CPAs with attest clients should know about the new “Hosting Services” interpretation in the AICPA Code of Professional Conduct, which accounts for new technologies. Here’s how AICPA members can comply:
Understand the interpretation. The principle underpinning the "Hosting Services" interpretation (ET §1.295.143) of the "Independence Rule" (ET §1.200.001) is that AICPA members should not perform activities for attest clients that are management's responsibility. Taking responsibility for hosting an attest client's data or records impairs independence. Examples of taking responsibility for hosting a client's data include: (1) becoming the sole host of a client's financial or nonfinancial information system; (2) serving as custodian for the client's data to the extent that the client's data is incomplete and accessible only through the member; or (3) providing business continuity or disaster recovery services for a client. If the client could not change service providers without needing to contact the member, the member is likely providing hosting services.
Terminate attest clients' access to records and data in a portal. According to the interpretation, this should be done within a reasonable time. CPAs should use professional judgment to determine a period of time that is reasonable. More information is available on AICPA ethics FAQs available at aicpa.org. The "Hosting Services" interpretation is not meant to discourage cloud- or technology-based means of exchanging files and documents with clients. Such exchanges do not violate the interpretation, but when a member stores a client's documentation rather than sharing it, the member is likely providing hosting services, and independence may be impaired. To prevent a portal from becoming a place to store information, the interpretation requires members to "cleanse" the data or records from the portal after a reasonable time following the information's use by the member and the client.
Provide clients with a copy of records. It's OK for a member to keep a copy of an attest client's records, as long as the client also has a copy. A member also should make sure attest clients keep their own backup files and data for purposes of business continuity and disaster recovery. If a member's copy of those files and data is relied upon for business continuity or disaster recovery for an attest client, the member would be providing hosting services.
Make use of the engagement letter. Members should clearly communicate to attest clients in the engagement letter that a portal will be a place for information to be shared, but not stored. The engagement letter also can make clear that clients are responsible for providing their own data backup for business continuity and disaster recovery, and that the member's copy of a client's information is not to be used for these purposes.
Editor's note: This checklist is excerpted from "Comply With the Newly Effective 'Hosting Services' Interpretation," JofA online, July 24, 2019.
— By Ken Tysiac, the JofA's editorial director. To comment on this article or to suggest an idea for another article, contact him at Kenneth.Tysiac@aicpa-cima.com.