AICPA Hosting Services Interpretation

By Charles Hall | Auditing

Aug 07

As of July 1, 2019, hosting services impair independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This can be dangerous. Below I explain the AICPA hosting services interpretation. 

AICPA Hosting Services Interpretation

Starting July 1, 2019, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on your server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)

AICPA hosting services

The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.

Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.

In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.

To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not. 

Hosting Services that Impair Your Independence

The AICPA Hosting Services Interpretation can be confusing. So here are a few other real-world examples that impair your independence:

Scenario 1: Charles Hall, CPA, maintains MedStop, Inc.’s accounting records on Accounting CS software which are stored on his firm’s server. Charles keys monthly entries into Accounting CS based on the information provided by MedStop. MedStop does not have access to the general ledger via Accounting CS. Charles provides monthly financial statements, copies of the general ledger, and bank reconciliations to his client.

Scenario 2: Shirley Jones, CPA, agrees to maintain the original hard copies of her client’s legal contracts at her CPA firm’s office.

Scenario 3: Joan Banks, a partner at Jones, Banks, CPAs, provides disaster recovery services to a bookkeeping client.

1.295.143.01 of the Code says:

For the purpose of this interpretation, hosting services are nonattest services that involve a member accepting responsibility for the following:

a.    Acting as the sole host of a financial or non-financial information system of an attest client

b.    Taking custody of or storing an attest client’s data or records whereby, that data or records are available only to the attest client from the member, such that the attest client’s data or records are otherwise incomplete

c.    Providing electronic security or back-up services for an attest client’s data or records

When a member provides hosting services, the member is maintaining the attest client’s internal control over its data or records. Accordingly, the management participation threat to the member’s compliance with the “Independence Rule” [1.200.001] would not be at an acceptable level, and could not be reduced to an acceptable level by the application of safeguards, and independence would be impaired.

Examples of activities that are considered hosting services, and as such will impair independence if performed for an attest client, include accepting responsibility for the following:

a.    Housing the attest client’s website or other non-financial information system

b.    Keeping the attest client’s data or records on the attest client’s behalf, for example, the attest client’s general ledger information, supporting schedules (such as, depreciation or amortization schedules), lease agreements or other legal documents are stored on the member’s firm’s servers or servers licensed by the member’s firm or the member is responsible for storing hard copy versions of the data or records

c.    Being the attest client’s business continuity or disaster recovery provider

Are You Independent if You Provide a Copy of the G/L to Your Client?

When I originally wrote this hosting services article (it has now been amended), I said that a CPA would be independent if they performed bookkeeping on their software and server (as the sole host) but provided a copy of the general ledger to the client. (My thinking was that the client would have access to their general ledger, so the CPA would be independent.) Afterwards, I received an email from Cathy Allen, a member of the AICPA’s Professional Ethics Executive Committee advising that providing a physical copy of the general ledger to the client would not remove the independence impairment. Excerpts from the emails follow.

My Email to Cathy Concerning Independence when the G/L is Provided to a Client 

Are you saying that a firm’s independence is impaired if a firm does bookkeeping on its server, even if a copy of the general ledger is given to the client? If yes, then almost every firm in the country will lack independence for their small clients. 

In your article, you provide an example of the CPA providing a copy of the depreciation schedule to the client. In that example the firm is independent. I am confused about why a firm would impair its independence by performing bookkeeping if it provides a copy of the general ledger to its client—and would not impair its independence if it maintained depreciation records on its software but provides a copy of the depreciation schedule to the client.

Cathy’s Response Concerning Independence when the G/L is Provided to a Client 

I can see how you might think maintaining the GL is okay as long as you give copies of it to the client. In fact, a CPA attended two PEEC meetings trying to make the case that that would be sufficient to maintain Independence but he was unsuccessful.

The distinction the PEEC made was that you could maintain discrete portions of the general ledger like depreciation or amortization schedules and provide the details to the clients so their books and records are complete, but you would not be able to do the same with G/L software if the software is solely maintained by you.

(I appreciate Cathy helping me understand this part of the interpretation.)

Independence is Impaired if Your Firm is the Sole Host of the General Ledger

So, if a CPA firm is the sole host of an attest’s client general ledger, independence is impaired

See 1.295.143.01 a. of the Code; it says: 

Hosting services are nonattest services that involve a member accepting responsibility for the following:

a.    Acting as the sole host of a financial or non-financial information system of an attest client

(There are situations where maintaining a client’s general ledger does not impair independence; see the section below titled Maintaining Independence When Using General Ledger Software.)

Now, let’s look at situations that don’t create hosting services.

Services that Do Not Impair Your Independence

Here are situations that are not considered hosting services (and don’t impair your independence):

Scenario 4: XYZ uses the cloud-based version of QuickBooks to maintain its general ledger and other accounting records. XYZ gives Tee Kite, CPA, permission to access XYZ’s online books to perform bookkeeping services.

Scenario 5: Dawgs, Inc. provides a copy of their QuickBooks files to Bill Allen, CPA. Bill uses the QuickBooks file to review their bookkeeping records for the year. Bill provides journal entries to Dawgs, Inc. to post to their QuickBooks file. Dawgs, Inc. has the required skill, knowledge, and experience to review and accept responsibility for the journal entries and has agreed to do so.

Scenario 6: Pat Muse, CPA, and Mirage Corp. exchange data and records using Sharefile. All their exchanges relate to the performance of an audit. To avoid hosting services, Pat terminates Mirage Corp.’s access to the information in Sharefile once the engagement is complete.

Scenario 7: Sheila Thatcher receives client tax information (e.g., W-2s, 1099s) for preparation of the tax return but returns the original information once the engagement is complete. For a multi-year engagement, the information has to be returned at least annually.

Retaining copies of client information does not impair a CPA’s independence.

Maintaining Independence When Using General Ledger Software

About using general ledger software, 1.295.143.04 of the Code says:

Examples of activities that are not considered to be hosting services, and as such will not impair independence…include these:

Using general ledger software to facilitate the delivery of bookkeeping services when either of the following occurs:

i.    The member and the attest client maintain separate instances of the software on their respective servers, and the member provides updated financial information electronically to the attest client.

ii.    The attest client enters into an agreement with a third-party service provider to maintain its software in a cloud-based solution and grants the member access to the software so that the member can perform the bookkeeping service for the attest client.

AICPA Hosting Services

Critical Points of the AICPA Hosting Services Interpretation

Here are the critical points of this new interpretation:

  • If you retain original documents for an extended period of time, your independence may be impaired.
  • Retaining copies of original documents will not impair your independence.
  • If you act as the “sole host” of a client’s financial information (e.g., general ledger), you are not independent.
  • Client access to electronic portals (e.g., Sharefile) should be terminated once an attest engagement is complete. If access is not terminated, independence is impaired.
  • If your client contracts with your firm for backup recovery services, you are not independent.
  • If your independence is impaired, then disclose the lack of independence in your compilation report.
  • If your independence is impaired, then you cannot perform review or audit services (for that client).

Effective Date 

The effective date for the AICPA Hosting Services interpretation is July 1, 2019. (It had been September 1, 2018, but the AICPA extended the implementation date to provide more time for firms to comply.)

Graphic: AICPA Hosting Services Interpretation

The following graphic is not comprehensive but provides an overview of the AICPA Hosting Services interpretation.

Hosting Services

Quiz Questions

[tqb_quiz id=’12750′]
Follow

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.

  • Charles Hall says:

    In providing payroll services, you just want to make sure your firm is not the sole host of the source documents or payroll information. If your client has the source information (e.g., payroll entry records) and provides you with copies, that’s fine. If your firm is the sole repository of payroll information (e.g., in the general ledger or in a payroll module), then you may not be independent. If you provide copies of payroll records to the client, I tend to believe you are independent. I asked one of the PEEC members about maintaining depreciation records; she stated that if we provide copies of the depreciation records to the client, then we would be independent.

  • Anonymous says:

    Can you speak to when a firm performs payroll services for a client?

  • Charles Hall says:

    Brandon, good question. Just today I reviewed an independence form that had several pages of questions. To me it was overkill. The independence standards are voluminous and complex. There’s no way we can document every potential issue. I think (as you said) a sentence saying you considered the hosting interpretation is fine—particularly if no problems were noted. I do think such documentation would make a peer reviewer happy as well—you are demonstrating you’ve considered a new audit wrinkle.

  • Brandon Baldauf says:

    I am working with my firm to update our understanding surround this new independence rules. We have a re-occurring question which is, how do we document the fact that we are in fact independent in regards to hosting. Would it be as simple as a sentence in our analysis of non-attest services stating “we do not host clients documents”? Do we need a separate workpaper strictly for this? Any thoughts?

  • Charles Hall says:

    Chuck, yes, for compilations you need to say you are not independent in the report.

    This language is not required for the preparation standard (you are not required to be independent to use AR-C 70 and there is no requirement to disclose the lack of independence for preparation engagements).

    Hope this helps.

  • Charles Hall says:

    I added an updated video and a graphic to summarize the interpretation.

  • Charles Hall says:

    Cathy, I took the video down since I incorrectly stated that providing a copy of the general ledger would enable a CPA to maintain his/her independence. Thanks for bringing this to my attention.

  • Cathy Allen says:

    As I was a member of the PEEC task force that worked on this rule, and published an article in the Jan 2018 Journal of Accountancy on this subject (“How Data-Hosting Services Affect Independence” https://www.journalofaccountancy.com/news/2017/sep/aicpa-ethics-interpretation-data-hosting-services.html), I feel compelled to comment on your video. Specifically, you mentioned that a firm that has bookkeeping software on the firm’s server which the CPA uses to maintain the client’s G/L would be independent if the firm provided copies of the G/L details to the client. That is not a correct application of the new standard as in that case, the CPA is the sole host of the client’s financial information system and providing copies of the data will not mitigate threats to independence. See pars. .01 and .03 of 1.295.143, which state:

    .01 For purpose of this interpretation, hosting services are nonattest services that involve a member accepting responsibility for the following:

    a. Acting as the sole host of a financial or non-financial information system of an attest client

    .03 Examples of activities that are considered hosting services, and as such will impair independence if performed for an attest client, include accepting responsibility for the following:

    a. Housing the attest client’s website or other non-financial information system

    b. Keeping the attest client’s data or records on the attest client’s behalf, for example, the attest client’s general ledger information, supporting schedules (such as, depreciation or amortization schedules), lease agreements or other legal documents are stored on the member’s firm’s servers or servers licensed by the member’s firm or the member is responsible for storing hard copy versions of the data or records.

    Please note that par. .04c does provide two (2) ways in which a CPA could provide bookkeeping services to an attest client using a third party’s software and maintain independence.

    I hope this note helps you and your readers.

  • Charles Hall says:

    Dan, yes, I think that will happen a great deal. I don’t fully agree with this standard. It seems to be a bit of a reach to me.

  • Dan Hughes says:

    Great… so now to protect ourselves from the AICPA, we’ll all put “We are not independent with respect to [XYZ Company].” at the bottom of our compilation reports.

    That should serve the public very well… /sarc

  • >
    Tweet
    Share
    Share
    Flip
    Email