Under a new ethics interpretation, a CPA's independence will be impaired when taking responsibility for hosting an attest client's data or records.
The AICPA Professional Ethics Executive Committee (PEEC) recently adopted a new interpretation, "Hosting Services," which appears in the AICPA Code of Professional Conduct's "Independence Rule" (ET §1.295.143) under "Nonattest Services" and applies to practitioners who provide nonattest services to attest clients. Under the new rule, hosting services can impair independence when a CPA takes responsibility for maintaining internal control over an attest client's data or records. For example, the member assumes responsibility for safeguarding the information by agreeing to:
* Be the sole host of a client's financial or nonfinancial information system;
* Be the custodian for the client's data such that the client's data are incomplete and accessible only through the CPA; or
* Provide business continuity or disaster recovery services to the client.
WHY THIS NEW RULE?
In recent years, it has become common for businesses and their CPAs to employ various software solutions, including cloud-based tools, to store, move, and manipulate data. Technological tools have rapidly evolved, becoming less costly and more prevalent in practice; thus, PEEC sought to address hosting services in its "Nonattest Services" subtopic under the "Independence Rule" to alert practitioners to potential independence-impairing situations.
A basic precept in the independence rules is that members should not perform activities that are management's responsibility. The Code of Professional Conduct (the Code) precludes activities such as serving, even temporarily, on a client's board or as an executive, approving invoices, holding client assets, or supervising employees. The Conceptual Framework for Independence, as the foundation for the rules, describes management participation threat as the threat that a member will take on the role of the attest client's management or otherwise assume management responsibilities for an attest client.
One example of a management participation threat cited in the framework occurs when a member accepts responsibility for designing, implementing, or maintaining internal controls for the attest client.
The new rule narrowly interprets hosting services to mean the member has accepted responsibility for maintaining internal control over an attest client's information (i.e., safeguarding...