The Latest Independence Impairment Concern – Hosting Your Client’s Data
The AICPA Code of Professional Conduct “Independence Rule” Section 1.295.143 relates to Hosting Services. Under this newest rule, a CPA’s independence is impaired when taking responsibility for hosting an attest client’s data or records (whether hard copy or electronic). This action is deemed to be synonymous with maintaining internal control over the client’s data or records, which is deemed to be an explicit responsibility of management.
The following would indicate that the practitioner assumed responsibility for safeguarding the client’s data or records:
- Agreeing to solely host an attest client’s financial or nonfinancial information system (e.g., assuming responsibility for hosting the client’s website on the CPA firm’s servers).
- Agreeing to be the custodian for the client’s data, such that the client’s data is incomplete and accessible only through the CPA (e.g., a client outsources the storage and safekeeping of its general ledger and supporting schedules to the practitioner, which are maintained on the CPA firm’s server).
- Signing an engagement letter to provide business continuity or disaster recovery support.
However, not every exchange of data with the client is deemed to be a nonattest “hosting service”. For example, the following may not result in an independence impairment concern:
- Retaining a client’s financial or nonfinancial data while performing an engaged service, but then returning all original records to the client upon engagement completion.
- Both the client and the practitioner use the same third-party software solution, each with their own license and server.
- The practitioner has permission to access the client’s books via a cloud-based platform that the client subscribes to.
The most important point to remember is that all nonattest services are subject to the independence rules of the Code of Professional Conduct, including services related to storing, moving, or manipulating the client’s data.