Small Business Backup Australia — What the ATO Actually Requires

The ATO requires Australian businesses to keep most financial records for 5 years. But where those records live, and what counts as adequate backup, is less clear. Here's what the rules actually say and how to meet them without overcomplicating it.

The ATO requires Australian businesses to keep most financial records for a minimum of 5 years. If a tax audit happens and those records are gone, because your accounting software subscription lapsed, your hard drive failed, or you simply never backed anything up, you could face penalties and a very difficult audit process. Here's what the rules actually say, what counts as adequate record-keeping, and how to build a simple backup system that meets the requirement.

General information only. This article describes ATO record-keeping requirements as general background information. It is not legal or accounting advice. For obligations specific to your business structure, industry, or circumstances, consult a registered tax agent or your accountant.

In short: Keep all financial records for at least 5 years from when the transaction was completed. Digital records are accepted. Cloud accounting software alone isn't sufficient backup. You should have exported copies stored separately in case access is lost. A NAS or cloud backup provides automatic, reliable storage without needing to think about it.

What the ATO Actually Requires

According to the ATO (ato.gov.au), businesses must generally keep records for 5 years from when the records are prepared, obtained, or the transaction is completed, whichever is latest. The key records include:

  • Income and sales records (invoices, receipts, payment summaries)
  • Expense records (supplier invoices, purchase receipts)
  • Bank and credit card statements
  • Employee records (payroll, superannuation, leave)
  • Asset records (purchases, depreciation schedules)
  • Business activity statements (BAS) and tax returns

Records must be in English, or readily convertible to English. Digital records are explicitly accepted. You don't need paper. The ATO can audit up to 4 years after an assessment in standard cases, and longer where fraud or evasion is suspected.

ATO Record Retention Requirements at a Glance

Minimum retention periods. Clock starts from the date of the record or end of relevant tax year.

| Record type | Minimum retention | Details |
|---|---|---|
| Tax returns and supporting records | 5 years | From date of lodgement or when the return was due, whichever is later |
| Business income and expense records | 5 years | Receipts, invoices, bank statements, cash register records |
| GST records | 5 years | BAS lodgements, tax invoices, adjustment notes |
| Capital gains records | 5 years after disposal | Property purchase/sale contracts, improvement costs, CGT calculation records |
| Payroll and superannuation | 7 years | Payroll records, super guarantee payments, employee TFN declarations |
| Privacy Act personal information | As needed | Retain only as long as required, then securely destroy (applies to businesses >$3M turnover) |

Source: ATO.gov.au. Records must be in English or easily convertible. Digital copies acceptable if complete and legible. Penalties for non-compliance: up to AU$1,100 per offence.

Why Cloud Accounting Software Isn't Enough on Its Own

Many small businesses rely entirely on Xero, MYOB, or QuickBooks as their record-keeping system. That works as long as the subscription is active and the provider stays in business. But there are real risks:

  • Subscription lapses. If you fall behind on payments or cancel, your data becomes inaccessible. You may not be able to access 3-year-old invoices during an audit.
  • Provider shutdowns or acquisitions. Software companies get acquired, pivot, or shut down services. MYOB has changed hands and restructured multiple times.
  • Data export limitations. Some accounting platforms make it difficult to export complete records in a usable format. Check your platform's export options before you need them.

The ATO expects you to maintain access to records for 5 years regardless of what happens to your software provider. The safest approach is regular exports stored in a location you control, not solely within a subscription service.

The Australian Privacy Act: A Second Layer

If your business handles personal information of clients, customers, or employees, the Australian Privacy Act 1988 adds a second set of obligations. Businesses with an annual turnover over AU$3 million are covered by the Privacy Act as a matter of law; smaller businesses may also be covered depending on their activities (health services, credit reporting, or handling of sensitive information).

The Privacy Act requires that personal information is stored securely and only retained as long as needed. This creates a tension with ATO requirements: the ATO says keep records for 5 years, the Privacy Act says don't retain personal data longer than necessary. Your accountant or legal adviser can help you navigate the overlap for your specific situation.

Cloud services typically store data in US or European data centres by default. For businesses with data residency concerns, particularly in regulated industries, an on-premises storage solution keeps data under your direct control. This is one reason some Australian small businesses prefer a NAS over cloud-only storage.

How Businesses Actually Store Records: The Options

Cloud Accounting Software Only

Xero, MYOB, and QuickBooks all store your financial data in the cloud. This meets the ATO's digital records requirement as long as you can access the data for 5 years. The risk is subscription dependency. Mitigate it by exporting quarterly reports and transaction records to a separate storage location. This takes 30 minutes per quarter and gives you a backup that doesn't depend on the subscription remaining active.

Cloud Storage (Google Drive, OneDrive)

Good for storing exported accounting files, contracts, and document backups. Accessible from anywhere. Also USD-priced (Google One, Microsoft 365), subject to AUD exchange rate fluctuations. Data stored offshore by default. Business Starter plans run around AU$10/user/month for Google Workspace, or are included in Microsoft 365 Business subscriptions.

External Hard Drive

Simple and cheap. A 2TB external drive costs ~AU$100-150. If the drive fails or is in the office during a burglary or flood, records are gone. The Australian Consumer Law (ACL) covers drive replacement under warranty, but the drive manufacturer covers the hardware, not your data. For business records specifically, a single external drive as your only backup is not adequate protection.

A NAS: Automated Backup Without Monthly Fees

A NAS (Network Attached Storage) is a small box connected to your office network that automatically backs up files from all computers on the network. Set it up once and it runs nightly, covering accounting exports, contracts, client files, everything, without requiring anyone to remember to do it manually.

For businesses in the 2-15 staff range, an entry-level 2-bay NAS starts around AU$350-450, plus drives. With RAID 1 (mirroring), you have two simultaneous copies. If one drive fails, records are still intact. Remote access is built in, so your accountant or employees can reach files from home if needed.

What a NAS is and how it works is explained here, including whether it suits a small business setup.

The 3-2-1 Rule for Business Records

Regardless of what the ATO requires, the standard for business backup is the 3-2-1 strategy: 3 copies of your data, on 2 different types of storage, with 1 copy offsite. For a small business, that might look like: records in Xero (1), nightly backup to a NAS in the office (2), and weekly sync of the NAS to cloud storage (3, offsite).

If your office floods or burns down, the offsite cloud copy survives. If your cloud provider has an outage, the NAS copy is intact. If the NAS fails, you have two other copies. The 3-2-1 backup strategy explained in full walks through how to implement this for Australian home and business users.
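A way to check the 3-2-1 copies described above, as an added example that is not part of the original article: it hashes the quarterly export folder and confirms that the NAS and offsite copies hold identical files. The folder layout, file names and sample data are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def verify_copies(source: Path, copies: dict[str, Path]) -> dict[str, dict[str, list[str]]]:
    """Compare every copy against the source export; report missing and altered files."""
    want = manifest(source)
    report = {}
    for name, root in copies.items():
        # An unmounted or absent copy location counts as every file missing.
        have = manifest(root) if root.is_dir() else {}
        report[name] = {
            "missing": [f for f in want if f not in have],
            "mismatch": [f for f in want if f in have and have[f] != want[f]],
        }
    return report


def demo() -> dict:
    """Build constructed sample data: one export folder, a NAS copy, an offsite copy."""
    base = Path(tempfile.mkdtemp())
    files = {"2024-Q1/bas.pdf": b"BAS Q1", "2024-Q1/ledger.csv": b"date,amount\n2024-01-05,110.00\n"}
    for loc in ("export", "nas", "offsite"):
        for rel, data in files.items():
            path = base / loc / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    # Simulate the two failures the check exists to catch.
    (base / "nas" / "2024-Q1/ledger.csv").write_bytes(b"date,amount\n")  # truncated copy
    (base / "offsite" / "2024-Q1/bas.pdf").unlink()                      # sync never uploaded it
    return verify_copies(base / "export", {"nas": base / "nas", "offsite": base / "offsite"})


if __name__ == "__main__":
    for location, result in demo().items():
        print(location, result)
```

An empty "missing" and "mismatch" list for every location means each copy is complete and byte-identical to the export; anything else is a copy you could not rely on in an audit.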


How long does the ATO require me to keep business records?

The general rule is 5 years from when the record was prepared, obtained, or the transaction was completed, whichever is latest. Some records have longer retention requirements (certain tax records relating to capital gains, for example). When in doubt, keep records for 7 years to be safe, and confirm specifics with your accountant.

Does using Xero or MYOB count as keeping records?

Yes, as long as you can access the records for the full 5-year period. The risk is subscription dependency. If access lapses, you lose access to records. Best practice is to export your transaction history, BAS records, and reports quarterly and store them in a location you control (external drive, NAS, or cloud storage) separate from the accounting platform.

Can I store ATO records digitally?

Yes. The ATO explicitly accepts digital records as long as they're in English (or readily convertible) and are accessible and legible for the retention period. There is no requirement to maintain paper copies if digital copies are kept. Scanned PDF versions of paper receipts are acceptable.

What's the penalty for not keeping adequate records?

Under the Tax Administration Act, failing to keep required records can result in penalties, typically up to AU$1,100 per offence (1 penalty unit) under general provisions, but the practical cost of a disorganised audit is often much higher in accounting fees and time. The ATO may also estimate your tax liability if records are inadequate, which is rarely in the taxpayer's favour.

Does my business need to back up to an Australian data centre?

There's no blanket legal requirement for small businesses to store data in Australia, but the Australian Privacy Act requires that personal information be stored securely and that offshore providers handle it with equivalent protections. For regulated industries (health, finance, legal) or businesses handling sensitive client data, Australian data residency may be a compliance requirement. A NAS keeps data on-premises in Australia by default. Check your industry's specific requirements with your legal adviser.
