(312) 287-9854 info@xpezia.com.pk WhatsApp
Mon–Sat 10am–8pm  |  Response within 2 hrs
Compliance Guide

Tax Record Keeping Requirements
for International Businesses

A practical compliance reference for foreign founders and Non-Resident Pakistanis managing companies across borders.

This guide covers what records to keep, how long to keep them, how to organize them across jurisdictions, and what audit-ready documentation looks like for remote founders. If you run a company from outside the country where it's registered - or manage operations across multiple countries - this is the reference you need.

15 min read
Intermediate Level
Updated 2026
Multi-Jurisdiction
Quick Navigation
At a Glance

Key Takeaways

The burden of proof in a multi-jurisdictional tax review sits with you, not the tax authority. This guide helps you build a record system that meets that burden before it's ever tested.

Major advantages of strong record keeping:
  • Demonstrates genuine business substance to tax authorities
  • Reduces exposure during multi-jurisdictional reviews
  • Supports transfer pricing and withholding tax documentation
  • Provides evidence for Double Taxation Agreement (DTA) positions
  • Protects your business structure from challenge on management and control grounds
Major risks of weak record keeping:
  • Tax authorities can question where your business is actually managed
  • Missing retention periods trigger automatic non-compliance penalties
  • Currency conversion gaps create unexplainable income discrepancies
  • Digital management without documentation leaves no evidence of substance
  • Permanent Establishment risk increases when management activity goes undocumented
Scope of This Guide

Who This Guide Is For / Not For

This guide is built for NRPs who incorporated in the US, UK, UAE, or another jurisdiction while living and managing operations from Pakistan or a third country. It's also relevant for foreign founders who have team members, clients, or vendors spread across multiple countries and need a record system that holds up under scrutiny from more than one tax authority.

This guide is not built for businesses operating in a single country with straightforward domestic compliance. It's also not a substitute for jurisdiction-specific legal or tax advice. Nothing in this guide constitutes legal counsel.

This guide is for you if:
  • You are a Non-Resident Pakistani (NRP) managing a foreign-registered company from abroad
  • You operate across multiple tax jurisdictions
  • You need to document remote management activities for compliance
  • You want to build an audit-ready record system before problems arise
This guide is NOT for you if:
  • You are looking for legal defense strategies or audit dispute advice
  • You need country-specific step-by-step tax filing instructions
  • You are a resident business owner with operations in a single jurisdiction
This guide is not a substitute for jurisdiction-specific legal or tax advice. Nothing in this guide constitutes legal counsel.
Section 01

Global Record Keeping Rules and Retention Periods

Standard Retention Timelines: The 5-7 Year Rule

Most countries follow a 5 to 7 year retention window for core business tax records. The exact number varies by jurisdiction:

🇺🇸
3-7yrs
United States
Generally 3-7 years depending on document type; employment tax records require 4 years.
🇬🇧
6yrs
United Kingdom
6 years for companies - but this period starts from the statutory filing deadline, not the transaction date.
🇪🇺
7yrs
European Union
Varies by member state; 7 years is common for VAT and accounting records.
🇦🇪
5yrs
UAE (Free Zones)
5 years minimum for financial records.
🇵🇰
6yrs
Pakistan (NRPs with local obligations)
6 years under the Income Tax Ordinance 2001.
Safe Default: 7 Years Across All Categories

If you operate across two or more jurisdictions, keep records for whichever country requires the longest period. Don't apply different timelines to different document types and risk ending up with a gap.

One distinction that causes real problems: in the UK, the 6-year clock starts from the filing deadline, not from when the transaction actually occurred. A founder who deletes records 6 years after the transaction date may be deleting records that are still legally required. When in doubt, keep longer.

A transaction from early in your financial year may need to be kept significantly longer than founders assume - the UK filing deadline can add months beyond the transaction date before the 6-year clock even begins.

Tracking Cross-Border Transactions: Invoices, Receipts, and Contracts

Every cross-border transaction needs a complete paper trail. The following documents must be retained in full:

Sales and Revenue Records
  • Issued invoices with dates, currency, and client jurisdiction
  • Proof of payment received (bank statements, payment gateway exports)
  • Currency conversion records at the time of transaction
  • Any applicable VAT or sales tax documentation
Expense and Purchase Records
  • Supplier invoices and receipts
  • Proof of payment made
  • Description of business purpose
  • Vendor country and tax identification where applicable
Contracts and Agreements
  • Signed contracts with effective dates
  • Amendments or addenda with timestamps
  • Digital signing records including platform-generated certificates (DocuSign, Adobe Sign, or equivalent) showing signatory IP address, timestamp, and email
  • Service agreements for freelancers or contractors in other countries

For NRPs, contracts and payment records serve a second function beyond basic compliance. They document that real transactions occurred at arm's length, which supports your position on transfer pricing and DTA claims if questions ever come up.

Section 02

Documentation Framework for Remote Founders

Categorizing Records: Sales, Payroll, and International Expenses

A workable system divides records into four clear categories:

1
Revenue Records

All income by source country, client, and currency. This includes invoices, contracts, receipts, and any correspondence confirming the nature of the payment.

2
Payroll and Contractor Records

Employment contracts, payslips, contractor agreements, payment confirmations, and applicable withholding tax records for each jurisdiction where you pay people.

3
Operational Expense Records

Receipts, invoices, bank statements, and approval logs for all business costs - broken down by category and country where incurred.

Most Critical for NRPs
4
Management Activity Records

This category is absent from most generic compliance guides. It includes board meeting minutes, shareholder resolutions, signed approvals, digital login logs, and any record that documents where and when key business decisions were made. Without it, a tax authority can argue that your company is actually managed from your country of residence rather than where it's incorporated. That argument, if accepted, triggers local tax liability on foreign income and creates a Permanent Establishment exposure that could not otherwise exist.

A point many founders miss: your accounting software - whether Xero, QuickBooks, or anything else - is a ledger. It records financial outcomes. It is not your source documentation archive. The invoices, contracts, bank statements, signing certificates, and meeting logs that support those ledger entries must be maintained separately. If your only record system is your accounting platform, you don't have a compliant record system.

Digital Tools and Compliance Standards

If you store records digitally - which is the right approach for remote founders - the storage method itself is part of your compliance picture. GDPR applies to any business handling data belonging to EU residents, regardless of where the business is incorporated. Pakistan's Personal Data Protection Act and other jurisdictions have equivalent frameworks.

Cloud Storage Options That Support Compliance:

Google Workspace / Google Drive
Supports GDPR data processing agreements; allows access control by user and file; maintains version history.
Microsoft OneDrive / SharePoint
Enterprise-grade compliance features; supports retention policies and audit logs.
Dropbox Business
Provides access logs, version history, and admin controls.
Dedicated Document Management Systems
Tools like DocuWare and M-Files are built specifically for compliance-grade document retention.

When selecting a tool, verify three things:

  • 1 Where data is physically stored (some jurisdictions require local data residency)
  • 2 Whether the provider offers a Data Processing Agreement if you handle EU data
  • 3 Whether you can export all records in a standard format if required for an audit

Avoid storing compliance-critical records only in email folders or on personal drives. These aren't audit-ready environments and they don't provide the access controls or audit logs that a compliant system requires.

Special Focus: Digital Management Records for NRPs

This is the area most generic compliance guides fail to address for NRPs.

Documenting Digital Management Activity

When you manage a company remotely - approving contracts from Karachi, signing documents from Lahore, running board calls across time zones - each of those activities needs to leave a traceable record. Not because you're doing something wrong. Because the absence of that record creates ambiguity, and tax authorities treat ambiguity as evidence that management and control exists locally rather than abroad.

The concept at stake is "mind and management" - the legal test many jurisdictions use to determine where a company is genuinely controlled. For NRPs, documenting digital management activity is how you demonstrate that this control sits outside Pakistan.

What to document for remote management:

Board and management meetings
Calendar invites with attendee records, video call logs (Zoom, Google Meet, Teams), and written minutes that include the date, participants, and decisions made. Export and store these after every meeting. Zoom Cloud retains meeting logs with timestamps - download and archive them systematically.
Contract signings
Use a platform that generates a signing certificate showing the signatory's IP address, timestamp, and email. DocuSign and Adobe Sign both produce these. The IP address is objective evidence of where the contract was signed. Store the certificate alongside the signed document, not in a separate folder.
Payment approvals
Any payment above a defined threshold should have a written approval trail - an email thread, a Slack message exported to PDF, or a record from an internal approval system.
Director and shareholder resolutions
Keep these in a dedicated folder, signed and timestamped, covering every formal decision the company makes.

A board resolution on its own is a piece of paper. A board resolution paired with a Zoom meeting log showing non-Pakistani IP addresses and a DocuSign certificate confirming where it was signed is a documented management event. The difference between those two things is the difference between a record and evidence.

Organizing these by date and decision type in a cloud-based system accessible across time zones isn't optional for NRPs. It's the foundation of your substance documentation.

Section 03

Audit Readiness and Internal Controls

Creating Clear Audit Trails for Financial Statements

An audit trail connects every number in your financial statements back to a source document. For international businesses, that connection has to work across currencies, time zones, and jurisdictions.

A complete audit trail for a single international transaction includes:

Complete chain — every link required
1
Original Invoice or Contract
Source document establishing the transaction
2
Proof of Payment
Bank statement or payment gateway record
3
Currency Conversion Record
Exchange rate used and its documented source
4
Journal Entry
The corresponding entry in your accounting system
5
Financial Statement Line Item
The number as it appears in your statements

If any step in that chain is missing, the transaction becomes difficult to verify. At scale, missing links across dozens or hundreds of transactions become a real compliance problem.

For NRPs converting foreign income to a reporting currency: document the conversion rate at the time of the transaction, note the source of that rate (central bank rate, XE.com, your bank's posted rate), and apply it consistently. Switching conversion methods mid-year without documentation is a common audit flag. Third-party confirmation of the rate used - such as a central bank published rate - adds a layer of verifiability that strengthens your records considerably.

Regular Reconciliations and Version Control

Reconciliation means checking that what your records say matches what actually happened - bank balances against statements, payroll records against bank outflows, invoices against income entries.

For international businesses, reconciliation should happen monthly at minimum. At year-end, it should cover:

Bank Accounts
  • Bank accounts in each currency and jurisdiction
Invoices and Income
  • Outstanding invoices versus received payments
Payroll and Contractors
  • Payroll and contractor payments versus tax filings in each jurisdiction
Intercompany and BOI
  • Intercompany transactions and Beneficial Ownership Information (BOI) filings where applicable
Version Control for Revised Documents

Version control applies to documents that get revised over time - contracts with amendments, financial statements with corrections, board resolutions that supersede earlier ones. Every version should be stored, not just the final one. A reviewer looking at a multi-year period wants to see how decisions developed, not only where things ended up.

Section 04

Common Mistakes and Compliance Risks

1
Treating digital storage as compliance
Having files in a cloud folder is not the same as having a compliant system. If your records aren't organized by category - specifically keeping Management Activity Records separate from Operational Expense Records - you'll struggle to demonstrate substance in a review. Organization by category is what turns a document collection into a usable compliance archive.
2
Confusing accounting software with source documentation
Xero and QuickBooks record what happened financially. They don't retain the contracts, signing certificates, bank statements, and meeting logs that prove why those entries exist. Your accounting platform is the ledger. Your document archive is the evidence. Both are required. Only one usually gets maintained.
3
No documentation of remote management activities NRP Critical
The most common gap for NRPs. Without meeting logs, signed resolutions, and contract signing certificates, there's no objective record showing that management and control occurs outside Pakistan. This gap directly increases Permanent Establishment risk.
4
Misunderstanding when the UK retention clock starts NRP Critical
The UK's 6-year retention requirement for companies begins from the statutory filing deadline - not the transaction date. Founders who delete records 6 years after the transaction may be deleting records that are still legally required. Apply the longest applicable timeline and err toward keeping records longer.
5
Applying one country's retention rules across all records
If your company is registered in the UK but you have US clients and Pakistani co-founders, you may have record-keeping obligations across all three jurisdictions. The longest required period applies to all records.
6
Using personal accounts for business transactions
Personal bank accounts and payment apps used for business purposes make it nearly impossible to produce a clean audit trail. Keep business finances fully separate from personal ones in every jurisdiction.
7
Overlooking data privacy obligations for digital records
Storing client or employee data in a cloud system without a valid DPA - or without knowing where that data is physically held - creates GDPR exposure regardless of where your company is incorporated.
8
Assuming your accountant handles all of this
Your accountant files your returns. They're not automatically responsible for maintaining source documents across multiple jurisdictions. Be clear about who is responsible for what, and in which country.
Ledger vs Archive
Accounting software is not a compliance archive
UK Clock
Starts at filing deadline, not transaction date
Jurisdiction Rule
Apply the longest retention period across all records
Separation
Personal and business accounts must never mix
Section 05

Compliance Obligations Overview

This section provides a high-level view of ongoing compliance responsibilities for international businesses. It's not a procedural checklist - it's a summary of what you remain responsible for on a continuing basis.

Ongoing Filing Requirements
General
  • Annual financial statements or accounts (varies by jurisdiction)
  • Corporate tax returns in each jurisdiction where you have a filing obligation
  • VAT or sales tax returns where applicable
  • Payroll and employment tax filings for each country where you pay staff
  • Transfer pricing documentation if transacting between related entities
  • Double Taxation Agreement (DTA) documentation where treaty positions are claimed
Structural Obligations
Remote Founders
  • Maintain a registered address and local agent where required
  • Hold and document required meetings (annual general meetings, board meetings)
  • Keep your company register, share register, and statutory filings current
  • File Beneficial Ownership Information (BOI) where required (e.g., UK PSC register, US FinCEN BOI)
For NRPs Specifically
Non-Resident Pakistanis
  • Understand your treaty position between Pakistan and the country of incorporation
  • Assess whether your management activities in Pakistan create a Permanent Establishment risk
  • Maintain records that support your tax residency position under the FBR Income Tax Ordinance 2001
  • Document management activity with enough specificity to demonstrate that control of the company sits outside Pakistan

If any of these obligations are unclear for your situation, working with a qualified advisor is the right move. Multi-jurisdictional compliance is genuinely complex, and the cost of a missed obligation is usually higher than the cost of getting advice early. Explore our compliance services to understand how we support NRPs with cross-border tax record keeping.

Need Help Setting This Up Correctly?

Cross-border compliance record keeping is manageable once the system is in place.

Building that system from scratch - across multiple jurisdictions, currencies, and remote management scenarios - is where most founders run into real problems. Record keeping errors rarely surface immediately. They show up during funding due diligence, during a multi-jurisdictional review, or when you try to expand into a new market and find your records don't support your structure. By then, fixing the gaps costs significantly more than building the system correctly from the start.

Chat on WhatsApp
Frequently Asked Questions

FAQs

The standard range is 5 to 7 years depending on the jurisdiction. The UK requires 6 years for companies, starting from the filing deadline - not the transaction date. The US requires up to 7 years for certain records. Pakistan's FBR Income Tax Ordinance 2001 requires 6 years. If you operate across multiple countries, keep all records for the longest required period. For most international businesses, 7 years is the safe default.

The records that matter most are the ones that prove where and when management decisions were made. That means board meeting minutes with timestamps, exported video call logs, digital contract signing certificates showing the signatory's IP address and timestamp from platforms like DocuSign or Adobe Sign, written payment approvals, and director or shareholder resolutions. Together, these records demonstrate that management and control of the company occurs outside Pakistan.

For each payment subject to withholding tax, keep the original invoice, the gross amount, the withholding tax rate applied and its basis (DTA treaty provision or domestic rate), the net payment received, the withholding tax certificate from the paying party, and the corresponding bank record. File them together by transaction, not separately.

Yes. GDPR applies to any business that processes personal data belonging to EU residents, regardless of where the business is incorporated or where the founder lives. EU clients or employees means GDPR requirements apply to how you store and handle their data - including within your record-keeping system. Check whether your cloud storage provider has a valid Data Processing Agreement in place.

It's the single currency in which you prepare your financial statements. Every transaction in another currency has to be converted to this base currency using a documented exchange rate from a consistent, verifiable source. Undocumented rates or inconsistent conversion methods are a common audit flag for international businesses, so getting this right from the start matters more than it might seem.

Filing a return and maintaining a multi-jurisdictional audit trail are two different things. Most local accountants handle local filings. They're not automatically set up to maintain source documentation across multiple foreign jurisdictions, document remote management activity, or organize records to the standard required by UK Companies House or US federal requirements. Confirm exactly what your accountant covers - and figure out where the gaps are.

For NRPs, yes. The signing certificate generated by platforms like DocuSign or Adobe Sign is the most objective evidence available to confirm where a contract was signed. It records the signatory's IP address, the timestamp, and the email address used. In a substance review, that certificate is direct evidence that management activity occurred outside a specific jurisdiction. A printed contract with a signature tells you nothing equivalent.

Permanent Establishment (PE) risk arises when a tax authority determines that a company is sufficiently active in a jurisdiction to be treated as having a taxable presence there - even without being registered there. For NRPs managing foreign companies from Pakistan, undocumented management activity can contribute to a PE finding by the Pakistani tax authority. Keeping clear records of where decisions are made, where contracts are signed, and where management functions actually occur is a core part of managing that risk.

Compliance Services

If you're an NRP managing a foreign company and want to confirm your documentation is genuinely audit-ready

Our compliance services cover record system setup, multi-jurisdictional filing support, and ongoing compliance management.

Chat on WhatsApp
Multi-jurisdictional expertise
NRP-specialist advisors
Ongoing compliance management

Open in your AI

Choose which AI assistant to use