached.
Documents attached to and transmitted by email should be stored in machine readable format in the organization's electronic document management system in the appropriate client folders. Those email messages which actually contain material, pertinent information should be copied in PDF or other machine readable format and included in the source documents files.   Email messages not saved for filing in the correspondence file or other appropriate folder should be deleted in accordance with the established retention protocol for emails retained on email servers. Established policies pertaining to the retention and destruction of email documents should mirror the policy for documents in other electronic or paper formats.
  •  Retention and Purging Policies Should be Dutifully Followed
Whatever the organization's policy may be, it should be carried out consistently, both in the retention of documents and the discarding of documents no longer required to be kept. When an organization learns that a government agency is conducting an investigation or that private litigation is pending or threatened (even if the organization is not directly involved), the organization should be careful to retain all relevant records, even if they are slated for destruction under a periodic purging policy and even if no request for records has been made.
A solid and consistently followed retention and purging policy also provides a defensible position, should it be needed, when requests are made for records that have been appropriately destroyed in accordance with firm and regulatory guidelines.
  • Destruction and Control
Destruction of documents is as important as their storage. Paper documents which are not to be retained in the organization's files must be shredded or incinerated if they contain confidential information or sensitive data. Any paper with a social security number, a federal ID number or a client name on it must be destroyed in this manner; never just drop documents in the trash. Electronic documents are destroyed by deleting them from the medium on which they are stored, and then purging the medium itself. A written list of files (both paper and electronic) to be destroyed should be reviewed prior to destruction to take into account potential issues that may require information to be retained for a longer than usual retention period. Any exceptions to the established retention policy should be approved by management in writing on a document retention exception log.  To protect yourself from future legal exposure, destruction policy exclusions should be very limited and the reason should be clearly documented.  A list of files destroyed should be maintained permanently.  Where appropriate, customers should be notified in writing that the business's policy is to destroy files, and that they may request copies of any data contained therein subject to approval.
Boxes, Packaging, Indexing, Delivery
Boxes that are 10"(H) x 12"(W) x 15"(L) are best. They can store 8.5” x 11” pieces of paper “one way”; and legal size (11 x 13) pieces of paper or file folders the other way. These boxes can also be used to store CDs and physical items. See our box section for more information on boxes.
The number one rule is “don’t over-pack the box”. Over-packing will cause the box to fail in a very short period of time, after only several “lifts” or “moves”. Additionally, it is very hard to get files out of a box that is over-packed. Folders should be packed like they are in a filing cabinet. The box should be packed with enough folders so that the folders don’t slide down. Try to pack items by year, since this is the most common retrieval criterion.
Records should be indexed sequentially in the box by last name, identifying number, date or any other criteria relevant to your business. Avoid skips in sequencing. As an example, if you were packing by alphabetical order, all the “C” records should be together in sequential boxes. They shouldn’t be in boxes with other letters. Leave room for two or three records that may be added later. The content should be recorded in a separate “content file document” called an index. This “indexing” will reduce the amount of time required to find the box in which a record exists. It also allows for identifying the proper box without being in the storage area. Each box will have a number that corresponds to the index file. Example: Box 32 contains employee records with last names beginning with A or B. Every file can be listed in an index file document. This, however, is very time consuming and can be very costly.
When requesting delivery, indicate if you want the entire box, or just a file in the box. If a box is returned to the storage site without a file, a marker paper should be placed in the box indicating what file has been removed.

General Document Retention Time Frames

Where applicable, retention periods commence immediately following the date of the financial statements, or the taxable year in the case of tax returns, work papers, etc.

  Record type                                               Holding period (1)

Accounting Records
  Accounts receivable / payable reports                     7 years
  Annual general ledger detail                              7 years
  Annual financial reports                                  7 years
  Bank statements & cancelled checks                        7 years
  Bookkeeping files                                         7 years
  Client billing statements                                 7 years
  Depreciation schedules                                    7 years
  Employee expense reports                                  7 years
  Employee time sheets                                      7 years
  Equipment records & invoices                              5 yr (after disposition)
  Forecasts & projections                                   7 years
  Monthly financial reports                                 7 years
  Payroll files and related reports                         7 years
  Tax returns                                               Permanent
  Valuations                                                7 years
  Vendors' invoices & paid bills                            7 years
  W-2 and 1099 forms                                        7 years
  Work in progress reports                                  7 years

Administrative Records
  Accident reports and claims (post accident / settlement)  7 yr (after)
  Client files                                              7 yr (after term)
  Continuing Professional Education (CPE) records           7 yr (after term)
  Proprietary publications, newsletters & alerts            7 years
  Insurance documents & policies                            7 yr (after term)
  Equipment / facility leases and contracts                 7 yr (after term)
  Government agency reports / requests                      7 years
  Litigation support files                                  3 years
  Personnel files (post-employment)                         7 yr (after term)
  Retirement plan (e.g. 401k) info                          Permanent

Corporate Documents / Agreements
  Minutes / Bylaws                                          Permanent
  Operating Agreements                                      Permanent
  Partnership Agreements                                    Permanent
  Certificate of Incorporation                              Permanent
  Shareholder documents, agreements & contracts             Permanent
  Tax exemption documents / application                     Permanent

(1) All holding periods are estimates.  Individuals should confirm appropriate / required holding periods with their attorney or the appropriate regulatory body.  The above table is meant as a general guide and should not be relied upon as definitive advice.


Financial Planners
CFP® Board of Standards Rules of Conduct do not appear to specifically address a records retention policy in terms of how long client records should be kept or specific requirements of facilities within which client records are stored.  However, the following CFP® Rules of Conduct may serve as a useful guide:

-Rule 3.2 discusses security for document retention:  "A certificant shall take prudent steps to protect the security of information and property, including the security of stored information, whether physically or electronically, that is within the certificant's control."

-Rule 3.5 discusses record keeping:  "A certificant shall identify and keep complete records of all funds or other property of a client in the custody, or under the discretionary authority, of the certificant."

Outside of the general record retention guidance in Rules 3.2 and 3.5, the CFP® Board does not appear to maintain any specific requirements on record retention. While the CFP® Board does not maintain specific requirements, respective broker/dealers may maintain specific requirements.  Therefore, the following Rule may also be relevant:

-Rule 5.1, which states:  "A certificant who is an employee/agent shall perform professional services with dedication to the lawful objectives of the employer/principal and in accordance with CFP Board's Code of Ethics."  Accordingly, your broker/dealer Compliance Department may be a useful resource regarding specific records retention policies.


Accounting
Excerpts taken from the information prepared by the Tax Practice Improvement Committee Working Group on Document Retention.
Accounting firms are advised to adopt a written retention policy, share it with all firm personnel, and inform clients of the retention policy. Accounting firms are further advised to obtain the necessary legal counsel to ensure that various federal, state and local regulatory requirements are met. Not only should firms consider the state in which they reside, but also states where significant clients are located.
General Guidelines
   -Internal Revenue Service and Other Regulatory Body Requirements
An important aspect of an accounting firm's overall document retention policy is obviously compliance with Internal Revenue Service and other regulatory body requirements, since all taxpayers are required to keep books and records sufficient to establish the amount of gross income, deductions, credits, or other matters required to be shown by the taxpayer in a tax return. [1]
For federal income tax purposes, books and records are required to be retained so long as the contents may become material in the administration of the tax laws, although "material" is not defined.  For practitioners this generally means information relied on in the preparation of the clients' returns. The books and records must be retained, at a minimum, until the expiration of the statute of limitations, including extensions, for each tax year. [2]
The IRS has issued guidance with respect to computer document retention and electronic document storage, applicable to both business and individual taxpayers whose tax records are computerized or electronically stored.
Published guidance specifies the basic retention and documentation requirements that the IRS considers to be essential in cases where a taxpayer's books and records are maintained within a computerized system. [3] Recommendations for document management and maintenance also are provided. The requirements pertain to all tax matters, including income, excise, employment, and estate and gift taxes, as well as employee plans and exempt organizations.
Although applicable specifically to taxpayers with assets of $10 million or more and other taxpayers who maintain computerized records not available in hardcopy, much of the computer document retention guidance addresses business taxpayers. The IRS routinely reminds business taxpayers of their responsibilities for computer document retention at the beginning of an audit. [4]
The taxpayer must maintain and make available to the IRS, upon request, documentation of the processes that:
1. create the retained books and records;
2. modify and maintain the books and records;
3. provide sufficient information to support and verify entries made on the taxpayer's return and to determine the correct tax liability; and
4. evidence the authenticity and integrity of the taxpayer's books and records.
The taxpayer must provide, at the time of an examination, the resources that the IRS determines are necessary to process the taxpayer's computer books and records.  
The IRS has provided guidance on the maintenance of books and records on an electronic storage system that either images hardcopy or transfers computerized books and records to electronic storage media. [5] Books and records maintained in an electronic storage system that complies with the IRS requirements will constitute books and records as required by the tax law and regulations.
The general requirements are that an electronic storage system must:
1. ensure an accurate and complete transfer, indexation, storage, preservation, retrieval and reproduction of the hardcopy or computerized books and records;
2. include reasonable controls, and an inspection and quality assurance program to ensure the integrity, accuracy, reliability, and security of the system;
3. have the ability to reproduce legible and readable hardcopies; and
4. provide support for the taxpayer's books and records.
The taxpayer must provide, at the time of an examination, the resources that the IRS determines are necessary to process the taxpayer's computer books and records.  
Destruction of hardcopy books and records and deletion of original computerized records are permitted after testing of the system is completed and procedures are implemented to ensure compliance with IRS guidance. In any case, books and records must be retained, at a minimum, until the expiration of the statute of limitations, including extensions, for each tax year.

[1] Regs. Sec. 1.6001-1(a)
[2] Rev. Proc. 98-25, Section 5.01
[3] Rev. Proc. 98-25
[4] Form 4564, Information Document Request, issued by an IRS Computer Audit Specialist
[5] Rev. Proc. 97-22

The Local Document Storage Solution: Simple, Safe & Affordable.

Lancaster, Pennsylvania        717.842.2005