Understanding the AICPA ethics interpretation on hosting

November 20, 2019

From the Nov/Dec 2019 issue of New Jersey CPA magazine (

By Kenneth A. Heaslip, CPA, Cullari Carrico LLP 


Many practitioners are still not aware of how problematic the new independence in­terpretation for CPAs who provide hosting services can be. The American Institute of CPAs (AICPA) Professional Ethics Executive Committee’s (PEEC) ruling, which became effective July 1, 2019, and amends its Code of Professional Conduct, applies when the CPA needs or desires to be independent. If independence is not a concern, the rule would not apply. At first, many professionals saw the ruling, which was extended from 2017, as benign and not applying to them, but further analysis proves that the ruling can be anything but that. 

Control of client assets

Under the new ruling, an independent CPA cannot take control of client assets. In today’s age, the issue of who has control of electronic information needs to be defined. Management should own the place where data is stored or contract with a third party. A CPA who does this is taking on a manage­ment responsibility. The ruling states that this will apply to housing a client website, storage of data or records, such as general ledger information or supporting schedules, and serving as the client’s disaster recovery provider. Most CPAs do not provide the first or third services, but many provide data storage and general ledger services.

Online records

CPAs still perform traditional write-up services where they would summarize the client’s transactions, propose journal entries and reconcile the bank accounts. Under previous independence rules, this would be allowed as long as the client approved the chart of accounts, coded the checks and approved the journal entries. Today, this is often done on QuickBooks which is housed on the CPA’s server. Under the new ruling, since the client’s accounting software is housed on a server controlled by the CPA, independence would be impaired. Fortunately, the solution can be relatively simple. If the CPA were to provide the client with a copy of the general ledger to be restored on client servers, then the client will have control of the accounting system and independence would not be impaired. Alternatively, if the accounting software were in the cloud, such as Xero or QuickBooks online, independence would not be impaired as long as 1) the client has access to the files through passwords and 2) the client has contracted with the third party to host the data. The second point is important. The client — not the CPA — must license the software.

Use of portals

Storage of client data is also a concern. Often, the CPA gives the client access to tax returns, supporting documents and financial information such as depreciation schedules and bank reconciliations through a portal. Again, it is the client’s responsibility to keep these records. If they are relying on the CPA portal to store the documents and they do not independently keep their own records, then the CPA has control of the records and independence would be impaired. The ruling states that it is acceptable for the CPA to use portals to exchange data and records with the client or to deliver work product to the client or third parties. The caveat is that the portal is only used for temporary data transfer and cannot be used as a substitute for other forms of data storage. In order to assure it is not used for this purpose, the ruling states that “the [CPA] should terminate the attest client’s access to the data or records in the portal within a reasonable period of time after the conclu­sion of the engagement.” In February 2019, the PEEC issued an FAQ document which states that the CPA should use professional judgement when determining what a reason­able period of time would be. It continues to say that “no undue hardship would occur within a relatively brief period of time, such as 60 days, therefore this would be a reason­able period of time for the client to retrieve data or records.” It continues to state that “in other circumstances, a reasonable period of time may be closer to a year.” In subsequent discussions, it seems unlikely that a period of over one year would be acceptable. There has been mounting pressure on the PEEC to better define the reasonable period of time threshold, but it does not appear that this guidance is forthcoming.

This ruling has made it imperative that CPAs evaluate their responsibility in keeping client records. Although the ruling was written to apply to electronic data, it is clear that it would also apply to paper records held by CPAs. Implementation of this standard could change how services are offered to clients. 

Kenneth A. Heaslip, CPA, CGMA, MBA, MS, is a director at Cullari Carrico LLC and a professor of accounting at Mercy College. He is a former NJCPA vice president and is currently a member of the NJCPA State Taxation, Federal Taxation, Nonprofit, Governmental Accounting & Auditing and Accounting & Auditing Standards interest groups. Kenn can be reached at


View All News