How Long Should You Keep Tax Audit Documents? (ATO Guidance)

The ATO's record-keeping rules are clear in the legislation but frequently misunderstood in practice. Five years is the default, but the situations where the clock extends to fifteen or thirty years (or never starts running at all) are exactly the situations professional services firms encounter most often. Here's the definitive guide for Australian businesses and their advisors on how long tax audit documents actually need to be kept — and where the silent retention traps live.

The five-year rule, in plain English

The default rule under section 262A of the Income Tax Assessment Act 1936 is that records must be kept for five years from the date the relevant tax return is lodged, or the end of the transaction or act they relate to, whichever is later. For most businesses this means five years from lodgement date — so records for the 2024 financial year (lodged October 2024) must be retained until at least October 2029.

For GST records specifically, section 70 of the GST Act 1999 imposes the same five-year minimum, indexed off the date the relevant BAS is lodged. Most businesses run a single retention policy for both income tax and GST records aligned to the lodgement date.

When the clock extends past five years (the silent traps)

Several common situations extend the five-year clock — and most of them aren't obvious unless you go looking:

• Depreciating assets. Records relating to assets claimed as depreciation must be kept for five years after the LAST claim. For a 20-year effective life asset, that's potentially 25+ years of retention for the original purchase documentation.
• Capital gains tax. CGT records must be kept for five years after the asset is sold or disposed of. If you bought a commercial property in 2005 and sold it in 2024, you need records from 2005 right through to 2029 — a 24-year retention obligation.
• Trust records. Trust deeds and substantial trust resolutions are effectively indefinite retention items because the ATO can question the existence of the trust, the trustee identity, and the historical resolutions at any time during the trust's life.
• Losses carried forward. Prior-year tax losses can be carried forward indefinitely, but you must retain the records from the year the loss was incurred for as long as the loss is still being applied. For a company with a 2014 loss still being eaten down in 2026, that's 12 years and counting.
• Self-managed superannuation funds. SMSF records have their own regime under the SIS Act — generally 10 years for minutes and major decisions, indefinitely for the trust deed.
• Fraud or evasion. Section 170 of the ITAA 1936 says the ATO can amend assessments back without time limit where fraud or evasion is established. Practically speaking, assume that any record supporting a contested or aggressive tax position needs longer-than-default retention.

What counts as "records" — broader than you think

ATO TR 96/7 and TR 2018/3 give the most authoritative guidance on what constitutes a tax record. The list is broad and intentionally so:

• Invoices issued and received (must include ABN of supplier, GST status, date, amount)
• Receipts for deductible expenses
• Contracts and engagement letters
• Bank statements showing business transactions
• Stock records and stocktake working papers
• Motor vehicle logbooks (and the underlying odometer readings)
• Wage records, payroll tax filings, superannuation contribution evidence
• BAS statements with working papers showing how each figure was derived
• Email correspondence relating to tax positions (yes — emails count as records)
• Any working papers used to prepare tax returns, including draft calculations

If a document was used to support a tax position, it's a record. The conservative practice is to retain it for the maximum applicable period and not try to litigate the question of whether a particular email "counted" five years after the fact.

Format requirements — paper or electronic, but with strings attached

Records can be kept in paper or electronic form. Electronic records must satisfy section 262A(4AJ) conditions: they must be in English (or readily convertible), not modified or altered, and able to be shown to the ATO on request. The ATO explicitly accepts cloud-stored records, with two important caveats:

• You remain responsible. If your cloud provider experiences data loss, you bear the regulatory consequence, not the provider. The ATO won't accept "we lost it" as a defence.
• Cross-border storage triggers Privacy Act obligations. Storing client-related tax records on US infrastructure means APP 8 cross-border disclosure obligations layer on top of the tax retention obligation. Australian-resident storage avoids that compounding.

The practical question — where to store records

Once you've decided to keep records electronically (which almost every Australian business will), the question becomes where. The realistic options for an SMB firm are:

• Shared drives (Google Drive, OneDrive, Dropbox). Cheap and familiar, but no retention controls, no tamper-evident audit trail, recipient permissions sprawl over time, and most are not Australian-resident by default. The single most common cause of "we can't find the 2019 records" emails.
• Practice management systems (Xero Practice Manager, HandiTax, etc.). Better — built for accounting workflows, but record retention is usually scoped to the accounting engagement rather than the underlying source documents. Source PDFs, contracts, and correspondence still need somewhere to live.
• Purpose-built data rooms. Tamper-evident audit trail by default, Australian-resident storage, per-document retention controls, granular access logging. The compliance burden of section 262A is materially lower because the records are inherently better organised and recoverable.

Common mistakes

• Calculating five years from the financial year end instead of lodgement date. A 2024 return lodged in October 2024 doesn't reach the five-year mark until October 2029, not July 2029.
• Deleting records once the five-year clock runs out without checking for CGT, depreciation, or loss-carry-forward extensions. If the disposal hasn't happened yet, the records are still alive.
• Treating emails as ephemeral. Email correspondence about a tax position is a record. Set retention on the relevant mailbox, not just on the file shares.
• Relying on a single backup target. The retention obligation is for the records to be available — a single point of failure makes that obligation unenforceable.
• Ignoring the Privacy Act layer. Tax records contain personal information. Retention under section 262A doesn't override APP 11's security obligation — both apply.

What the ATO actually expects in a review

The ATO's published compliance approach factors record-keeping quality into how a review unfolds. Taxpayers who can produce well-organised, complete records quickly tend to get narrower reviews and faster resolution. Taxpayers who can't are more likely to face extended scope, additional years pulled into the review, and escalation. The single most cost-effective audit defence is having the records ready before the request arrives.

ShareAndGo was designed for exactly this. Sydney-resident storage, tamper-evident audit log, structured folders, recipient-level access controls. /use-cases/tax-audit walks through an ATO-facing audit response end-to-end. For accounting firms we've documented the workflow for managing dozens of client engagements simultaneously.

As always, this is general information, not tax advice. Check the ATO's published guidance (TR 96/7, TR 2018/3, ato.gov.au/business/record-keeping) or speak to your accountant for specific situations.