The CYA letter, at a stable URL
A CYA (cover your assets) letter is a written communication sent to clients at year-end to document the scope of the engagement, the recommendations made, and what the client is responsible for doing next. Most CPAs, enrolled agents, and consultants still send them by paper mail or PDF email attachment -- a workflow that costs $2-4 per letter in direct costs and produces a document the client may never locate again when they need it.
This post gives you a copy-paste template for the letter itself, a table comparing delivery methods, and a three-step workflow for publishing the letter at a stable URL instead of printing it.
What a CYA letter is and why it protects your practice
A CYA letter is a written record of what you agreed to do, what you actually did, what you recommended, and what you are not responsible for -- created to protect both the practitioner and the client if questions arise 12 to 18 months after the engagement closes.
It is not the same as an engagement letter. An engagement letter comes at the start: it defines scope, fees, and mutual responsibilities before work begins. A CYA letter comes at the end: it documents what actually happened during the engagement and what actions the client must take. Both matter; neither substitutes for the other.
The letter creates a contemporaneous record. If a client later claims you never warned them about estimated payments, or that you were responsible for a filing you explicitly said was out of scope, the year-end letter is your evidence. That evidence is only useful if you can actually retrieve it. Under IRS Circular 230 Section 10.28, practitioners must promptly return to clients any records they need for tax compliance -- which can include correspondence documenting advice given. A letter filed in a paper cabinet and a letter at a stable URL both satisfy the record-keeping obligation, but only one can be re-delivered in under a minute.
What to include in a year-end CYA letter
A complete year-end CYA letter covers nine things: a scope statement, a reliance clause, the recommendations you made, a list of services not included, client action items with dates, a record-retention reminder, next-engagement timing, and a contact line. That structure turns the letter from a generic "thanks for being a client" note into a document that holds up if a question surfaces later.
The most commonly skipped section is the out-of-scope list. A generic CYA letter that doesn't specify what the firm did NOT do can actually create ambiguity rather than resolve it. If you prepared the federal return but not the state return, say so explicitly. If you provided planning advice but not IRS representation, say so. Anything left unstated is an invitation for a disagreement later.
The record-retention reminder is the other section most templates skip. Telling the client to keep their return and supporting documents for at least seven years is advice they will not get from anyone else, and it reinforces that the engagement produced real deliverables they should protect.
CYA letter template (copy-paste ready)
The template below is plain markdown. Copy it, fill in the bracketed placeholders, and you have a letter. Customize the out-of-scope list for your actual engagement -- a generic list copied verbatim from a template is better than nothing, but a specific list that matches what you actually discussed is what protects you.
```markdown
## Year-End Client Letter

[Firm name]
[Date]
[Client name or entity name]
Tax year: [YYYY]

### Scope of engagement

We were engaged to [prepare your federal and state individual income
tax return / provide year-end tax planning advice / describe engagement].
This letter summarizes the work completed and our recommendations for [YYYY].

### Reliance on your information

Our work is based entirely on the information you provided. We did not
audit or independently verify the underlying records. If any information
you provided was incomplete or inaccurate, please notify us promptly so
we can assess whether an amended return or corrected advice is needed.

### Recommendations made during this engagement

The following planning recommendations were discussed and documented:

- Estimated tax payments: advised quarterly payments of $[X] beginning
  [date]. Next payment due: [date].
- Retirement contributions: advised maximizing [IRA / SEP-IRA / 401(k)]
  contribution by [deadline].
- Withholding: advised submitting updated Form W-4 to your employer by
  [date].
- [Add additional recommendations here, one per line.]

### Services not included in this engagement

Unless separately agreed to in writing, the following services are NOT
included in this engagement:

- [Estate planning or trust return preparation]
- [State returns other than [list states covered]]
- [Bookkeeping or accounting services]
- [Payroll tax filings]
- [IRS examination representation]
- [Any other service not explicitly in scope]

### Action items for you

Please complete the following by the dates shown:

- [ ] Make Q4 estimated payment of $[X] by January 15, [YYYY+1]
- [ ] Gather [W-2s, 1099s, K-1s, brokerage statements] by [date]
- [ ] [Additional client action item with deadline]

### Record retention

We recommend retaining your [YYYY] tax return and all supporting
documents for at least seven years from the filing date. This covers
the IRS statute of limitations for most returns (three years) and the
extended period for substantial underreporting of income (six years).

### Next engagement

We plan to begin gathering documents for your [YYYY+1] return around
[month]. You will hear from us in [month] with a document checklist.

### Questions?

Contact us at [email] or [phone]. We are glad to walk through any
item in this letter.

[Firm name]
[Signatory name and credential, e.g., Jane Smith, CPA]
```
Paper mail vs. a stable URL: what actually changes
Sending a year-end CYA letter as a stable URL instead of a paper-mailed PDF cuts direct delivery costs from $2-4 per letter to near zero and gives the client a link they can re-read months later when a question comes up.
| Delivery method | Cost per letter | Client re-reads without login | Read confirmation | Update without resending | Practitioner can retrieve on demand |
|---|---|---|---|---|---|
| Paper mail | $2-4+ (USPS + printing + labor) | Only if they kept it | No | No -- reprint and mail | Only if you kept a copy |
| PDF email attachment | ~$0 | In their inbox (if not deleted) | Read receipts unreliable | No -- resend required | In your sent folder |
| Client portal (TaxDome, Canopy) | Bundled in $600+/year plan | Yes, but login required | Yes | Yes | Yes |
| Stable URL (Anchorify) | $0 (free tier) | Yes, no login needed | Yes (view count + time-on-doc) | Yes, same URL | Yes, always accessible |
The "update without resending" row is the one that changes behavior most. If you catch a date error in a mailed letter, you mail a correction. If you catch a date error in a URL-published letter, you fix the file, re-run the publish command, and the client's link shows the corrected version. No new email, no awkward "please disregard the previous letter."
The analytics row matters too. Anchorify's per-share analytics show view count and time-on-doc. When a client calls in March claiming they "never saw" the estimated payment recommendation from November, you have a timestamp that says otherwise.
One-time mailing costs add up. At $2 per letter loaded cost, a 100-client firm sends $200 worth of paper in December. At 200 clients, that is $400 -- plus 2-3 hours of staff time for printing, folding, and stamping. On a per-year basis it is not catastrophic, but it is a recurring friction cost for a document that could be a URL.
The workflow: from letter to client in three steps
The full workflow from writing the letter to the client reading it takes under five minutes once the content is ready.
Step 1: Write the letter. Use the template above. Save the file as something like smith-jane-2025-year-end.md. Write it as markdown -- it renders cleanly and is easy to update if anything changes.
Step 2: Publish it. One command returns a URL:
```shell
anchorify smith-jane-2025-year-end.md --slug smith-jane-2025-year-end
# Returns: https://anchorify.io/yourfirm/tax/smith-jane-2025-year-end
```
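If the letter contains sensitive figures you would rather not leave open, set a password on the share from the dashboard before you send it. Each share has its own password; the client gets the URL and the password, and does not need to create an account. For letters that are more general (no specific dollar amounts or account numbers), leaving the link open is fine -- the URL is not guessable, and the client can share it with their spouse or business partner without you having to add anyone to a portal. That holds only while the slug itself is not predictable: a slug built from the client's name and the year, like the one in the command above, can be reconstructed by anyone who knows the naming pattern, so an open link with such a slug is unlisted rather than secret.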
Step 3: Send the URL. Paste the link into your normal email or client-text workflow. No attachment. No permission dialog. The client clicks the link, reads the letter in their browser, and can bookmark it for later.
If you need to correct something after sending, update the file and re-run the same command. The URL stays the same. The client's bookmark still works.
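One way to keep the URL stable across re-publishes without putting the client's name in it, as an added example that is not Anchorify's or the author's code: each letter gets a slug made of an internal client code plus a random token, recorded locally so a re-run reuses it. It assumes `--slug` accepts such a string as in Step 2; the `slug-map.tsv` file, the function names and the client codes are hypothetical.

```shell
#!/bin/sh
# Added example: stable but hard-to-guess slugs for per-client letters.
# SLUG_MAP is a hypothetical local file mapping each letter file to its slug.
SLUG_MAP="${SLUG_MAP:-./slug-map.tsv}"

# Print 16 random hex characters (64 bits) read from the kernel CSPRNG.
random_token() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the slug for a letter file, creating and recording it on first use.
# Arguments: letter file, internal client code, tax year.
# The slug never contains the client's name, only the code and a random token.
slug_for() {
    file="$1"; client_code="$2"; year="$3"
    touch "$SLUG_MAP"
    chmod 600 "$SLUG_MAP"   # the map links files to live URLs; keep it private
    existing=$(awk -F '\t' -v f="$file" '$1 == f { print $2; exit }' "$SLUG_MAP")
    if [ -n "$existing" ]; then
        # Re-publish: reuse the recorded slug so the client's bookmark still works.
        printf '%s\n' "$existing"
        return 0
    fi
    slug="${client_code}-${year}-$(random_token)"
    printf '%s\t%s\n' "$file" "$slug" >> "$SLUG_MAP"
    printf '%s\n' "$slug"
}

# Print (dry run) the Step 2 publish command with the recorded slug.
publish_command() {
    printf 'anchorify %s --slug %s\n' "$1" "$(slug_for "$1" "$2" "$3")"
}
```

Back up the map file with the letters themselves: losing it means a re-publish would mint a new slug and break the link already sent to the client.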
Full setup is in the getting started guide. Solo consultants and advisors tend to find this pattern natural: one command per deliverable, one URL per client.
Frequently Asked Questions
The questions below cover the compliance, confidentiality, and retention issues that come up most often when CPAs and enrolled agents start sending year-end CYA letters at a stable URL.
Does Circular 230 require me to keep a copy of my year-end letters?
IRS Circular 230 (31 CFR Part 10) requires practitioners to promptly return to clients any records they need to comply with their federal tax obligations, including written correspondence that documents advice given (Section 10.28). Circular 230 does not specify how long practitioners must retain their own copies of client communications. AICPA guidance recommends seven years for client files, which covers the IRS's six-year statute of limitations for substantial underreporting. A stable URL is an accessible practitioner copy -- useful for re-delivery on request -- but it is not a substitute for your document management system. Keep offline copies too.
Can I send a different letter to each client?
Yes. Each anchorify command on a different file creates a separate URL. For 80 clients, you have 80 URLs. Name the files by client code and the URLs match. Each file stays on your local machine; the URL is the published version. If you use a consistent naming convention (e.g., [client-code]-[year]-year-end.md), your local folder and your published URLs stay organized in parallel.
What if the letter contains confidential financial figures?
Set the share to password-protected before sending the link. Each share on Anchorify can have its own password set from the dashboard or CLI. The client gets the URL and the password; no account creation required. For letters that reference raw return data (SSNs, full account numbers, complete return copies), keep those in your existing secure portal. A password-protected URL is appropriate for a CYA letter summary; a full return copy belongs in encrypted, authenticated storage.
How long should I keep year-end client letters?
AICPA guidance recommends retaining client files for seven years. The IRS's general statute of limitations is three years from the return due date or filing date, whichever is later. The statute extends to six years when a taxpayer omits more than 25% of gross income; it has no limit in cases of fraud or failure to file. Keeping letters for seven years covers the realistic exposure window for most clients. The specific retention period per client depends on the complexity and risk profile of their return.
Is a year-end CYA letter different from an engagement letter?
Yes. An engagement letter is signed at the start of the engagement, before work begins: it defines scope, fees, and the responsibilities of each party. A CYA letter is sent at the end: it documents what actually happened, what recommendations were made, and what the client must do next. Engagement letters are often signed (sometimes via e-signature). CYA letters are typically informational, not requiring a signature. Both documents belong in your permanent client file.
Sources
- IRS Circular 230 -- Tax Professionals overview
- 31 CFR 10.28 -- Return of client's records (Cornell LII)
- r/taxpros community on Reddit -- practitioner discussions on year-end letter workflows, including the BeachTax3 quote: "It was always crazy in December, preparing, printing, assembling, envelope stuffing, weighing, mailing. Time intensive AND stupid expensive."
- USPS business postage rates -- 2024 first-class letter rate ($0.68/letter; loaded cost $2-4+ with printing, envelope, and labor)
- IRS -- Understanding tax return preparer credentials and qualifications
Anchorify turns any markdown file -- including the CYA letter template above -- into a shareable URL with one command. Free during beta. Sign in at anchorify.io.
Last updated: 2026-05-24