When I started working in public practice more than 20 years ago, “the cloud” referred to something in the sky, not storing data over the internet. Things have changed. Our profession has and continues to benefit from technological advances like the cloud, and the AICPA Code of Professional Conduct is evolving just as practice is.
The code was written before wide adoption of current technological advances. To keep pace with change, we’ve developed guidance for members who act as custodians of their clients’ information—members who store and maintain their clients’ information for them.
If you don’t provide attest services for a client whose data you host, the AICPA Code of Professional Conduct does not require you to be independent, so this interpretation does not apply to you. It’s as simple as that.
But if you do provide hosting for an attest client, your independence is impaired because you are essentially taking responsibility for maintaining internal control over an attest client’s data or records.
Here are three questions that I received from members at the AICPA ENGAGE conference.
If the interpretation says we have to provide the depreciation schedule, do we also need to provide other schedules and supporting documentation?
Yes. You need to provide any supporting schedule that a member’s books and records would be incomplete without. In other words, you need be sure your client has as much information as is necessary for another practitioner to take over and do your client’s taxes or bookkeeping next year.
How does the hosting services interpretation impact client portals?
To avoid hosting a client’s data, you need to terminate access to files within a reasonable period of time. You do not need to close the portal necessarily; you simply need to remove the data or records so they can’t be accessed through the portal.
If you have a third-party provider in the cloud, when are you considered to be hosting and when are you not considered to be hosting?
To answer this question, you must consider who has the software license for the third-party provider. If the attest client pays for the license and it is the client’s name, then the member is not hosting. It all depends on who owns the software license.
For more information on hosting services, check out our Ethically Speaking podcast episode on this interpretation and take a look at the hosting services FAQs starting on page 21. If you have questions about the hosting services interpretation that aren’t answered in this blog post, the podcast episode or the FAQs, please contact the ethics hotline via email at firstname.lastname@example.org or call us at 888-777-7077.