Under a new ethics interpretation, a CPA’s independence will be impaired when taking responsibility for hosting an attest client’s data or records.
The AICPA Professional Ethics Executive Committee (PEEC) recently adopted a new interpretation, Hosting Services, which appears in the AICPA Code of Professional Conduct’s “Independence Rule” (ET §1.295.143) under “Nonattest Services” and applies to practitioners who provide nonattest services to attest clients. Under the new rule, hosting services can impair independence when a CPA takes responsibility for maintaining internal control over an attest client’s data or records. For example, the member assumes responsibility for safeguarding the information by agreeing to:
- Be the sole host of a client’s financial or nonfinancial information system;
- Be the custodian for the client’s data such that the client’s data are incomplete and accessible only through the CPA; or
- Provide business continuity or disaster recovery services to the client.
Why this new rule?
In recent years, it has become common for businesses and their CPAs to employ various software solutions, including cloud-based tools, to store, move, and manipulate data. Technological tools have rapidly evolved, becoming less costly and more prevalent in practice; thus, PEEC sought to address hosting services in its “Nonattest Services” subtopic under the “Independence Rule” to alert practitioners to potential independence-impairing situations.
A basic precept in the independence rules is that members should not perform activities that are management’s responsibility. The Code of Professional Conduct (the Code) precludes activities such as serving, even temporarily, on a client’s board or as an executive, approving invoices, holding client assets, or supervising employees. The Conceptual Framework for Independence, as the foundation for the rules, describes management participation threat as the threat that a member will take on the role of the attest client’s management or otherwise assume management responsibilities for an attest client.
One example of a management participation threat cited in the framework occurs when a member accepts responsibility for designing, implementing, or maintaining internal controls for the attest client.
The new rule narrowly interprets hosting services to mean the member has accepted responsibility for maintaining internal control over an attest client’s information (i.e., safeguarding information the company uses to run its business), whether financial or nonfinancial in nature.
Accepting responsibility to perform a management function creates the threat to independence, and this is stated plainly in the opening sentence of the interpretation.
Situations that create hosting services
Scenarios 1–4 illustrate the types of situations that create hosting services and impair independence:
- Scenario 1: B. Rolf, CPA, assumes responsibility for housing her client’s website on server(s) her firm leases from Rentserver.com.
- Scenario 2: R Corp. outsources to Z. Olsen, CPA, the storage and safekeeping of its general and subsidiary ledgers, legal documents, and amortization and depreciation schedules, which are maintained on the CPA firm’s server.
- Scenario 3: V. Mistry, CPA, agrees to maintain the original hard copies of his client’s lease agreements in his firm’s facility. Note: The new interpretation applies to hard copy and electronic files, as both result in assumption of a management responsibility, which threatens independence.
- Scenario 4: J. Higby, CPA, signs an engagement letter with her client to provide disaster recovery services for the client’s data and records.
Situations that do not create hosting services
Not all custody or control of a client’s records results in hosting services, as a member often must access, use, and/or take possession of a client’s information when providing professional services. The pivotal question is whether the member has accepted responsibility for maintaining custody or control of the information. Scenarios 5–10 illustrate situations in which the member’s services would not equate to hosting services under the new rule:
- Scenario 5: M. Aguado, CPA, requests D Inc.’s records (e.g., time records and other employee payroll data), which she retains while preparing D Inc.’s payroll and related quarterly tax return. Once the engagement is completed, Aguado returns all original client records to D Inc. She retains a copy of the tax return and any of the data she collected during the engagement that support her completed work product. Note: If the engagement was ongoing, Aguado should return the records to D Inc. at least annually.
- Scenario 6: L. Duffie, CPA, provides bookkeeping services to ABC using Bookit, a third-party software solution. Duffie and ABC separately license and maintain the software on their respective servers. Duffie performs write-up services for ABC and compiles financial statements when ABC needs to provide an independent CPA’s report to a bank or other outside party. As required under ET Section 1.295.120, Bookkeeping, Payroll, and Other Disbursements, Duffie works with ABC’s designee, who reviews and takes responsibility for any decision-making affecting the financial statements. As in Scenario 5, once the engagement is completed, Duffie retains only the finished work product and the information that supports the work product.
- Scenario 7: XYZ contracts with E-Cloud, a third-party cloud-based software provider, and gives S. Rose, CPA, permission to access XYZ’s books via the software to perform bookkeeping services. Rose assists XYZ with these services as described in Scenario 6.
- Scenario 8: C. Alto, CPA, and J Corp. exchange data, records, and Alto’s work product electronically through Alto’s portal. All their exchanges relate to performance of Alto’s professional services to J Corp. Occasionally, J Corp. asks Alto to deliver its work product to a third party via the portal (e.g., J Corp. asks Alto to send recommended improvements to the company’s internal audit function to J Corp.’s board of directors). To avoid hosting services, Alto terminates J Corp.’s access to the information in the portal on a timely basis once the engagement is complete.
- Scenario 9: T. Zena, CPA, prepares depreciation schedules for her client, B Co., using her firm’s accounting software. To avoid providing hosting services, she gives B Co. a copy of the schedules and the underlying information (e.g., depreciation method, useful life, cost) so that B’s records are complete.
- Scenario 10: R. Hensen, CPA, licenses a third party’s software to N Corp. so the client can perform its own tax-related valuations throughout the year. The software performs services that Hensen could perform under the Code (ET §1.295.110, Appraisal, Valuation, and Actuarial Services). Note: Hensen should not license software to the client that performs an activity that he is unable to perform under the independence rules, for example, valuation services that are subject to significant subjectivity and material to the client’s financial statements.
Reminder to comply
Members are reminded to comply with requirements of other interpretations in the “Nonattest Services” subtopic (ET §1.295). For example, all nonattest services are subject to the rule’s general requirements (ET §1.295.040), including documentation. Since elements akin to hosting may arise when a member performs tax, bookkeeping, or other nonattest services, members should comply with all applicable rules in ET Section 1.295 of the Code.
The new hosting-services interpretation becomes effective on Sept. 1, 2018, allowing members who are currently providing hosting services but wish to maintain their independence ample time to modify or exit those engagements. Members may early adopt the new rule.
Practitioners providing other information technology services to attest clients should be aware that PEEC is currently working on comprehensive revisions to ET Section 1.295.145, Information Systems Design, Implementation, or Integration. A proposal is expected later in the year and will address independence considerations when a member configures, integrates, converts, maintains, designs, or develops an attest client’s information system.