May 13, 2008
 
 
  Record Retention and the Paperless Office
 

After much hype and anticipation, the age of the paperless office is here. Most CPA firms today use technology to render client services, communicate internally and externally, and manage and store business data. But are you aware of the potential risks associated with creating, maintaining, and destroying electronic documents? To protect yourself and your firm, it’s important to understand the technology you use, to establish and update guidelines for the use of electronic communications, and to implement appropriate controls over the record retention processes your firm employs.

Common Electronic Communication Methods
Some of the tools commonly used by CPA firms include:

  • Telephones
    Generally speaking, telephone conversations are not saved electronically on computer storage devices; however, they can be recorded. Federal law (The Electronic Communications Privacy Act) permits recording if at least one party to the call has given consent, but state law varies. Most states allow recording provided that at least one party to the conversation consents to the recording, but some states require the consent of both parties prior to recording. Before recording or retaining a copy of any telephone conversation, be sure to consult with your attorney regarding applicable state laws.

    Voicemail is another popular workplace technology. CPAs use both firm and client voicemail systems to send and receive information relevant to client engagements. Relying on voicemail as documented evidence in rendering client services is not recommended. Voicemail is a handy means of exchanging information quickly, but it is not particularly secure. Notwithstanding the client’s implied consent to be recorded by leaving a voicemail message, the possible application of federal and state privacy laws, along with a CPA’s duty to maintain client confidentiality under the AICPA Code of Professional Conduct and state board of accountancy regulations, suggests that using voicemail as a means of document storage and retrieval is ill-advised. After listening to a voicemail from a client, delete it promptly, and verify the information via a follow-up telephone conversation or written communication with the client.
  • E-mail
    E-mail is the communication tool of choice in many CPA firms, and it is used extensively in client communications. Like all other computer data, e-mails are subject to discovery. Accordingly, CPA firms should have an e-mail usage policy in place. The policy should be simple and clear, and it should define the circumstances under which e-mail use is or is not authorized. Additionally, the policy should include guidelines on deleting or retaining e-mails at the time they are sent or received, depending on the nature of the e-mail.

    Once an e-mail is created and sent, it continues to exist on both the sender’s and recipient’s computers and servers due to backup mechanisms. E-mails should be retained in accordance with the CPA firm’s general document retention policy, and there should be a control in place to monitor compliance with the policy. Consult with your information technology specialist on the use of e-mail "shredding" software, which actually overwrites data to render it unreadable. Such software should comply with Department of Defense standard DoD 5220.22-M, which is the industry standard for this type of software.

  • Instant Messaging (IM) Applications
    IM applications enable instant communication. However, IM is not a secure method of communicating confidential information, and it leaves an electronic data trail on the computers and backup storage systems involved. Like all other data that exists on firm computers and backup systems, this information is subject to discovery for production in professional malpractice lawsuits. Additionally, because IM is used as a conversation tool and an alternative to the telephone, users often do not consider the content of their messages prior to sending them.

    Additionally, it is difficult to monitor the ongoing use of IM. For these reasons, from a risk management perspective, IM is not recommended for use within CPA firms and should not be employed to retain and store information relevant to client engagements.

Electronic Documents
CPA firms use a variety of software applications to create documents. All applications should record when and by whom the document was created, when it was changed, and who changed it. Users should recognize that because these documents are often critical to a CPA’s working paper files, it is important to preserve evidence of this information. Duplicate or superseded electronic documents should be deleted at the conclusion of each client service. To do so, consult with your information technology specialist regarding backup systems and document disposal.

Document Imaging and Storage Systems
The marketplace offers a variety of document imaging and storage systems designed to assist CPA firms in managing electronic documents. Some systems include off-site data storage or storage via the Internet using a third-party service provider. Others are scanning and storage devices, or network appliances designed to allow firms to store and retrieve all types of documents.

Regardless of the technology used, document imaging systems should feature a password-protected design that authenticates the date and time a document is imaged and indicates the person who executes the imaging. If your firm is already using such a system, it is important to conduct regular training classes and monitor compliance with your firm’s policy on system use and record retention. If you are considering purchasing a system, investigate the following:

  • Cost
  • Design
  • Ease of use
  • Background, experience, and continued viability of the vendor
  • System and off-site security
  • References from other CPA firms that are using the system


Paperless Working Papers
Paperless applications are widely used for preparing tax returns, performing bookkeeping and audit services, and generating client financial statements. Each application is generally designed to stand alone and allow CPA firms to retain both client data and working papers electronically. Historically, there has been much consolidation within this part of the software application industry, and products are often superseded. From a document retention perspective, it is critical that each application be saved in a secure environment so that data saved in accordance with a firm’s document retention policy can always be retrieved, even if the software provider is no longer in business.

Most CPA firms use multiple software applications and may use more than one storage and backup method as well. Additionally, new applications are constantly being integrated into the practice. Firm management, regardless of whether the firm is a sole practitioner or has multiple offices, must catalog the various software applications and storage systems in use. Consider requirements to retain working papers by reviewing the regulations of the U.S. Treasury Department, state departments of revenue and other state and federal agencies, as well as state board of accountancy rules and regulations applicable to client industries (including the industries of former clients).

The use of electronic documents can significantly affect document storage and retrieval. That’s why it’s important to consult with an information technology specialist to determine if your firm’s existing record retention policy must be updated to include specific guidance about the use of electronic communications and the retention, storage, retrieval, and destruction of electronic documents. In the long run, this not only aids firms in maintaining documents that may be needed to assist clients or defend malpractice claims, but also allows firms to maximize the use of their existing systems.


For more information about document retention, consult the practice management guide Retaining Engagement Records and Responding to Requests for Records: A Guide for CPA Firms, available exclusively to AICPA Professional Liability Insurance Program policyholders at no charge in the Policyholder Resource Center of the AICPA Insurance Programs website at www.cpai.com.

Protect Your Firm (Executive Summary):
There are legal liability issues associated with creating, maintaining, and destroying electronic documents. To protect yourself and your firm:

  • Understand the technology you use.
  • Establish guidelines for the use of electronic communications, and monitor compliance.
  • Implement appropriate controls over the record retention processes your firm employs.
  • Consult with an information technology specialist about updating your firm's existing record retention policy to include specific guidance about the use of electronic communications.

January 2005
By Joseph Wolfe, Assistant Vice President, Risk Control, Accountants/Lawyers/Realtors Professional Liability, CNA Center, Chicago, IL 60685

Additional Resources

Document Retention in the Electronic Workplace, by Michael R. Overly and Chanley T. Howell, Pike & Fischer, Inc., 2001

http://www.willyancey.com/electronic_evidence.htm#Email (a web page containing a useful list of links to articles and other materials about Electronic Evidence and Records Retention, maintained by Will Yancey, PhD., CPA)

“A Paperless Success Story,” by Sarah Phelan, Journal of Accountancy, October 2003

Guide to Paperless CPA Firm Administration, by Tom C. Davis and Roman H. Kepczyk, available at www.accountingweb.com

 

 
 

©2006-2008 The American Institute of Certified Public Accountants, ISO 9001 Certified