Document and File Retention

Document and file retention is addressed in the CPABC Code of Professional Conduct in Rule 218 ‘Retention of documentation and working papers’:

A registrant shall take reasonable steps to maintain information for which the registrant is responsible, including retaining for a reasonable period of time such working papers, records or other documentation which reasonably evidence the nature and extent of the work done in respect of any professional service.

The term “registrant” is used throughout the Code and means a designated member, registered CPA firm, a professional accounting corporation, or a student.

The additional guidance to Rule 218 is as follows:

1. Cases may arise where a registrant may be required to substantiate procedures carried out in the course of providing professional services. If the files do not contain sufficient documentation to confirm the nature and extent of the work done, the registrant concerned may well have great difficulty in showing that proper procedures were in fact carried out. The importance of adequate documentation cannot be over-emphasized; without it, a registrant’s ability to outline and defend professional work is seriously impaired.
2. There is an obligation to keep the documentation for a reasonable period of time. Unfortunately, it is not possible to give an all-encompassing guideline as to what is reasonable. What is reasonable varies with the circumstances. One of the problems is that an action based in negligence arises, not when the negligent work is done, but when the damage caused by the negligent work becomes known to the person who is harmed.  Documentation should not be destroyed until legal advice has been obtained with respect to the limitation periods in force in the registrant’s jurisdiction.
3. Further, registrants should retain documents for a period of time to provide professional services effectively and to properly serve clients and employers. That time period will depend on the risk associated with the professional service provided and the nature of the specific information that is contained in the files. While a general guideline of 10 years is suggested as the minimum time period, some documentation may need to be retained indefinitely. Such documentation could include:
   • financial statements;
   • agreements, contracts and leases;
   • minutes;
   • investment/share capital information;
   • written opinions;
   • tax files and assessment notices;
   • detailed continuity schedules for such items as fixed assets and future taxes;
   • estate plans, wills and similar documents; or
   • other files, information and records as appropriate.
4. Registrants may find it helpful to take reasonable steps to segregate information that is property of the client (“client information”) from information that is proprietary to the registrant (“proprietary information”) or to ensure that they have the ability to easily segregate such client information. The client may choose to engage another professional service provider in the future, or access to the client information may be demanded through litigation discovery or other legal means. Therefore, it is in the interest of the registrant to be able to provide client information without also disclosing proprietary information. For example, a registrant in public practice should either segregate or be able to easily separate client information, including books and records, general ledgers, account groupings, account compositions, continuity schedules and similar client information from audit or review programs and working papers, tax review documentation and other proprietary information.
5. When the registrant maintains the client’s books and records on behalf of the client, it will be particularly helpful if such client books and records are maintained separately from documentation related to any other service that the registrant may provide to the client. Copies of the books and records should be provided to the client on a timely and regular basis.
6. Registrants are reminded that Rule 208 establishes, among other things, requirements for registrants to maintain and protect confidential information and limit access to it.