CPAs are moving to the cloud in greater and greater numbers. A December 2015 survey conducted by CPA Magazine reveals that 40% of CPA firms are already using cloud services, and many more say they will do so within the next year or so.

The term “cloud” refers to computer-based IT services that are delivered via the internet rather than from a firm’s own installed hardware and software. This is often called Software as a Service (SaaS). Perhaps your firm has been considering moving your IT functions to the cloud. There are a number of significant advantages to doing so.

Advantages of cloud computing for a CPA firm

SaaS allows you to access your software and data through any internet-connected device that supports a web browser. It might be your office computer, a laptop you carry with you while traveling, or even your smartphone. This means that you, your staff, and your clients can easily collaborate on tasks, sharing information in real time.

Choosing the right cloud services provider will allow you to focus on accounting, not technology. The vendor will take care of installing, maintaining, and upgrading the hardware and software required to provide the services you depend on, relieving your practice of tasks that have nothing to do with your core mission.

Perhaps the greatest benefit CPA firms gain by moving to the cloud is lower costs. SaaS works on a subscription model in which customers pay a monthly fee based only on the amount of the service they consume during that billing period. This allows a firm to avoid all the up-front capital costs associated with purchasing and maintaining its own servers and software.

But will your data be safe in the cloud?

The major hesitation many CPAs have about joining the cloud computing revolution is concern about the security of their data. By using the SaaS model, an accounting firm entrusts its business-critical data, including sensitive client information, to an outside vendor. Rule 301 of the AICPA Code of Professional Conduct and Internal Revenue Code Section 7216 require CPAs to insure that a client’s confidential information is protected at all times. How can a CPA firm do that when the data is no longer under its direct control?

Actually, a premier cloud services provider like TOSS C3 will necessarily have a level of expertise in data protection that goes far beyond what a CPA practice could achieve on its own. That’s their business. So, the key to ensuring that your firm’s data is protected in the cloud is choosing the right cloud services vendor.

How to choose the right cloud services provider

Because of the data protection issue, the Code of Professional Conduct requires that a CPA exercise due diligence in choosing a cloud services vendor. Here are some steps that should be taken before a selection is made.

1. Perform a background check: Is the vendor financially stable? What is their reputation in the industry for reliability and integrity in their relations with customers?

2. Ask the vendor some key questions about their operations: Are they familiar with and able to meet the data protection requirements to which a CPA practice must adhere? Does their data center have an AICPA Service Organization Controls (SOC) report?

• –What specific measures does the vendor have in place to make sure that sensitive data remains secure from unauthorized exposure, that it will not be intermingled with the data of other customers, and that it can be recovered in the event of equipment failure or natural or man-made disaster?
• –Where will your data be stored? Is it possible that your clients’ confidential data will be physically housed in locations that are not under the jurisdiction of U.S. law?
• –What level of availability (percent of time the service is up and usable) does the provider guarantee?

3. Get it in writing!

Ethics Ruling 1 of ET §391 states that a CPA “should enter into a contractual agreement with the third-party service provider to maintain the confidentiality of the information and be reasonably assured that the third-party service provider has appropriate procedures in place to prevent the unauthorized release of confidential information to others.”

Contractual agreements with cloud service providers usually take the form of a Service Level Agreement (SLA) that defines the services to be provided, as well as procedures and penalties should defaults occur. The SLA should address issues such as who owns the data stored on the vendor’s servers (it must be clear that your firm retains ownership of its data), whether the vendor assumes legal responsibility for safeguarding that data (AICPA recommends that a CPA not use a vendor who attempts “to disclaim liability for their own errors, omissions, or neglect”), how and under what circumstances the vendor must notify you of security breaches, and how you can retrieve and transfer your data in the event your relationship with the vendor is severed for whatever reason.

Is it time for your firm to move to the cloud?

More and more CPAs are finding that by doing their due diligence in selecting a cloud services provider, they can receive the substantial benefits cloud computing provides, while gaining an even greater level of confidence that their sensitive client data will remain safe.

If you would like to explore how moving to the cloud can benefit your firm