Don’t Get Lost in the Cloud….

by Thomas G. Neill, CPA, Chair, Washington State Board of Accountancy | Aug 16, 2017
cloud cut out fingers

I had occasion the other day to call the company that provides my tax software. During my conversation with the customer service representative, I asked the following question: “When will I be required to store my client tax data on the cloud?” The reason I asked this question was because that I have been seeing more and more information about software providers moving towards cloud storage for their customers’ information. Be it our tax software providers, Microsoft Exchange, or Gmail for Google, this is becoming a more common occurrence. Also, I wanted to be aware of the steps that I might need to take in anticipation of this.

The concept of cloud storage of data is one that many CPAs have not considered from the regulatory standpoint. At its most basic level, this is the use of a third-party service provider to store and allow you access to data—either yours or data that belongs to your employer or your clients. This is often viewed as a methodology for low cost, easily accessible data from wherever one might be working, but it is not without perils if one is unaware that there are regulatory standards governing this area.

The Washington State Board of Accountancy rule that comes into play is WAC 4-30-050(3), which states the following:

WAC 4-30-050

What are the requirements concerning records and clients' confidential information?

(3) Confidential client communication or information: Licensees, CPA-Inactive certificate holders, nonlicensee firm owners and employees of such persons must not without the specific consent of the client or the heirs, successors, or authorized representatives of the client disclose any confidential communication or information pertaining to the client obtained in the course of performing professional services.

This rule also applies to confidential communications and information obtained in the course of professional tax compliance services unless state or federal tax laws or regulations require or permit use or disclosure of such information.

Consents may include those requirements of Treasury Circular 230 and IRC Sec. 7216 for purposes of this rule, provided the intended recipients are specifically and fully identified by full name, address, and other unique identifiers.

From a regulatory standpoint, CPAs need to understand that the placement of client data on the cloud is considered disclosure of client information per the above—since it is being sent to a third party. What the above specifies is that before information is disclosed, specific, written consent is required to be obtained from the client.

The AICPA Code of Professional Conduct, that Washington licensees are also bound to under WAC 4-30-048, indicates the following regarding the use of a third-party:

1.700.040 Disclosing Information to a Third-Party Service Provider

.01 When a member uses a third-party service provider to assist the member in providing professional services, threats to compliance with the “Confidential Client Information Rule” [1.700.001] may exist.

.02 Clients may not expect the member to use a third-party service provider to assist the member in providing the professional services. Therefore, before disclosing confidential client information to a third-party service provider, the member should do one of the following:

a. Enter into a contractual agreement with the third-party service provider to maintain the confidentiality of the information and provide reasonable assurance that the third-party service provider has appropriate procedures in place to prevent the unauthorized release of confidential information to others. The nature and extent of procedures necessary to obtain reasonable assurance depends on the facts and circumstances, including the extent of publicly available information on the third-party service provider’s controls and procedures to safeguard confidential client information.

b. Obtain specific consent from the client before disclosing confidential client information to the third-party service provider.

As noted above, the AICPA Code of Conduct places responsibility on the CPA to use their best efforts to make sure that the cloud service provider being used will maintain the confidentiality of the client data. So one way to resolve this would be to get your client(s) to approve this method of data storage—and the easiest way to do this is in an engagement letter whereby you obtain written authorization from the client. But it is important to note that the AICPA Code allows the licensee the option of either verbal or written consent, whereas State Board Rule only allows written consent.

Do Your Due Diligence

Notwithstanding the issue of confidentiality, you also need to consider what other areas of the Code of Conduct might be in play. As discussed above, it is imperative to perform procedures to understand your cloud service provider's policies and methods used to keep your client data secure, as noted in the excerpt above—and to document and retain those policies and procedures. When one delves further into the AICPA Code of Conduct, under the concept of “acts discreditable,” it would also be a violation of the Code if you as a licensee cannot demonstrate that you applied appropriate safeguards to ensure that your cloud service provider has adequate data security procedures. Merely clicking through a licensing agreement would not demonstrate that you applied appropriate safeguards.

So as you consider the move to a cloud storage environment, consider the rules and regulations found in Board rule and in the AICPA Code of Conduct. Failure to do so could lead to disciplinary action should someone file a complaint.

The Board of Accountancy is working on revisions to Board Rule that will hopefully align more with the provisions noted in the AICPA Code of Conduct, so stay tuned for more in the future on this.

Tom Neill 2017 headshotThomas G. Neill, CPA, CGMA, is the current Chair of the Washington State Board of Accountancy.

This article originally appeared in the July 2017 WBOA Newsletter. If you would like to read more article’s like this, sign up for the Washington State Board of Accountancy newsletter.


  1. 2 Mary Hollen 17 Aug
    When I obtain my taxpayers' signatures on form 8879 I explain to them that 'Consent to Disclose' means that their personal information will pass through the hands and servers of another on the way to IRS, an intermediary that I believe to be secure although I cannot guarantee it.  I explain that by their signature they are consenting.  I reference the language on the 8879 page two, which is in part:

    "I consent to allow my Intermediate Service Provider, transmitter, or ERO to send my return to IRS...."

    Does this meet the State Board requirement?
  2. 1 Paul Carboni 22 Aug
    Hi Mary! We reached out to Tom in order to find an answer to your question. Here's what Tom told us:

    "On the question, existing Board rule says to obtain 'specific consent' and what you described appears to meet the standard for the purposes of electronic transfer of the return. But it wouldn’t apply to electronic record storage or storage of tax return data on the cloud, which is why obtaining a broader written consent, such as in an engagement letter, is the most foolproof approach."

You are not allowed to post comments.


The Washington Society of Certified Public Accountants is the only organization in the state of Washington dedicated to serving the professional needs of CPAs, educating consumers about CPAs and the services they provide, and encouraging students to study accounting and enter the profession.

Your Profession. Your Future. Your Advocate.


Washington Society of CPAs
902 140th Ave NE
Bellevue, WA 98005-3480

  • (P) 425-644-4800
  • (F) 425-562-8853

The WSCPA's business hours are 7:30 a.m. to 4:30 p.m., Monday through Friday.