Hosting Services: The New Rules for CPAs to Remain Independent
By Benjamin R. Ripple, CPA, Partner
Beginning July 1, 2019, CPAs will have additional rules to follow from the AICPA to ensure they remain independent. The new rules focus on hosting services. They were originally supposed to go into effect on September 1, 2018 but have been extended to July 2019.
Hosting services is defined as any of the following:
- Being the sole host of an information system for an attest client.
- Possessing custody or storing a client’s information in a manner where the client can only obtain the information from the CPA.
- Providing electronic security or back-up services for a client’s information.
Providing any of these services would create a management participation threat that could not be reduced to an acceptable level by applying safeguards. As a result, independence would be impaired.
The new addition to the AICPA Code of Professional Conduct provides the following specific examples of what type of activities would impair independence and what activities would not. Here are some of the examples provided in the Code:
|Impairs Independence||Does Not Impair Independence|
|Housing an attest client’s website or other non-financial system||Maintaining a copy of an attest client’s data as support for a service provided (for example: payroll data to support a payroll tax return, or bank reconciliations or vendor data as audit support)|
|Keeping an attest client’s data or records on their behalf (for example: a general ledger, depreciation schedules, lease agreements or other legal documents) on the firm’s servers or servers licensed by the firm or storing hard copies of the data or records||Maintaining a copy of work product prepared for the client (such as a tax return or financial statements)|
|Being an attest client’s business continuity or disaster recovery provider||Using a general ledger software to facilitate the delivery of bookkeeping services when either of the following occurs: 1) the client and the firm maintain separate instances of the software on their respective servers and the firm provides updated information electronic to the client, or 2) the client enters into an agreement with a 3rd party service provider to maintain its software in a cloud-based solution and grants the firm access to the software|
|Licensing software to a client that the client uses to input its data and receive an output that the client is responsible for maintaining, providing that the service the software provides would not impair independence if performed directly by the firm|
|Having possession of a depreciation schedule prepared by the firm as long as the schedule and calculation are given to the client so the client’s books and records are complete|
|Retaining a client’s original data or records to facilitate the performance of nonattest services (such as preparing a tax return) as long as the data/records are returned to the client at the end of the engagement (or in a multi-year engagement, at least annually)|
If your CPA is currently providing any of the restricted services above, now is the time to discuss what can be done to ensure that independence is not impaired when the time comes to perform your audit, review, or other attest work.
Benjamin R. Ripple Partner, Assurance Practice Leader, CPA
Ben is a partner in BRC’s assurance services. Since starting his career in 2001, Ben has worked with clients ranging from family-owned companies, to multinational corporations, to not-for-profit and governmental entities requiring A-133 audits. Ben’s industry experience includes: Manufacturing and distribution Hospitality, including restaurants and hotels Investment companies Governmental and not-for-profit entities Affordable housing […]