
IT Operations

February 25, 2026

Microsoft 365 SaaS Backup for Accounting and Auditing Firms: What Must Be Protected

Written By Rodney Hall

Accounting and auditing firms handle some of the most sensitive data in any professional services category.

Client tax returns. Financial statements. Audit workpapers. Engagement letters. Bank reconciliations. Internal control assessments. Correspondence containing material nonpublic information. All of it flowing through Microsoft 365 — Exchange, SharePoint, OneDrive, Teams — and all of it subject to professional retention obligations, client contractual requirements, and regulatory standards that most firms haven't fully mapped to their current data protection infrastructure.

The assumption that Microsoft protects this data is widespread and consequential. Microsoft's shared responsibility model is explicit: you own your data and identities, and you are responsible for protecting the security of your data. Microsoft protects the infrastructure. Data protection is the customer's responsibility.

For an accounting or auditing firm, that responsibility includes not just security but retention — ensuring that client records exist, are accessible, and can be produced when a client, regulator, or court requires them. A firm that discovers a data loss event during an engagement is not in a position to explain to its client that Microsoft's retention policies didn't cover the scenario.

This article covers what data accounting and auditing firms must protect in Microsoft 365, what the professional and regulatory retention requirements are, and what an independent backup solution needs to provide to satisfy those obligations.


What Data an Accounting Firm Actually Has in Microsoft 365

Before evaluating backup solutions, it's worth mapping the full scope of regulated and professionally significant data that lives in a typical accounting firm's Microsoft 365 environment.

Exchange Online — Email

Client engagement correspondence. Tax filing confirmations and authorizations. Financial data shared for preparation and review. Signed engagement letters and fee agreements. IRS notices forwarded by clients. Partner and manager communications about client engagements. Audit confirmations and third-party correspondence. Any communication containing personally identifiable information or financial data.

SharePoint — Document Libraries

Workpaper repositories organized by client and engagement year. Financial statements in draft and final versions. Tax returns in preparation and final form. Audit programs and checklists. Quality control documentation. Internal policies and procedures. Client portal integrations where documents are shared.

OneDrive — Individual Work Product

In-progress tax return files before they're moved to the shared workpaper system. Individual accountant notes and working documents. Downloaded client data files. Locally synced versions of SharePoint content.

Teams — Collaboration and Communication

Client communication channels where engagement status is discussed. Internal channels coordinating engagement teams. Meeting recordings from client video calls. Files shared in Teams channels that may not be captured by SharePoint retention policies. Chat history containing engagement-specific decisions and instructions.

Microsoft 365 Integrations

Many accounting firms connect Microsoft 365 to QuickBooks Online, Xero, or other practice management and accounting platforms. Data flowing between these systems may not be covered by Microsoft 365 retention policies at all — it exists at the integration layer.

All of this data is subject to the firm's professional retention obligations. Most of it is subject to client confidentiality obligations. Some of it is subject to regulatory requirements. None of it is independently backed up by Microsoft.


The Professional and Regulatory Retention Requirements

Accounting and auditing firms operate under overlapping retention obligations from multiple sources.

AICPA Standards

The AICPA's standards for audit documentation require that audit documentation be retained for a minimum of five years from the report release date for non-public company audits. For public company audits, PCAOB AS 1215 requires seven years. These aren't suggestions — they're professional standards that govern engagement documentation retention.

IRS Requirements

Tax preparers are required to retain copies of returns prepared, or the information necessary to recreate them, for three years from the return due date or the date the return was filed, whichever is later. Some states impose longer periods. The IRS can audit returns up to six years back in cases of substantial understatement, creating a practical argument for longer retention even where three years is the technical minimum.

State Board of Accountancy Requirements

State boards impose their own retention requirements that vary by jurisdiction. Ohio CPAs are subject to Ohio Accountancy Board requirements that include maintaining client records for five years following the date services were provided. Firms practicing in multiple states must maintain the most stringent applicable requirement across all jurisdictions.

Client Contractual Obligations

Engagement letters commonly specify confidentiality obligations and data handling requirements that survive the engagement. Enterprise and institutional clients often impose specific retention and security requirements as contract terms. A firm that can't produce records it contractually committed to retain faces both professional and legal exposure.

FINRA and SEC Requirements for Firms with Broker-Dealer or RIA Clients

Firms providing services to broker-dealers or registered investment advisers — or those that are themselves registered — face additional recordkeeping requirements. FINRA Rule 4511 requires preservation of books and records with due diligence on third-party recordkeeping. SEC Rule 17a-4 requires WORM-format storage with records retained for up to six years — non-rewritable and non-erasable storage that Microsoft 365 retention policies don't automatically satisfy.


Where Microsoft 365 Native Protection Falls Short

Against these retention requirements, Microsoft 365's native protection creates specific gaps that accounting firms need to understand.

Deleted user accounts

When a staff accountant leaves the firm and their Microsoft 365 account is deleted, Microsoft's grace period for account recovery is typically 30 days. After that period, the account and its data — including years of client correspondence, workpapers, and engagement documentation — are permanently deleted.

For a firm with a five-year workpaper retention obligation, that's four and a half years of missing records every time an employee departure isn't handled with a specific data preservation procedure. Most firms don't have that procedure documented or consistently applied.

Ransomware propagation through OneDrive sync

Ransomware that encrypts files on a staff member's device is carried into OneDrive by the sync client, and from there into any SharePoint document libraries that the device syncs. Microsoft's version history provides limited recovery capability — but ransomware that overwrites file versions progressively or that exceeds the version history window creates a recovery gap that Microsoft's native tools can't close.

For an accounting firm with tax season workpapers in progress when a ransomware event occurs, the inability to restore to a clean pre-encryption state isn't an IT problem. It's a client obligation problem.

Retention policy configuration errors

Retention policies are configured by administrators. Misconfigured retention policies — wrong scope, incorrect duration, policies that inadvertently delete rather than retain — can result in data loss that Microsoft cannot reverse. According to Infrascale, 67.7% of businesses experienced significant data loss in the past year. For accounting firms, data loss carries the added consequence of failing professional obligations.
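As an added example (not code from the article or from any vendor named in it), the script below turns the retention floors from the requirements section into a check of exported retention policies, flagging the three misconfigurations just described: a Delete-only action, a duration shorter than the most stringent applicable obligation, and a data type with no qualifying policy. The export shape (policy locations joined to each policy's rule duration and action) and the sample records are assumptions.

```python
"""Audit Microsoft 365 retention policies against a firm's retention floor.
Assumed export: one record per policy with the location lists of
Get-RetentionCompliancePolicy joined to the RetentionDuration (days or "Unlimited")
and RetentionComplianceAction of its Get-RetentionComplianceRule."""

# Retention floors in years, from the obligations described in the article.
OBLIGATIONS = {
    "AICPA": 5, "PCAOB AS 1215": 7, "IRS preparer": 3,
    "Ohio Accountancy Board": 5, "SEC 17a-4": 6,
}
# Policy location property -> data type the article says must be covered.
WORKLOADS = {
    "ExchangeLocation": "Exchange", "SharePointLocation": "SharePoint",
    "OneDriveLocation": "OneDrive", "TeamsChannelLocation": "Teams",
    "TeamsChatLocation": "Teams",
}

def floor_days(applicable):
    """Most stringent applicable obligation, in days (365-day years)."""
    return max(OBLIGATIONS[name] for name in applicable) * 365

def audit(policies, applicable):
    """Return (policy or workload, problem) findings for the given obligations."""
    floor = floor_days(applicable)
    findings, covered = [], set()
    for p in policies:
        dur, action = p["RetentionDuration"], p["RetentionComplianceAction"]
        if action == "Delete":  # expires data without ever retaining it
            findings.append((p["Name"], "action is Delete, retains nothing"))
        elif dur != "Unlimited" and int(dur) < floor:
            findings.append((p["Name"], f"retains {dur} days, floor is {floor}"))
        else:  # only a retaining policy that meets the floor counts as coverage
            covered.update(WORKLOADS[k] for k in WORKLOADS if p.get(k))
    for workload in sorted(set(WORKLOADS.values()) - covered):
        findings.append((workload, "no retaining policy meets the floor"))
    return findings

SAMPLE_POLICIES = [  # constructed export, not from any real tenant
    {"Name": "Workpapers 7y", "SharePointLocation": ["All"], "OneDriveLocation": ["All"],
     "RetentionDuration": "2555", "RetentionComplianceAction": "KeepAndDelete"},
    {"Name": "Mail 3y", "ExchangeLocation": ["All"],
     "RetentionDuration": "1095", "RetentionComplianceAction": "Keep"},
    {"Name": "Teams cleanup", "TeamsChannelLocation": ["All"], "TeamsChatLocation": ["All"],
     "RetentionDuration": "365", "RetentionComplianceAction": "Delete"},
]

if __name__ == "__main__":
    for where, problem in audit(SAMPLE_POLICIES, ["AICPA", "Ohio Accountancy Board", "SEC 17a-4"]):
        print(f"{where}: {problem}")
```

On the sample data the three-year mail policy, the delete-only Teams policy, and the resulting lack of qualifying Exchange and Teams coverage are all reported.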

Teams data gaps

Teams channel conversations, files shared directly in Teams, and meeting recordings don't always fall under the same retention policies as Exchange and SharePoint. Teams data is increasingly where engagement teams communicate and collaborate — and it's frequently the least well-protected data type in a Microsoft 365 environment.


What WORM Storage Means and Why It Matters

An immutable backup cannot be altered, encrypted, or deleted — by anyone, including administrators — for a specified retention period. Implemented using WORM (Write Once Read Many) storage, immutable backups are locked in their original state, preventing ransomware encryption, insider deletion, or accidental overwrites.

SEC Rule 17a-4 specifically requires WORM storage for broker-dealer record retention — non-rewritable and non-erasable for the required retention period. Microsoft 365 retention policies don't satisfy this requirement because they retain data within the tenant rather than in a separate WORM storage system.

For accounting firms with broker-dealer or RIA clients, or those that are themselves subject to FINRA or SEC oversight, WORM-compliant backup is a regulatory requirement. For firms not subject to those requirements directly, immutable backup provides the same protection against ransomware, insider threats, and accidental deletion that makes it the standard for any organization with significant data retention obligations.


What an Accounting Firm's M365 Backup Must Cover

A Microsoft 365 backup solution for an accounting or auditing firm must address all data types with specific requirements for each.

Exchange Online

All mailboxes — active and inactive — with granular item-level restoration capability. Retention periods aligned to the professional-standards minimum of five to seven years. Point-in-time restoration enabling recovery of a specific email from any date within the retention window. Deleted user mailbox preservation independent of the Microsoft account lifecycle.

SharePoint

All document libraries including workpaper repositories, engagement files, and quality control documentation. Site-level and item-level restoration capability. Version history independent of SharePoint's native version limit. Retention aligned to AICPA, PCAOB, or IRS requirements as applicable.

OneDrive

Individual user OneDrive content including in-progress work files and locally synced SharePoint content. User-level restoration independent of the account status. Preservation of OneDrive content when accounts are deleted.

Teams

Channel conversations and files. Meeting recordings. Chat history for regulated communications. Teams data is increasingly critical for engagement documentation and client communication records — it must be covered explicitly, not assumed to be captured under Exchange or SharePoint policies.


The Restoration Capability That Matters

Backup without tested restoration capability is an assumption, not a protection. For accounting firms, the restoration scenarios that matter most are:

Granular item restoration — the ability to retrieve a single email or document from a specific date. When a client asks for a copy of their 2021 engagement letter, the answer shouldn't be "we'll check if it's in the archive."

User-level mailbox restoration — the ability to restore a complete mailbox for a departed employee whose account was deleted. When litigation requires production of a former partner's correspondence, the account deletion timeline shouldn't determine whether that production is possible.

Point-in-time tenant restoration — the ability to restore the entire tenant to a state before a ransomware event or catastrophic data loss. When a tax season ransomware attack encrypts in-progress returns, the recovery window determines whether you can complete those returns or start over.

93% of companies that experience prolonged data loss go bankrupt. For an accounting firm, prolonged data loss means inability to complete engagements, inability to produce records, and professional liability exposure that can follow the firm for years.


Provider Landscape

The Microsoft 365 backup providers most commonly evaluated for accounting and professional services firms include:

Veeam — Enterprise-grade backup with M365 coverage. Strong restoration capabilities and deployment flexibility. Better fit for larger firms with internal IT infrastructure.

AvePoint — M365-focused backup with compliance and governance features. Strong SharePoint and Teams coverage. Good fit for firms with complex SharePoint governance requirements.

Acronis — Backup with integrated security features. M365 coverage with endpoint backup integration. Good fit for firms wanting backup and endpoint security from one provider.

Druva — Cloud-native backup with strong compliance features. SaaS delivery model with no infrastructure requirements. Good fit for firms wanting a fully managed backup service.

SysCloud — Specifically designed for professional services and accounting firms. Strong QuickBooks Online integration and accounting platform coverage alongside M365 backup.

Rightworks — Managed Microsoft 365 with accounting-specific backup and security. Strong fit for firms using Rightworks' broader accounting technology platform.

Securafy — Microsoft 365 backup management for regulated SMBs including accounting and professional services firms, delivered as part of the managed security and compliance program. Coverage includes Exchange, SharePoint, OneDrive, and Teams with immutable storage, retention periods aligned to AICPA, IRS, and applicable FINRA/SEC requirements, documented restoration testing, and evidence documentation that satisfies both professional standards and cyber insurance underwriting requirements. For firms subject to both M365 backup obligations and broader compliance requirements — HIPAA if handling healthcare client data, FTC Safeguards if handling financial consumer data — the backup function is integrated with the compliance program rather than managed separately.


The Evaluation Checklist

Before selecting a Microsoft 365 backup solution for your accounting or auditing firm:

Does the solution cover all four data types — Exchange, SharePoint, OneDrive, and Teams — with granular restoration capability for each?

Does backup storage use WORM or equivalent immutable storage satisfying SEC Rule 17a-4 requirements?

Can deleted user accounts and their data be preserved independently of the Microsoft account lifecycle?

What are the retention period options and are they configurable to your professional standard requirements — five, seven, or longer?

When was the last restoration test performed and what was the result? Can the provider show you documented test outcomes?

Does the backup infrastructure exist outside the Microsoft 365 tenant — inaccessible to ransomware propagating through OneDrive sync?

How does backup integrate with your broader compliance program — does it satisfy cyber insurance requirements, HIPAA if applicable, and professional standards simultaneously?


Where to Start

A free network assessment includes a review of your current Microsoft 365 data protection configuration — what's covered, what the gaps are, and where your professional retention obligations aren't being met by your current setup.

To discuss what an independent immutable backup solution would look like for your firm's specific Microsoft 365 environment and retention obligations, book a strategy call.

The 2026 Cybersecurity Buyer's Guide covers the data protection fundamentals every professional services firm should understand before assuming their cloud platform satisfies their retention obligations.

About The Author
Rodney Hall, President & COO at Securafy, brings nearly 17 years of experience in IT service management, operational efficiency, and process optimization. His expertise lies in streamlining IT operations, minimizing security risks, and ensuring business continuity—helping SMBs build resilient, scalable, and secure infrastructures. Rodney’s content delivers practical, action-oriented strategies that empower businesses to maintain efficiency and security in an ever-changing tech landscape.
