In 2017, the American Institute of CPAs amended its Code of Professional Conduct to include a new independence rule on hosting services (
First, it’s important to understand that under the new rule, only nonattest services described as “hosting services” impact a firm’s independence -- that is, “hosting services” are narrowly defined to mean a CPA firm accepts responsibility to:
- Act as the sole host of an attest client’s (financial or nonfinancial) information system; or,
- Store data or records for an attest client (electronically or physically, leaving the client’s records incomplete and accessible only through the CPA firm); or,
- Provide electronic security or back-up services to the attest client.
Some examples of hosting services are:
- The CPA firm hosts an audit client’s website on its server or in a cloud-based solution the firm licenses from a third-party software provider.
- The CPA firm maintains a review client’s general ledger in a cloud-based solution that the CPA firm licenses from a third-party software provider. The client has no direct access to its records and must request them from the CPA firm.
- The CPA firm provides business continuity services to an audit client in the event the client’s electronic records and data are damaged or lost due to natural disasters, power outages, hardware failure, user errors, software problems or cybersecurity-related disasters.
The source of the conflict
Hosting services create an unacceptable management participation threat to independence because the CPA would be responsible for safeguarding the client’s data or records, in other words, become part of the client’s internal control. Independence standards for nonattest services clearly prohibit CPAs from performing management responsibilities for attest clients, which, among other things, includes accepting responsibility for maintaining internal control for the client.
However, CPAs often have access to and retain client data during and after engagements, or may license their own software to clients, so the rule also describes several scenarios that would not be considered hosting services. These examples include:
- The CPA firm may retain the attest client’s records and data to perform a service; the firm must return the records when services are complete, except the firm may keep copies of the firm’s work product or client records to support performance of a service.
- The CPA firm may exchange data, records or work product with a client or others during an engagement using a portal; the firm terminates client access to the data or records in the portal within a reasonable period once services are completed.
- The CPA firm licenses software to an attest client for the client’s use; the software must perform a service the CPA firm would be permitted to perform under the independence rules.
Hosting services and cloud-based bookkeeping
Two examples of services that are not hosting services relate to a CPA’s permissible use of cloud-based (or other) general ledger software used to provide bookkeeping services to an attest client. First, the CPA and the client can separately license or subscribe to the software on their respective servers. The CPA would provide updated financial information electronically to the client for its review. Another way to avoid hosting services is for the attest client to license or subscribe to the software solution and give the CPA firm access to the software so the firm’s personnel can perform bookkeeping services for the client.
The CPA may also have custody of a depreciation schedule (or similar record) prepared for the attest client as part of a bookkeeping arrangement. If the CPA gives the schedule and related calculations to the client (so the client’s records are complete), this too is a permissible arrangement and would not, in and of itself, threaten the firm’s independence.
The official release of the new rule is available