Accounting Firm Data Destruction: How CPA Firms Should Handle Client Record Destruction

A CPA firm may keep years of client tax files, payroll records, financial statements, bank documents, workpapers, and scanned source documents. Much of that information contains Social Security numbers, tax IDs, account numbers, payroll data, and other confidential details. When those records are no longer needed, the firm still has to control them.

Accounting firm data destruction is the secure disposal of paper records, digital files, and storage media containing client financial or personal information after required retention periods have expired. For CPA firms, that process should be documented, repeatable, and tied to the firm’s record retention schedule.

This is where many firms create unnecessary risk. A banker’s box left in a storage room, old client files placed in regular recycling, or retired hard drives stored in a closet can all become data security problems. For managing partners, office managers, and compliance officers, accounting firm data destruction should be treated as part of the firm’s compliance program—not as a cleanup task.

For accounting firms, consistent disposal procedures are especially important when records cross office locations, client jurisdictions, or state privacy requirements. A defensible process should answer four basic questions: what records are kept, how long they are kept, who approves destruction, and how the firm proves destruction was completed.

Why Client Record Destruction Matters for CPA Firms

CPA firms receive information that clients would not share with most other vendors. Tax returns, payroll reports, estate documents, audit workpapers, loan records, and bank statements all require careful handling. That responsibility does not end when the engagement closes or the retention period expires.

The FTC Disposal Rule applies to businesses that maintain or possess consumer information for a business purpose. It requires reasonable measures to protect against unauthorized access during disposal. Examples include shredding paper records, destroying or erasing electronic media, and using a qualified destruction vendor after appropriate due diligence.

This applies directly to accounting firms because client records often contain consumer financial information and personally identifiable information. A small CPA practice with years of archived client files may face the same disposal risk as a larger firm if those records are not secured and destroyed properly.

New England firms also need to account for state privacy obligations. Massachusetts 201 CMR 17.00 establishes minimum standards for businesses that own or license personal information about Massachusetts residents. Northeast Data Destruction (NEDD) also notes that Massachusetts businesses must protect personal information and that secure document shredding is one way to support compliance.

CPA Record Retention Comes Before Destruction

Before a firm destroys anything, it needs to know whether the record is eligible for destruction. CPA record retention should be handled through a documented procedure that reflects tax rules, professional obligations, client agreements, litigation holds, insurance expectations, and state law.

IRS guidance explains that records supporting income, deductions, or credits should generally be kept until the period of limitations for the return expires. In many routine situations, that period is three years. Longer periods apply in other cases, including seven years for claims involving worthless securities or bad debt deductions, six years when more than 25% of gross income was omitted, indefinite retention for fraudulent returns or unfiled returns, and at least four years for employment tax records after the tax becomes due or is paid.

For CPA firms, IRS guidance is only one part of the policy. The AICPA states that a written document retention policy for a firm is a “must-do,” including guidance for client records and taxpayer record retention. Firms should also consult legal counsel and professional liability advisors before finalizing accounting record destruction rules.

A workable records schedule should separate records by category. Tax preparation files, attest workpapers, payroll files, bookkeeping records, engagement letters, client correspondence, administrative files, scanned source documents, and digital media may all have different retention needs. Each category should have a defined retention period, an owner, and an approved destruction method. Firms should avoid using one blanket retention period for every client file, because record type, jurisdiction, engagement terms, and legal holds can change the requirement.

What Should Accounting Firms Shred?

A good operating rule is simple: treat client-related paper as confidential unless the firm has clearly classified it otherwise. That reduces the chance that staff make judgment calls at the recycling bin, especially during tax season or office cleanouts.

Our compliance guidance recommends listing the types of documents, digital files, and other materials that require secure destruction and using shredding as the standard method for paper documents and data-bearing media.

For accounting firms, secure shredding should generally include:

  • Outdated client tax files and supporting schedules approved for destruction
  • Payroll reports, W-2 and 1099 records, direct deposit forms, and benefits records
  • Bank statements, canceled checks, loan documents, and brokerage statements
  • Draft financial statements and working copies
  • Old engagement letters, client correspondence, and printed emails
  • Estate, trust, valuation, and business transaction documents
  • Internal reports that include client names, account numbers, tax IDs, or financial data
  • Notes, worksheets, and duplicate copies generated during tax season

Some firms use an “all shred” approach for office paper. This helps staff avoid deciding whether a document is confidential in the middle of a busy workday. Our business document shredding service provides locked containers for confidential and non-confidential documents, reducing the chance that sensitive material ends up in the trash by mistake.

Digital Records Need a Separate Destruction Process

Paper files are only one part of the issue. CPA firms also store client information on laptops, desktops, servers, backup drives, external hard drives, USB drives, phones, scanners, copiers, and other office equipment. Deleting files or reformatting a drive may still leave recoverable data behind.

The FTC Disposal Rule covers electronic media and computer equipment when consumer information is stored on them. As a reasonable disposal measure, it identifies destroying or erasing electronic media so that the information cannot practicably be read or reconstructed.

A digital destruction process should address how devices are identified, who approves destruction, how media is secured before pickup, and how destruction is documented. For firms replacing laptops, upgrading servers, closing offices, or merging practices, hard drives and other media should be included in the same data destruction program as paper records.

For firms reviewing retired drives, servers, and portable media, NEDD’s guide on secure hard drive destruction methods explains why deleting files or relying on DIY destruction methods may not be enough for business data.

Q&A: Common CPA Questions About Record Destruction

How long should CPA firms keep client records?

There is no single retention period for every CPA firm record. IRS guidance commonly points to three years for many tax records, but longer periods apply in specific circumstances, including employment tax records, bad debt or worthless securities claims, substantial income omissions, unfiled returns, and fraudulent returns.

CPA firms should use IRS rules as a baseline, then account for professional standards, state requirements, client agreements, litigation holds, insurance expectations, and legal advice. The important point is consistency. A documented CPA record retention schedule is easier to defend than decisions made file by file during a storage cleanout.

Can we destroy client documents after scanning them?

In some cases, yes. Before destroying originals, the firm should confirm that the document does not need to be kept in original form, that the scanned version is complete and readable, and that the digital copy is protected by the firm’s retention and access-control procedures.

Scanning does not remove the duty to protect the information. It changes the format of the record. The digital version still needs to be retained, secured, backed up where appropriate, and destroyed when it reaches the end of its retention period.

What should never go into regular recycling?

Any document that includes client names, Social Security numbers, tax IDs, bank account numbers, payroll information, health insurance information, credit information, financial statements, or confidential business information should not go into regular recycling. NEDD’s document shredding guidance notes that recycling is not an adequate alternative for information destruction because businesses lose control over how the paper is handled.

Regular recycling may be appropriate for non-sensitive office material, but it should not be used for client records or internal documents that contain personal, financial, or business-confidential information.

Who should approve client record destruction?

Approval should be assigned to a specific role, such as a managing partner, firm administrator, compliance officer, records manager, or designated department lead. NEDD’s compliance guidance recommends choosing a point person for data destruction compliance and documenting that person’s responsibilities so the process is not left to assumption.

Do we need certificates of destruction?

Yes. Certificates of destruction help show that records were destroyed through a controlled process. They are useful for internal audits, client questions, insurance reviews, and compliance documentation.

We recommend keeping logs of each pickup and requesting Certificates of Destruction after every shredding session. Our piece on data destruction compliance explains why destruction records matter and how businesses can track secure disposal activity.

For accounting firms, certificates should be stored with the destruction log and tied to the date, material type, office location, vendor, and approving person. This is especially important after tax season purges, office moves, partner retirements, mergers, or client file transitions.

Building a Formal Accounting Firm Data Destruction Program

A formal program does not need to be complicated, but it does need clear rules. CPA firms should classify records by type, assign retention periods, confirm who approves destruction, secure records before pickup, and keep documentation such as destruction logs, chain-of-custody records, and Certificates of Destruction.

This process helps prevent rushed decisions during office cleanouts or post-tax-season file purges. Client records should not be destroyed simply because storage space is limited. A designated person should confirm that the retention period has passed and that no litigation hold, client request, or other restriction applies.

When CPA Firms Should Schedule Destruction

Many accounting firms wait until storage becomes a problem. A better approach is to schedule destruction around normal business activity, such as after tax season, at year-end, during technology refreshes, or before an office move, merger, acquisition, or partner retirement.

Scheduled destruction also helps reduce over-retention. Keeping records longer than required may seem safer, but it can increase exposure if those records contain personal or financial information and are later lost, accessed, or mishandled.

How NEDD Helps CPA Firms Formalize Secure Destruction

Accounting firm data destruction works best when it is built into normal firm operations. We help CPA firms manage that process with scheduled shredding, one-time file purges, locked collection containers, hard drive and media destruction, chain-of-custody support, and Certificates of Destruction.

For New England accounting firms, the goal is to protect client confidentiality, meet retention and disposal obligations, and keep documentation that can be reviewed later. When your firm is ready to review its file destruction process, update its CPA record retention workflow, schedule secure shredding for accountants, or plan destruction for retired drives and media, contact us.