What are hosting services?Under the ethics interpretation, a CPA who maintains a client's internal control over its data and records is providing hosting services. Examples of situations where a CPA takes responsibility for hosting a client's data include:
- Becoming the sole host of a client's financial or non-financial information system.
- Serving as sole custodian for the client’s data in such a way that the client’s records and information are incomplete. If the only way that the client can access its complete records is through the CPA, the CPA's independence is deemed impaired1.
- Providing clients with business continuity or disaster recovery services.
It is clear that performing activities that are "management’s responsibilities" with respect to custody and control of client data or records would impair independence. This could become an issue with client portals were the client to choose not to retain their records or your work product and instead rely on being able to have access via your portal. To address this independence impairment concern, the ethics interpretation requires CPAs to resolve such issues within a "reasonable period of time." That period is NOT clearly defined. Parameters mentioned within the February 25, 2019, AICPA Nonattest Services FAQ2 are "at least 60 days" and “not more than a year” from the date the engagement is concluded.
Remember, your retention of your clients’ supporting documents would impair your independence if your clients were to rely solely on your firm retaining their records and documents. However, merely having access to, or temporary possession of, an attest client’s information in order to provide the services you have been engaged to perform does not rise to the level of hosting services. The risk management guidance below will help you respond to this ethics interpretation.
Risk Management GuidanceCAMICO encourages firms to apply appropriate measures to ensure they don’t inadvertently provide "hosting services." Specific protocols and procedures are necessary so that all firm personnel understand and adhere to appropriate rules regarding the return of client information, records and work products. Inconsistent actions regarding the return of client records have the potential threat of inadvertently impairing independence.
Although not meant to be all-inclusive, the following safeguards are best practices to consider:
- Avoid client "expectation gaps." CAMICO strongly encourages firms to consider modifying their record retention and destruction policies to clarify the role of the firm as it relates to providing hosting services. In addition, firms should modify the language in their engagement letters to address firm limitations regarding hosting services, and to clarify their clients’ responsibilities to retain and maintain their own records.
CAMICO has added the highlighted text within the below sample engagement letter clause regarding record retention to affirmatively state that the firm DOES NOT accept responsibility for hosting client information.
Record Retention Clause
It is our policy to keep records related to this engagement for
years. However, [CPA Firm] does not keep any original Company records, so we will return those to you. It is your responsibility to retain and protect your records (which includes any work products we provide to you and any records returned to you) for possible future use, including potential future examinations by government or regulatory agencies. [Firm] does not accept responsibility for hosting client information; therefore, you have the sole responsibility for ensuring you retain and maintain in your possession all your financial and non-financial information, data and records.
By your signature below, you acknowledge and agree that upon the expiration of the [number]-year period, [Firm Name] shall be free to destroy our records related to this engagement.
- Firms should review and update, if necessary, their client portal agreements to avoid the perception of providing "hosting services." The portal agreement should specify that the firm will terminate the client's access to data or records in the portal after [X days/Y months — a period not less than 60 days and not more than 12 months] after the conclusion of the engagement. In addition, the portal agreement should make it clear that the client is responsible for maintaining and retaining all their records and documents.
It is important to note that this requirement is for any and all data or records on your portal for an "attest client," not just the information related to the attest services. For example, you should ensure that all documentation that makes up a client's books and records are made available to attest clients for the tax services you provide them. You would impair your independence if your attest clients were to rely on you retaining all, or even just a portion of, their tax records beyond a reasonable period of time after the engagement concludes. Again, a reasonable period time is not defined, but guidance suggests that it should be no less than 60 days and no longer than 12 months.
- CPAs performing attest services need to be independent for the entirety of the period of the professional engagement3. That period begins the earlier of (1) when the agreement is reached to perform attest services or (2) when the attest engagement actually begins. The period lasts until the relationship terminates. The period does not end with the issuance of a report and recommence the following year, and independence needs to be maintained for the entirety of the period. So, CPAs wishing to be able to perform attest services for nonattest clients should take care to adhere to the new interpretation’s requirements so that “hosting services” inadvertently provided to nonattest clients don’t deny firms the opportunity to perform attest services for those clients for periods including the time when the firm provided “hosting services.”
- From a best practice perspective, CAMICO suggests that firms consider having the same protocols and procedures in place for all clients, not just attest clients (minimizing confusion and reducing the likelihood of inadvertent mistakes caused by a change in classification). Clients should accept responsibility for retaining and protecting all their records, which includes any work products you provide as well as any records you return to them.
- Stay educated and informed on this issue; access the AICPA's resources and information referenced below.
AICPA ResourcesThe Ethics Interpretation.
More on this subject can be found at:
- Nonattest Services FAQ — see pages 21 to 23.
- AICPA Plain English Guide to Independence — see pages 43 and 44
- July 2019 Journal of Accountancy article, Comply with the newly effective ‘Hosting Services’ interpretation.
Additional information is discussed in the PEEC’s Podcast, Ethically Speaking, which delves into the subject. Please consider listening to podcast Episodes 3 and 4 available at https://www.aicpa.org/interestareas/professionalethics/ethically-speaking.html .
CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at email@example.com, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.
1 Many tax practitioners are concerned that complying with the Interpretation will be difficult and burdensome and fear they could inadvertently impair the firm’s independence by mistakenly not providing or returning documents to clients, resulting in clients’ records being incomplete.
2 February 25, 2019, AICPA Nonattest Services FAQ – Page 21
3 ET 92.29 Defines Period of the professional engagement