With insights from data subject matter expert Amy Casey.
Highlights
Data quality issues prevent 29% of accounting firms from implementing automation successfully.
Common challenges in data management include handling PII data, retaining internal records, and managing client financial data.
Establishing an effective data governance framework will improve accuracy and support AI implementation.
Data is the backbone of every service an accounting firm provides, from tax returns to financial statements to advisory insights. However, when that data is inaccurate, duplicated, inconsistent, or stored across different systems, it becomes a liability rather than an asset. That’s why a structured approach to data management in accounting is essential.
“Data management is critical for accounting firms because data is the foundation for every financial statement, report, and decision we make. Having data that is accurate, governed, up to date, and organized ensures not only reliable reporting and compliance but also enables automation and analytics to run efficiently,” said Amy Casey, director of Finance Master Data at Thomson Reuters.
Underscoring this point, the 2025 State of Tax Professionals Report by Thomson Reuters Institute found that 29% of firms cited a lack of data quality and consistency as a main barrier to automation.
To assist accounting firms, this article identifies common data management challenges, regulatory impacts, and best practices for cleaning internal and client accounting data.
Common challenges in accounting firm data management
Firms are the gatekeepers to vast amounts of critical and sensitive data, and there is a lot of pressure to ensure that this data is secure, compliant, and clean. However, each data type presents its own challenges and considerations for firms.
Managing client financial data
Client financial records form the foundation of accounting services; however, managing this information can be challenging. One major difficulty is the inconsistency in data formats. When submitting documents, clients may provide a mix of scanned files, handwritten receipts, and spreadsheets. These differences make it hard to ensure accuracy across reports and financial statements. Additionally, as clients grow or change their business structures, historical financial data can become siloed across systems.
Handling personally identifiable information (PII)
Firms handle large amounts of sensitive PII, such as Social Security numbers, bank account details, and personal addresses. They have a fiduciary responsibility to safeguard client data, and jeopardizing its security is a risk firms cannot afford to take. However, it can be difficult to track where PII exists across systems, especially when data has been shared or duplicated across multiple platforms over time. Without proper data hygiene, outdated PII can remain in systems long after it’s no longer needed, increasing the risk of security breaches and noncompliance.
Retaining internal records
Firms produce vast amounts of internal data, including employee records, project files, internal communications, and administrative documents. Deciding what to keep and for how long can be difficult. Without clear retention policies, systems can quickly become cluttered with outdated and redundant records, reducing efficiency.
Storing legacy data
Legacy data stored in outdated systems or formats presents a challenge for many firms. As firms adopt new technologies, they may find that historical data is kept in proprietary formats that modern systems struggle to access or interpret. This can hinder the use of automation and analytics tools that rely on consistent data structures. Furthermore, they might face difficult decisions about which legacy data to migrate to new systems. Moving everything forward can be cumbersome, while leaving data behind can create gaps in visibility and compliance risks.
Regulatory and industry requirements impacting data management
In today’s regulatory environment, accounting firms must adhere to various data security and privacy standards that directly influence how they handle, store, and protect sensitive information. This includes federal regulations, state-level requirements, and the implementation of industry-recognized security frameworks to show their commitment to data security.
Federal guidelines
IRS Publication 4557 outlines safeguarding requirements for tax practitioners and best practices for securing client data.
In 1999, the Federal Trade Commission (FTC) enacted the Gramm-Leach-Bliley Act (GLBA). It was established to protect consumers’ private financial information and to regulate the collection and disclosure of clients’ financial data, mainly by financial institutions and other entities, including accounting firms.
State-level regulations
The California Consumer Privacy Act (CCPA), reinforced by the California Privacy Rights Act (CPRA), provides California residents with significant rights over their personal information, including the right to know what data is collected, request deletion, and opt out of the sale or sharing of their data. Firms outside California may be subject to these requirements if they handle data from California residents.
New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires businesses to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information of New York residents. Accounting firms serving New York residents often handle client data that falls under the SHIELD Act’s protection.
Industry security standards
Service Organization Control 2 (SOC 2) is an auditing framework created by the AICPA that assesses a service provider’s controls for safeguarding customer data. For firms, this offers third-party assurance that a company’s systems and processes comply with strict security and compliance standards.
ISO/IEC 27001, often referred to as ISO 27001, is an internationally recognized standard for information security. It provides organizations with guidance on establishing, implementing, maintaining, and continuously improving an information security management system. For accounting firms, adopting this standard demonstrates a globally respected approach to protecting client data, reducing risks, and ensuring strong security governance.
The NIST Cybersecurity Framework (CSF) is a voluntary set of guidelines created by the U.S. National Institute of Standards and Technology (NIST) to help companies manage and minimize cybersecurity risks. Adopting the framework helps firms build a resilient security program and demonstrate due diligence.
The regulations and standards reinforce each other, and tax and accounting firms that take a holistic approach to data management can ensure compliance and improve their overall data security.
Best practices for cleaning up internal and client accounting data
To improve reporting accuracy, prepare for automation and AI-powered workflows, and minimize risk, firms can adopt strategies that boost data quality while simplifying operations. The following guidance should serve as a starting point on your data security journey.
1. Establish an effective data governance framework
Effective data cleanup requires a clear governance structure that outlines how data is managed, governed, and used throughout the organization. This framework should include data policies, quality standards, and well-defined roles for data oversight, Casey explained.
“For example, in our department, we’ve built this framework around strong principles for finance master data. We have data approvers within each business segment, subject matter experts for downstream systems, and data stewards who are responsible for accuracy and maintenance,” said Casey. “We also have data quality standards, assign security roles for view and edit access, and have audit checks built into our workflow for SOX compliance. This approach keeps data consistent, reduces risk, and supports accurate financial reporting.”
2. Purge unnecessary and outdated data
One of the most effective ways to maintain data hygiene is to avoid collecting unnecessary information from the start and to conduct regular data reviews to spot inactive records.
“Firms should only collect and retain data that is necessary for business or regulatory purposes. This starts with understanding internal and external stakeholder requirements, then putting the retention and archiving policies and procedures into place,” advised Casey. “In our organization, certain financial data must be retained for 10 years for compliance reasons. After that, we can archive it. We also perform regular data reviews to identify inactive records, which reduces system complexity and risk while improving system performance.”
3. Use technology solutions to maintain data
Technology can help firms keep internal and client data clean long after the initial cleanup is done. Use professional accounting software that can create a single platform for write-up, trial balance, payroll, and client accounting, so firms maintain one authoritative source of data instead of juggling disconnected systems.
Leverage a secure client portal solution to extend a clean data structure to clients, centralizing document exchange and online accounting access in one place instead of email or shared drives. Clients will be able to easily send and receive personal financial documents and tax returns with peace of mind knowing their data is safe.
Data security management in AI tax and accounting tools
Accounting firms are increasingly adopting AI-powered solutions to improve efficiency and better serve clients.
The 2025 Future of Professionals report by Thomson Reuters found that 80% of professionals surveyed believe AI tools will have a high or transformational impact on their work over the next five years. However, that’s not to say that data security isn’t a concern.
The shift to AI increases both opportunities and risks; therefore, carefully selecting vendors and implementing security measures is essential for protecting sensitive client data.
“When evaluating AI or cloud-based tools, firms should prioritize vendors with a proven track record in data security, compliance, and transparency. This means ensuring they are SOC 2 and ISO 27001 compliant, have data encryption in place, and meet the company’s corporate and regulatory standards,” Casey said.
When migrating from a legacy system to a new platform, Casey noted, “It’s the perfect opportunity to rationalize, cleanse, and standardize data. During our move from SAP ECC to S/4HANA, we went through several data rationalizations to reduce our legacy data volumes before the migration, ensuring only required and clean data was brought forward.”
As firms adopt new technologies and face an increasingly complex regulatory environment, strong data management is imperative. Now is the time for firms to step back, reassess their data management strategies, and implement professional-grade AI tools that adhere to data regulations. To learn more, read our whitepaper “What every firm needs to know about AI tools and data security.”






















