The AICPA’s Professional Ethics Executive Committee (PEEC) is the senior committee responsible for maintaining the Code of Professional Conduct. Over 418,000 members of the AICPA and scores of other (nonmember) CPAs throughout the US whose state boards require compliance must comply with the AICPA Code.
Recently, the PEEC adopted a new independence interpretation entitled, "Hosting Services," which will appear under the Code’s Independence Rule (Nonattest Services, 1.295) and applies to members in public practice who provide attest services to a client. Under the new rule, hosting services impair independence when a member takes responsibility for maintaining internal control over an attest client's data or records. Specifically, a member performs hosting services when he or she takes responsibility for:
- being the sole host of a client's financial or nonfinancial information system,
- custody or storage of the client’s data leaving the client's data incomplete and accessible only through the member, or
- providing data / records security or back-up services for a client’s electronic data or records.
Why do hosting services impair independence?
A basic precept built into the independence rules is that members should avoid performing activities that are management’s responsibility. In this case, performing hosting services as described in the new rule means a member assumes responsibility for maintaining internal control over the company’s information. The Conceptual Framework for Independence, which is the foundation for the independence rules, describes the threat to independence as follows:
Management participation threat. The threat that a member will take on the role of attest client management or otherwise assume management responsibilities for an attest client. Examples of management participation threats include the following:
a. A member serves as an officer or a director of the attest client. [1.275.005]
b. A member accepts responsibility for designing, implementing, or maintaining internal controls for the attest client. [1.295.030]
c. A member hires, supervises, or terminates the attest client’s employees. [1.295.135]
It is the member’s acceptance of responsibility that creates the threat to independence, and this is put forth plainly in the opening sentence of the interpretation.
To help members understand where the PEEC has drawn the boundaries, the interpretation provides examples of situations that create hosting services and hence unacceptable management participation threats to independence, and those that do not.
What are examples of hosting services?
The PEEC provides three (3) examples of situations that create hosting services; that is, if the attest client engages the member to be responsible for any of the following activities, independence is impaired:
- The member houses the client’s web site or other nonfinancial information system on the member’s server(s) (whether the member owns or leases the server(s)).
- The member keeps the client’s financial data or records (e.g., general ledger, legal documents, amortization schedules) on the member’s server(s) (whether leased or owned), or hardcopies of data or records in a physical location the member maintains.
- The member provides business continuity or disaster recovery services to the client for its data or records.
Which types of situations do not create hosting scenarios?
Not all custody or control of a client’s records results in hosting services, as a member’s access, use, custody or control of the client’s data may be appropriate and necessary when rendering professional services. The pivotal question is whether the member has accepted responsibility to maintain custody or control of the client’s information. For example, a member may:
- Have custody of the client's records to support a nonattest service. For example, the client provides payroll data to the member to support the member’s preparation of a payroll tax return.
- Retain copies of work product, or data collected to support the member’s work product, when providing a professional service for a client.
- Provide bookkeeping services using accounting software such as QuickBooks if the member and client separately maintain the software on their respective servers. Or, the client can contract with a third-party cloud-based software provider such as Xero and give the member permission to access the client's books via the software to perform the services.
- Exchange data, records or the member’s work product with the client electronically (e.g., through a portal). Exchanges are related to performance of the member’s professional services to the client or to deliver the member’s work product to third parties at the client’s request. To avoid hosting services when exchanging client data or records through a portal, the member should terminate the client’s access to the data or records in the portal on a timely basis once the engagement is complete.
- License software to a client for the client’s own use, provided the software performs an activity that the member could provide under the independence rules. For example, the member should not license business valuation software to the client because, under 1.295.110, Appraisal, Valuation, and Actuarial Services, valuation services that are subject to significant subjectivity and material to the client impair independence. However, the member could license software that performs tax-related valuations and appraisals, as the member is permitted to perform those types of valuations under the independence rules.
- Hold depreciation schedules the member prepared for the client; the member should supply the schedules and calculations to the client so their books and records are complete.
- Possess a client’s original data or records to facilitate performance of a nonattest service such as tax return preparation; the member should return the data or records at the completion of the engagement (or if the engagement is ongoing, on an annual basis).
Members are reminded to comply with requirements of other interpretations in the Nonattest Services Subtopic (1.295). For example, all nonattest services are subject to certain general requirements, including documentation, and since elements akin to hosting may arise when a member performs tax, bookkeeping or other nonattest services, members should comply with all applicable rules in 1.295 of the Code.
When is the new interpretation effective?
The new interpretation is effective September 1, 2018. Though not noted in the interpretation, there is no indication that members could not adopt the interpretation early, if they wished.