The concept of going paperless has been around for a long time, but CPA firms of all sizes are increasingly adopting a more virtual operating environment and taking advantages of the benefits allowed by Internet-, or “cloud-,” based computing service providers. While much has been written about the benefits of cloud computing, CPA firms should be aware of the hidden risks of allowing a third-party vendor to manage and maintain the firm’s and their clients’ data, and the associated professional liability implications.
This article provides an overview of cloud computing, highlights the common benefits of utilizing cloud computing services, provides sample practice aids, and raises awareness of the professional responsibilities and liability implications CPAs must consider.
Overview of Cloud Computing
Cloud computing is a model for on-demand network access to a shared pool of configurable computing resources.1 Essentially, this technology-driven model allows a user to store, access, and edit data in a remote and virtual environment rather than via a physical information technology (IT) server located in the firm’s office. Cloud computing offers centralized access to shared software applications and other computing resources that are managed by third-party vendors. The vendors own the programs, applications, and computer equipment, and lease their use to CPAs for a fee, which is generally based upon the number of users accessing the applications.
Accountants utilize various providers of cloud-based applications to help them manage their practices and deliver services to their clients. Cloud computing services targeted to CPA firms include those related to practice management/internal administration such as document management, workflow, or customer relationship management; service delivery such as tax return preparation, bookkeeping, payroll, billing and invoice management, and financial statement preparation; and information sharing via Internet-based portals, which offer an alternative to email for communicating and collaborating with clients and provide real-time access to client accounting records.
A comprehensive overview of cloud computing, including differing service models and practical considerations in employing such service models can be found in Cloud Computing Synopsis and Recommendations, Special Publication 800-146, issued by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce.
Benefits of Cloud Computing
There are numerous benefits of utilizing cloud computing services to help CPAs deliver services to clients and share information.
- Reduced Cost/Reduced Capital Expenditures
Using a cloud model can help reduce or eliminate the need for in-house technology infrastructure. Accounting firms that fully utilize a cloud model no longer need computers with large memories, external hard drives, or servers to store all of their data. In addition, computer software and hardware maintenance, administration, and upgrades can be performed by the cloud vendor rather than an in-house IT department. To deploy cloud-based services, firms only need a robust Internet connection and a browser.
Another benefit of cloud computing is that CPA firms pay only for their actual service usage. Cloud services are generally billed on a subscription basis based on the number of users. If needs change based on fluctuations in personnel, users can be easily added or deleted. In addition, the firm has access to additional data storage when needed during peak periods and does not pay for unused storage during non-peak periods.
One of the greatest benefits for CPA firms with a highly mobile work force is the accessibility of data. Data stored in the cloud is accessible from any computer, tablet, or other device with access to the Internet and eliminates the need to create multiple versions of the same document on different devices. If a document is stored in the cloud, it can be updated from any device with access to the Internet. Additionally, data stored in the cloud is readily available in the event of a natural disaster or other catastrophe at the CPA’s physical location as the data is not stored on the CPA’s servers.
The most compelling feature of utilizing cloud services is the ability to share and collaborate remotely. Cloud-based portals provide a convenient method for CPAs and clients to share information in a secure environment and facilitate the exchange of files that are too large for email. Cloud computing also helps CPA firms, especially those with multiple offices, balance workloads and resources during busier times by removing the geographical barriers associated with the location of resources and clients.
Professional Liability Implications
While cloud computing offers a number of compelling benefits associated with CPA firm practice management and service delivery, one critical risk with both legal and ethical implications arises – protecting the privacy and security of confidential client information.
The risks of unauthorized disclosure of sensitive client and firm data by cloud vendors can be significant. Recent, high-profile data breaches at companies such as Expedia Inc.'s Trip Advisor, email marketing provider Epsilon Data Management L.L.C., Sony Corporation of America’s online entertainment services, Google, and Apple’s iCloud calls into question how secure information is within a cloud-computing infrastructure. While there has not yet been a high-profile data breach within the professional services industry, client data utilized by professional services firms presents an attractive option for hackers. Therefore, professional services firms that utilize this technology should not be complacent about the exposure.
Cloud computing involves the uploading of client data to the Internet outside of the control of the CPA firm, an inherently perilous environment if not safeguarded appropriately. ET section (§) 301 of the AICPA Code of Professional Conduct states that a CPA shall not disclose any confidential client information without the specific consent of the client. In addition, Internal Revenue Code (IRC) §7216 prohibits anyone involved in the preparation of U.S. income tax returns from knowingly or recklessly disclosing or using the tax-related information provided other than in connection with the preparation of such returns. Practitioners who violate this provision may be subject to fines or imprisonment.
Consequently, CPAs must fully understand the professional obligations related to information privacy and security, as well as the risks associated with leveraging cloud computing technology before venturing into this area.
Professional Responsibilities and Risk Control Considerations
Professional Obligations2
While ET §301 and IRC §7216 are not intended to prohibit a CPA from utilizing third-party cloud computing service providers to deliver professional services to clients, the Code of Professional Conduct identifies relevant obligations of the CPA:
- The CPA should enter into a written agreement with the third party regarding the maintenance of confidentiality of client information (see Ethics Ruling No. 1 of ET §391).
- The CPA should take steps to reasonably assure him/herself that the third party has appropriate procedures in place to maintain confidentiality (see Ethics Ruling No. 1 of ET §391).
- The CPA should disclose the use of third-party service providers to its clients, preferably in writing, before disclosing confidential information to the third party (see Ethics Ruling No. 112 of ET §191 and Ethics Ruling No. 1 of ET §391).
The obligations noted in IRC §7216 differ slightly from the Code of Professional Conduct. IRC §7216 provides an exemption from the law for tax return preparers who disclose taxpayer information to a third party for the purpose of having that third party process the return. However, members should make third-party providers to which they have supplied protected client information aware of the requirements of IRC §7216. While there is no requirement in §7216 or its regulations for a member to inform the client that a third-party provider is being used to process the return, best practice and the sections of the Code of Professional Conduct noted above indicate notification should be made.
Laws and Regulations
CPAs must comply with relevant state privacy laws and related breach notification requirements. Currently, 46 states, the District of Columbia, and Puerto Rico have breach notification statutes applying to disclosures of sensitive information and impose data security requirements on entities operating in the state or who hold data about state residents. If data stored by a cloud vendor is compromised, under state privacy and security laws, the cloud vendor is responsible only for notification to the data owner (the CPA firm), not to the CPA’s individual clients. Once the CPA becomes aware of a potential privacy breach, he/she is ultimately responsible for responding to the breach on behalf of their clients, as well as compliance with state breach notification statutes.
In addition, CPA firms that provide services to health care providers or health care plans are subject to the privacy and security rules contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH). Firms with access to protected health information, such as patient billing records, are business associates as defined in HIPAA, and, based on the passage of HITECH, are subject to the same privacy and privacy breach notification requirements as their health care clients. Consequently, CPA firms are subject to potential civil and criminal penalties and prosecution for violation of the federal health care privacy laws.
By extension, CPA firms that utilize third-party service providers to store protected health information may be held responsible for the violations of their third-party service providers. To help mitigate this risk, CPA firms should confirm the service provider’s use of encryption and encryption keys that comply with the HIPAA Security Rule.3 If private, non-encrypted protected health information is breached, CPA firms may be held liable for the breach.4
Costs of compliance with state statutes to respond to a data breach can be significant. Costs can include notification to clients, the provision of credit monitoring services for a period of time, and more. Insurance coverage for data breaches varies and may involve a practitioner’s professional liability or another specialized policy. Such coverage is typically not provided in a general liability policy. Practitioners should confer with their professional liability insurance agent or broker regarding the application of insurance coverage to data breaches. Additional coverage may be necessary to fill any gaps.
Risk Control Considerations
So what’s a CPA to do? There are several practical actions CPAs can take to help ensure compliance with professional standards and laws, and to help safeguard client information.
- Conduct Due Diligence Before Selecting a Vendor5
CPAs should investigate vendors thoroughly before making a selection. Information should be obtained related to the financial stability of the vendor, the processes and controls the vendor utilizes to protect data, and how and where data will be stored and backed up. The CPA should review these competencies prior to entering into any contract with the vendor. The location of data storage is also important. For example, if the vendor’s data storage resides outside the U.S., the CPA may be subject to liability in the country in which the data is stored. In addition, the ability to produce data in a timely manner may be affected, and the laws of the relevant country may not provide adequate protection.
The use of strong encryption technology is essential to protecting the confidentiality of data stored with a cloud vendor. CPAs should understand what encryption technology is used by the cloud vendor.6
Service Organization Control (SOC) reports issued under the guidance of Statement on Standards for Attestation Engagements No. 16 provide information on internal controls at a service organization. CPAs should obtain and review the SOC report for the prospective cloud vendor as it provides valuable information that CPAs may utilize to assess and address the risks associated with an outsourced services.
Diligence procedures performed, results obtained and the CPA’s evaluation of the vendor should be thoroughly documented. Initial and subsequent periodic evaluations to confirm the initial assessment are recommended. Documenting investigations undertaken helps demonstrate compliance with the Code of Professional Conduct and helps protect the CPA if questions arise.
The AICPA Code of Professional Conduct states that a CPA should take steps to reasonably assure him/herself that the third party has appropriate procedures in place to maintain confidentiality. However, there is no clear definition or determination of what is considered reasonable. The CPA should utilize professional judgment and exercise due diligence. The greater the sensitivity of client information, degree of data complexity, volume of data, or reliance on the cloud vendor, the more thorough the CPA’s diligence efforts should be.
Key commercial terms with the vendor should be agreed to in writing via a service level agreement or other contract that outlines the terms, services provided by the vendor, metrics by which that service is measured, and remedies or penalties, if any, if the agreed-upon service terms are not achieved. While vendor terms are not always negotiable, vendors will sometimes entertain reasonable negotiations. The CPA should not blindly accept the vendor’s terms and conditions without reviewing them in detail to verify the inclusion of key contract terms in the service level agreement. A competent attorney should be retained to assist with this review. If the agreement does not provide the CPA and its clients with the necessary protections for privacy and security, other available vendors or technology resources should be pursued. CPAs should not engage any vendor whose terms would be viewed as “unreasonable” or who attempt to disclaim liability for its own errors, omissions, or neglect.
CPAs should inform clients of its use of cloud service providers and obtain written consent from the client before providing client files and documents to the provider. A separate agreement between the CPA and the client specifically related to the use of portals or the inclusion of specific language in the engagement letter are ideal ways of obtaining client consent. While professional standards do not require CPAs to obtain written consent from the client, this is a recommended practice.
To help avoid misunderstandings with clients, the CPA should be responsive to client inquiries regarding the vendor’s data security controls and questions about the use of client data in the cloud.
Conclusion
While cloud computing can be attractive for many reasons, CPAs should not access this functionality to simply adopt the latest technology. The benefits of cloud computing should be weighed against the needs of the practice and the ability of the CPA to control the associated professional liability risk. If the CPA would benefit from the advantages offered, then appropriate steps must be taken to ensure that the CPA fulfills its legal, ethical and business obligations to its clients.
Appendix A: Cloud Vendor Checklist9
|
|
Yes
|
No
|
Comments if No or N/A
|
|
1. Cloud Vendor Information:
|
|
|
|
|
1.1 Has the CPA investigated the background of the vendor including business and ownership structure? Is the CPA satisfied with the vendor’s business model?
|
|
|
|
|
1.2 Has the CPA made inquiries of the vendor’s relationships with outer corporations in data-sensitive industries and, ideally, other CPA firms?
|
|
|
|
|
1.3 Is the vendor financially stable? What is the vendor’s source of primary funding?
|
|
|
|
|
1.4 How long has the vendor been in business? What is their background and experience in providing Internet based software applications?
|
|
|
|
|
1.5 Has the CPA obtained a copy of the vendor’s certificates of insurance and reviewed it with their insurance agent or broker?
|
|
|
|
|
1.6 Has the vendor had an SSAE 16 audit conducted regarding its controls over the following areas: data security, availability, processing integrity, online privacy and confidentiality?
|
|
|
|
|
1.7 If applicable, has the CPA requested a copy of the latest SSAE 16 report and reviewed its findings?
|
|
|
|
|
1.8 Does the CPA have a contact at the vendor to call with questions on technical or other data issues (other than the salesperson)?
|
|
|
|
|
2. Ownership of Data:
|
|
2.1 Has the CPA confirmed that the CPA firm is the sole owner of the data and that the vendor has no rights to the data?
|
|
|
|
|
3. Confidentiality of Data:
|
|
3.1 Has the CPA confirmed that the vendor will assume responsibility and legal liability for data confidentiality?
|
|
|
|
|
3.2 Has the CPA confirmed the means by which the vendor will keep the data secure (firewall, encryption, etc)?
|
|
|
|
|
3.3 Is the vendor experienced in handling data specific to the CPA firm? Has the CPA confirmed the vendor’s ability to comply with applicable state, federal and industry compliance requirements applicable to client industries (e.g., health care or financial services)?
|
|
|
|
|
3.4 Has the CPA confirmed how the vendor will segregate or otherwise protect the CPA firm’s data?
|
|
|
|
|
3.5 Has the CPA gained an understanding of how and when the vendor will notify the firm in the event of a potential data breach, and what events will trigger notification?
|
|
|
|
|
3.6 Does the vendor have stringent access controls to prevent unauthorized access to data?
|
|
|
|
|
3.7 Does their vendor utilize sub contractors? What are the vendor’s controls over the use of subcontractors?
|
|
|
|
|
4. Format of Data:
|
|
4.1 Has the CPA confirmed that the firm will have access to raw data in the original file format?
|
|
|
|
|
5. Location of Data Storage:
|
|
5.1 Has the CPA confirmed the location where the data will actually be stored?
|
|
|
|
|
5.2 Has the CPA’s attorney reviewed the choice of law provision in the vendor contract?
|
|
|
|
|
6. System Usage, Logon and Access:
|
|
6.1 Can the CPA firm define and control different levels of access to certain files for different employees/clients (important for firms that have different security and access for CPAs and support staff)?
|
|
|
|
|
6.2 Does the vendor have access controls in place to permit access to the CPA’s data to only those vendor employees who require such access?
|
|
|
|
|
7. Exit Strategy: Return of Data/Wipe Upon Termination:
|
|
7.1 Has the CPA confirmed that the vendor will return data to the firm in a usable format (for example, if the CPA firm stored Microsoft Word documents with the vendor, is the data returned in that format or another format that is unusable to the CPA firm)?
|
|
|
|
|
7.2 Has the CPA confirmed that the vendor will ensure permanent deletion or overwrite of data from the vendor’s servers at the CPA’s request or upon termination of the relationship? Does the vendor have adequate controls over the purge of data to ensure confidential information is not compromised?
|
|
|
|
|
7.3 Are the timelines associated with the return of data from the vendor reasonable such that the CPA’s business will not be disrupted?
|
|
|
|
|
7.4 Has the CPA gained an understanding of any fees associated with termination and/or return of data to the CPA?
|
|
|
|
|
8. Confirm Vendor’s Full Acceptance of Liability for Breach:
|
|
8.1 Has the CPA confirmed that there are no limitations on liability for the vendor?
|
|
|
|
|
9. What Happens if the Vendor Goes Out of Business?
|
|
9.1 Has the CPA confirmed with the vendor the status of the data if the vendor ceases operations?
|
|
|
|
|
10. Data Availability/Security:
|
|
10.1 Has the CPA gained an understanding of the redundancy the vendor has in place to ensure data availability and backup? Does the vendor have a disaster recovery plan? Does the vendor have controls over scheduled backup and safe storage of backup media?
|
|
|
|
|
10.2 Has the CPA gained an understanding of what happens in the event of data loss and the responsibilities of the vendor?
|
|
|
|
|
10.3 Has the CPA ensured that data is always travelling on a secure channel and is securely encrypted (not only when it’s on the vendor’s servers but also when it’s in transit or being accessed by the cloud-based applications)?
|
|
|
|
|
10.4 Has the CPA gained an understanding of what happens to the data or access in the event of a fee dispute or disagreement with the vendor?
|
|
|
|
|
10.5 Does the service level agreement provide an agreed upon percentage of service availability (uptime)?
|
|
|
|
|
10.6 Has the vendor’s software been tested for security vulnerabilities? Can the vendor provide industry-accepted security certificates?
|
|
|
|
|
10.7 Has the CPA confirmed the vendor’s ability to help comply with legal requests (e-discovery, record preservation, litigation holds, etc.)?
|
|
|
|
|
10.8 Does the vendor have a dedicated and competent in-house cyber security staff?
|
|
|
|
Appendix B: Key Vendor Terms and Considerations10
|
Term
|
Consideration
|
|
Ownership of Data
|
CPA firm should be the sole owner of the data. The vendor should not have ownership or other rights to the data.
|
|
Confidentiality of Data
|
CPA should confirm that vendor will assume responsibility and legal liability for confidentiality of data.
|
|
Location of Data Storage
|
CPA should confirm location of data storage and review with their attorney the choice of law provision in concert with laws that may govern the location of data storage.
|
|
Pricing
|
Payment terms and conditions should be clearly understood and agreed to by both parties. There should be no questions about how the pricing is set and updated. Additional fees (termination fees, costs to migrate data to another vendor, for example) should be disclosed.
|
|
Data Security Breaches
|
The responsibilities, including who is responsible for the costs associated with data breach investigation, of both the vendor and the CPA, in the event of a privacy breach should be clearly defined and understood.
|
|
Data Outages
|
Causes of service outages should be addressed in the vendor agreement, including the form and level of compensation. Does the vendor exclude or limit damages, especially consequential damages such as business loss?
|
|
Exit Strategy
|
CPAs should confirm that the vendor will return data to the CPA in a useable format upon termination of the relationship with the vendor. In addition, the CPA should confirm that the vendor permanently overwrites or deletes the data from its servers subsequent to return of data to the CPA.
|
|
Uptime
|
Uptime indicates the percentage of time the vendor guarantees a user will have access to the system. Most vendors will guarantee a 99.999% uptime.
|
|
Termination
|
The CPA should confirm its ability to terminate the contract if the vendor fails to live up to its obligations or perform under the contract, including the existence of any money-back guarantees.
|
Appendix C: Example Engagement Letter Language, Use of Cloud Computing Vendor
Note: The language below is provided as an example only. Engagement letters are considered legal contracts and local laws applicable to the matters included in engagement letters vary significantly. Certain governmental bodies, commissions, regulatory agencies, state boards of accountancy or professional organizations have established requirements that might prohibit entities subject to their regulation or professional standards from including engagement letter provisions that limit the rights of clients. Accordingly, before using the language below in an engagement letter, a competent attorney should carefully review it for conformity with applicable law.
Electronic Data Communication and Storage and Use of Third Party Service Provider11
In the interest of facilitating our services to your company, we may communicate by facsimile transmission, send data over the Internet, store electronic data via computer software applications hosted remotely on the Internet, or allow access to data through third-party vendors’ secured portals or clouds. Electronic data that is confidential to your company may be transmitted or stored using these methods. We may use third-party service providers to store or transmit this data, such as providers of tax return preparation software. In using these data communication and storage methods, our firm employs measures designed to maintain data security. We use reasonable efforts to keep such communications and data access secure in accordance with our obligations under applicable laws and professional standards. We also require all of our third-party vendors to do the same.
You recognize and accept that we have no control over the unauthorized interception or breach of any communications or data once it has been sent or has been subject to unauthorized access, notwithstanding all reasonable security measures employed by us or our third-party vendors, and consent to our use of these electronic devices and applications and submission of confidential client information to third-party service providers during this engagement.
December 2012
Accountants Professional Liability Risk Control, CNA, 333 South Wabash Ave. 36S, Chicago, IL 60604
For more than 50 years, CNA has been serving accounting firms with solutions that help reduce the risks of managing their practice and insurance that helps cover a firm and its employees. With products and services designed for accountants by experienced professional risk consultants with practical experience in the profession, CNA insures more accountants than any other carrier. CNA’s broad portfolio includes professional liability, general liability, cyber liability, property, employment practices liability, and our industry-leading P&C package for small firms. We are proud to be the endorsed professional liability insurance carrier for the American Institute of CPAs® member insurance program.