A former client disputes the advice you gave them three tax seasons ago. Your IT person confirms the email thread was deleted when you migrated to a new server. Your malpractice carrier wants the documentation. You don’t have it.

This scenario plays out more often than most small CPA firms expect, and it almost always traces back to the same oversight: treating email like a messaging tool instead of a professional record.

The Problem: Email Is a Business Record, and Most Firms Don’t Treat It That Way

Walk through the compliance checklist of an average small CPA firm and you’ll find encryption policies, multi-factor authentication (MFA) requirements, maybe a SOC 2 report from a cloud vendor. What you rarely find is a written email retention policy that actually specifies how long client communications must be kept, in what format, and who is responsible for ensuring they survive a system migration, a staff departure, or a platform switch.

The gap exists for understandable reasons. Email feels informal. Partners assume someone else is handling it. Cloud providers market their platforms as “always-on” storage, which firms confuse with compliant archiving.

The result is that firms routinely delete or lose email records that multiple regulatory frameworks require them to keep. And unlike a missing paper file, a missing email thread is invisible until someone asks for it, at which point “we didn’t know we had to keep that” is not an acceptable answer to the Internal Revenue Service (IRS), a state board of accountancy, or a plaintiff’s attorney.

The specific risks include:

  • IRS audit exposure. If a client is audited and the IRS requests correspondence related to a position you advised them to take, you need to produce it.
  • Malpractice claims. Email is frequently the primary evidence in professional liability disputes. Gaps in the record cut against the firm.
  • State licensing reviews. Several state boards have begun scrutinizing record retention practices as part of peer review and disciplinary proceedings.

Why This Matters for CPA Firms: The Overlapping Regulatory Framework

Here is where many small firms get into trouble: they assume one set of rules governs their records. In practice, three separate frameworks can apply simultaneously to a single client engagement.

AICPA standards. The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Tax Services (SSTS) and its broader Code of Professional Conduct require members to maintain documentation sufficient to support the professional services rendered. While the AICPA does not specify a universal email retention period, its standards create an implicit expectation that client communications exist and are retrievable.

State board of accountancy rules. Rules vary by state, but most require CPAs to retain client records and workpapers for a minimum of five to seven years. In California, the California Board of Accountancy (CBA) requires licensees to retain records for at least five years from the date of the report. Email correspondence that informed your professional judgment on a matter is arguably part of that record.

IRS preparer regulations. Under Treasury Department Circular 230, tax preparers are subject to ethical and documentation standards enforced by the IRS Office of Professional Responsibility. Additionally, the IRS can request documentation during an audit going back three years for standard returns and six years when substantial understatement of income is at issue. If the taxpayer’s position was discussed over email, that email is relevant documentation.

These frameworks do not cancel each other out. They stack. A single client file may require you to satisfy the most restrictive retention period across all three.

How to Build an Email Retention Practice That Actually Works

Understand the Difference Between Backup and Archiving

This distinction matters more than most firms realize.

Email backup creates a snapshot of your mailbox at a point in time, typically for disaster recovery. Backups are overwritten on a rolling cycle (often 30 to 90 days), are not indexed for search, and are generally not admissible as a reliable business record in a legal or regulatory proceeding.

Email archiving captures every message in real time, stores it in a tamper-evident, indexed repository, and retains it according to a schedule you define. Archived email can be searched by sender, recipient, date, keyword, or custodian. It survives mailbox deletions. It survives staff turnover. It is the format that satisfies regulatory retention requirements.

If your firm is relying on nightly backups as your retention strategy, you do not have a retention strategy.

Use the Tools You Already License

Microsoft 365 (specifically the Business Premium and E3 tiers) includes Microsoft Purview Compliance, which provides email archiving, retention policies, and litigation hold capabilities. Google Workspace Business Standard and above includes Vault, which does the same thing.

Most small CPA firms have already licensed one of these platforms. The tools exist. They simply have not been configured.

A basic configuration should include:

  1. Enable archive mailboxes for all users in Microsoft Purview or Google Vault.
  2. Set retention labels or policies that match your firm’s retention schedule (see below).
  3. Enable litigation hold for any active dispute or regulatory inquiry involving a specific client.
  4. Test recoverability quarterly by retrieving a sample of archived messages.

Build a Retention Schedule for Client Communications

Not every email has the same retention obligation. A practical framework groups communications by type:

Communication Type                                    Suggested Minimum Retention
----------------------------------------------------  ---------------------------
Tax return correspondence                             7 years from filing date
Audit-related communications                          7 years from report date
Engagement letters and fee agreements                 7 years from engagement close
General client advisory emails                        5 years from last activity
Internal staff communications about client matters    5 years from last activity
Vendor and administrative email                       2-3 years

These periods reflect the most conservative interpretation of overlapping IRS, AICPA, and California CBA requirements. Firms in other states should verify their specific board rules.
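The four configuration steps above and the 7-year tax-correspondence row of the schedule, as an added Exchange Online / Purview PowerShell example that is not from this article. The policy name, search name, custodian address and the 2555-day (7-year) duration are assumptions; it assumes the ExchangeOnlineManagement module and an account holding the Compliance Administrator role.

```powershell
# Added example (not from the article): Purview baseline for the four configuration steps.
# Policy name, custodian address, search name and 2555-day duration are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline    # mailbox cmdlets (Exchange Online)
Connect-IPPSSession       # retention and content-search cmdlets (Security & Compliance)

# Step 1: enable an archive mailbox for every user mailbox that does not have one yet.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne 'Active' } |
    ForEach-Object { Enable-Mailbox -Identity $_.UserPrincipalName -Archive }

# Step 2: org-wide retention policy matching the "tax return correspondence" row:
# keep every message for 7 years from creation; Keep (not KeepAndDelete) so nothing
# is auto-purged, and the firm decides disposition deliberately.
$PolicyName = 'CPA-Client-Email-7yr'   # assumed name
New-RetentionCompliancePolicy -Name $PolicyName -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "$PolicyName-rule" -Policy $PolicyName `
    -RetentionDuration 2555 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep

# Step 3: litigation hold on the custodian handling a disputed client matter.
# The hold is mailbox-wide: it preserves the whole mailbox, including items the user deletes.
$Custodian = 'partner@example.com'     # assumed address
Set-Mailbox -Identity $Custodian -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# Step 4: quarterly recoverability check: search the archive for a sample client thread
# and treat an empty result as a failed check rather than as "nothing to find".
$SearchName = "RetentionCheck-$(Get-Date -Format yyyyMMdd)"   # assumed name
New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
    -ContentMatchQuery 'subject:"engagement letter"' | Out-Null
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} until ($search.Status -eq 'Completed')
if ($search.Items -gt 0) {
    "Recoverability check passed: $($search.Items) archived item(s) found"
} else {
    Write-Warning 'Recoverability check FAILED: no archived items returned; verify the policy is applied'
}

# Documented evidence that the policy is active (the question to ask an IT partner below):
Get-RetentionCompliancePolicy -Identity $PolicyName |
    Select-Object Name, Enabled, DistributionStatus
```

Keep the script's output and the policy's DistributionStatus with the quarterly check, so there is a dated record that archiving was active, not just a subscription that includes it.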

What to Look for in an IT Partner

Email archiving is not a set-it-and-forget-it task, but it is also not complicated when managed by someone who knows what professional services firms actually need from their compliance posture.

When evaluating an IT provider or managed services partner, ask these questions:

  • Do you have experience configuring Microsoft Purview or Google Vault specifically for accounting or legal environments?
  • Can you produce documented evidence that our archive policies are active and capturing messages?
  • How do you handle archive continuity during a platform migration?
  • Do you assist with litigation hold when a client matter becomes disputed?
  • Will you help us map our retention schedule to our specific regulatory obligations, rather than using a generic policy?

A provider who cannot answer these questions specifically is not equipped to manage compliance-grade email archiving for a CPA firm.

The Bottom Line

Email is not just communication. For a CPA firm, it is documentation of professional judgment, client advice, and engagement history. AICPA standards, IRS preparer rules, and state board requirements all create retention obligations that extend well beyond the end of a client engagement. The good news is that the tools to meet those obligations are almost certainly already in your Microsoft 365 or Google Workspace subscription. They just need to be configured correctly, by someone who understands what compliance actually requires.

Frequently Asked Questions

How long do CPA firms need to keep client emails?

The safest answer is at least seven years for tax-related correspondence, which aligns with the IRS’s maximum standard audit lookback period for substantial understatement of income. State boards, including the California Board of Accountancy, generally require a minimum of five years. Because these frameworks overlap, firms should apply the most conservative applicable period to each category of communication.

Is Microsoft 365 email archiving good enough to satisfy IRS record retention requirements?

Microsoft 365’s Purview Compliance archiving, when properly configured, creates a tamper-evident, indexed, searchable record that meets the functional requirements of business record retention under IRS and AICPA guidance. The key word is “configured.” Simply having a Microsoft 365 subscription does not mean archiving is active. A qualified IT provider should verify that retention policies are enabled and that archived messages are actually recoverable.

What is the difference between email backup and email archiving for a CPA firm?

Email backup is designed for disaster recovery and operates on a rolling overwrite cycle, typically 30 to 90 days. It is not indexed, not tamper-evident, and not reliable as a legal or regulatory record. Email archiving captures every message in real time, stores it for the full period defined by your retention schedule, and supports search and legal hold. Only email archiving satisfies professional record retention requirements for accounting firms.

Can deleting client emails create liability for a CPA firm?

Yes. Intentional or inadvertent deletion of client email records can create liability in at least three ways: it may impair your ability to defend a malpractice claim, it may constitute a failure to maintain records under state board rules, and it may be viewed unfavorably if the IRS requests documentation during a client audit and you cannot produce it. Courts and regulators apply the principle of “spoliation,” which can result in adverse inferences being drawn against the party that failed to preserve relevant records.


One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s email archiving and compliance posture.