Hosting Services: The New Rules for CPAs to Remain Independent

Hosting Services:  The New Rules for CPAs to Remain Independent

By Benjamin R. Ripple, CPA, Partner

Beginning July 1, 2019, CPAs will have additional rules to follow from the AICPA to ensure they remain independent.  The new rules focus on hosting services. They were originally supposed to go into effect on September 1, 2018 but have been extended to July 2019.

Hosting services is defined as any of the following:

  1. Being the sole host of an information system for an attest client.
  2. Possessing custody or storing a client’s information in a manner where the client can only obtain the information from the CPA.
  3. Providing electronic security or back-up services for a client’s information.

Providing any of these services would create a management participation threat that could not be reduced to an acceptable level by applying safeguards. As a result, independence would be impaired.

The new addition to the AICPA Code of Professional Conduct provides the following specific examples of what type of activities would impair independence and what activities would not.  Here are some of the examples provided in the Code:

Impairs Independence Does Not Impair Independence
Housing an attest client’s website or other non-financial system Maintaining a copy of an attest client’s data as support for a service provided (for example: payroll data to support a payroll tax return, or bank reconciliations or vendor data as audit support)
Keeping an attest client’s data or records on their behalf (for example: a general ledger, depreciation schedules, lease agreements or other legal documents) on the firm’s servers or servers licensed by the firm or storing hard copies of the data or records Maintaining a copy of work product prepared for the client (such as a tax return or financial statements)
Being an attest client’s business continuity or disaster recovery provider Using a general ledger software to facilitate the delivery of bookkeeping services when either of the following occurs:  1) the client and the firm maintain separate instances of the software on their respective servers and the firm provides updated information electronic to the client, or 2) the client enters into an agreement with a 3rd party service provider to maintain its software in a cloud-based solution and grants the firm access to the software
Licensing software to a client that the client uses to input its data and receive an output that the client is responsible for maintaining, providing that the service the software provides would not impair independence if performed directly by the firm
Having possession of a depreciation schedule prepared by the firm as long as the schedule and calculation are given to the client so the client’s books and records are complete
Retaining a client’s original data or records to facilitate the performance of nonattest services (such as preparing a tax return) as long as the data/records are returned to the client at the end of the engagement (or in a multi-year engagement, at least annually)


If your CPA is currently providing any of the restricted services above, now is the time to discuss what can be done to ensure that independence is not impaired when the time comes to perform your audit, review, or other attest work.

Ben Ripple updated

Benjamin R. Ripple Partner, Assurance Practice Leader, CPA

Ben is a partner in BRC’s assurance services. Since starting his career in 2001, Ben has worked with clients ranging from family-owned companies, to multinational corporations, to nonprofit and governmental entities requiring A-133 audits. Ben’s industry experience includes: Manufacturing and distribution Hospitality, including restaurants and hotels Investment companies Governmental and not-for-profit entities Affordable housing […]