Tags: Accounting · Client Data · POPIA · Financial Services · Risk Reduction

How Accounting Firms Can Reduce Client Data Risk

Industry Guides · 6 min read · Published 2025-06-05

Accounting and bookkeeping firms are data-intensive businesses by nature. They hold client bank statements, payroll records, tax returns, SARS correspondence, financial statements, and in many cases ID numbers for FICA verification. This makes them high-value targets for data breaches and high-risk organisations for POPIA compliance failures.

The Four Highest-Risk Data Categories in Accounting Firms

1. Bank Statements

Received by email, stored in shared drives or left in inboxes, and sometimes forwarded to bookkeepers or junior staff. Bank statements contain account numbers and transaction history, often enough to enable identity fraud on their own. Few firms have a written rule for how long client bank statements are kept after the tax return is filed, so they tend to be kept forever.

2. Payroll Records

Contain employee names, ID numbers, salaries, banking details, and sometimes medical or UIF information. Payroll files are some of the most sensitive documents in any organisation. In accounting firms, they are often stored in client folders accessible to multiple staff members without any need-to-know control.

3. SARS Records and Tax Returns

Contain the complete financial profile of an individual taxpayer or business owner. SARS correspondence and tax returns are routinely stored unencrypted in shared drives, emailed between team members, and sometimes uploaded to cloud storage with no access controls beyond the link itself.

4. FICA Documents

Copies of ID documents and proof of address collected for FICA verification. Often retained indefinitely, stored in uncontrolled locations, and sometimes shared with third parties without authorisation.

Five Specific Risk Reduction Steps

Step 1: Implement a Client File Access Control Policy

Not every staff member needs access to every client file. Apply need-to-know access: each staff member can open only the files of the clients they actually work on. This requires a document management system with per-client permissions, not a shared drive that is open to everyone. Review those permissions whenever someone joins, changes role or leaves, because access that is granted once and never revoked is how "need-to-know" quietly becomes "everyone".

Step 2: Ban Email as a Document Transfer Channel for Sensitive Records

Unencrypted email is not an appropriate channel for bank statements, payroll files, or tax returns: the document sits in at least two mailboxes indefinitely and is forwarded without any record. Implement a secure client portal for document exchange; many accounting practice management platforms include this functionality. If a dedicated portal is not affordable, use an encrypted file-sharing service with links that expire and, ideally, require the recipient to authenticate before downloading.

Step 3: Create an Explicit AI Tool Policy

Many accounting staff use ChatGPT and similar tools to draft letters, analyse financial data, or summarise reports. This must be explicitly governed. The policy must state that no client financial data, payroll records, bank statements or SARS correspondence may be entered into any AI tool that has not been specifically approved and is not covered by a data processing agreement. The policy must be in writing, covered in staff training, and enforced.

Step 4: Implement a Retention and Deletion Schedule

The Tax Administration Act requires records supporting a tax return to be retained for five years from the date the return is submitted. FICA requires client identification records to be retained for five years after the business relationship ends. Once these periods have passed, the records must be deleted unless another legal basis for keeping them exists. Most accounting firms retain everything indefinitely. That breaches POPIA's retention limitation condition (section 14), and every year of unneeded data is additional breach exposure for no benefit.

Step 5: Conduct an Annual File Repository Assessment

A repository assessment establishes what personal information is held, where it is stored, who can access it, and how it is named and classified. For most accounting firms the first assessment produces surprises: client data in staff members' personal folders, unsecured financial records, and large volumes of data that should have been deleted years ago. The assessment turns an unknown risk into one that can be managed, and repeating it annually shows whether the retention schedule and access policy are actually being followed.
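As an added illustration of the mechanics behind Steps 4 and 5 (this is example code, not part of the article and not ComplyBar's product), the following Python scanner runs a miniature repository assessment: it detects South African ID numbers in file content (13 digits, a plausible YYMMDD prefix and a valid Luhn check digit, which is the standard structure of the number), computes each record's retention deadline from the five-year SARS and FICA rules, and flags files that are past retention, have no recorded retention basis, live outside the client file tree, or are readable by all staff. The repository, file paths, categories, group names and ID numbers are all constructed for the example; in practice the content would come from walking the shared drive and the dates from the practice management system.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# A candidate is exactly 13 digits not embedded in a longer run of digits.
SA_ID_CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")

RETENTION_YEARS = 5  # both the SARS and the FICA period cited in the article


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over the whole number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_sa_id(candidate: str) -> bool:
    """13 digits, a real calendar date in the YYMMDD prefix, and a valid Luhn digit."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    yy, mm, dd = int(candidate[:2]), int(candidate[2:4]), int(candidate[4:6])
    try:
        date(2000 + yy, mm, dd)   # century is ambiguous; 2000 accepts 29 Feb where 1900 would not
    except ValueError:
        return False
    return luhn_valid(candidate)


def find_sa_ids(text: str) -> List[str]:
    return [c for c in SA_ID_CANDIDATE.findall(text) if is_sa_id(c)]


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:            # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record: dict) -> Optional[date]:
    """SARS: five years from submission of the return. FICA: five years from the end
    of the business relationship. None when no retention basis is recorded."""
    if record["category"] == "sars" and record.get("return_submitted"):
        return add_years(record["return_submitted"], RETENTION_YEARS)
    if record["category"] == "fica" and record.get("relationship_ended"):
        return add_years(record["relationship_ended"], RETENTION_YEARS)
    return None


def assess(repository: Dict[str, dict], today: date) -> List[dict]:
    """One finding per file: the IDs found, the deadline, and the issues to act on."""
    findings = []
    for path, rec in repository.items():
        ids = find_sa_ids(rec["content"])
        deadline = retention_deadline(rec)
        issues = []
        if ids:
            issues.append(f"{len(ids)} SA ID number(s)")
        if deadline is None:
            issues.append("no retention basis recorded")
        elif deadline < today:
            issues.append(f"past retention (deadline {deadline.isoformat()})")
        if not path.startswith("Clients/"):
            issues.append("outside the client file tree")
        if "all-staff" in rec["readable_by"]:
            issues.append("readable by all staff")
        findings.append({"path": path, "ids": ids, "deadline": deadline, "issues": issues})
    return findings


# Constructed sample repository (hypothetical paths, groups and ID numbers).
# 8001015000086 passes the date and Luhn checks; 8001015000087 fails Luhn;
# 9913455000086 has month 13 and is rejected before the checksum is even computed.
SAMPLE_REPOSITORY = {
    "Clients/Acme/FICA/director_id.txt": {
        "content": "Director ID number 8001015000086, proof of address attached",
        "category": "fica",
        "relationship_ended": date(2018, 3, 31),
        "readable_by": ["all-staff"],
    },
    "Clients/Acme/2023/ITR14_support.txt": {
        "content": "Bank account 123456789, supporting schedules for the 2023 return",
        "category": "sars",
        "return_submitted": date(2024, 1, 15),
        "readable_by": ["acme-team"],
    },
    "Users/jsmith/Desktop/payroll_copy.txt": {
        "content": "Emp 0042  8001015000087  R18500\nEmp 0043  9913455000086  R21000\nEmp 0044  8001015000086  R19750",
        "category": "payroll",
        "readable_by": ["jsmith"],
    },
}
ASSESSMENT_DATE = date(2025, 6, 5)

if __name__ == "__main__":
    for f in assess(SAMPLE_REPOSITORY, ASSESSMENT_DATE):
        print(f["path"], "->", "; ".join(f["issues"]) or "no issues")
```

The two false-positive controls matter in practice: a bare 13-digit regex over a shared drive full of invoice and account numbers produces far more noise than findings, while the date and Luhn checks cut that to near zero. A record with no recorded retention basis is itself a finding, because a file nobody can date is a file nobody will ever delete.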

Find out where your business stands on this risk.

ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used. A structured assessment gives management the visibility to know rather than assume.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.