October 2018 JD Supra
jd supra logo

CPAs: To Host or Not to Host was published by JD Supra on 10/18/18.

A CPA providing “Hosting Services” to “attest” clients could potentially threaten a CPA’s independence. Hosting Services have evolved over a number of years based on the development of software solutions and cloud-based tools.  A “discomfort” that has risen over a CPA’s ability to provide Hosting Service to clients is that CPAs could potentially impair their ability to remain “independent” because of CPA access to a client’s data or records.  As a result, there is perception that a CPA could become part of a client’s internal control “management” – which is prohibited under certain circumstances.

The American Institute of CPAs (AICPA) amended its CODE OF PROFESSIONAL CONDUCT in 2017, by issuing a NEW AND REVISED Interpretation effective on September 1, 2018 which includes a new “independence” rule on hosting services.   

New Independence Rule

The Interpretation states that when a member provides Hosting Services, the member is maintaining internal control over a client’s data or records. Consequently, in an attest services environment, a CPA’s management participation could affect the member’s compliance with the “Independence Rule”; which would be impaired, and which impairment could not be reduced to an acceptable level through the application of other independence safeguards.    

The new “Hosting Services” Interpretation issued by the AICPA refers to “non-attest” services involving a member accepting responsibility for the following:

  • Acting as the sole host of a financial or non-financial information system of an attest client
  • Taking custody of or storing an attest client’s data or records whereby, the data or records are available only to the attest client from the member, such that the attest client’s data or records are otherwise incomplete
  • Providing electronic security or back-up services for an attest client’s data or records

Examples of activities that are considered “Hosting Services” are:  

  • Housing the attest client’s website or other non-financial information system
  • Keeping the attest client’s data or records on the attest client’s behalf: the attest client’s general ledger information, supporting schedules (depreciation or amortization schedules), lease agreements or other legal documents are stored on the member’s firm’s servers or servers licensed by the member’s firm or the member is responsible for storing hard copy versions of the data or records
  • Being the attest client’s business continuity or disaster recovery provider

Examples of activities that are NOT considered to be “Hosting Services” are:

  • Retaining a copy of an attest client’s data or records as documentation to support a service the member provided to the attest client:  payroll data that supports a payroll tax return prepared by the member for the attest client, a bank reconciliation that supports attest procedures performed by the member on the attest client’s cash account, the attest client’s vendor data used to prepare an analysis of vendor activity,
  • Retaining, for a member’s records, a copy of a work product prepared by the member (a tax return),
  • Using general ledger software to facilitate the delivery of bookkeeping services when either of the following occurs:
  • The member and the attest client maintain separate instances of the software on their respective servers, and the member provides updated financial information electronically to the attest client.
  • The attest client enters into an agreement with a third-party service provider to maintain its software in a cloud-based solution and grants the member access to the software so that the member can perform the bookkeeping service for the attest client.

What are attest services?

According to the American Institute of Certified Public Accountants (AICPA), attest services are “protected services” that can only be performed by a CPA operating within a CPA firm.  They include audits, reviews, compilations, examinations of prospective financial information, and engagements performed pursuant to the Public Company Accounting Oversight Board (PCAOB). The attestation standards are developed and published by the AICPA.  

What is Independence?

The AICPA defined the Independence Rule as: “A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council. Professional services include all services requiring accountancy or related skills that are performed by a member for a client, an employer, or on a volunteer basis. These services include, but are not limited to accounting, audit and other attest services, tax, bookkeeping, management consulting, financial management, corporate governance, personal financial planning, business valuation, litigation support, educational, and those services for which standards are promulgated by bodies designated by Council”.

Don’t be a victim of your own making

CPAs must remain independent and comply with the AICPA’s Independence Rule.  Hosting Services can throw a wrench into protected “attest” service engagements.