
Accounting Firm Compliance in British Columbia: Client Records, FINTRAC, and IT Security Requirements

This is a reference guide for BC accounting and CPA firms summarising the federal, provincial, and professional regulatory frameworks that govern client records, anti-money laundering obligations, and privacy. Hexafusion is an IT services partner, not a legal advisor or compliance advisory firm. Confirm current obligations with CPABC, FINTRAC, CRA, and qualified counsel.

Federal regulatory framework

Area | Statute or regulator | IT relevance
Privacy (federal) | PIPEDA, OPC | Safeguards and breach reporting for cross-border and federally regulated activities.
Cybercrime | Criminal Code, ss. 342.1 and 430(1.1) | Unauthorised computer access and mischief in relation to computer data.
Anti-spam | CASL | Consent tracking for firm newsletters and client communications.
Tax records | Income Tax Act, s. 230, CRA | Six-year retention for books and records.
Anti-money laundering | Proceeds of Crime (Money Laundering) and Terrorist Financing Act, FINTRAC | Client identification and record-keeping when trigger activities apply.
Corporate registry | Canada Business Corporations Act | Individuals with significant control registers for federally incorporated clients.

BC provincial framework

Area | Statute or regulator | IT relevance
Privacy (provincial) | BC PIPA, OIPC BC | Private-sector personal information regime.
Employment | BC Employment Standards Act | Payroll records.
Workplace safety | Workers Compensation Act, WorkSafeBC | Office safety records.
Human rights | BC Human Rights Code | Accommodation records.
Corporate | BC Business Corporations Act | Transparency register for BC-incorporated clients.
Consumer protection | Business Practices and Consumer Protection Act | Engagement letter and billing disclosures.
Premises liability | Occupiers Liability Act | Physical access control.
Provincial tax | Provincial Sales Tax Act, Employer Health Tax Act | Provincial tax filings and records.

Accounting firm regulators and statutes

The Chartered Professional Accountants of British Columbia (CPABC) regulates CPAs in the province under the Chartered Professional Accountants Act. The national CPA governance framework continues to evolve, so confirm the current status of federal and provincial CPA governance directly with CPABC. (Status as of early 2026; verify current wording with the regulator.)

  • Chartered Professional Accountants Act (BC). Enabling statute for CPABC.
  • CPABC Code of Professional Conduct. Covers professional competence, confidentiality, objectivity, independence, and quality management.
  • CPABC bylaws and rules on client records. Set professional obligations regarding client records, file retention, and working paper custody. Cite the current bylaw and rule numbers in firm policy and confirm the wording with CPABC.
  • CRA audit record retention. Income Tax Act s. 230 requires books and records to be retained for six years from the end of the last tax year to which they relate, unless written CRA permission is obtained for earlier destruction.
  • FINTRAC obligations. Accountants and accounting firms are reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act when they perform trigger activities on behalf of clients, including receiving or paying funds, purchasing or selling securities or real property, and transferring funds. Obligations include client identification, record-keeping, reporting, and a compliance programme.
  • CPAB oversight. Firms performing reporting-issuer audits fall within the Canadian Public Accountability Board oversight regime.

Cross-cutting frameworks

  • PCI DSS for card-based billing.
  • HIPAA where US clients engage services that touch protected health information.
  • NIST Cybersecurity Framework and CIS Controls as benchmarks.
  • SOC 2 as due diligence for cloud tax, audit, and practice management vendors.
  • Cyber insurance underwriter expectations. Multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and vulnerability patching.

Accounting firms hold concentrated financial information about their clients, which makes them attractive targets for both fraud and ransomware. CPABC practice inspections, FINTRAC examinations, and CRA correspondence all probe the same underlying territory: can the firm produce the records, are those records reliable, are they protected against unauthorised access, and can operations recover after a disruption. Multi-factor authentication, endpoint detection and response, tested backups with an offline copy, phishing simulation and training, a written incident response plan, and documented vulnerability patching together form the baseline. Firms that add privileged access management, session recording for sensitive clients, and independent log review demonstrate the level of assurance that regulators and insurers increasingly ask about.

How IT controls map to the regulatory stack

  • Retention schedules aligned with CRA six-year, FINTRAC record-keeping, and CPABC working-paper expectations.
  • Access logs at the client-engagement level, with separation of duties between preparer and reviewer.
  • Encryption at rest and in transit across working papers, client portals, and backups.
  • Written breach response plan aligned with PIPEDA and BC PIPA, with FINTRAC reporting considerations documented.
  • Tested backups and disaster recovery for tax and audit engagement data.
  • Managed detection and response (MDR), endpoint detection and response (EDR), MFA, and patching across partner, staff, and contractor endpoints.
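Two of the controls above (engagement-level access logs with preparer/reviewer separation, and the shared admin account problem discussed under the retention paragraph) can be checked from exported data rather than asserted in a policy document. The following is an added example, not Hexafusion tooling and not any practice-management product's export format: the sign-off records, the sign-in log lines, the field layout, and the 15-minute / three-device thresholds are all constructed assumptions.

```python
"""Separation-of-duties and shared-credential checks over constructed data.

1. Separation of duties: the same user must not be recorded as both preparer
   and reviewer on one engagement.
2. Shared admin accounts: one privileged account signing in successfully from
   several distinct devices inside a short window suggests the credential is
   shared, which breaks the audit trail (who actually did what).

Added example. Record layout, log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed engagement sign-off records: (engagement_id, role, user)
SIGNOFFS = [
    ("ENG-2025-001", "preparer", "jdoe"),
    ("ENG-2025-001", "reviewer", "msmith"),
    ("ENG-2025-002", "preparer", "jdoe"),
    ("ENG-2025-002", "reviewer", "jdoe"),   # same person both roles
    ("ENG-2025-003", "preparer", "alee"),   # not yet reviewed: not a violation
]

# Constructed sign-in log: "<ISO timestamp> <account> <device id> <result>"
SIGNIN_LOG = """\
2025-03-03T08:01:10 taxadmin WS-PARTNER-01 success
2025-03-03T08:04:52 taxadmin WS-STAFF-07 success
2025-03-03T08:09:30 taxadmin LAPTOP-CONTRACTOR success
2025-03-03T09:15:00 msmith WS-STAFF-02 success
2025-03-03T09:20:00 taxadmin WS-PARTNER-01 failure
2025-03-04T10:00:00 alee WS-STAFF-03 success
"""


def sod_violations(signoffs):
    """Engagement ids where the preparer and reviewer are the same user."""
    roles = defaultdict(dict)
    for eng, role, user in signoffs:
        roles[eng][role] = user
    return sorted(
        eng for eng, r in roles.items()
        if "preparer" in r and "reviewer" in r and r["preparer"] == r["reviewer"]
    )


def parse_signins(text):
    """Parse the constructed log format into (timestamp, account, device, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, device, result = line.split()
        events.append((datetime.fromisoformat(ts), account, device, result))
    return events


def shared_account_candidates(events, window=timedelta(minutes=15), min_devices=3):
    """Accounts with successful sign-ins from >= min_devices distinct devices
    within any sliding window of the given length. Failed attempts are ignored
    so that a password-spray against the account does not trigger this check."""
    by_account = defaultdict(list)
    for ts, account, device, result in events:
        if result == "success":
            by_account[account].append((ts, device))
    flagged = {}
    for account, items in by_account.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            devices = {d for t, d in items[i:] if t - start <= window}
            if len(devices) >= min_devices:
                flagged[account] = sorted(devices)
                break
    return flagged


if __name__ == "__main__":
    print("SoD violations:", sod_violations(SIGNOFFS))
    print("Possible shared accounts:",
          shared_account_candidates(parse_signins(SIGNIN_LOG)))
```

Run against a real export, the second check is a triage signal rather than proof: a partner who legitimately uses three machines will also trip it, which is why the fix is named individual admin accounts plus a break-glass account whose use is alerted on, not simply tuning the threshold.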

Firms that handle these controls well tend to follow a small number of disciplines consistently: they document the current state of the environment, they match it against a control catalogue such as NIST CSF or CIS Controls, they assign a named owner for each control, and they schedule periodic testing rather than waiting for an examination to find a gap. Retention schedules are a particular trouble spot because working papers, tax files, FINTRAC records, and general administrative data all expire on different timelines, so the policy needs to reflect what each system actually does rather than aspirational language in a manual. Privileged access to accounting platforms is another common gap: too many firms still have single shared admin accounts for their practice management or tax software, which breaks both separation of duties and audit trail.
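The retention point above is concrete enough to test: a document system configured to delete "N days after creation" is not the same thing as a policy that counts years from the end of the tax year, and the gap shows up only for records created early in the year. The following is an added example, not Hexafusion tooling. Only the CRA rule (six years from the end of the last tax year the record relates to, Income Tax Act s. 230) comes from this page; the "firm_admin" class and its two-year period are illustrative values, the record ids are constructed, and the system configuration export format is an assumption.

```python
"""Retention eligibility vs. what a document system is actually configured to do.

Added example. The CRA six-year rule is from Income Tax Act s. 230; the
"firm_admin" class, its period, the records and the system export are
constructed illustrations, not regulatory figures.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_years(d, years):
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    created: date
    tax_year_end: Optional[date]      # None for records not tied to a tax year
    legal_hold: bool = False


# Policy rules as the firm's retention schedule states them: (years, basis).
# Only "cra_books_records" is taken from the page; "firm_admin" is an assumed
# illustrative value to show the second basis.
POLICY = {
    "cra_books_records": (6, "tax_year_end"),
    "firm_admin": (2, "created"),
}

# Constructed export of a document system's actual auto-delete settings:
# days after the record's creation date at which it is purged.
SYSTEM_CONFIG = {
    "DMS": {"cra_books_records": 6 * 365, "firm_admin": 2 * 365},
}


def earliest_destruction(rec):
    """Date before which policy forbids destroying the record; None while on hold."""
    if rec.legal_hold:
        return None
    years, basis = POLICY[rec.record_class]
    base = rec.tax_year_end if basis == "tax_year_end" else rec.created
    if base is None:
        raise ValueError(f"{rec.record_id}: class {rec.record_class} needs a tax year end")
    return add_years(base, years)


def system_deletion_date(system, rec):
    """When the configured system would actually purge the record."""
    return rec.created + timedelta(days=SYSTEM_CONFIG[system][rec.record_class])


def drift(system, records):
    """Records the system would delete before policy allows, or while on legal hold.
    Returns (record_id, system_date, policy_date) tuples; policy_date is None for holds."""
    findings = []
    for rec in records:
        policy_date = earliest_destruction(rec)
        sys_date = system_deletion_date(system, rec)
        if policy_date is None or sys_date < policy_date:
            findings.append((rec.record_id, sys_date, policy_date))
    return findings


# Constructed records. The first two relate to the same tax year but were
# created nine months apart, which is exactly where day-count deletion bites.
RECORDS = [
    Record("T2-2019-ACME", "cra_books_records", date(2019, 3, 15), date(2019, 12, 31)),
    Record("T1-2019-DOE", "cra_books_records", date(2020, 4, 20), date(2019, 12, 31)),
    Record("HR-ONBOARD-44", "firm_admin", date(2021, 1, 10), None),
    Record("ENG-2020-LIT", "cra_books_records", date(2021, 2, 1), date(2020, 12, 31),
           legal_hold=True),
]


if __name__ == "__main__":
    for rid, sys_date, pol_date in drift("DMS", RECORDS):
        print(f"{rid}: system purges {sys_date}, policy allows from {pol_date}")
```

The finding list is the evidence an inspector actually wants: not the retention policy wording, but proof that the configured behaviour of each system was compared against it and any shortfall was fixed (typically by keying the system's retention to a tax-year-end metadata field rather than to creation date, and by excluding held records from auto-delete).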

These controls translate directly into evidence for the reviewers who show up at your door. CPABC practice inspectors look at working-paper handling and client record management. FINTRAC compliance auditors look at the identification records, records of triggered transactions, and the compliance programme documentation. CRA auditors look at client books and records retention. Cyber insurance underwriters look at the technical and procedural safeguards. A firm whose IT architecture is designed to serve all four review audiences avoids duplicating evidence collection and reduces the chance that a shortfall in one area becomes a finding across all of them.

Where Hexafusion fits

Hexafusion operationalizes the IT controls that support BC accounting firms' professional and statutory obligations. That includes Microsoft 365 hardening for engagement data, client portal provisioning, encryption and key management, retention tuning inside practice management and document management, and the written evidence package that supports CPABC practice inspections, FINTRAC compliance reviews, and insurer questions. Our founder's PCI DSS Internal Security Assessor background informs how we document control evidence.

We do not interpret FINTRAC triggers, do not give tax advice, and do not act as your compliance officer. Those roles belong to CPAs, qualified counsel, and your designated compliance officer. Our role is the technical layer.

Common questions from BC accounting firms at the intake stage include how to run a secure client portal for working papers and tax documents, how to scope partner and staff access to sensitive files, how to structure email retention so that correspondence tied to audits is preserved for as long as the working papers, and how to document third-party cloud vendors for CPABC practice inspections. Each of these has a technical answer that flows from the same underlying architecture, and a firm that builds it once can respond to inspectors, auditors, and insurers without starting from scratch each time.


Frequently Asked Questions

Who enforces accounting firm compliance in BC?
CPABC regulates CPAs. FINTRAC enforces federal anti-money laundering obligations for trigger activities. CRA enforces the Income Tax Act. OIPC BC enforces BC PIPA. OPC enforces PIPEDA.

Does Hexafusion provide legal advice?
No. We are an IT services provider. Legal and compliance interpretation belong to qualified counsel, CPABC, and your firm's compliance officer.

How do IT controls map to accounting compliance rules?
Retention, encryption, access logging, role-based access, tested backups, breach response documentation, and endpoint security provide technical evidence for CRA, FINTRAC, privacy, and CPABC obligations.

How does accounting compliance overlap with cyber insurance?
Insurers require multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and patching. These controls also support professional and privacy obligations.

What records must my accounting firm retain?
CRA requires six-year retention under s. 230 of the Income Tax Act. CPABC rules set working-paper and client record expectations. FINTRAC sets record-keeping for triggered activities. Confirm specific durations with each regulator.

When does FINTRAC apply to accountants?
When accountants engage in trigger activities on behalf of clients, such as receiving or paying funds, purchasing or selling securities or real property, or giving instructions in respect of those activities. Confirm current triggers with FINTRAC.

Disclaimer

This reference guide provides general regulatory context for BC-based accounting firms. It is not legal or compliance advice. Confirm current requirements with CPABC, FINTRAC, CRA, and qualified counsel. Hexafusion is an IT services provider and does not provide legal advice. Administrative monetary penalties apply up to statutory maximums; confirm current amounts with the regulator.


Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).

Need help with the IT side of compliance?

Request a scoped assessment. We review your technical safeguards against the evidence an assessor, regulator, or insurer expects, and deliver a written report.
