Hosting of Client Files and Its Impact on Independence

February 17, 2020 | Article

The AICPA Professional Ethics Executive Committee (PEEC) recently provided updated requirements related to “Hosting Services” as part of the independence rules. Their interpretation became effective on July 1, 2019.

The rule change has a direct impact on client engagements that require independence, including audits, reviews, certain compilations, certain financial statement preparation engagements and attestation engagements.

What is an audit and why does it matter?

The Impact of the Independence Requirement Updates
The fundamental premise underlying the interpretation is that AICPA members cannot perform activities considered to be management’s responsibility and remain independent.

Specifically, the updated requirement deals with hosting of client files. According to the interpretation, taking responsibility for the “hosting” of an attest client’s data or records would impair independence.

Examples of these “hosting services” include:

  • Becoming the sole host of a client’s financial or nonfinancial information system
  • Serving as a custodian for the client’s data to the extent that the client’s data is incomplete and only accessible to the accounting firm
  • Providing business continuity or disaster recovery services to a client

In other words, if you could not change service providers without needing to contact the public accounting firm or individual CPA, your current firm or CPA is likely providing hosting services.

What Changes May Occur
The most visible changes that you may experience include:

  1. a likely increase in the amount of information (client records) returned upon the completion of engagements.
    The interpretation allows the CPA or firm to keep a copy of client records, as long as the client also has a copy.

  2. a decrease in the amount of time that information is available on your client portal.
    While firms and clients will continue to be allowed to exchange data through use of a portal, the interpretation requires firms to incorporate policies to terminate client access to data contained in a portal, with a requirement to delete this information within a reasonable time.

    The underlying premise of this requirement is that if client records are retained for an unlimited period of time, the firm is essentially “hosting” those records. The interpretation does not specifically define what constitutes a reasonable time. For Eide Bailly clients, we have determined that a reasonable time equates to one year.

What to do Next With the Requirement Standard Changes
Because of this new independence interpretation by the AICPA, public accounting firms and individual CPAs will need to evaluate whether they are providing hosting services. This means that you may see an increase in records returned to you for storage, as well as a shorter period of availability for your records on client portals.

The important thing to note with these updated requirement interpretations is that the AICPA is working to maintain independence when it comes to assurance and attestation engagements with your organization. That way, you can rest assured you are getting the best possible service when it comes to your financial information.

Want to learn more about how this new interpretation could impact you?

Stay current on your favorite topics


Learn More

See what more we can bring to organizations just like yours.

Construction & Real Estate Ag Producers Manufacturing & Distribution Healthcare Financial Institutions

Take a deeper dive into this Insight’s subject matter.

Audit & Assurance