Hosting Service and Auditor Independence

AAFCPAs would like to make clients aware that the AICPA’s Professional Ethics Executive Committee (PEEC) has issued a new interpretation of AICPA’s independence rule, Hosting Service. The new interpretation, effective July 1, 2019, applies specifically to CPA firm attest clients and prohibits CPA firms from providing Hosting Services to these clients.

As you may know, attest services require independence. Attest services include: audits, reviews, compilations, and other engagements conducted in accordance with AICPA’s attestation standard, such as agreed-upon procedures, SOC 1 and SOC 2 reporting. Under the new rule, when an auditor provides Hosting Services, its independence will be impaired because the auditor is maintaining the attest client’s internal control over its data or records.

What are hosting services?

Hosting services are non-attest services and defined as a member in public practice accepting responsibility for the following:

1. Acting as the sole host of a financial or non-financial information system of an attest client.
2. Taking custody of or storing an attest client’s data or records whereby, that data or records are available only to the attest client from the member, such that the attest client’s data or records are otherwise incomplete.
3. Providing electronic security or back-up services from an attest client’s data or records.

In an audit engagement, the following services are considered hosting services:

• Depreciation, amortization, and supporting tax schedule that are “solely” maintained by the auditor.
• Using CPA firm portal or third-party portal to store auditee’s documents, such as lease agreements or other legal documents.
• Being the auditee’s business continuity or disaster recovery provider.

Examples of activities that are not considered hosting services are:

• Retaining a copy of an attest client’s data or records as documentation to support a service provided by CPAs and firms in public practice.
• Using a portal to exchange data and records with the attest client related to professional services provided by the auditor and to deliver the auditor’s work product to third parties at the attest client’s request. However, to avoid providing hosting services, auditor should terminate the attest client’s access to the data or records in the portal within a reasonable period of time after the conclusion of the engagement.
• Having possession of a depreciation or amortization schedule prepared by the auditor, provided the schedule and calculation are given to the attest client so that the attest client’s books and records are complete.

What does this mean for you?

AAFCPAs reminds clients to review our document retention policy. Attest clients must maintain their own records and note that documents exchanged via our client portal are stored temporarily and should not be your only copy.

AAFCPAs ensures all professional team members are familiar with and adhere to relevant ethical standards and always act in the public interest.  We prohibit any transaction, event, circumstance, or action that would impair independence or violate the firm’s relevant ethical requirement policy on an attest engagement.  In addition, AAFCPAs has taken the following actions to ensure we are in compliance with the new independence rule related to hosting services:

• If we prepare depreciation, amortization or supporting tax schedules, we give the attest client the underlying information so their records are complete.
• To avoid storing attest client’s data or records, we remove all data and records from AAFCPAs’ portal within 120 days after upload.

If you have any questions, please contact Hui-Ting Grady, CPA, at 774.512.4106, hgrady@nullaafcpa.com; Matt Hutt, CPA, CGMA, at 774.512.4043, mhutt@nullaafcpa.com; or your AAFCPAs Partner.