The topic of hosting services for attest clients has received considerable attention from CPAs this year as a new ethics interpretation took effect on July 1.
Over the past several years, the emergence of new technologies has provided new ways for CPAs to provide services to clients through cloud-based and virtual platforms. These new services required careful consideration to maintain the high ethical principles that always have been a source of pride for CPAs, who are determined to maintain their independence so they can perform attest services without even a hint of possible impropriety.
The new “Hosting Services” interpretation (ET §1.295.143) of the “Independence Rule” (ET §1.200.001) in the AICPA Code of Professional Conduct establishes requirements for CPAs that were developed with the new technology in mind.
The principle underpinning the “Hosting Services” interpretation is that CPAs should not perform any activities for their clients that are management’s responsibility. The interpretation explains that taking responsibility for hosting an attest client’s data or records impairs a CPA’s independence.
Some basic situations in which a CPA takes responsibility for hosting a client’s data are:
- Becoming the sole host of a client’s financial or nonfinancial information system.
- Serving as custodian for the client’s data to the extent that the client’s data is incomplete and accessible only through the CPA.
- Providing business continuity or disaster recovery services for a client.
A good way to conceptualize whether hosting services are being provided to a client is to imagine that the client decided to change service providers. If the client could not make such a change without relying on data, records, and documents held by the member, the member is likely to be providing hosting services.
As the effective date for the interpretation approached and passed, CPAs had numerous questions about how to comply. Guidance in a Frequently Asked Questions document issued by the AICPA Professional Ethics team explained that the interpretation does not require a member to terminate by July 1 an attest client’s access to data or records in a portal covered by the interpretation.
The FAQs explain that upon the July 1 effective date, a member should terminate access to records and data in a portal within a reasonable period of time. Members should use professional judgment to determine what’s a reasonable period of time, according to the FAQs, which say that the period of time:
- Should provide the client sufficient time to retrieve the information from within the portal and not cause the member undue hardship.
- Should be limited in duration and not be extensive.
- Would likely be considered extensive if it is consistent with the member’s documentation retention policy or a statute of limitation that continues for multiple years.
- In some situations may be relatively brief, such as 60 days, if the member can conclude that no undue hardship would occur during that time.
- May be closer to a year in other circumstances to avoid undue hardship for the member.
The FAQs also state that a third-party subscription clearinghouse, such as Rivio, used by a member to issue attest reports is not considered hosting under the “Hosting Services” interpretation if all the following criteria are met:
- The platform is a document repository designed to facilitate document exchange between users;
- The platform is hosted, run, and controlled entirely by a third-party vendor that is not the member; and
- The member, attest client, and other subscription clearinghouse members have their own user agreements with the third-party vendor.
In addition, a member using their own portal to transmit a filed income tax return to an attest client is required to terminate the attest client’s access to the return in the portal within a reasonable period afterward to avoid providing hosting services, according to the FAQs.
For a member providing bookkeeping services, having a third party’s general ledger on a server owned or leased by the member would result in the provision of hosting services if the client’s books and records are not complete without the client having to contact the member or having access to the member’s server, the FAQs state.
Although the FAQs indicate that retaining a copy of an attest client’s original data or records to support a member’s work product would not constitute hosting services, caution should be taken when an attest client repeatedly requests copies of data or records. Such behavior could raise hosting services concerns.
The AICPA Professional Ethics team answered numerous questions about the interpretation at the AICPA ENGAGE conference in June. One member expressed frustration that may be shared by others who have been encouraged for years to move their client interactions and services into the cloud and now find that their technology-enabled services cannot include hosting of clients’ information. Another asked whether there is a risk that firms will revert to less secure forms of delivery such as USB drives, CDs, and password-protected PDFs to avoid becoming de facto hosts of client records.
But the “Hosting Services” interpretation is not meant to discourage cloud- or technology-based means of exchanging files and documents with clients. Such exchanges do not violate the interpretation. But when a member stores a client’s documentation rather than sharing it, the member is likely to be providing hosting services and independence may be impaired.
To prevent the portal from becoming a place to store information rather than a place to share information, the “Hosting Services” interpretation requires members to “cleanse” the data or records from the portal after a reasonable period of time following the information’s use by the member and the client.
A member’s professional judgment is required to determine that reasonable period of time. AICPA Professional Ethics team Lead Manager Michele Craig, CPA, said on Episode 3 of the Ethically Speaking podcast that a reasonable period would not cause undue hardship for the member while still providing the client sufficient time to retrieve the information.
An engagement letter is a good place for members to clearly communicate to clients that a portal will be a place for information to be shared, but not stored. The engagement letter also can make clear that clients are responsible for providing their own backup of their data for business continuity and disaster recovery, and that the member’s copy of a client’s information is not to be used for these purposes.
Craig explained that it’s OK for a member to keep a copy of the client records, as long as the client also has a copy of those records.
“For example, if it’s a tax return, a member work product, if you keep a copy of that, it would not be considered providing hosting services, as well as if you keep a copy of a depreciation schedule,” Craig said. “You want to make sure the client has a copy of the depreciation schedule because it would complete their books and records.”
Members also should make sure attest clients keep their own backup files and data for purposes of business continuity and disaster recovery. If a member’s copy of those files and data is relied upon for business continuity or disaster recovery for an attest client, the member would be providing hosting services.
One question that has frequently been posed to Shelly Van Dyne, CPA, a member of the AICPA Professional Ethics Executive Committee, is whether the “Hosting Services” interpretation is violated if a member provides access to software for an attest client so the client can calculate their tax provision.
Van Dyne said on the Ethically Speaking podcast that providing access to such software would not constitute hosting services if the client is putting their own data into the software and then using the calculations to determine their tax provision.
“As long as the client takes the output from the system and they hold that and are responsible for it, then that’s not going to be considered to be providing hosting services,” Van Dyne said.
It’s fairly easy to understand the “Hosting Services” interpretation principle that a member is permitted to keep copies of an attest client’s data and documents but is not permitted to be the sole host of a client’s financial or nonfinancial information. But the many specific use cases that exist may require members to seek additional guidance or clarification. For those purposes, the FAQs, Center for Plain English Accounting (for CPEA members), the Ethically Speaking podcast, the AICPA Professional Ethics hotline (800-777-7077, press 2 and then 3), and the email hotline (firstname.lastname@example.org) are available to members.
“There’s going to be some judgment here,” Ellen Goria, CPA, the AICPA’s associate director–Global Professional Ethics, said on the Ethically Speaking podcast.
Careful professional judgment is one of a CPA’s most important traits, and ultimately it may be necessary to keep members in compliance with the “Hosting Services” interpretation.
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.