Technical helpsheet highlighting key considerations relating to document retention for accountants.

Introduction

Accountants are required to retain a wide variety of documents and records in various formats to comply with legislative, regulatory and other requirements. Accountants will also hold a wide range of personal data and will therefore be subject to the requirements of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The UK GDPR has not changed the need to hold personal data securely and appropriately, but it has introduced the principle of ‘accountability’. This means that all organisations must not only ensure they are compliant with the GDPR but prove this too.

This helpsheet highlights key considerations with regard to document retention in broad terms and is primarily focussed on client-related documents and records from a practitioner’s perspective. It is not intended to provide advice on documents and records relating to employees, or to address retention of documents in the context of exercising a lien, guidance on which is available in the helpsheet Exercising liens. This helpsheet should be read in conjunction with any relevant guidance and policy wording issued by a firm’s insurer and is not a substitute for specific legal advice. Where there is any doubt, legal advice should be obtained.

Members may also wish to refer to the following related helpsheets and guidance:
Establishing a document retention policy

Firms should establish a clear written document retention policy and should ensure that all staff are familiar with it. The UK GDPR requires firms to adhere to the ‘accountability’ principle, which is primarily evidenced through documentation. With respect to both paper and electronic documents and records, document retention policies should clearly cover aspects including:
The policy should be reviewed on a regular basis, both to ensure that it is still in line with any legal or statutory requirements and to ensure that it is being adhered to by staff. Clients should also be made aware of the firm’s document retention policy (albeit as a high-level summary), perhaps in the letter of engagement and privacy notice (see the Engagement letters and privacy notices helpsheet). Any variation to the general principles for the ownership of records should be agreed by the client, in writing wherever possible.

Engagement letter and privacy notice

Rather than providing lengthy retention policies and schedules to clients in an engagement letter, firms may wish to adopt a more generic approach (although firms would be expected to provide more details to clients if requested). In a privacy notice, wording along the following lines may be appropriate:
Firms may also wish to advise clients of when they will destroy/delete their documents and records. The following wording (see Engagement letters and privacy notices helpsheet paragraph 22.2 in the terms of business) is suggested:
Where clients do inform firms of their wish for the firm to keep documents for a longer period, this is for discussion between the firm and the client.

Ownership

The ownership of a document depends on the contract between the client and accountant, the capacity in which the accountant acts and the purpose for which the document is created. Please refer to the guidance Documents and records: Ownership, lien and rights of access for more details, and seek legal advice if in doubt about the ownership of a particular document.

Storage of documents and records

Firms need to ensure that documents and records are stored securely to comply with the requirements of the GDPR in respect of personal data and the general principles of confidentiality contained within section 114 of the ICAEW Code of Ethics. Further guidance on data security is available from the Information Commissioner’s Office (ICO) on its security page.

Paper documents and records

Firms may wish to place documents that are no longer current in storage, perhaps using a reputable external storage provider. Firms should ensure that the instructions provided to a third party storing client records on their behalf are clear, that reasonable steps are taken to ensure client confidentiality will be preserved and that documents are held without deterioration. Firms should be able to retrieve files from such storage providers at short notice if required and should ensure that such providers are not able to destroy any documents without the authority of the firm. Careful labelling of files will be needed. Firms should also ensure that they know where the third party stores the records, since if this is outside the UK or EEA the firm will need to ensure that the data protection regime is deemed ‘adequate’.
Electronic documents and records

As firms increasingly move to cloud computing and storage, it is extremely important that they have detailed contracts with their providers, not only to comply with the requirements of the GDPR, but to ensure that the responsibilities of both parties are clear. As with paper documents and records, firms should also ensure that they know where the third party stores electronic documents and records. If this is outside the UK or EEA then the firm will need to ensure that the data protection regime is deemed ‘adequate’.

If documents or other information are stored by means of licensed proprietary software (for example, taxation or accounts preparation software), firms must bear in mind that some software suppliers ‘time bomb’ their software, rendering it unusable after the expiry date of the licence. If a firm relinquishes its licence for such software, it should confirm with the supplier whether the software will still be usable to access old records. If not, firms should make timely arrangements to print out the information to be retained or, more commonly, export it into another electronic format.

Firms need to ensure that they continue to have access to the appropriate hardware and software to enable them to recover, in readable form, the documents they have stored. In practical terms, this means ensuring that, as information systems evolve, firms either retain the technology to access redundant data-storage formats, or update the format in which the data is stored. Firms should also restore sample documents from time to time to ensure that retrieval systems and processes still work.

Who should have access to documents and records

Access to documents and records should be restricted to those within the firm who have a genuine need to access the files for legitimate purposes. Ultimately, a firm needs to be able to identify who has access to client files and why they have such access.
A firm also needs to have appropriate physical and/or technological security measures in place to prevent unauthorised access. Where hard-copy files are used, locked cabinets with appropriate key holders may be a sensible option. Where electronic files are used, user-level access and/or password-protected files to restrict access would be sensible. Further details can be found on the ICAEW Cyber security page. The helpsheet GDPR – Client files includes discussion on who within a firm may require access to client files.

Retention periods

The GDPR requires that personal data should be held only for as long as is necessary. Similar principles should be applied to documents and records not containing personal data as well. In practice, the ‘necessary’ period can usually be justified by reference to statutory retention periods, retention periods required by regulations and requirements of professional indemnity insurers. Additionally, where a firm has received (or has been notified of) a complaint, claim or inquiry, the retention period should be extended as necessary.

Original documents

In the majority of cases, original records will be retained by the client and should be returned to them as soon as practicable (with copies kept by the firm as appropriate). Whilst the responsibilities for maintaining records for statutory retention periods are usually those of the client concerned, firms would be wise to maintain their own copies of such documentation in line with the indicative retention periods below (plus any additional period specified by their insurers) to assist in the event of any potential claims.

Insurers

It is also worth noting that some professional indemnity insurers include retention clauses within their policies. Failure to observe such clauses may affect the validity of your PII cover. At inception, it would be advisable to notify your insurer of your document retention policy.
You should always review your professional indemnity cover before adopting or amending your retention policy, as the requirements of your policy may go above and beyond other statutory or regulatory requirements.

Indicative retention periods

Whilst it is not possible in this document to provide an exhaustive list of retention periods or explanations as to why such periods have been suggested (namely because some documents never cease to have value and others remain valuable for an undefined period of time), the table in Appendix 1 provides suggestions and indicative guidance.

Secure destruction after the end of the retention period

For documents that the client owns, firms should not destroy documents and records prior to any period specified within the terms of their engagement letter. If the engagement letter is silent, firms should consult their client or seek legal advice prior to destroying documents legally owned by the client (see Documents and records: Ownership, lien and rights of access). For documents owned by the firm, Appendix 1 offers indicative guidance. When destroying documents, reasonable steps should be taken to preserve the confidentiality of the client’s information in the destruction process.

Paper documents and records

In the context of paper documents, careful thought should be given to secure shredding or incineration facilities, and clear instructions should be given to any third party destroying client information on the firm’s behalf.

Electronic documents and records

In the context of electronic documents, consideration should also be given to backup and storage facilities as well as the ‘live’ copies of documents and records. Where portable devices or drives have come to the end of their life, they should be securely destroyed. In most cases it will be appropriate to use a specialist third party, as simply deleting a file from such a device does not, in itself, prevent data recovery.
Where cloud computing facilities are utilised, contracts with such providers are required and care should be taken to ensure that providers adhere to the firm’s retention and destruction policies.

Certification

Firms may wish to consider checking whether any third parties they use to provide destruction services hold BS EN 15713 (Secure destruction of confidential material) or another appropriate certification.

If in doubt seek advice

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250, via webchat or e-mail.

Appendix 1: Indicative retention periods
Terms and conditions

© ICAEW 2022 All rights reserved. ICAEW cannot accept responsibility for any person acting or refraining to act as a result of any material contained in this helpsheet. This helpsheet is designed to alert members to an important issue of general application. It is not intended to be a definitive statement covering all aspects but is a brief comment on a specific point. ICAEW members have permission to use and reproduce this helpsheet on the following conditions:
For further details members are invited to telephone the Technical Advisory Service, T +44 (0)1908 248250. The Technical Advisory Service comprises the technical enquiries, ethics advice, anti-money laundering and fraud helplines. For further details visit icaew.com/tas.

What is the minimum period for which engagement documentation is to be retained?

Retention of Audit Documentation: The proposed standard would have required an auditor to retain audit documentation for seven years after completion of the engagement, which is the minimum period permitted under Section 103(a)(2)(A)(i) of the Act.

What is the deadline for assembling and archiving audit documentation (PCAOB)?

AS 1215 states that “a complete and final set of audit documentation should be assembled for retention as of a date not more than 45 days after the report release date.” In my discussions with clients and other firms, some have misunderstood the requirements to mean that engagement teams merely had to assemble a final ...

What is the documentation completion date?

Documentation completion date: the date, no later than 60 days following the report release date, on which the auditor has assembled for retention a complete and final set of documentation in an audit file.

What is timely preparation of audit documentation (PSA 230)?

Preparing sufficient and appropriate audit documentation on a timely basis helps to enhance the quality of the audit and facilitates the effective review and evaluation of the audit evidence obtained and conclusions reached before the auditor's report is finalized.