The major issue I worry about with cloud services for CPAs is compliance with laws and regulations. Microsoft has a page which details how you can use their cloud services, including Office 365, for health services, which would get you to HIPAA compliance. I think they are probably going to be adequate, but I would get the documentation in the file before I switched over. If you are doing e-mail archiving, or would ever do e-mail archiving, you will want to get the Enterprise version of Office 365 instead of the Small Business (P1) version.
As far as using SharePoint, it's a great tool, but I would call your malpractice carrier about putting client tax information on the hosted SharePoint with Office 365. The penalties for noncompliance with IRC 7216 are so severe that I would be positive that it's compliant before I put any client information out there on it, and I've not done enough homework on it to confirm its compliance with these and other regulatory requirements. There are some deployment readiness and overall deployment guides/checklists for Office 365 at http://community.office365.com/en-us/f/183.aspx, but I haven't had time to go through them for HIPAA/FINRA/GLB compliance. I think the hosted solutions are probably more compliant than what you would have installed locally in your office, but I haven't read the security audits.
Here's what PCWorld/ZDNet said about Office 365 - and it's consistent with what I've read on the application:
Compliance with government and industry regulations is a big deal in today’s business world. Microsoft Office 365 services have been certified as compliant with ISO 27001 standards, completed SAS70 Type I and II audits, and achieved the EU Safe Harbor seal. Microsoft has also added controls for helping customers comply with HIPAA (Health Insurance Portability and Accountability Act) and FERPA (Family Educational Rights and Privacy Act).
Wow. Pretty impressive “alphabet soup” of regulatory compliance.
I think the real risk to compliance in Office 365 is someone e-mailing tax returns or sending payroll or benefits data over e-mail without encryption. Worrying about compliance of Microsoft's servers without addressing these basic risks is somewhat like smoking a cigarette while putting gas in a fire truck. The vehicle is designed to provide fire suppression, but you have to use good judgment in how you use the tool.
Bottom line - I have some hesitation with cloud services from people other than tax software providers (since they don't necessarily know the requirements for a CPA firm), but given Microsoft's focus on the needs of enterprises and everything I've read about the service, I think it's as good as or better than any other hosted e-mail service.