New ethics interpretation on data-hosting services

By Jason Miller

Are you currently providing a service that will soon impair your independence?

Are you currently providing a service that will soon impair your independence?

The AICPA Professional Ethics Executive Committee (PEEC) recently adopted a new interpretation, Hosting Services, which appears in the AICPA Code of Professional Conduct’s “Independence Rule” (ET § 1.295.143) under “Nonattest Services” and applies to practioners who provide nonattest services to attest clients. Under the new rule, providing hosting services to attest clients will soon (effective September 1, 2018) impair independence when a CPA takes responsibility for maintaining internal control over an attest client’s electronic information.

Where is the new line?

Your firm’s independence will be impaired if you:

  1. Assume responsibility for safeguarding or maintaining internal control of a client’s financial or even critical non-financial information;
  2. Control client data such that it becomes incomplete or only accessible through the CPA; or
  3. Provide disaster recovery or business continuity services for an attest client.

In these three service areas, the PEEC is concluding that by providing hosting services, a CPA is delivering services that cross the “management activity” restriction.

What are some examples that impair independence?

  • Cloud-hosted accounting software: If the CPA firm is managing the hosted software on their internal hardware or leased cloud servers, then the client is dependent on the CPA firm for controlling their critical financial information, and independence is impaired.

  • Website hosting: If the CPA firm hosts a client’s website on their internal hardware or leased cloud servers, then independence is impaired.

  • Disaster recovery: If the CPA enters into an engagement with the attest client by which they are playing a role in holding the client’s data backups or contingent processing environment to be used for disaster recovery or business continuity, then independence is impaired.

  • Contract management system: If the CPA firm offers the attest client services for a hosted solution to manage the client’s business contracts, then independence is impaired.

Please note, the preceding list is not intended to be all-inclusive.

What are some examples that do not impair independence?

  • Cloud-hosted accounting software: If a third-party software provider is responsible for the hosting, management, and availability of the hosted accounting solution and the client is controlling the access to the system, an independence issue would not be created. The primary differences between this scenario and the one above is the CPA is not controlling access to the system, and the client can maintain access to the information independent of the CPA. The client should be responsible for managing user access to the information for both their employees and the CPA team members.

  • Storage of client information for performance of engagement: The CPA may maintain copies of a client’s information required to provide engagement services. Information should not be the only copy or originals.

  • Client portal: The CPA firm may provide a secure electronic service to share information back and forth with a client, again as long as the information is required for the CPA to perform approved services and the information is not the only copy or original.

Please note, the preceding list is not intended to be all-inclusive.

Public accounting firms should always consider all applicable rules as defined in ET § 1.295 when providing non-attest services to attest clients. As a reminder, the changes discussed in this article do not take effect until September 1, 2018. This allows for adjustments to existing engagements.

The PEEC is also evaluating revisions to ET § 1.295.145 (Information Systems Design, Implementation, or Integration). Watch for proposed changes, which are expected to be released later in 2018.

As originally published in Kentucky CPA Journal