Retaining Engagement Records and Responding to …. Why a Written Record Retention Policy? This...

AICPA Professional Liability Insurance Program Retaining Engagement Records and Responding to Requests for Records A Guide for CPA Firms July 2006

Table of Contents

I. Executive Summary

II. Why a Written Record Retention Policy?

III. Why Retain Workpapers and Records?

IV. Other Records

V. Preparing a Record Retention Policy

VI. Putting a Record Retention Policy in Place

VII. Using a Record Retention Policy

VIII. Responding to Requests for Workpapers and Records

IX. Impact of Organization Changes on Working Paper Retention

X. Summary

Appendix A: Guide to Paperless Document Management, Electronic Evidence, and Electronic Discovery

Appendix B: Sample Summary of Record Retention Periods

Appendix C: Sample File Disposal Log

Appendix D: Sample Letter to Clients Covering Newly Adopted Record Retention Policy and Procedures Regarding Old Workpapers and Files

Appendix E: Sample Transmittal Letter Accompanying Copies of Workpapers Furnished to a Client

Appendix F: Resources on Establishing an E-Mail Use Policy and E-Mail Management

Appendix G: CPA Firms and Privacy of Consumer Financial Information

Appendix H: Releasing Original Engagement Working Papers

I. Executive Summary

Preparing engagement working papers (“workpapers”) and related records is an important element of providing services to clients. Retaining these records after an engagement is completed, however, can be a costly and time-consuming endeavor.

Due to changes in digital technology, the business world moves much faster than it did a decade ago. Even small businesses now rely heavily on computerized recordkeeping and communications and engage in electronic commerce. These changes have affected CPA firms as well as clients. The distinctions between client records and CPA firm workpapers are becoming less obvious as CPAs generate financial reports or prepare tax returns electronically for clients by either accessing electronic client records or hosting client records on firm computers, network servers, or via the Web. Client records and firm workpapers are now being stored on firm servers, various storage media, or on equipment/devices maintained by a third-party service provider (TSP). This can challenge the CPA firm in maintaining the confidentiality and security of client information, and increases the complexities of managing firm records.

Increasingly, CPA firms maintain client records on their computers to perform services traditionally undertaken by the client, such as general ledger, payroll, and employee benefits administration. These changes require CPA firms to rethink their approach to record retention and create record retention policies that are cost effective, not unduly burdensome to establish and maintain, and simplify the purging and disposal of records no longer needed.

In recent years, corporate and accounting frauds and allegations of wrongful document destruction have prompted legislators, regulators, and others to establish new laws and regulations that impose civil and criminal penalties and other sanctions for mishandling certain types of records. The imposition of civil sanctions, including fines and awards of punitive damages for failure to preserve evidence or to comply with court orders to produce documents, requires that CPA firms judiciously manage their paper and electronic records. Maintaining a documented policy which is consistently followed and monitored to prevent improper destruction of paper or electronic documents is an effective means of avoiding allegations or presumptions of improper document destruction when faced with a lawsuit or government inquiry.

II. Why a Written Record Retention Policy?

This guide addresses the types of records that CPAs typically prepare or obtain in providing client services and outlines matters that firms should consider in determining what records to retain and how long to keep them. Designing and implementing a written record retention policy is important in managing liability risk in a professional services firm. There are several reasons for this:

• A written policy provides clear direction to professional staff about which records should be maintained by the firm at the conclusion of an engagement, which should be returned to clients, and which should be destroyed. It also improves internal communications about records management by providing instructions on how long records should be maintained, how and where they should be maintained, and how they should be destroyed. While preparing a written policy will require an initial investment of time and effort, it provides the firm with a consistent approach to records retention that becomes an integral part of the firm’s quality control program and facilitates training of new employees.

• Storing records is both costly and time-consuming. Expenses include physical storage space and storage medium costs, such as filing cabinets and photographic and digital record storage devices. A written policy can help reduce these costs by eliminating unnecessary record retention. Staff time spent storing and retrieving documents can also be reduced.

• Providing clients with the firm’s written record retention policy helps eliminate misunderstandings about responsibility for maintaining records and notifies clients of the time frames for destruction of the firm’s records. It also demonstrates the firm’s commitment to client confidentiality and adherence to applicable record retention laws and regulations.

• Written policies can address the need for workpaper files to be appropriately organized for retention and destruction. Well-organized files facilitate research to respond to client inquiries, and provide important information needed to respond to client concerns about tax and accounting matters, billings, and more. Many client disputes can be resolved before claims develop simply by being able to readily refer to documents evidencing work performed and communications made.

• In the event of litigation involving clients, attorneys may request client engagement records and hire an expert witness to examine them in an attempt to determine if there is a basis for including the CPA firm as a defendant to the lawsuit. The timely destruction of records no longer needed reduces the risk that these records become subject to discovery.

III. Why Retain Workpapers and Records?

While providing services to clients, CPAs prepare various types of reports, workpapers, correspondence, and other records. The nature, content and extent of the workpapers and other documents are generally guided by the applicable professional and regulatory standards and the type of service being provided. For certain services (e.g., auditing and attest services), AICPA and Public Company Accounting Oversight Board (PCAOB) standards are explicit in describing the objectives and content of documentation to be prepared and retained.1 These standards describe the function, nature, content, ownership, retention term, and custody of workpapers. For other services (e.g., consulting services), the nature, content, and extent of the documentation prepared and retained is generally left to the discretion and judgment of the CPA. In any case, documentation and related records usually consist of information obtained from the client and others that is used during the engagement, analyses and evidence of work performed, conclusions reached, recommendations made, reports issued, and administrative correspondence and records produced (e.g., fee and billing information).

In addition to complying with professional standards and regulations and maintaining evidence of work done, CPAs generally retain workpapers and related records in order to satisfy other known or potential needs. These may include:

• Facilitating future engagements – Workpapers containing client background information, descriptions of client systems and controls, copies of client documents of continuing significance (e.g., by-laws, long-term contracts, etc.), along with workpapers indicating the scope, timing, and results of work done by the firm can be helpful in performing future assignments for the same client. For example, for tax return preparation engagements, it may be necessary to refer to prior tax files regarding items such as elections, net operating loss, and depreciation schedules to prepare current returns. Additionally, reviewing tax returns from prior years is a standard quality control practice in tax practices recommended in the AICPA Professional Standards under Statement on Standards for Tax Services No. 3, Certain Procedural Aspects of Preparing Returns.

• Responding to client requests – Workpapers may contain information that a client may seek in the future, and CPAs may want to be able to respond to such requests.

• Responding to inquiries by taxing authorities – Clients may request assistance in responding to audits and inquiries from taxing authorities. To respond to such inquiries, it is necessary to review prior tax records.

• Participating in peer or quality review and inspections – Workpapers are needed for peer or quality reviews and PCAOB inspections.

1 AICPA Professional Standards, SAS 103, Audit Documentation and AT Section 101.100-107, Attest Documentation, and PCAOB Auditing Standard No. 3: Audit Documentation.

• Complying with legal, regulatory, and contract requirements – Contracts covering engagements for certain governmental bodies, commissions, and agencies, as well as engagements performed to assist clients in complying with laws or regulations, may stipulate that a CPA’s workpapers be retained for a specified period of time and be available for inspection upon request.

• Responding to regulatory inquiry – If a client is subject to regulatory jurisdiction, workpapers may be needed to respond to a regulator’s inquiry. Workpapers may also be needed in responding to an inquiry from a professional ethics enforcement body or a state board of accountancy.

• Defending a malpractice claim or litigation – In the event of a malpractice claim, original engagement workpapers, records, and correspondence will be critical to the defense of the work performed. Judges and juries rely heavily on written and electronic evidence in malpractice litigation, and in the absence of such evidence, often make judgments based on oral testimony that can be confusing, contradictory, or incorrect. Based on fines and punitive damages awards in recent cases, there is a clear indication of a lack of tolerance by judges and juries for the failure to promptly and completely produce requested records. In United States v. Philip Morris USA, Inc. 327 F. Supp. 2d 21, 25-26 (D.D.C. 2004), a trial court fined Philip Morris $2.75 million and prohibited eleven corporate officers from testifying at trial after finding that the same corporate officials failed to adhere to the corporate document retention policy.

IV. Other Records

In addition to engagement workpapers and files, CPA firms maintain personnel records containing confidential employee data, firm policies pertaining to employment laws, staff evaluation reports and annual performance reviews, and general business records, such as firm financial statements, tax returns, and vendor contracts.

Employment law and laws governing professional partnerships and corporations must be considered in consultation with competent legal counsel in designing a retention policy for these records. Both federal and state laws typically apply, and state law varies substantially between jurisdictions. CPAs should consult with their state CPA society or bar association for referral to a law firm with partnership, corporate, and employment law expertise for assistance in this area. Additionally, practice management aids published by the AICPA, and others serving the accounting profession, address this issue in some detail.2

Employment records and human resource policy and procedure manuals can be subpoenaed in a professional liability lawsuit. Attorneys often subpoena these records if the working paper file reflects service problems during an engagement. Consult with an employment law attorney regarding retention of these documents.

2 AICPA, Management of an Accounting Practice Handbook, section 209.05 (5/04 Rev.), Records Retention.

V. Preparing a Record Retention Policy

A record retention policy should be designed to meet business needs, statutory requirements, and potential future litigation demands. It is a written statement that defines the “what,” “how,” “how long,” “where,” and “by whom” of records retention and destruction. Preparing a policy is not a simple task. A policy must be easy to understand and implement in order to facilitate compliance and prevent record-destruction errors and problems. A simple retention policy would have a limited number of broad subject matter (e.g., federal tax, state and local tax, international tax, and tax consulting), categories (e.g., tax, audit, and bookkeeping), and functions (e.g., engagement letters, workpapers, correspondences, and tax returns). It may offer specific guidance on such considerations as document review processes, backup and archival procedures, online storage repositories, the designation and responsibilities of record custodians, and a destroyed documents log. The end product should reflect the input of firm management, office administrators, information technology (IT) professionals, and competent legal counsel with experience in defending professional malpractice claims. Firms should also consider soliciting input from peer firms who have already developed and implemented a record retention policy. Other members of national associations of firms and professional organizations also can be good resources for such input.

For all practice areas, the files and records to be addressed and included in the policy should encompass both paper documents and files and records maintained electronically on other storage media. This would include, for example, microfilm or microfiche and electronic data on tape, computer hard drives and servers, personal digital assistants, and portable data storage devices, such as flash drives, hard drives, hard disks, floppy disks, and backup tapes. Electronic data includes, but is not limited to, e-mail and other electronic communications, word processing documents, spreadsheets, databases, calendars, telephone logs and voice-mail, contact manager information, Internet and computer usage files, network access information, and metadata3.

A firm’s policy should balance the need to retain information for future use with the potential costs and burdens of satisfying those needs. In deciding what data should be retained, the firm should consider the likelihood that the data will be needed in the future to provide client services or respond to a client inquiry, to respond to a regulatory inquiry, or to defend a potential malpractice claim. The time and costs associated with storing, searching, and retrieving data can be considerable. Accordingly, in drafting a policy, careful consideration should be given to storing data that will be needed for these purposes, restoring data in the event of a disaster to provide continued uninterrupted client service, and destroying data when it is no longer needed, based on specific written destruction criteria.

The policy should also provide specific guidance on when, why, and how data can be replicated and stored, and the type of storage media that should be used. For example, consider e-mails. E-mails typically reside on the hard drive of the computer or a company server, but will also likely exist on multiple computer hard drives or personal digital assistants if forwarded, replied to, or copied to others in the firm. E-mails that support firm work products should be kept in client workpaper files. Firms may want to consider using an e-mail system that automatically deletes e-mails that are not stored in client electronic folders after a set time period to avoid the unnecessary storage of e-mails and to simplify searches for e-mails on a specific topic.

3 Metadata (also known as embedded data) records an electronic document’s history including how, when, and by whom it was created, modified, and transmitted, and maintains the links between e-mails and documents.

Other considerations include adopting a single record retention policy for current and former clients, assessing the costs to administer the policy, purchasing records management software and equipment, and maintaining (store, secure, destroy, and retrieve) firm records and the procedures to enforce compliance.

Record retention policies, firm policy statements, and procedures manuals addressing client service and the administration and conduct of engagements may be subpoenaed and examined by expert witnesses to determine if the firm violated its own performance standards. This data should be maintained permanently along with documentation of when these policies, statements, and procedures were instituted, updated, or replaced.

Contents of a Policy Statement

Definition of Client Records – During the course of rendering services, CPAs routinely examine and refer to original client documents and records. Under ET Section 501 of the AICPA Code of Professional Conduct, Interpretation 501-1, Response to Requests by Clients and Former Clients for Records (Revised, effective April 30, 2006), the definitions of client records and working papers are as follows:

“Client provided records are accounting or other records belonging to the client that were provided to the member by or on behalf of the client.

Client records prepared by the member are accounting or other records (for example, tax returns, general ledgers, subsidiary journals, and supporting schedules such as detailed employee payroll records and depreciation schedules) that the member was engaged to prepare for the client.

Supporting records are information not reflected in the client’s books and records that are otherwise not available to the client with the result that the client’s financial information is incomplete. For example, supporting records include adjusting, closing, combining, or consolidating journal entries (including computations supporting such entries) that are produced by the member during an engagement (for example, an audit).

Member’s working papers include, but are not limited to, audit programs, analytical review schedules, and statistical sampling results, analyses, and schedules prepared by the client at the request of the member.”

Client-provided records or client records prepared by a firm may include, for example, original W-2 forms, tax depreciation schedules, accounting records (for example, the general ledger), debt agreements, bank and broker statements, purchase and sales contracts, and other legal documents. The policy statement should define and present examples of client records. In most cases, identifying such client records is easy.

However, as CPA firms increasingly render bookkeeping and tax services traditionally performed by the client and maintain client records electronically through use of computer software located either on the CPA firm’s computers, network servers, or on a host server maintained by a third party, this distinction becomes less clear. Interpretation 501-1 provides guidance about what constitutes client records. In addition, Ethics Ruling No. 189 under ET Section 591, Requests for Records Pursuant to Interpretation 501-1, provides guidance on whether or not a member has an obligation to provide records to other individuals associated with a client. It is important to note that if the CPA firm has been engaged to prepare and maintain original client records, such as general ledgers and tax depreciation schedules, these documents are client records and are the property of the client rather than the CPA firm.

For more information on this subject, see Client Record Retention and Tax Workpapers by Joseph Scutellaro, CPA and Steven F. Hollub, CPA, published in the September 2000 edition of The Tax Advisor. The article is accessible to members of the AICPA Tax Practice Section at http://www.aicpa.org/pubs/taxadv/online/toc0900.htm.

Most client services, such as bookkeeping or the preparation of financial statements and tax returns, are performed on a periodic and recurring basis. Some services are performed only on an “as requested” basis. In any case, when a client service is completed, original client records used by the firm during the course of an engagement should be returned to the client and not retained in the firm’s workpapers and files. If the CPA believes that an item needs to be retained for engagement documentation purposes, the firm should make a photocopy or electronic copy of the original for the file. Clients should be informed of their obligation to maintain original client records and should not be led to believe that the firm assumes any responsibility to maintain them. Only final versions of documents from completed engagements or the latest version of documents from uncompleted engagements should be kept in workpaper files. At the time an electronic document is updated, the prior version should be overwritten or deleted from all media storage devices where it may reside, including hard drives, network drives, portable media, and e-mail folders.

Definition of Firm’s Engagement Records – Engagement workpapers and files typically consist of the firm’s original workpapers, records of staff, and client communications regarding the engagement, correspondence with clients and third parties pertaining to the engagement, copies of the work product provided to the client, and copies of client documents. Absent a contractual agreement with a client (e.g., in an engagement to provide expert consulting services to an attorney where the attorney requires the CPA to turn over all workpapers at the end of the litigation service engagement) the firm’s workpapers are the property of the firm.

Engagement records may exist in electronic form, such as e-mails and electronic documents, and may be stored on computer hard drives, personal digital assistants, disks, backup tapes, and network servers. These records typically include metadata and may exist in network databases accessible to many users.

The types of records created or needed to perform an engagement vary substantially based upon the type of service rendered and the client’s industry. Therefore, it is not possible to formulate a single record retention policy that can be used by all CPA firms.

In order to develop a policy, the firm should start by inventorying the types of files and records it prepares and uses on engagements by areas of practice. Firm management in charge of each practice area (e.g., tax, accounting and auditing, information technology consulting) should participate in this inventory effort. The following are examples of the types of files that may be identified:

For an accounting and auditing practice:

• Annual engagement workpaper files, including both paper and electronic files and records. An audit workpaper file should include audit programs and other planning documents (e.g., see SAS No. 99), analyses/schedules, confirmations, representation letters, checklists, abstracts/copies of important documents, details/specifics of tests performed, and identification of documents examined (see PCAOB Audit Standard No. 3 and SAS No. 103 for guidance to the form, content, and extent of audit documentation.)4 An audit workpaper file should also include documentation of significant findings and issues, including actions taken to address them and basis for the conclusions reached, any departure from statements on auditing standards, and new information received after the date of the auditor’s report. The auditors should record the identification of the preparer of each workpaper, the date it was completed, and the identification of the reviewers who reviewed specified elements of the audit work performed and when.5 The workpaper file should include documentation of all of the field work performed, including work performed in response to a reviewer's comments.

• Annual report file containing the final report issued by the firm.

• Permanent files containing information that is carried forward from year-to-year and includes data that is of a continuing significance and use to the engagement team. Items included in a permanent file may include copies of the client’s bylaws and articles of incorporation, long-term debt agreements, client organization chart, etc.

4 PCAOB Auditing Standard 3, Audit Documentation, applies to audit and review of quarterly and annual financial statements and SOX 404 internal control audits for all SEC issuers. The auditor should use judgment to determine the extent of the documentation required for the engagement. Audit documentation alone does not guarantee audit quality. The documentation should demonstrate that the work performed has met: 1) the objectives of an audit; 2) provide a clear link to significant matters; and 3) contain sufficient detail information for a clear understanding by an experienced auditor. An auditor should demonstrate that sufficient procedures were performed, sufficient evidence was obtained, and appropriate conclusions were reached. Oral explanation will not constitute persuasive other evidence and should be used only to clarify written evidence.

5 SAS No. 103, Audit Documentation.

• Correspondence file containing a copy of all letters, memoranda, and information sent to and received from the client, no matter what the mode of delivery. This includes correspondence sent or received via U.S. mail or commercial delivery services, as well as faxes and e-mails. The file also should contain documentation of oral advice and discussions with clients or third parties on significant matters related to the engagement.

• The software applications used to prepare general ledgers, trial balances and financial statements for clients, as well as software applications used to manage and generate electronic workpapers for compilation, review, audit, and other attest services engagements. In some cases, these applications are loaded and maintained on firm computers and servers, while in other cases they are accessed via the Internet from a vendor providing the software. In either case, CPA firms must maintain the capability to access and use the software to retrieve and view firm-generated client documents and firm workpapers during the document retention period applicable to these items. To the extent a firm chooses to replace existing software applications to facilitate client service, this must be considered prior to installing or using new software.

For a tax practice:

• Annual tax return workpaper files. These paper or electronic files may include information furnished by the client, such as tax organizers, engagement letters, client authorizations (e.g., IRS Forms 8878 and 8879 for e-filing of federal/state extensions and returns or Forms 2848 or 8655 for enrolling a client in EFTPS), firm-prepared workpapers such as checklists, tax research information developed in resolving tax return issues, questions from clients along with firm’s responses, workpapers containing calculations, and other schedules and statements prepared in support of the tax return.

• File containing the firm’s copy of the final returns submitted to the client for filing with the tax authorities and the electronic storage media containing the electronic files used to prepare and print the final returns.

• Permanent or carry-forward file containing information that will be needed on future return preparation engagements, such as loss/credit carry forward, elections, and fixed asset depreciation schedules, and copies of correspondence to/from taxing authorities, such as requests for rulings and responses thereto.

• File containing copies of all correspondence and information sent to and received from the client or a third-party involved in a transaction (e.g., attorney or appraiser), documentation of oral advice or discussion of significant matters, and memoranda prepared in connection with this client.

• The software applications used to prepare tax returns. Again, to the extent a firm chooses to replace existing software applications to facilitate client service, this must be considered prior to installing or using new software.

For a consulting and other services practice:

• For consulting and other services areas, the nature and content of workpaper files and records will vary significantly according to the type of service provided. Generally, these files will be prepared on a project-by-project basis and include documentation of work performed, recommendations made, conclusions reached, and reports issued. Correspondence files will also likely exist, depending on the firm’s particular needs. In the event a custom software application was used to analyze data and generate reports, access to the application must be maintained during the applicable record retention period.

When an engagement is complete and before the engagement workpapers are filed in the firm’s office, an experienced member of the engagement team should review the files to ensure that only those materials that evidence compliance with applicable standards and support the final engagement conclusions, recommendations, and reports are retained. Care must be taken to review both paper and electronic documents. Drafts and superseded, redundant, or otherwise unnecessary material that does not support the final work product and has been viewed only by firm personnel should be destroyed as soon as it is no longer needed, and no later than the delivery date for the engagement work product (i.e., tax returns, audit reports) or the conclusion of the related service.

Firms occasionally prepare draft reports or tax returns for review by clients prior to preparing final reports or tax returns for filing. To the extent they were distributed to clients or third parties, these documents, as well as the transmittal letters that accompanied them, should be treated as original engagement workpapers and retained in accordance with the document retention policy.

Senior engagement personnel often write notes/review points to the staff containing inquiries or instructions during the performance of an engagement. The staff will respond as appropriate. Workpapers should clearly document the work performed, including any necessary notes in response to questions or issues raised by senior engagement personnel. However, as a general rule, the notes/review points themselves containing the inquiries or instructions should be destroyed once the issue has been addressed and the workpapers appropriately documented. Electronic review tick marks and review points on electronic audit workpapers and tax returns should be removed from the electronic files and backup tapes after the audit or tax return is completed. However, documentation should be retained in the workpaper file to evidence that the electronic document has been reviewed by the engagement team supervisory personnel (e.g., the reviewer would sign his/her initials next to the electronic document listed on the checklist after completing the preliminary and final electronic review of the document).

Occasionally, firm personnel may keep “unofficial” or “desk” files in their offices or save client files on their office or home computer hard drives. The maintenance of such files should be prohibited. All relevant client service information should be maintained in the engagement workpapers and other official firm files or storage media. Strict adherence to this policy will not only enhance security over confidential client information but will facilitate locating documents when needed. Controlling and ensuring compliance with this policy can be difficult. Nevertheless, a proactive information and education program directed at all firm personnel that includes policy reminders and a summary of the risks associated with keeping “unofficial” files can be effective in maintaining compliance.

Always research applicable contract requirements, professional standards, regulations, and laws applicable to services performed and clients served prior to establishing a policy that defines firm engagement records to be retained. These contract requirements, standards, regulations, and laws may govern the types of records that must be retained and establish required record retention periods. They may also require CPA firms to preserve the ability to view electronic workpapers during the retention period. For instance, such requirements have been established by many governmental entities, the PCAOB, and state boards of accountancy in a number of states. This subject will be addressed in greater detail in the section titled Types of Services Rendered.

Retention Period – Deciding how long to retain client service records is not a simple task. Retention periods for workpapers and other records may vary by areas of practice. However, whenever possible, establish retention periods that are easy to understand and encourage compliance. Administratively, it is easier to manage only a few or even one document retention period, even if this results in certain types of documents being retained longer than needed. While this can increase the cost of storing data, it can reduce the cost of implementing and maintaining a record retention policy by minimizing the frequency with which professional and administrative staff will need to handle files to comply with the policy. Additionally, complexity increases the risk of errors. The policy should clearly identify differing retention periods and describe in detail the types of records to which each retention period applies.

There are several factors to consider in establishing a retention period:

• Statutes of Limitations – Statutes of limitations are important factors to consider in establishing a retention period. Such statutes impose a time limit or “limitations period” for filing a lawsuit. Statutes of limitations for professional malpractice claims and other causes of action vary from state to state. Additionally, each state typically applies different statutes of limitations to tort and contract claims against professionals. For example, a negligence claim may be subject to a three-year statute of limitations, while a breach of contract claim may be subject to a six-year limitations period. Additionally, in many states, the limitations period does not begin to run until the client incurs damages (for instance, after a taxing authority has issued a final determination in a tax dispute), or until the client knew, or should have known, about the alleged wrongful act (the “discovery rule”).

In the event of a malpractice claim, engagement records and workpapers provide essential evidence of the work performed for a client. Attorneys specializing in the defense of CPAs recommend that these records be maintained at least as long as the limitations period that applies to the work performed by a firm. Firms that practice in more than one state or have clients domiciled in other states need to consider how each state’s statutes of limitation apply to them. Because multiple statutes of limitation exist in each state and vary by state, firms should always consult with their attorney before establishing retention periods.

• Regulatory or Contractual Requirements – CPA firms may perform work for clients who are subject to governmental regulation or that receive funding from government agencies. Such engagements may require firms to retain workpapers and records for a stipulated period of time as provided by the agency’s rules or based on the applicable funding agreement. For instance, federal regulatory agencies require that appraisals performed for their benefit conform to the Uniform Standards of Professional Appraisal Practice (“USPAP”) promulgated by the Appraisal Standards Board. USPAP requires that appraisers retain their workpapers for the longer of five years after preparation or two years after final disposition of any judicial proceeding in which testimony was given.

• Types of Services Rendered – The types of services provided to clients should be considered in establishing a working paper retention period.

Financial Statement Services – Retention of workpapers beyond the applicable statute of limitations may be appropriate due to professional standards or regulatory requirements, a need to respond to issues raised in a tax audit, or support conclusions impacting later reports. In recent years, federal regulators have enacted laws and regulations addressing document retention. The Sarbanes-Oxley Act of 2002 (SOX), Section 802 requires accountants to maintain certain corporate audit records or review workpapers for a period of five years from the end of the fiscal period during which the audit or review was concluded. Records to be retained include the accounting firm's workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review. Section 802 specifically requires the retention of electronic records that are created, sent, or received in connection with an audit or review. The section imposes monetary fines, up to ten years imprisonment, or both, if someone knowingly and willfully violates these provisions. Under 17 CFR §210.2-06, Retention of Audit and Review Records (January 30, 2003), the Securities and Exchange Commission (SEC) requires an accountant to retain, for seven years, records relevant to the audit or review of interim financial statements, including workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent, or received in connection with the audit or review, and contain conclusions, opinions, analyses, or financial data related to the audit or review as required by standards established or adopted by the SEC or by the PCAOB. Furthermore, PCAOB Standard No. 3 has established detailed requirements on documentation of specific items tested, documentation of conclusions and significant matters, and identification of preparers, reviewers, and dates. The standard also requires seven-year retention of all audit documentation for incomplete engagements for which no report was issued after an auditor is terminated or withdraws from the engagement. The AICPA Statement on Auditing Standards No. 103 states that:

“[T]he auditor should adopt reasonable procedures to retain and access audit documentation for a period of time sufficient to meet the needs of his or her practice and to satisfy any applicable legal or regulatory requirements for records retention. Such retention period, however, should not be shorter than five years from the report release date.”

Lastly, some state boards of accountancy have established and others are considering record retention rules applicable to financial statement services performed by CPAs. Failure to comply with these rules can result in disciplinary action, so check the law in each state in which the CPA firm practices prior to establishing a record retention policy.

Tax Services – Workpapers supporting tax return preparation services should be retained at least as long as the period of time the returns may be audited by the taxing authority. For federal income tax returns, the period of limitations for the assessment of a tax generally runs for three years after the return is filed.6 There are two major exceptions to this general rule. In the case of filing a false or fraudulent return with the intent to evade tax, tax may be assessed at any time. If income is understated on a return by 25% or more without adequate disclosure, tax may be assessed for six years after the return is filed.

Treasury Regulation §1.6107-1 (b) requires an income tax preparer to retain a copy or record of tax returns for a three-year period following the close of the return period with extensions. Generally, the IRS can assess more tax during the three-year period after a return is filed and the taxpayer can amend the tax return for corrections or to claim a refund of overpayment or credit within three years from the time the return was filed or two years from the time the tax was paid.7

6 I.R.C. §6501(a)

7 I.R.C. §6501(a) and §6511(a)


After returning original records to a client, firms should consider retaining their workpapers with copies of client tax returns and records for at least seven years.8 However, if a firm decides to retain clients’ returns/records for less than seven years, the firm should advise clients to keep 1) their tax returns/records for seven years if they want to file for credit or refund claims due to a bad debt deduction or loss from worthless securities; 2) their employment records for at least four years after the tax was due or paid, whichever was later; and 3) their asset records indefinitely, even after the asset has been disposed of.9 Clients should also be aware that IRC §6502(a)(1) establishes a ten-year limitations period for collection of the tax, running from the date the tax is assessed.

The audit period for other taxing authorities varies, and should be investigated prior to finalizing retention periods. Consider this issue carefully with respect to out-of-state tax returns that the firm prepares infrequently. In certain circumstances, a longer period may be necessary as practitioners may need to refer to tax returns and related schedules prepared for a client years earlier in order to prepare current tax returns or to amend prior year tax returns. For instance, this could be necessary in considering the application of a net operating loss carryover for a business client.

Further complicating this issue for tax practitioners is the fact that in some states, the limitations period does not begin to run until the client incurs or discovers the damages. The courts apply these rules based on the facts in each case. As a result, in these jurisdictions, statutes and case law may indicate that a tax client does not incur damages until tax authorities issue a final determination letter following an audit, or that a client can pursue claims based upon the discovery of an alleged error after expiration of the limitations period to amend a tax return. In such cases, the limitations period for filing a malpractice claim will not begin to run until these "trigger" events occur. Accordingly, CPA firms that practice in states that apply such rules should consult with their attorney on this issue prior to deciding on a retention period.

Some tax records are prepared in connection with services that potentially could result in malpractice litigation many years after services are rendered. These services include succession and estate planning services and the preparation of trust and gift tax returns. Such records should be retained permanently, even if the firm no longer serves the client for whom service was rendered.

Consulting Services – In some specialized consulting service engagements, the financial impact of actions taken by clients on recommendations made may not occur for many years. Financial planning and engagements concerning the design and implementation of employee benefit and retirement plans are examples. Such records should be retained permanently. For consulting service engagements that do not present this type of long-term exposure, retention periods based upon statutes of limitations may be appropriate.

8 See Rev. Proc. 97-22 & Rev. Proc. 98-25 for the basic requirements that the IRS considers essential in cases where a taxpayer’s records are maintained within a computerized system.

9 See How long should I keep records? at http://www.irs.gov/businesses/small/article/0,,id=98513,00.html

An example of a format for summarizing retention periods is included in Appendix B.

How and Where to Store Records – How and where records are stored needs to be addressed in all policy statements. Generally, workpapers and related records are prepared either on paper or on personal computers.

If the firm prepares its workpapers on paper, they can be scanned for storage or saved in alternative storage media, such as a document management system (“DMS”). Prior to using a DMS, investigate the costs to convert, store, and retrieve records. Determine if records can be maintained in the firm’s offices and retrieved by professional staff, or if an off-site storage provider is required and outside personnel must be used to retrieve records. Weigh these costs against the costs of storing and retrieving paper documents, and compare the ease of locating and retrieving documents. Additionally, suppliers of alternative storage media may employ their own system to code documents for retrieval and disposal. Examine this as well prior to deciding on a particular storage medium. (Refer to Appendix A for guidance on how and where to store electronic records.)

Engagement workpapers that are created using personal computers can be stored electronically using a variety of media, such as compact discs (CDs), zip drives, hard drives, and network servers. Regardless of the medium used, electronic files should be backed up regularly and maintained at a secure, off-site location that is protected against loss from fire, theft, water damage, computer hacking, and other hazards.

A firm may use different approaches to store various types of electronic records. Documents generated from standard business processes, such as expense requests, can be automatically routed to network storage. Storage of tax, bookkeeping, and financial statement service workpapers will likely be based upon the design of software used to render these services.

However, use, storage, and retrieval of e-mail communications require special consideration. Independent of implementing a record retention policy, firms should implement a written policy on the use of e-mail and monitor compliance with the policy. (See Appendix F for a list of resources useful in designing such a policy.)

Once an e-mail use policy has been developed, the technology to be used to store and retrieve e-mail communications should be determined by information technology specialists within the firm in consultation with firm management and attorneys with expertise in the rules of electronic evidence. Firms should maintain centralized control and oversight over the archiving of e-mails. Firms that do not have information technology staff with expertise in e-mail archival and retrieval should consult with external experts on this issue. In general, e-mails that evidence communications with the client or third parties regarding client services should be retained in accordance with the firm's document retention policy, but internal e-mails among firm staff should not be retained unless they contain evidence of work performed for clients. Electronic documents evidencing work performed should be saved within electronic storage folders established for each client and engagement rather than as attachments to e-mails.

A firm should maintain appropriate controls over documentation to prevent unauthorized access or changes after a paper or electronic record is stored, to preserve a clear history of each document (i.e., when and by whom it was created, changed, or reviewed), to protect the integrity of the information contained within, and to allow access to the records only by authorized parties. A firm should adopt reasonable procedures and controls to maintain the confidentiality of client information contained in paper or electronic documents.

Under IRS Rev. Proc. 98-25, if a client’s books and records are maintained within a firm’s computer system, the IRS can request from the firm documentation of the processes that create, modify and maintain books and records; sufficient information to support and verify entries made on the client’s return and to determine the correct tax liability; and substantiation of the authenticity and integrity of the client’s books and records.

If the books and records are stored in an electronic storage system, Rev. Proc. 97-22 requires that the system must 1) ensure an accurate and complete transfer, indexation, storage, preservation, retrieval, and reproduction of the hardcopy or computerized books and records; 2) include reasonable controls and an inspection and quality assurance program to ensure the integrity, accuracy, reliability, and security of the system; 3) have the ability to reproduce legible and readable hardcopies; and 4) provide support for the client’s books and records.10

While the initial investment to establish an electronic document management system to archive and retrieve electronic copies of workpaper files can be substantial depending on the technology used, over time, storing records electronically is generally easier and less expensive than maintaining paper records, and it makes record retrieval easier. Firms must evaluate off-site storage for both paper and duplicate electronic client service records to allow for firm recovery of records and to provide uninterrupted client service in the event of a disaster, such as a fire, flood, hurricane, or computer hacking attack. In choosing off-site storage providers, firms should consider the following factors in addition to availability and cost:

• Dependability and accessibility

• Security and risk of loss due to theft, fire, and water damage, etc.

• Physical and technological protection of data stored on servers, computers, or other media storage devices

• The experience, reliability, and stability of the vendor providing the service

• Insurance coverage for these risks, both under the firm’s existing insurance policies and under policies issued to the storage vendor

10 Document Retention, written by the AICPA Tax Practice Improvement Committee Working Group on Document Retention, provides guidance on document retention for tax practices. The guide includes a sample document retention policy and is available at http://tax.aicpa.org/NR/rdonlyres/2D83CDAB-3A39-487F-9F7D-57136FC61BBA/0/Document_Retention_Guide.doc

Many firms have found that utilizing a combination of on-site and off-site storage best meets their needs. Firms should establish disaster recovery plans that provide for off-site storage of electronic copies of all documents that will be needed to maintain uninterrupted client service in the event of a disaster. Records that are no longer needed to render continuing client services also can be stored off-site. For more information on emergency planning, a free brochure developed by CNA Risk Control is available for download at: http://www.cna.com/downloads/risk_control/Exposure_Guides/EmergencyPlanning.pdf.

Procedures for Records Retention and Destruction – The steps to be followed by the firm in carrying out the retention policy and the identification of firm personnel responsible for doing so should be a part of the written policy statement. Specific matters to be addressed include the following:

• Identification of firm personnel responsible for administration of the records retention policy. Generally, the firm administrator is responsible for carrying out the retention policy under the direction of the managing partner. For sole practitioners and smaller firms, this responsibility will rest with the owner.

• Labeling records for retention and destruction. All engagement workpapers and files should be labeled for retention and destruction at the end of the engagement before they are filed in the firm’s office. This can be simplified by employing standardized methods for indexing and filing workpapers. For paper records, consider the following possible methods:

- Applying hand stamps with a file description, using ink that is color coded for file type (e.g., attest, tax, consulting) and date wheels to specify destruction date

- Using colored file covers, paper, or labels for workpapers that correspond to a code for record type and retention period

Additionally, filing workpapers in numerical order can facilitate identification for later use. Numerical ordering can be based on a pre-assigned client number and then by engagement year.

Electronic records can be labeled by creating electronic folders and employing a system to file records by client name and engagement year.

Regardless of whether records are paper or electronic, it is critical to provide firm personnel with clearly worded and unambiguous instructions about labeling records and to provide training on doing so. With respect to electronic records, provide easy to follow instructions on organizing and maintaining documents in electronic cabinets and file folders, and naming conventions that should be used. Consistency in application is required to facilitate record storage and retrieval.


• Reviewing files for destruction. Before records are destroyed, they should be reviewed and approved for destruction, preferably by the engagement principal. A written file destruction log should be prepared evidencing this review and approval and the log should be retained as a permanent record of the firm. The log should include the client name, a brief description of the files, the person who authorized destruction, the date of destruction, and, if an outside vendor was used, the vendor that performed the service. An example of a file destruction log is included in Appendix C.

If records that meet policy criteria for destruction will be retained due to a special circumstance, the reason and approval for this exception should be documented. The status of such records should be reviewed each year to re-evaluate the need for continued retention. Some DMSs provide a one-time setup of retention periods and expiration dates for each type of document. A firm using this type of DMS should implement features in the system that notify the user of impending document destruction and request a review of the document and confirmation before the destruction process is initiated. A record destruction log should be maintained for all records destroyed.

• Timing of records destruction. The policy statement should identify when files should be reviewed for destruction and when destruction should take place. Some firms schedule this to occur at specific times. The timing selected should be based on what is most convenient for the firm. When possible, schedule this on specific dates for the entire firm and provide the dates to staff well in advance. Provide staff with clear direction on preparing for file review and destruction, and provide deadlines for completing the process.

• File destruction procedures. The methods used to destroy engagement workpapers and files should be specified in the policy. Methods used for all record types (e.g., paper, electronic files, CDs, backup media, and microfilm) should be described. The firm has an obligation to maintain client confidentiality, and destruction methods should fulfill this obligation. Paper files should be shredded or incinerated. If an outside vendor is used, investigate their security methods for transporting and destroying documents. If they have their own system for recording the destruction of documents, obtain a written explanation of how it works, and ask to see a sample of file destruction documentation. Destruction of electronic files requires careful attention. Check with the developer of operating software used on firm computers on the appropriate method to permanently delete files. The method used should verify that duplicate files do not exist on computer hard drives or network servers.

Commercial software is available that is designed to overwrite selected computer data files and e-mails to render them unrecoverable even through the use of forensic methods. These products are generally marketed over the Internet. Investigate the background, experience, and reputation of the software developer, and obtain information on how the software works. Test the software on different types of files before implementing use of the software throughout the firm.


Extra caution must be exercised whenever computer hardware is being retired from service, as confidential client data is stored on these devices. Never sell, contribute, or dispose of computers, personal digital assistants or cell phones, including those that have been damaged or dismantled, without first consulting with an information technology specialist with expertise in ensuring that all data stored on drives on these devices has been overwritten and rendered unreadable. There have been numerous media reports of confidential client data being accessed by subsequent users when businesses have disposed of computer hardware without first considering this issue. By the same token, if storage media is being retired or discarded, these items must be physically destroyed or processed to render all data irretrievable.

• Verifying compliance with established policy statement. As part of its quality control program, a firm should establish steps to monitor compliance with its approved record retention policy. If the policy is not applied consistently and records are destroyed too soon, the firm will be hard pressed to defend its actions if the records later become the subject of a malpractice claim or professional inquiry. On the other hand, if records are retained beyond the destruction date, they will be available for discovery. As memories fade and the authors leave the firm, it may be difficult to reconstruct the context in which these documents were created.

Expected or Pending Litigation or Regulatory Inquiry (Refer to Electronic Discovery discussion in Appendix A) – Clients, or the firm itself, may become parties to litigation or regulatory inquiries that relate to services performed. Criminal investigations of clients may be initiated. The firm also may learn that lawsuits, regulatory inquiries, or criminal investigations concerning either the client or the services are likely to be initiated at a future date. The policy should clearly indicate that once the firm has learned of this, any engagement workpapers and files for that client should not be destroyed until the matter is resolved, even if a subpoena to produce records has not been issued. The firm may be called upon to provide information or testimony, and access to the workpapers may be critical to the response. Additionally, destruction of engagement workpapers or files when a lawsuit, regulatory inquiry, or criminal investigation is reasonably foreseeable can result in adverse consequences to the firm in future lawsuits and can result in fines, penalties, or even criminal charges. Always consult with competent legal counsel prior to responding to inquiries in such situations.

Legal Review – Before a new or modified record retention policy is instituted, the firm’s attorney should conduct a final review to ensure that all legal issues have been appropriately addressed.

Dealing with Past Records – Principals of firms that have never had a record retention policy often are concerned about how to deal with existing records that have accumulated over an extended period of time. While reviewing old files for retention and destruction in accordance with the new policy is the preferred method, this may not always be practical due to the volume of existing records. The simplest method for dealing with this problem is to select an implementation date for the new policy and to draft a letter to continuing and former clients of the firm that both informs them of the details of the policy and provides them with a grace period to contact the firm and request copies of records that qualify for destruction under the policy. Such a letter evidences several things with respect to these clients:


• That they were provided with a copy of the policy as of a specific date;

• That they were informed of the implementation date of the policy; and

• That they were given the opportunity to request copies of records prior to the implementation date and destruction of old records.

This requires the firm to identify and keep records that should be retained under the new policy, and to plan for the destruction of all other records after expiration of the grace period for clients to request copies. If this approach is used, the firm should maintain a spreadsheet listing the name and address (street or e-mail, depending on mailing method used) of each party to whom the letter is sent, and both the spreadsheet and a copy of the letter should be retained permanently as evidence that this communication was completed. This approach should only be followed after appropriate consultation with the firm’s legal counsel. An example of this type of letter is included in Appendix D.

VI. Putting a Record Retention Policy in Place

Once a record retention policy is prepared, the next step is putting the policy in place. This is basically a communications effort, but an important one nonetheless.

To be effective, the policy must be understood and supported by all concerned. This includes all professional and administrative staff that have document retention responsibilities as defined in the policy. When a policy is instituted, organize a staff meeting to explain the need for the policy, how it will work, and staff responsibilities. At a minimum, the written policy should be distributed to staff with an explanatory letter, and questions should be solicited. Firm management should indicate its expectation that everyone will support and cooperate with those charged with implementing the policy.

Additionally, to enhance client communications and prevent future misunderstandings, the firm should inform clients of its record retention policy provisions and benefits, including maintenance of client confidentiality. Common methods for communicating this include:

• Engagement letter

• Special letter or pamphlet on the subject

• Article in periodic firm newsletter

This communication can explain that clients are responsible for retaining their own personal or business records and that the firm’s policy is to return all original client records to the client after their use. The document also can explain that the workpapers prepared by the firm during an engagement are the property of the firm and will be retained in accordance with the firm’s established record retention policy.


A sample engagement letter paragraph for a business client might state the following:

“During this engagement we may need to refer to selected records of [company name] and may require a photocopy of these records for our workpapers. It is our policy to return all of your original records after our use. It is your responsibility to retain your records as you deem appropriate. Our workpapers, including any photocopies that we obtain from you, are our property and will be retained by us in accordance with our established record retention policy. A copy of our record retention policy is attached for your reference (or, is available upon request). This policy stipulates that, in general, we will retain these workpapers for a period of [x] years. After this period expires, the files will be destroyed.”

VII. Using a Record Retention Policy

Project Planning

In the first year of implementing a record retention policy, a firm should expect that the time and costs of implementation will generally be greater than in subsequent years. Hence, additional people, resources, and training should be committed to the project to ensure that it will be completed. It may be helpful for firm management to set up a timeline for the project and monitor progress against pre-established benchmarks and deadlines. Especially in the first year, firm management will have to be persistent in soliciting everyone’s cooperation in keeping the project moving forward.

Project Implementation

Assuming the records retention policy is prepared as described above, the actual implementation project should be relatively straightforward. The following is a high-level summary of the implementation steps that may be followed:

• Firm management plans and budgets annually for the project.

• Firm management explains project and procedures to firm and staff, including timing and identification of assigned participants. Importance of project is conveyed and cooperation of all firm members is requested.

• Firm administrator and assigned staff identify workpapers and files eligible for current review for retention or destruction based on guidelines in policy statement.

• Engagement principals review files in detail and approve destruction as defined in policy statement.

• Files identified by engagement partners as qualifying for an exception to the destruction schedule defined in the policy statement are set aside and the reason and approval for the destruction deferral is documented. (These files should be re-evaluated in the following year for possible destruction.)


• Assigned personnel complete the file destruction process.

• File destruction log is completed.

If an outside vendor is used to destroy records, the vendor should be required to list the files received from the firm and certify that these files were destroyed using the agreed-upon destruction method. The file destruction log should be maintained as a permanent record of the firm.

VIII. Responding to Requests for Workpapers and Records

CPAs may receive requests from clients, former clients, and third parties seeking permission to review or obtain copies of the firm’s workpapers and files.

In general, engagement workpapers and files are the property of the CPA firm. With respect to an audit engagement, professional standards indicate that “workpapers are the property of the auditor, and some states have statutes that designate the auditor as the owner of the workpapers….” 11 The CPA is prohibited from disclosing confidential client information without the specific consent of the client. Such consent should be documented in a client letter to the firm. This confidentiality duty is embodied in the AICPA Code of Professional Conduct,12 as well as in the rules and regulations of certain state boards of accountancy and regulatory and tax authorities.

An overriding concern with respect to workpapers and records is the need to preserve all client engagement records when the firm first learns that:

• A client, the firm, or a current or former employee of the firm is under civil, criminal, or regulatory investigation or expects to be investigated with respect to either client financial matters or services to the client, or

• The client or third parties inquire about services previously provided to the client, or allege directly or indirectly that the services rendered by the firm may have been incomplete or improper, or

• Litigation is pending or expected with respect to these matters, regardless of whether or not the CPA firm or its current or former employees are or are expected to be parties to such litigation.

Under such circumstances, all employees should immediately be advised to retain all firm records pertaining to the client, and to refer any requests for such records to firm management, regardless of the source of the request. Management should consult with the firm's attorneys and professional liability insurer prior to replying to such requests. The subject of preservation of evidence is discussed in further detail in the E-Discovery Section of the Guide to Paperless Document Management, Electronic Evidence, and Electronic Discovery in Appendix A.

11 Id. at AU Section 339.10, Ownership and Confidentiality of Audit Documentation and 501-1, Interpretations Under Rule 501, Response to requests by clients and former clients for records.

12 Id. at ET Section 301. Also see related Ethics Rulings on Responsibilities to Clients at ET Section 391 for discussion of how the rule should be construed and applied.

In considering requests to review or obtain copies of information contained in engagement workpapers, CPAs need to be knowledgeable about the application of confidentiality, privacy, and security rules and laws that apply to their practice, as this may impact responses to such requests. For instance, the FTC and the SEC have rules that apply to CPA firms, their employees, and their subcontractors if they render tax services to individuals or serve as investment advisers or registered representatives of a broker/dealer.13 Other federal agencies are responsible for enforcement of rules that apply to service providers to medical providers (HIPAA) and financial institutions regulators (OCC, FDIC, OTS). Additionally, some states have passed consumer privacy laws affecting professional service firms, and others are considering doing so. Lastly, CPAs are required to comply with confidentiality provisions in the Internal Revenue Code and AICPA Professional Standards. As new rules and laws on these matters are constantly being considered at both the state and federal level, CPAs should consult with their state CPA society and the AICPA on a regular basis for current information on this subject. (For an overview on privacy rules that may apply directly to CPA firms and their employees, see CPA Firms and Privacy of Consumer Financial Information in Appendix G. For more information on the application of HIPAA to providers of service to medical providers, see: http://www.hhs.gov/ocr/hipaa/guidelines/businessassociates.pdf . For more information on the application of Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice to providers of service to federally regulated financial institutions, see New Data Safeguard Regulatory Requirements at: https://www.cpai.com/newsletter/newsletter_indexadmin.php?id=116 .)

In considering responses to requests for information contained in workpapers, CPAs need to consider whether the information requested constitutes engagement workpapers or client records. Guidance regarding retention of client records after a demand is made for them is contained in AICPA Professional Standards, ET Section 501, Interpretation 501-1. This interpretation states that:

“When a client or former client (client) makes a request for client-provided records, client records prepared by the member, or supporting records that are in the custody or control of the member or the member’s firm (member) that have not previously been provided to the client, the member should respond to the client’s request as follows:1

13 In July 2006, the Senate passed legislation, Financial Services Regulatory Relief Act of 2006 (S.2856), which contains a privacy notice exemption for accountants (Section 609, Exemption From Disclosure Of Privacy Policy For Accountants). The House of Representatives previously passed a bill containing a similar exemption. CPAs should monitor developments as the legislators work to prepare compromise legislation.


Client provided records in the member’s custody or control should be returned to the client.

Client records prepared by the member should be provided to the client, except that client records prepared by the member may be withheld if the preparation of such records is not complete or there are fees due the member for the engagement to prepare those records.

Supporting records relating to a completed and issued work product should be provided to the client, except that such supporting records may be withheld if there are fees due to the member for the specific work product.

Once the member has complied with these requirements, he or she is under no ethical obligation to comply with any subsequent requests to again provide such records or copies of such records. However, if subsequent to complying with a request, a client experiences a loss of records due to a natural disaster or an act of war, the member should comply with an additional request to provide such records.

Member’s working papers are the member’s property and need not be provided to the client under provisions of this interpretation; however, such requirements may be imposed by state and federal statutes and regulations, and contractual agreements.

In connection with any request for client-provided records, client records prepared by the member, or supporting records, the member may:

• Charge the client a reasonable fee for the time and expense incurred to retrieve and copy such records and require that such fee be paid prior to the time such records are provided to the client;

• Provide the requested records in any format usable by the client2; and

• Make and retain copies of any records returned or provided to the client.

Where a member is required to return or provide records to the client, the member should comply with the client’s request as soon as practicable but, absent extenuating circumstances, no later than 45 days after the request is made. The fact that the statutes of the state in which the member practices grants the member a lien on certain records in his or her custody or control does not relieve the member of his or her obligation to comply with this interpretation. In addition, certain states have laws and regulations that impose obligations on the member greater than the provisions of this interpretation and should be complied with.


1 The member is under no obligation to retain records for periods that exceed applicable professional standards, state and federal statutes and regulations, and contractual agreements relating to the service performed.

2 The member is not required to convert records that are not in electronic format to electronic format. However if the client requests records in a specific format and the member was engaged to prepare the records in that format, the client’s request should be honored.”14

Many firms receive requests from current or former clients for reports, tax returns, and other documents prepared for a client for which the firm has not been paid. While the firm may not be obligated to release work product that a client has not paid for, it is appropriate to respond to such requests in a dated and signed letter explaining why the documents are not being released. Such letters serve as critical evidence of the timing and explanation for withholding work product if the client later alleges they suffered damages as a result of not having access to the documents. If a client has paid for the services underlying the work product in question but there are other fee disputes pending, the firm should consult with its attorney and professional malpractice carrier prior to responding to these types of requests. Firms should refer to state board of accountancy regulations regarding retention of client records, as such regulations may be different from AICPA ethics standards. For example, Section 68 of the California Board of Accountancy Regulation states that “[U]npaid fees do not constitute justification for retention of client records.”

With the above background in mind, responding to requests for access to or copies of engagement workpapers and records is best considered by addressing such requests in five categories – 1) requests to reissue or furnish copies of previously issued auditor’s reports, 2) other requests from current clients, 3) requests from former clients, 4) requests from successor accounting firms, and 5) requests from third parties.

Requests Involving Previously Issued Audit Reports

Firms may receive requests from current or former clients to reissue or furnish additional copies of previously issued audit reports. Firms receiving such requests should determine why the request is being made, who will receive the reports, and how they will be used.

Firms may also be asked to consent to the inclusion of previously issued audit reports in a planned registration statement or private offering memorandum. In either case, firms receiving such requests should consult with an attorney with expertise in securities law prior to deciding how to respond given the expected new use of its report. Absent a prior understanding with the client as to the future use of the firm’s report, CPA firms are not obligated to consent to this type of request.

14 Refer to AICPA Code of Conduct, ET Section 501-1, Response to requests by clients and former clients for records, for the definitions of client records, working papers, and supporting records.


When new information relating to balances or disclosures in the financial statements has come to the attention of the CPA, further work may be necessary that requires adjustments to the statements or additional disclosures before the re-issuance can be completed. Additionally, when a previously issued audit report will be used, referred to, or included in a filing with a regulatory agency such as the SEC, additional auditor engagement responsibilities generally exist.15 Before consenting to re-issuance or use, the firm needs to address these requirements and responsibilities.

A signed and dated transmittal letter should accompany additional copies of previously issued audit reports furnished to a client or former client from the firm. The letter should indicate that the previously issued audit report was prepared solely for the use of the client and expected users known to the CPA firm at the time it was originally prepared, and should not now be used by any other parties.

Other Requests from Current Clients

Even if a CPA firm does not retain client records in its files, clients may request copies of workpapers, records containing general ledger account analyses, data included on replies to confirmation requests, and other information developed during the engagement. The firm is likely to deem most of these requests reasonable and will want to cooperate with the client. Review the requested workpapers prior to providing copies to the client. Never alter documents in the workpaper file. Upon discovering incomplete information that needs to be supplemented prior to providing copies, prepare separate documents dated and signed by the preparer along with an explanation of why supplemental documents were prepared. These documents should be reviewed and approved by the engagement principal. Include a transmittal letter with the copies sent to the client that lists and describes each working paper, including a statement that the information is for the client’s internal use only. An example of this type of letter is included in Appendix E. In no situation should the firm release its original workpapers or files. Any copying of the firm’s working papers or other records should be done under the firm’s supervision and control.

It is unusual for a client to request copies of a significant portion of a firm’s workpapers, audit planning or fieldwork workpapers, or documentation of analytical work in other practice areas. If this occurs, inquire why the records are being requested, how they will be used, and consult with legal counsel and your professional liability insurer before responding.

CPAs may receive requests for copies of individual tax returns and supporting information from clients who are separating or divorcing and have previously filed joint tax returns. Only one spouse may have furnished the information used to prepare the return, and the other spouse may request copies of previously prepared tax returns and related workpapers. In preparing a joint return, both spouses are considered clients of the firm and have equal right to the information.16

15 Id. at AU Section 530.06-.08, Reissuance of the Independent Auditor’s Report. Also refer to Rule 2100, PCAOB Release No. 2003-007: Registration System for Public Accounting Firms (Rulemaking Docket 001).

A similar issue arises when requests for client records and other information are made by individuals associated with a client who are embroiled in an internal company dispute. The obligation of the CPA in such situations is to respond to requests from the previously designated client representative. An AICPA ethics ruling also indicates that “The member need only supply such information [as designated in ET Section 501.02] once and need not comply with subsequent requests from the representative, or from other individuals associated with the client entity, to again provide this information.”17 Consult with legal counsel and your professional liability insurer before discussing client business with parties to such a dispute.

Other Requests from Former Clients

CPAs may receive requests from former clients for copies of workpapers, previously issued reports, and tax returns. The guidance contained in AICPA Professional Standards, ET Section 501, Interpretation 501-1 also applies to these requests. If the documents requested do not constitute client records as described in the ethics interpretation, providing copies is at the discretion of the CPA firm. It is appropriate to charge for time and expenses incurred in responding to these requests and to require payment at the time of delivery of the copies.

• Copies of Workpapers – Any request from a former client for copies of a firm’s workpapers should be critically evaluated as to indicated need, planned use, and the extent of the request. If the workpapers relate to an engagement that was not completed and no report was issued, CPAs generally should not provide copies of their files. If the former client questions the extent or quality of services performed, consult with your professional liability insurer before proceeding.

• Copies of Previously Prepared Tax Returns – The above discussion regarding requests for copies of tax returns from current clients also applies to requests from former clients. Additionally, CPAs are not required to continue to provide copies of tax returns and supporting data that have previously been furnished to former clients.18 If available, a firm may provide additional copies and charge for its time and expenses in connection with this accommodation.

16 Id. at ET Section 391.031-.032, Disclosure of Confidential Information.

17 Id. at ET Section 591.377-.378, Requests for Client Records and Other Information.

18 AICPA Professional Standards, ET Section 501, Retention of Client Records. Also refer to your state board of accountancy regulations on this subject.


Requests from Successor Accounting Firms

In connection with a company’s change of auditors, certain communications are required between predecessor and successor firms.19 In connection therewith, the successor firm often seeks to examine and obtain copies of the workpapers of the predecessor firm. As indicated in the applicable professional standard, “It is customary in such circumstances for the predecessor auditor to make him or her available to the successor firm and make available for review certain of the workpapers. The predecessor auditor should determine which workpapers are to be made available for review and which may be copied…. The extent, if any, to which a predecessor auditor permits access to the working papers is a matter of judgment.”20

Before responding to any requests from the successor firm, the predecessor should obtain the written consent of the client. In addition, although not required by the professional standards, it is recommended that the predecessor obtain an acknowledgement letter from the client documenting the scope and purpose of the successor’s communications and working paper access.

A sample of such a letter is included in Appendix A to the standard.21 Also, as indicated in the standard, “…the predecessor auditor should reach an understanding with the successor auditor as to the use of the workpapers.”22 Although not required to be in writing by the professional standard, a recommended practice in this regard is to obtain an acknowledgement letter from the successor. A sample of such a letter is contained in Appendix B to the standard.23

Although the above discussion and the referenced professional standard apply only to predecessor and successor firms in connection with an auditing engagement, from a risk management perspective, this guidance should also be followed when requests are received from successor firms in connection with bookkeeping, compilation, review, attest, and tax return preparation engagements.

Requests from Third Parties

CPAs may receive requests from third parties for access to or copies of workpapers and other engagement records. For purposes of this discussion, a “third-party” is any individual or entity other than a client or a former client. Third-party requests may come from parties such as mortgage brokers and lenders,24 attorneys, financial institutions, the IRS, state revenue departments, federal and state regulatory and enforcement agencies or corporate shareholders who are not part of client management, and generally arise from financial statement or tax return preparation services.

19 Id. at AU Section 315, Communications Between Predecessor and Successor Auditors.

20 Id. at AU Section 315.11, Other Communications.

21 Id. at AU Section 315.24, “Appendix A, Illustrative Client Consent and Acknowledgement Letter.”

22 Id. at AU Section 315.11, “Other Communications.”

23 Id. at AU Section 315.25, “Appendix B, Illustrative Successor Auditor Acknowledgement Letter.”

In most circumstances, a CPA should not provide access to or copies of any of its workpapers or records to third parties. Even if a client or former client concurs with a third-party request and provides written consent to the CPA, the firm should consider the reasons for the request and the legal liability implications of complying. In some jurisdictions, CPA firms that permit third parties access to workpapers or provide copies to them may erode privity defenses that can be used to defeat third-party claims alleging malpractice.25

In some circumstances, firms may be required by law, regulation, or contract to provide access to and copies of workpapers to a regulator. In such cases the CPA should still advise the client of the request and that the firm intends to comply with it. The firm should not agree to surrender original workpapers to a regulator, and should maintain control over the workpapers during the access/copying process to ensure confidentiality of client information and the continued integrity of the workpapers.26

CPAs that practice before the IRS should be familiar with their duties to provide information to the IRS and the Director of Practice. Treasury Department Circular No. 230 states that no practitioner shall neglect or refuse to submit records or information upon proper request, unless he or she believes in good faith and on reasonable grounds that the information is privileged.27 In addition, upon request, practitioners need to maintain and make available to the IRS district director copies of tax returns, refund claims, lists of taxpayers and taxpayer ID numbers for returns, and refund claims prepared.28 Further, CPAs must retain and make available a list of tax preparers employed and their identification numbers.29

Requests Based on Subpoena or Administrative Summons

CPAs also may receive a subpoena or summons to testify or produce workpapers and other records. The subpoena or summons may relate to a current or former client’s involvement in civil or criminal litigation, an IRS inquiry or tax audit, a regulatory inquiry, or a lawsuit wherein the CPA firm is a party. Upon receipt of a subpoena or summons to testify about client services or produce client engagement records, a CPA firm should immediately consult with its professional liability insurer and attorney prior to responding to the request. Note that grand jury subpoenas are confidential and that the CPA firm may be prohibited from contacting the client under the terms of the subpoena.

24 See http://www.cpai.com/ for Risk Management Alert, CPA Letters for Loan Brokers and Lenders.

25 Refer to AICPA Tort Reform Issues in the Uniform Accountancy Act for state privity law available at http://www.aicpa.org/download/uaa/Tort_Reform.pdf.

26 Id. at AU Section 9339, Providing Access to or Copies of Audit Documentation to a Regulator, and AT Section 9191.56-.59.

27 Treasury Department Circular No. 230, Regulations Governing the Practice of Attorneys, Certified Public Accountants, Enrolled Agents, Enrolled Actuaries, and Appraisers before the Internal Revenue Service, Sec. 10.20.

28 IRC Sec. 6107(b).

29 IRC Sec. 6060(a).

CPAs that have rendered services to an attorney as a consulting or testifying expert in connection with anticipated or pending litigation who are subsequently subpoenaed as part of that litigation should consult with that attorney regarding their response. On the other hand, CPAs who receive a subpoena pertaining to this work following the settlement or final adjudication of the subject litigation should follow the above guidance.

An overriding concern faced by CPAs in responding to a subpoena or summons is complying with the professional standards requirement that “a member in public practice shall not disclose any confidential client information without the specific consent of the client.”30 This guidance also indicates, “This rule shall not be construed…(2) to affect in any way the member’s obligation to comply with a validly issued and enforceable subpoena or summons, or to prohibit a member’s compliance with applicable laws and government regulations….”31 Additionally, CPAs are prohibited from disclosing tax return information without the client’s consent. The unauthorized disclosure or use of information received in connection with tax return preparation is punishable by a fine of not more than $1,000 or imprisonment for not more than one year (or both), together with the costs of prosecution.32

The Internal Revenue Service Restructuring and Reform Act of 1998 provides a privilege of confidentiality to certain communications between CPAs and their clients. The confidentiality privilege is similar to the attorney-client privilege, but is limited in significant respects to only certain tax advice. Practitioners need to address the requirements and limitations associated with the confidentiality privilege and consider its requirements before responding to a subpoena or summons.33

IX. Impact of Organization Changes on Working Paper Retention

Personnel Leave Firm

When firm principals leave the firm to join or form a separate practice, or a firm dissolves, the question of who should retain the existing workpapers and related files is often raised. Often, the departing individuals take some or all of their clients with them, and access to historical information and data in the workpapers is important to effectively continue service to these clients.

30 AICPA Professional Standards, ET Section 301.01, Confidential Information.

31 Id.

32 AICPA Tax Practice Management Manual, par. 302.2.1 and IRC Sec. 7216.

33 IRC Sec. 7525

Client workpapers are owned by the firm that has provided services to a client, not by the individual doing the work or serving as the primary client contact. Firms should maintain custody of all original workpapers, which may be needed to respond to questions posed by former clients regarding prior services, audits of tax returns prepared by the firm, regulatory inquiries, or to defend the firm in the event of a claim. The firm should be able to assert that the original workpapers have been under its control since they were prepared.

Custody of workpapers should be addressed in firm partnership and incorporation documents, as well as dissolution or separation agreements. Responsibility for maintaining custody of firm workpapers should be spelled out in detail. If departing individuals need certain information in the workpapers to continue client service, arrangements should be made to copy the relevant workpapers. The parties should reach agreement about responsibility for copying costs before this is done, and the firm should obtain written permission from the client prior to providing copies to the departing individuals.34

It is sometimes proposed that departing individuals take the original workpapers and provide written assurance to their old firm that they will make the files available in the event of a malpractice claim or regulatory inquiry. While on the surface this may appear to be a solution, it does not guarantee that the workpapers will be available if needed by the original firm, and the firm will not be able to attest to the continued integrity of the workpapers subsequent to their release, which could become an important issue in the litigation.

Sole Practitioner Terminates Practice

If a sole practitioner terminates his or her practice, the workpapers and files should be retained and disposed of in accordance with the firm’s record retention policy. If the practice is sold to another firm, the sale agreement should spell out responsibility for maintaining the seller’s original workpapers in accordance with their record retention policy. Consult with competent legal counsel when drafting a sale agreement. If the workpapers will be maintained by the buyer, the sale agreement can provide the seller with legal remedies in the event the seller is exposed to legal liability due to the buyer’s failure to retain the workpapers in accordance with the seller’s records retention policy and the sale agreement.

(For more information on this subject, see the article Releasing Original Engagement Working Papers in Appendix H.)

X. Summary

The preparation and retention of engagement workpapers and related files is an important element of providing professional services to clients. Such records are critical not only as evidence of adherence to applicable professional and regulatory standards, but also are important in providing efficient ongoing client service. However, most engagement workpapers and files need not be retained forever. Besides the obvious impact permanently retaining all such files can have on a firm’s space and storage needs, keeping all records can be costly, make file research difficult and time-consuming, complicate the maintenance of security of client information, and potentially be detrimental in the event of litigation involving a client or the firm.

34 AICPA Professional Standards, ET Section 301.01, Confidential Client Information.

CPA firms are encouraged to carefully consider the needs of their practice with respect to retaining engagement workpapers and files and to develop and implement a written records retention policy. Adopting a written policy that is well thought out and consistently followed will yield long-term benefits to the firm and its clients.


Appendix A – Guide to Paperless Document Management, Electronic Evidence, and Electronic Discovery

Document Management System (DMS) - With advances in digital technology, many CPA firms have changed or are planning to change from a paper records environment to electronic records. A number of vendors specializing in electronic document imaging and electronic data input and storage systems have developed DMSs to facilitate this migration and support an all-digital records environment going forward. Generally, these software systems categorize, store, locate, and retrieve electronic copies of scanned paper or computer-generated documents and create electronic records/documents. Some systems can interface with other software applications, making them more user-friendly. A good DMS can help a firm reduce filing, distribution, and storage costs, improve and protect access to information, comply with government regulations, and provide operation efficiencies. At the same time, using such software can facilitate teamwork, information sharing, and the secure distribution and storage of documents.

The design and cost of a DMS varies widely. Some systems are designed primarily for storing and retrieving records, while others are designed as a network application that maintains both current and past records and allows easy access to all records electronically. Many of these systems also provide solutions that are designed to analyze the current costs of storing and retrieving records and compare those costs to the costs of the new system.

Requirements of a DMS – The firm should consider the following in evaluating its DMS needs:

• Review the guidelines set forth in The Sedona Guidelines: Best Practices Guidelines & Commentary for Managing Information & Records in the Electronic Age, at http://www.thesedonaconference.org/publications_html. These guidelines promote effective approaches to address the key issues of electronic records management.

• Establish a planning committee with representation from all affected groups, including information technology (IT) and legal departments. IT personnel can help:

o Determine if the existing IT infrastructure is capable of handling a DMS

o Verify the requirements needed for a DMS to be technically compatible with the existing network infrastructure

o Evaluate DMS capability to interface with other applications and additional resources when needed for expansion and improvement

• Recommend appropriate data security and recovery systems. Internal or outside legal counsel should be consulted on the litigation process, development of policies and procedures to respond to subpoenas or requests for discovery of electronic evidence, and software requirements to permit fast and easy retrieval of electronic documents from a centralized and non-rewritable e-mail depository.


• Focus on how the firm operates and how information is used and documents are shared by various groups. First, the firm should create a record of all the hardware and software in use and the locations of all electronic data. The firm should also create a record of all properties applied, such as naming conventions, version control, storage locations, and backup routines/tape rotation for both completed (finished or archived) and incomplete (work-in-process or can be modified) data/documents, in addition to the firm's document retention policy. This should be completed for all firm data, not just workpaper files for client engagements.

• Define needs and requirements (e.g., the number and size of documents expected to be processed per day.) Other considerations include document size and content, locations where documents will be created, the number of documents to be imported into or exported from the DMS, the number of users that will access documents within the system, and the types of access controls necessary to protect sensitive and confidential documents.

• Prepare a committee report explaining how correspondence and document flows would change and how the system should be managed. Before selecting a DMS, the firm must decide the extent to which paperless work applications should be implemented in the organization. This is a significant decision which must account for the time and costs associated with installing the system and conducting required training, and the ability of firm staff to adapt to new systems. While for many CPA firms the path of least resistance is to consider a DMS that will work effectively with the various software applications the firm is currently using, firm management should use the committee report as a reference document to facilitate a discussion about the firm's strategic plans for developing and growing the practice. Consider how the firm would like to use both paperless work applications and the DMS to improve work flow, firm communication, and collaboration within the firm, and the capital investment required to achieve these improvements. Consult with other CPA firms that have implemented the use of different types of paperless work applications and DMSs to facilitate this discussion.

Selection of a DMS – The process of selecting a DMS begins with the evaluation of the experience, reputation, longevity, and attributes of each vendor, and any recommendations or endorsements by a legitimate third-party. Firm management should gain an understanding of the features and functions of each DMS to determine which one would meet its budget, needs, and situation. After doing so, the firm should create a written workflow process analysis to assist in the design of a document control hierarchy to manage the distribution of electronic documents. Under the hierarchy, the electronic documents should be organized and stored with search features so they can be distributed or retrieved easily.

In general, a DMS has three main functions that should be considered: digitizing, managing, and retrieving.

• Digitizing - A firm has several choices to digitize paper documents, including the use of a manual feed scanner or a multifunction product with automatic feeders that can scan documents at high speed and handle two-sided documents. For electronic documents, a digital sender that is attached to a network and can send electronic files directly to document management software can be used for processing. The choice depends on the volume of documents to be converted to electronic form and the indexing system to be used to retrieve documents. An indexing system built into the imaging software will enable a DMS to find a document using key words.

The first option for indexing is "image only." This allows documents to be retrieved through a descriptive file name or index code that is typed onto the image as the document is fed into a scanner. The second option utilizes optical character recognition (OCR) software that enables searches for any word or number on the image and retrieval or reproduction of any part of the document. The third option allows the user to select "image only", OCR, or both, based on the type of documents to be stored and how detailed the user wants the indexing to be. In addition, the codes of extensible markup language (XML) or extensible business reporting language (XBRL) can be added to the data, which will accelerate the retrieval process as these technologies become more widely used.

Conducting a search by keywords is an effective method for finding related documents within a predetermined document control hierarchy. For a CPA firm, search engines which permit search by client or engagement will also be needed to facilitate document search and retrieval.

• Managing - The next decision is where or how to store documents. After the documents have been scanned and digitized, the data files can be filed based on a typical tree format with branches and sub-branches and stored in local file servers, Web servers, and specialized storage servers. The decision depends on the workflow processes used (i.e., how electronic documents are certified, electronically signed, and how they flow through the organization).

The firm should have a written policy on regular and systematic backup procedures. The system should be backed up daily to protect against information loss, since the paper originals will be destroyed soon after scanning. As part of the firm’s disaster recovery plan, a second copy of the data should be stored off-site, and two copies of the data using a different storage medium, such as CDs, optical disks, or digital video discs, should be made and stored safely both on-site and off-site.

The FTC and other federal and state regulators have issued security and safeguard requirements for private personal information under their regulations. The firm should establish policies to define who has access to which documents and who can view, modify, print, forward, or delete certain documents in the DMS. User logs should be maintained to track and provide evidence of which users have accessed which document(s), and what the user did with the document(s). Secure, computer-generated, time-stamped audit trails that automatically record the date and time of operator entries, and actions that create, modify, or delete electronic records/documents are preferred methods to preserve evidence regarding use of electronic documents.


Refer to the previous section on How and Where to Store Records? and the following section on E-Discovery for additional considerations.

• Retrieval - The DMS retrieval software should allow any authorized user to instantly retrieve a document after it has been indexed and stored. Both current and archived electronic documents should be available to those with proper access. The retrieval software should have auto-archiving functions and track the location of records, who has access to them, and when they should be destroyed.

An overview of electronic document imaging and storage systems can be found in the April 2005 article Document Management Software Review by Barry Knaster of Accounting Technology magazine, accessible at https://www.cpa2biz.com/News/Selected+Features/Document+Management+Software+Review.htm.
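The secure, computer-generated, time-stamped audit trail described under Managing above can be made tamper-evident by chaining each entry to the one before it. The following is an added example, not code from this guide or from any DMS product; the class, field names, key handling, and sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # value the first entry chains from


class AuditTrail:
    """Append-only DMS audit trail: each entry is MACed and chained to the previous one."""

    def __init__(self, key: bytes):
        self._key = key      # assumption: held by the logging service, not by DMS users
        self.entries = []

    def _mac(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()

    def record(self, user, action, doc_id, when=None):
        # In production the timestamp comes from the system clock only;
        # `when` exists so the constructed sample below is reproducible.
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "user": user,
            "action": action,        # e.g. create / view / modify / print / delete
            "doc_id": doc_id,
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def head(self):
        """(entry count, last MAC): store this outside the DMS to detect truncation."""
        return (len(self.entries), self.entries[-1]["mac"] if self.entries else GENESIS)

    def verify(self, expected_head=None):
        """Return None if the trail is intact, otherwise a description of the first problem."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return f"entry {i}: sequence or chain break (record removed or reordered)"
            if not hmac.compare_digest(self._mac(body), str(entry.get("mac", ""))):
                return f"entry {i}: contents changed after recording"
            prev = entry["mac"]
        if expected_head is not None and expected_head != self.head():
            return "trail does not end at the anchored head (truncated or extended)"
        return None


def build_sample_trail():
    """Constructed sample events, not real log data."""
    trail = AuditTrail(key=b"constructed-demo-key")
    at = lambda hour, minute: datetime(2006, 7, 3, hour, minute, tzinfo=timezone.utc)
    trail.record("asmith", "create", "XYZ1998-1/wp-12.pdf", at(9, 15))
    trail.record("bjones", "delete", "XYZ1998-1/wp-12.pdf", at(9, 40))
    trail.record("asmith", "view", "DEF1996-1/review.pdf", at(10, 5))
    trail.record("asmith", "print", "DEF1996-1/review.pdf", at(10, 6))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    anchored = trail.head()
    print("intact:", trail.verify(anchored))
    trail.entries[1]["action"] = "view"      # someone rewrites a delete as a view
    print("after edit:", trail.verify(anchored))
```

Editing or removing an entry breaks the chain at that position; dropping the newest entries is only caught when the head value is kept somewhere the DMS administrators cannot rewrite.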

Electronic Evidence - As noted earlier, original engagement workpapers, records and correspondence (including e-mails and instant messages) are critical in the defense of accounting malpractice claims. Prior to converting and storing written documents in an electronic format, it is important to consider how this could impact the defense of a malpractice lawsuit or a response to a legal or regulatory inquiry.

The admissibility of computerized business records as evidence has been litigated extensively. Under the Federal Rules of Evidence, which many states have adopted, records that were created electronically (such as e-mails and spreadsheets) are admissible, provided that:

• The document does not amount to hearsay under applicable rules of evidence (there are hearsay exceptions applicable to electronic documents),

• The document can be authenticated properly as an original record, and,

• Evidence can be presented establishing who created the document, the contents of the document, how the document was created, and that it was not altered, either intentionally or unintentionally.

In addition to meeting these criteria, electronic records that were created as scanned or faxed copies of original paper documents present additional hurdles to get admitted as evidence. Rules 1002 and 1003 of the Federal Rules of Evidence state the following:

“To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.

A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.”


Although electronic documents are regularly presented as evidence in courts, courts have broad discretion to interpret how applicable rules of evidence apply to electronic documents. Written documents are often relied upon by CPAs in forming opinions or conclusions, and it is important to preserve the right to produce a record of these documents as evidence in the event of malpractice litigation. Examples of these types of documents include (in an audit engagement) corroborating evidential matter, such as minutes of board meetings or responses to confirmation requests.

Certain electronic documents should be preserved without alteration for the entire required period of record retention (e.g., an electronically filed tax return.) Controls should be in place within the firm to verify the completeness of electronic documents and detect any alterations. Any record bearing an electronic signature should contain the name of the signatory, the date and time of signature, and any information that explains the meaning of the affixed signature. In addition, there should be controls in place to prevent the signature from being detached, copied, or otherwise altered.
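One way to implement the controls in the preceding paragraph, as an added example that is not part of the guide: a sealed manifest that reports missing and altered documents, and a signature record that carries the signatory, time, and meaning and is bound to one document's digest so it cannot be detached or copied onto another. All names and sample documents are constructed, and the HMAC stands in for a real digital signature (an assumption; a keyed MAC can be produced by anyone holding the key).

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"   # assumption: a key kept outside the DMS


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _tag(obj, key: bytes) -> str:
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_archive(documents: dict, key: bytes) -> dict:
    """Record name -> SHA-256 for every archived document and seal the list."""
    entries = {name: digest(data) for name, data in documents.items()}
    return {"entries": entries, "seal": _tag(entries, key)}


def check_archive(documents: dict, manifest: dict, key: bytes) -> dict:
    """Compare the archive as it is now with the sealed manifest."""
    if not hmac.compare_digest(_tag(manifest["entries"], key), manifest["seal"]):
        raise ValueError("manifest seal invalid: the manifest itself was changed")
    recorded = manifest["entries"]
    return {
        "missing": sorted(set(recorded) - set(documents)),       # completeness
        "unexpected": sorted(set(documents) - set(recorded)),
        "altered": sorted(name for name in recorded
                          if name in documents and digest(documents[name]) != recorded[name]),
    }


def sign_record(doc: bytes, signatory: str, signed_at: str, meaning: str, key: bytes) -> dict:
    """Signature record with the three fields the paragraph lists, bound to the document."""
    record = {
        "signatory": signatory,
        "signed_at": signed_at,
        "meaning": meaning,
        "doc_sha256": digest(doc),   # binding: the record is only valid for this content
    }
    record["tag"] = _tag(record, key)
    return record


def signature_valid(doc: bytes, record: dict, key: bytes) -> bool:
    body = {k: v for k, v in record.items() if k != "tag"}
    if body.get("doc_sha256") != digest(doc):
        return False                 # signature moved to a different or edited document
    return hmac.compare_digest(_tag(body, key), str(record.get("tag", "")))


# Constructed sample archive (file names and contents are illustrative only).
SAMPLE_DOCS = {
    "2005-1040-efile.xml": b"<return year='2005'>constructed sample</return>",
    "board-minutes-2005-03.pdf": b"%PDF constructed sample minutes",
    "confirmation-response-17.pdf": b"%PDF constructed sample confirmation",
}

if __name__ == "__main__":
    manifest = seal_archive(SAMPLE_DOCS, DEMO_KEY)
    later = dict(SAMPLE_DOCS)
    later["2005-1040-efile.xml"] += b" "          # one byte appended
    del later["board-minutes-2005-03.pdf"]        # one file gone
    print(check_archive(later, manifest, DEMO_KEY))
```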

Prior to purchasing an electronic document imaging and storage system, ask the vendor or manufacturer to provide a copy of any legal analysis prepared on the admissibility into evidence of documents that have been duplicated or stored by their system. Have an attorney with expertise on rules of evidence review these materials prior to investing in a system.

Electronic Discovery (E-Discovery) – As the legal community recognizes the significance of electronic evidence (e-evidence), courts routinely require litigants to identify and produce discoverable electronic information. All litigants have a preservation duty (i.e., “a duty to preserve what it knows, or reasonably should know, is relevant in the action, is reasonably calculated to lead to the discovery of admissible evidence, is reasonably likely to be requested during discovery, and/or is the subject of a pending document request”35). Once a party (firm or client) reasonably anticipates litigation, the firm must suspend its routine document retention and destruction policy and put in place a “litigation hold”36 to ensure the preservation of relevant documents.37 The firm should monitor the continuous compliance of the preservation obligation and reinforce litigation hold instructions from time to time.

Under 18 USC §1519, fines may be imposed on anyone who knowingly destroys any document with the intent to impede, obstruct, or influence the investigation or proper administration of any matter under the jurisdiction of any department of the U.S. government or in relation to or contemplation of any such matter or case.

Two provisions of SOX that affect accountants serving publicly traded companies have a major impact on electronic documents:

35 Thompson Co. v. General Nutrition Corp., 593 F Supp. 1443, 1455 (C.D. Cal. 1984)

36 A litigation hold is a process used by companies to advise their employees of pending or anticipated litigation and of their obligation to preserve relevant records and to suspend their normal records-destruction policies as they relate to potentially relevant records.

37 In Zubulake v. UBS Warburg, 220 F.R.D. 212 (SDNY 10/22/03) (Zubulake IV), spoliation was found when backup tapes containing e-mails of key players were lost and e-mails were deleted.


• Document alteration or destruction. SOX §802 provides that fines or imprisonment of up to twenty years, or both, can be imposed if people knowingly alter, destroy, mutilate, conceal or falsify any document or tangible object with the intent to impede, obstruct or influence proceedings involving federal agencies or bankruptcy proceedings.

• Obstruction of justice. SOX §1102 prohibits an individual from acting or attempting corruptly to alter or destroy a record or other object with the intent to impair the object’s integrity or availability for use in an official proceeding. Any violation is punishable with fines and/or imprisonment of up to twenty years.

In many businesses, electronic information is automatically purged every day when backup tapes are recycled and deleted files are overwritten by new data. Whether intentional or inadvertent, discoverable information may be destroyed. Accordingly, firms should consult with attorneys with expertise in the rules of electronic evidence regarding appropriate data backup and preservation, especially with regard to e-mail, which has served as critical evidence in legal and regulatory matters.

Investigations conducted in recent corporate and accounting scandals revealed that e-mails and other e-evidence, such as data stored on backup tapes and metadata, have an impact on the outcome of litigation. Firms may be required to track, control, and/or record all communications (including instant messaging) by their employees for record retention and preservation, unauthorized disclosure prevention, search and retrieval, and privacy protection purposes. Each member of a firm should treat e-mails and other electronic communication as potential evidence. They should not contain commentary the sender would not want to read on the front page news or in a courtroom, where it may be presented out of context. A number of cases have been won and lost on the discovery of a single unguarded comment recorded in a long-forgotten e-mail between co-workers. Although an e-mail may be deleted, replicated electronic footprints of that e-mail are available through routine backup files, copies blind-copied or forwarded to others, or other media.

As discussed earlier, consideration of e-discovery should be a major factor in selecting a DMS. Without a powerful search engine, it will be a daunting task to search through large volumes of electronic data for discovery. Moreover, the cost of identifying, reviewing, organizing, and producing electronically stored information can be exorbitant.

Consequently, in the event a firm becomes aware that client workpapers or other data are likely to be requested in connection with expected or actual civil, criminal or regulatory investigations or litigation, the firm should take reasonable steps to identify all sources of potentially relevant information, to preserve information it knows or should know is discoverable, to prevent the destruction of information in violation of an order for preservation, and to produce information that is discoverable.

Some procedures that should be considered to identify and capture discoverable information while litigation is pending include:


• Issuing a litigation hold (an order to preserve documents relevant to the subject matter of the litigation);

• Identifying backup media containing potentially relevant information and removing them from the recycling process;

• Identifying individuals who are most likely to have generated or received potentially relevant information, and making copies of all of their e-mails and electronic files (current and archived) stored in hard drives and on networks to preserve the information;

• Taking possession of all desktop and laptop computers, personal digital assistants, external drives and other storage media that do or may contain relevant data; and

• Documenting the procedures performed to preserve and collect the information.
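Where the routine destruction schedule is automated, the litigation hold in the first procedure above has to override it in the same code path. The following added example (not from the guide) shows a retention sweep that withholds any file covered by an active hold, even when its retention period has expired, and emits disposal-log rows in the shape of Appendix C; the retention periods, hold, matter name, and third file are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class FileRecord:
    file_number: str
    client: str
    description: str
    closed: date            # date the retention clock starts (assumption)
    retention_years: int    # constructed values; the guide leaves these as X/Y/Z


@dataclass
class LitigationHold:
    matter: str
    clients: set
    issued: date
    released: Optional[date] = None   # set only when counsel lifts the hold

    def covers(self, record: FileRecord, today: date) -> bool:
        active = self.issued <= today and (self.released is None or today < self.released)
        return active and record.client in self.clients


def retention_expiry(record: FileRecord) -> date:
    year = record.closed.year + record.retention_years
    try:
        return record.closed.replace(year=year)
    except ValueError:                       # closed on Feb 29, target year not a leap year
        return record.closed.replace(year=year, day=28)


def retention_sweep(records, holds, today: date):
    """Return (disposal_log, held, retained) without deleting anything itself."""
    disposal_log, held, retained = [], [], []
    for record in records:
        blocking = [h.matter for h in holds if h.covers(record, today)]
        if blocking:
            # The hold wins even if the retention period has already run out.
            held.append((record.file_number, blocking))
        elif today >= retention_expiry(record):
            disposal_log.append({
                "client": record.client,
                "file_number": record.file_number,
                "description": record.description,
                "retention_expired": retention_expiry(record).isoformat(),
                "authorized_by": None,       # principal signs off before destruction
            })
        else:
            retained.append(record.file_number)
    return disposal_log, held, retained


# First two rows reuse the Appendix C sample entries; dates and periods are constructed.
SAMPLE_FILES = [
    FileRecord("DEF1996-1", "DEF Company",
               "Financial Statements Review-12/31/1996", date(1996, 12, 31), 7),
    FileRecord("XYZ1998-1", "XYZ Partnership, Ltd.",
               "1998 Federal Income Tax Return Workpapers", date(1999, 4, 15), 7),
    FileRecord("GHI2004-1", "GHI Corp (constructed)",
               "Constructed sample file", date(2004, 2, 29), 3),
]
SAMPLE_HOLD = LitigationHold("Matter 2006-01 (constructed)",
                             {"XYZ Partnership, Ltd."}, issued=date(2006, 5, 1))

if __name__ == "__main__":
    log, held, retained = retention_sweep(SAMPLE_FILES, [SAMPLE_HOLD], date(2006, 7, 1))
    print("dispose:", [row["file_number"] for row in log])
    print("held:", held)
    print("retained:", retained)
```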

Courts have imposed both monetary sanctions and default judgments against parties for failing to preserve information in litigation. In Coleman (Parent) Holdings Inc. v. Morgan Stanley & Co. Inc.38, the jury awarded Coleman $1.45 billion ($604.3 million in compensatory damages and $850 million in punitive damages) for Morgan Stanley's failure to comply with a court order requiring the company to search and produce e-mails contained on its backup tapes. In Metropolitan Opera Association v. Local 100, Hotel Employees & Restaurant Employees Int’l Union39, the Court entered a judgment against the defendant and found its counsel grossly negligent (amounting to intentional misconduct) when he consistently represented that all documents were produced without a reasonable basis or adequate search. For CPA firms, the implications are significant. While attorneys may be retained to represent the firm in responding to court orders to preserve and provide data, the firm itself is responsible for taking appropriate action to comply with the orders, based on the attorney’s instructions. Failure to comply can result in sanctions and damage awards for which there may be no coverage under professional liability insurance policies.

It is crucial for each firm to designate a member of firm management as the overseer of e-discovery policies and procedures and to appoint a litigation response team. The team should include the firm's outside counsel, senior management, firm principals in charge of human resources and the firm's practice specialties, and senior personnel in charge of information technology. The firm should establish an action plan for litigation that includes the suspension of the firm’s routine document retention and destruction policy, notification to “key players” and employees involved with the litigation hold (at the outset of litigation or whenever litigation is reasonably anticipated), and other necessary steps to monitor compliance so that all sources of discoverable information are identified and searched. Before developing an action plan, the firm should refer to The Sedona Principles: Best Practices Recommendations & Principles for addressing Electronic Document Production, written by a think tank of leading jurists, lawyers, experts, academics, and others.40

38 Fla. Cir. Ct. Mar. 23, 2005

39 212 F.R.D. 178, 221-22, 231 (S.D.N.Y. 2003)

Sometimes record retention policies and enforcement threats may not be sufficient to maintain consistent control over the handling, retention, and destruction of firm data. There may be a need to modify existing business practices. Firms may utilize software to electronically enforce compliance, using techniques such as monitoring usage or non-compliance, sending automatic messages to reiterate policies on usage and/or consequences of non-compliance, setting up controls and parameters for usage (who, which, and when), and logging and tracking document usage.

40 http://www.thesedonaconference.org/publications_html


Appendix B – Sample Summary of Record Retention Periods

ABC, CPAs
Summary of Record Retention Periods for Engagement Workpapers and Files

| Engagement & File Description | Total Retention Period | Retention in Office | Retention in Storage |
|---|---|---|---|
| Audit Engagements: Annual Working Paper Files | X Years | Y Years | Z Years |
| Audit Engagements: Carry-Forward Workpapers | Existing Clients: Permanent | Permanent | N/A |
| | Former Clients: X Years | N/A | X Years |
| Audit Engagements: Firm’s Copy of Audit Reports Issued | Permanent | Y Years | Permanent |
| Audit Engagements: Correspondence File | Permanent | Y Years | Permanent |
| Tax Engagements: Annual Income Tax Return Preparation Workpapers | X Years | Y Years | Z Years |
| Tax Engagements: Carry-Forward Workpapers | Existing Clients: Permanent | Permanent | N/A |
| | Former Clients: X Years | N/A | X Years |
| Tax Engagements: Firm’s Copy of Income Tax Returns Prepared | X Years | Y Years | Z Years |
| Tax Engagements: Firm’s Copy of Trust & Gift Tax Returns Prepared | Permanent | X Years | Permanent |
| Etc.— Files For Other Service Areas | | | |


Appendix C - Sample File Disposal Log

ABC, CPAs
Engagement Files and Records Disposal Log

| Client Name | File Number | File Title/Description | Signature of Principal Reviewing File & Authorizing Disposal |
|---|---|---|---|
| DEF Company | DEF1996-1 | Financial Statements Review-12/31/1996 | |
| XYZ Partnership, Ltd. | XYZ1998-1 | 1998 Federal Income Tax Return Workpapers | |

Disposal Certification

I certify that the files listed above were destroyed by me or others under my supervision on_______________ as specified in the firm’s record retention policy dated July 31, 200X.

___________________________________________ ____________________ Signature Date


Appendix D – Sample Letter to Clients Covering Newly Adopted Record Retention Policy and Procedures Regarding Old Workpapers and Files

ABC, CPAs
123 Any Street
Anytown, USA

June 1, 200X

XYZ Client
456 Any Street
Anytown, USA

Dear_______:

Our firm has recently adopted a record retention policy covering our firm’s engagement workpapers and related files. I am enclosing a summary of this policy for your information. Beginning August 1, 200X, we will begin implementing this policy. In this initial implementation period, we will be reviewing old files not falling within the specified retention period and destroying those records. In destroying records, we will employ appropriate safeguards to protect client confidentiality.

As you know, it has been our policy for some time to return to you at the conclusion of each engagement all of your original records that we may refer to during the course of our work. We will continue to do so under our new policy. You continue to be responsible for maintaining the necessary accounting, tax, and other records in support of your financial statements and tax returns.

If you wish to obtain copies of work products we previously provided to you or additional copies of supporting documentation you provided to us pertaining to services rendered to you or your company prior to January 1, 199X, we must receive your written request listing the specific documents you are requesting no later than July 1, 200X. If we anticipate that our time to research and retrieve the requested documents will exceed one hour, we will contact you to discuss this. You will be billed at the rate of $ XX per hour for the time incurred to research and retrieve records, plus XX¢ per page for copies.

On August 1, 200X, we will begin the scheduled destruction of engagement workpapers and related files per the enclosed record retention policy. If you have further questions, please contact our office.

Sincerely,


Appendix E – Sample Transmittal Letter Accompanying Copies of Workpapers Furnished to a Client

ABC, CPAs
123 Any Street
Anytown, USA

June 1, 200X

XYZ Client
456 Any Street
Anytown, USA

Dear_______:

As you requested, I am enclosing the following copies of schedules from our workpapers for the (engagement description):

(Include description of each working paper copy including title, date, working paper index (if available), description of information presented and number of pages)

The enclosed copies are for your company’s internal use only in (describe the client’s stated purpose or need for the workpapers) and are not to be distributed to any third party. If these workpapers become the subject of any subpoena, summons, or court order that you receive, you agree to notify us immediately before complying with such order.

Sincerely,


Appendix F – Resources on Establishing an E-mail Use Policy and E-mail Management

• Creating Corporate Policies for Internet E-mail, Tumbleweed Communications, available at http://uk.builder.com/whitepapers/0,39026692,60041867p-39000928q,00.htm

• AHI’s Employment Law Resource Center, Electronic Communications, available at http://www.ahipubs.com/cgi-research/show_research_items.pl?TopicID=7&SubTopicID=69

• Overcoming E-Mail Overload: Techniques and Tips for Avoiding Malpractice, Streamlining, and Improving Effectiveness, James A. Calloway and Richard G. Ferguson, available at http://www.abanet.org/abastore

• E-mail Management, Dennis Kennedy, March 2006, available at http://www.abanet.org/abastore

• Tips for Mastering E-mail Overload from Harvard IT available at http://hbswk.hbs.edu/item.jhtml?id=4438&t=srobbins

• E-mail Management Tips from Microsoft Work Essentials available at http://office.microsoft.com/en-us/FX011315911033.aspx

• Your Inbox Spilleth Over? E-Mail Management Strategies That Work available at http://www.abanet.org/lpm/lpt/articles/bot07062.shtml

• Managing Incoming E-mail: What Every User Needs to Know available at http://www.goodexperience.com/reports/e-mail/

• The 10 Commandments of E-mail available at http://www.ismckenzie.com/07/12/the-10-commandments-of-e-mail/

• 7 tips of handling your E-mails without feeling overwhelmed from LifeHack.Org available at http://www.lifehack.org/articles/lifehack/7-tips-of-handling-your-e-mails-without-feeling-overwhelmed.html

• E-mail Overload by Itzy Sabo available at http://itzy.wordpress.com/


Appendix G: CPA Firms and Privacy of Consumer Financial Information

Gramm-Leach-Bliley Act

Practitioners that provide tax and financial planning services to individuals are subject to the rules implemented by the Federal Trade Commission (FTC) as a result of passage of The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (“Act”). The Act imposes prohibitions and requirements on all financial institutions regarding the disclosure of private consumer financial information. Two sets of rules, called the Financial Privacy Rule and the Safeguards Rule, apply to practitioners and businesses that are “significantly engaged” in providing tax, compliance and financial planning services to individuals, and to any third-party service providers they utilize to provide these services.

CPAs and CPA firms that render tax services to individuals are required to comply with these rules. The Financial Privacy Rule, Privacy of Consumer Financial Information, can be found in the May 24, 2000 Federal Register (16 CFR Part 313) and can be downloaded from the FTC web site at http://www.ftc.gov/os/2000/05/65fr33645.pdf. The rule requires that certain disclosures regarding the privacy policy and practices of a service provider must be made to the consumer either in writing or, if the consumer agrees, electronically. The regulation requires a one-time disclosure to new clients and an annual disclosure to all continuing clients. [Note: In July 2006, the Senate passed legislation, Financial Services Regulatory Relief Act of 2006 (S.2856), which contains a privacy notice exemption for accountants (Section 609, Exemption from Disclosure of Privacy Policy for Accountants). The House of Representatives previously passed a bill containing a similar exemption. CPAs should monitor developments as the legislators work to prepare compromise legislation.]

The Safeguards Rule, Standards for Safeguarding Customer Information, can be downloaded at http://www.ftc.gov/os/2002/05/67fr36585.pdf. The standards require these practitioners and businesses and any third-party service providers they utilize to maintain adequate safeguards to prevent the disclosure of customer information to others without the express consent of the client.

SEC Privacy Regulation

Some CPA firms employ individuals who are investment advisers or representatives of a broker/dealer. The Securities and Exchange Commission (SEC) enacted Regulation S-P, Final Rule: Privacy of Consumer Financial Information, applicable to the enforcement of the Act. This regulation applies to investment advisers registered with the SEC, brokers, dealers, and investment companies. Like the Financial Privacy Rule, Regulation S-P applies to services rendered to individual clients, and requires a one-time disclosure to new clients, and an annual disclosure to all continuing clients. The regulation can be downloaded from the SEC web site at no charge at http://www.sec.gov/rules/final/34-42974.htm . SEC staff responses to questions about Regulation S-P can be found at http://www.sec.gov/divisions/investment/guidance/regs2qa.htm . Investment advisers registered with the SEC and broker/dealer representatives should consult with their affiliated investment advisory firm or broker/dealer and competent legal counsel regarding compliance with this regulation.

Helpful additional guidance about complying with consumer privacy rules promulgated by various federal agencies to enforce the provisions of the Act is available at http://www.complianceheadquarters.com/Privacy/Privacy_Q_A_Archive/privacy_qa_archive.html . This is a commercial web site sponsored in part by CCH Incorporated.


AICPA Privacy Professional Standards

Extensive ethics rules also prohibit CPAs from disclosing confidential client information to third parties. Rule 301 of the AICPA Professional Standards prohibits AICPA members in public practice from disclosing confidential client information without the specific consent of the client. Under Ethics Ruling No. 112 - Use of a Third-Party Service Provider to Assist a Member in Providing Professional Services, AICPA members are required to enter into a contractual agreement with any third-party providers to ensure that the providers agree to maintain information as confidential, and to establish the proper procedures to do so (see http://www.cpai.com/newsletter/newsletter_indexadmin.php?id=112; http://www.aicpa.org/download/ethics/Sample_Disclosure_Notification.pdf, & http://www.aicpa.org/download/ethics/Outsourcing_Basis.pdf).

As a service to AICPA members and the accounting profession, the AICPA has published a practice guide containing recommended language for required privacy disclosure notices to individual tax clients. The practice guide can be downloaded from the AICPA web site at no charge at http://ftp.aicpa.org/public/download/news/ftc.doc .

IRS Privacy Laws and Regulations

Tax practitioners are subject to criminal and civil penalties under I.R.C. §7216 for knowingly or recklessly disclosing or using confidential client information supplied to prepare a tax return. In December 2005, the IRS proposed amendments to the regulations under §7216 (§301.7216-1, §301.7216-2, & §301.7216-3) to address current common industry practices, such as electronic preparation or filing of tax returns and outsourcing of tax return preparation. The proposed amendments include a broader definition of “tax return preparer” than under §7701 (e.g., persons providing secretarial services at an accounting firm can be tax return preparers). A proposed revenue procedure was issued concurrently to provide guidance to tax return preparers on the format and content of consents to disclose and consents to use tax return information under the proposed §301.7216-3 and how to obtain a taxpayer electronic signature on an electronic consent. Tax practitioners should monitor the progress of these proposed regulations and revenue procedure to ensure compliance with the final rules.

State Privacy Laws

In addition to the federal Financial Privacy Rule, many states have already passed consumer identity theft protection laws, or are considering new consumer privacy laws or amending existing laws to conform to the provisions of the Act. State laws may impose additional requirements on businesses regarding privacy of consumer financial information. Regulations promulgated by state boards of accountancy also prohibit the dissemination of confidential client information without the client’s express consent. Practitioners should consult with their state CPA society regarding compliance with both the FTC rules and state consumer privacy statutes.

Virtually all CPA firms are required to initiate action to comply with consumer privacy statutes. Before publishing and distributing privacy disclosure notices, firms should have them reviewed by competent legal counsel.

May 2006

By Joseph Wolfe, Assistant Vice President, Accountants Professional Liability, CNA, Chicago, IL 60604

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites. To the extent this presentation/article contains any descriptions of CNA products, please note that all products may not be available in all states. Actual terms, coverages, amounts, conditions and exclusions are governed and controlled by the terms and conditions of the relevant insurance policies.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

CNA is a service mark registered with the United States Patent and Trademark Office. Copyright © 2006 CNA. All rights reserved.

Reference:

General guidance on federal, state, and other privacy regulations available at:

http://infotech.aicpa.org/Resources/Privacy/

http://www.pirg.org/consumer/credit/statelaws.htm

http://www.bbbonline.org/UnderstandingPrivacy/library/fed_statePrivLaws.pdf


Appendix H: Releasing Original Engagement Working Papers

When a CPA firm undergoes an ownership change, the question of who should retain the existing engagement working paper files and work product files is often raised. This may occur, for example, when:

• One or more firm principals leave one firm to join another existing firm or to start a new firm. In such situations, they may take some or all of the clients they serviced with them to their new firm. These individuals will want to take the working papers with them because they may need access to historical information and data about the clients to continue to service them effectively.

• A sole practitioner sells his practice to another firm. The buyer wants access to the existing working papers to ensure continuity of service to the clients.

Before addressing the issue of who should retain custody of original working papers, three points need to be stated.

• The firm that serviced the client (hereafter the predecessor firm) owns the working papers and related files, not the individual who brought the client to the firm, performed the work, or served as the primary client contact.

• The predecessor firm is responsible for maintaining the confidentiality of client information in its working papers and files.

• In the event of a malpractice claim or a professional or regulatory inquiry, the predecessor firm is responsible for maintaining the original working papers, and having access to them will be critical in effectively responding to such claims or inquiries.

From a risk management perspective, the recommended practice in these circumstances is for the predecessor firm to retain possession of the original working papers in accordance with its record retention policy. If few clients will be transferred to the new firm (hereafter, successor firm), the relevant working papers can be copied for the successor firm upon receipt of written authorization from the clients to release this confidential information. If a large number of clients will be affected, consider sending an authorization letter to each affected client with a stamped return envelope to facilitate the transfer of information. See the sample authorization letter at the end of this article that could be requested from those clients which will be serviced by the successor firm in the future. In the event the practice (or a portion thereof) is being sold, consider the cost of this activity prior to reaching a final agreement on the terms of the sale. In addition, the separation or sale agreement between the predecessor firm and departing individuals should describe any file transfer agreements and address responsibility for performing the copying and paying related costs. Copying of working papers should always be done under the control and supervision of a continuing employee of the predecessor firm.

Separation or Sale Agreement

Continuing access to original working papers by a successor firm may be necessary for tax return preparation engagements but not for audit, attest and consulting engagements. In many cases if access to tax files is needed, it is not practical to copy all of the relevant files. If the predecessor firm decides to release the original working papers to the successor firm, it is essential that the separation or sale agreement between the parties specifically address the responsibilities of the successor firm with respect to maintaining and making the working paper files available to the predecessor firm.

The predecessor firm's attorney should draft these provisions into the agreement. The following provisions should be considered:

• The predecessor firm is the exclusive and continuing owner of working papers generated by the predecessor firm. The successor firm will maintain custody of the working papers exclusively for the purpose of providing professional services to the client, and in accordance with all other terms of the agreement.

• The successor firm will maintain the working papers in accordance with the confidentiality requirements of AICPA professional standards, applicable board of accountancy rules and regulations, and other applicable laws, rules and regulations.

• The successor firm will maintain the working papers files in their current state and format. Nothing will be added and nothing will be removed. Any documentation prepared by the successor firm will be maintained separately.

• The successor firm will maintain and dispose of the working papers in accordance with the predecessor firm’s record retention policy. The predecessor firm’s record retention policy should be attached as an exhibit to the agreement.

• The successor firm will immediately notify the predecessor firm in writing if any persons or entities, including the client and their representatives, request access to or copies of the working papers of the predecessor firm, whether by subpoena or otherwise.

• The successor firm will not release the working papers of the predecessor firm to any party without the express written authority of the predecessor firm. This prohibition does not apply to providing a client with copies of work product previously produced for the client and provided to the client by the predecessor firm.

• The successor firm will give the predecessor firm unrestricted access to the working papers upon their written request. They also will return original files as requested by the predecessor firm that may be needed to respond to any subpoena, threatened or actual claim or lawsuit, criminal, civil or regulatory investigation, professional inquiry, peer review, or other similar inquiry or investigation.

• The successor firm will indemnify the predecessor firm and hold it harmless with respect to any and all claims, lawsuits, fines, and penalties arising from the successor firm’s failure to provide the predecessor firm in a timely manner with unrestricted access to its original working papers, provided that the predecessor firm or its legal representatives first submitted a written request for such access to the successor firm.

• If the successor firm ceases to practice, merges, or sells its practice, it will immediately notify the predecessor firm in writing of this and return the predecessor firm’s working paper files to the predecessor firm. If the firm acquiring or merging with the successor firm requests the subject working papers, it should be required to sign a new agreement with the original firm about maintaining working paper files prior to being provided with these files.


• If any portion of the predecessor firm’s working papers are lost, damaged, or destroyed, the successor firm will promptly notify the predecessor firm of this in writing, and to the extent possible, identify the working papers affected.

Addressing the preceding issues on a timely basis is an important risk management activity for the predecessor firm, and is important to the successor firm in providing continuing client service. Failing to plan for the day when access to original working papers is necessary by a successor firm could be damaging to the predecessor firm in the event of a professional or regulatory inquiry, or a claim.

Sample Client Authorization for Working Paper File Access/Copying

(Predecessor Firm Letterhead)

Date:

To: ABC Client

Dear Mr. & Mrs. ABC:

It has been a privilege to provide tax services to you over the last several years. Thank you for the opportunity to work with you.

Effective (insert date) XYZ CPA firm has purchased certain assets of our firm, which include the right to provide professional services to you and/or your company. In connection with this transaction, Mr. XXXX will be terminating his employment relationship with our firm.

As Certified Public Accountants we have a duty to maintain client confidentiality. To the extent you wish to grant permission to our firm to provide copies of our relevant working papers relating to your engagements to XYZ CPA firm and Mr. XXXX, please sign the authorization on the enclosed copy of this letter and return the copy to us by (insert date) in the enclosed addressed envelope.

Sincerely,

Predecessor

------------------------------------------------

To: Predecessor CPAs:

We are engaging XYZ CPAs to provide services to us in the future. Please provide them with copies of your relevant working papers to facilitate the transition to this successor firm.

____________________________________________________________

Client Signature Date


September, 2006

By John McFadden, CPA, CFE, Risk Control Consulting Director, and Joseph Wolfe, Assistant Vice President, Risk Control, CNA, Accountants Professional Liability, Chicago, IL 60604.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites or articles are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites. To the extent this article contains any descriptions of CNA products, please note that all products may not be available in all states. Actual terms, coverages, amounts, conditions and exclusions are governed and controlled by the terms and conditions of the relevant insurance policies. The examples used in this article are fictional and any similarity to an actual claim is unintentional and purely coincidental.

CNA is a service mark registered with the United States Patent and Trademark Office. Copyright © 2006 CNA. All rights reserved.


The AICPA Professional Liability Insurance Program is underwritten by Continental Casualty Company, one of the CNA insurance companies, and is administered by Aon Insurance Services.

The Program is endorsed by the AICPA and is monitored by the AICPA Professional and Personal Liability Insurance Committee for practicing CPAs nationwide.

For more information on the AICPA Professional Liability Insurance Program, contact: Aon Insurance Services

1-800-221-3023

For AICPA Program policyholders, a toll-free hotline is available to respond to risk management and claim questions. For service, contact:

CNA 1-800-262-8060


The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states.

Any references to non-CNA Web site or articles are provided solely for convenience and CNA disclaims any responsibility with respect to these sites/articles.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

Aon Insurance Services is a division of Affinity Insurance Services, Inc.; in CA, MN, and OK, (CA Insurance License #0795465) Aon Insurance Services is a division of AIS Affinity Insurance Agency, Inc.; and in NH and NY, is a division of AIS Affinity Insurance Agency.

CNA is a service mark registered with the United States Patent and Trademark Office. Copyright © 2006 CNA. All rights reserved.
