PROFESSIONAL LIABILITY SPOTLIGHT
Drafting an AI policy that actually works
Generative AI burst into the public eye almost four years ago when OpenAI launched ChatGPT. Some CPA firms were early adopters and jumped right into leveraging AI’s capabilities, while others have been more cautious. Today, generative AI is everywhere. The question is whether your firm will let its AI usage and controls evolve ad hoc or take a more structured approach, putting clear, thoughtful guardrails in place.
The goal is to create good habits around AI use from the start. To foster these good habits, thoughtfully created and carefully implemented policies can help. Consider developing easy-to-follow guidelines and training for your employees. Also, conduct rigorous oversight to help ensure the policies are followed. Getting started with the process may seem overwhelming, so consider the following building blocks for creating your policies:
Define the Scope and Purpose of AI Use
Your policy should start by clearly answering two questions: What are you governing and why? To answer the “what,” define “generative AI” and related terms. Once the terms are defined, you can tie AI use to professional obligations to answer the “why.” Consider compliance with the AICPA Code of Professional Conduct, state board of accountancy rules, regulatory requirements, ethical obligations, and client confidentiality agreement requirements. This framing makes clear that AI is a tool to support, not supplant, your professional responsibilities.
Governance: Who Can Use What and Under Whose Oversight?
Firms that manage AI risk well treat it as a governance issue, not just a technology issue. Consider limiting use to generative AI tools that are authorized for firm business, with a maintained list of approved tools and a process for requesting new ones. You want employees to use only tools the firm has vetted and approved; try to avoid having employees pick up their phones and start using a random, unvetted AI tool they downloaded. You may also want to require employees to use authorized AI tools only on firm-issued devices. Consider prohibiting the sharing of access to the firm’s AI tools with individuals or entities outside of the firm.
To manage governance, consider designating an AI lead or committee to review proposed use cases, approve tools, revise and implement the policies, monitor employee use for compliance, and address incident reports. This will give your employees a clear path to ask questions and get consistent answers.
Data Privacy, Confidentiality, and Data Governance
For CPA firms, data security is vital. Your AI policy should be explicit and align with your data governance and privacy policies, as well as data breach procedures.
When using AI tools, learn how and where information provided to each AI tool is stored, who has access to the information, whether the information is de-identified, and whether the information is used to feed and further train the tool. If the information can be accessed by others outside the firm and is not de-identified, restrict the entry of personal, confidential, or proprietary information; intellectual property; or trade secrets into the tool.
Train employees to recognize what they are entering into the tool and to identify how sensitive the information is. Use specific examples not only of what cannot be entered into the tool but also of how to appropriately redact the information. Offer alternate ways to enter information that do not violate data privacy requirements. Remind employees to share only what is necessary for the AI tool’s purpose. Consider having the firm’s AI policies reviewed by an attorney to ensure they comply with applicable privacy laws.
Quality, Accuracy, and Professional Liability
Generative AI can be confidently wrong. That can be a professional liability problem if you rely on its output without proper review. If the tool provides incorrect information that goes unchecked, a client will come after the firm, not the AI tool. AI should not be used to make, finalize, or support decisions related to client services, such as tax filings, the issuance of opinions on financial statements, or advisory recommendations, without thorough human review and approval as required by your existing supervision policies. Remember, generative AI tools are resources to aid a professional in the provision of services, not a replacement for professional judgment. Require that any AI-generated research, technical explanations, or citations be verified directly from primary authoritative sources (the IRC, Treasury regulations, IRS guidance, professional standards, FASB, etc.) before use. This helps mitigate “hallucinations” by the AI tool and supports defensible working papers if a claim or complaint arises. Remind your employees that the signing CPA is responsible for the accuracy and completeness of all deliverables. Blaming an AI tool for incorrect information or advice is not an option.
Documentation and Supervision
If it isn’t documented, it didn’t happen. Consider requiring your employees to document their use and review/verification of AI-generated research and procedures. Have employees document the following items, at a minimum, in the client file: the prompts used, how the outputs were verified, and who performed the review. This should be no different than how you would document significant judgments and reliance on third-party tools or providers. Consider integrating AI review expectations into your quality control system, not as a separate, informal process.
Avoiding Bias
AI can embed and amplify bias in the data used to train the tool. Remind employees that outputs are subject to the firm’s anti-discrimination policies. Also, require employees to critically assess results for potential bias. Consider involving diverse reviewers where outputs relate to HR decisions, talent acquisition, or sensitive client decisions.
Transparency and Client Communication
Be clear about AI assistance where appropriate. Consider clearly attributing AI-assisted content as such in certain communications or internal documentation. You may want to consult an attorney on your disclosure policy, as some state laws, engagements, industries, or regulators may require disclosure. Even when it is not required, you may consider voluntary disclosure to clients to be transparent and build trust. Consider having disclosure language added to all engagement letters to inform your clients that AI tools may be used in the provision of professional services. For more, read the Professional Liability Spotlight column “Should I Disclose My Use of Gen AI to Clients?” JofA, April 1, 2025.
‘Acceptable Use’ Rules
Not every possible use of AI is appropriate for a CPA firm. Your AI lead or committee should define permissible and impermissible uses and provide examples. For example, permissible uses may include “lower risk” or “ordinary” uses, such as summarizing nonconfidential material or drafting internal memos. Impermissible uses should include uses that are clearly inconsistent with professional standards or client confidentiality requirements. Remember what is considered an “acceptable use” may vary by function. Identifying permissible and impermissible uses reduces ambiguity and helps prevent risky experimentation.
Training, Culture, and Implementation
Even a well-written policy fails without implementation. Good habits must be built from the start through education, and rigorous oversight helps ensure the policies are followed. Consider implementing training sessions for specific tools, obtaining a signed acknowledgement from employees that they understand the policies, and conducting spot checks, engagement reviews, and feedback loops to address issues that arise.
Policy Maintenance
Finally, recognize that AI is a moving target. As technology advances, the firm’s use of AI tools evolves, and legal and regulatory requirements advance, the policies will need to be reviewed and updated, internally or with an attorney, in response. These policies are a living part of your risk management framework, not a one-time memo.
Assistance with AI adoption needed
16%: the portion of firms that were “very confident” in their ability to adapt to AI and automation over the next three years, according to the 2025 PCPS National Management of an Accounting Practice (MAP) Survey.
Nicole L. Graham, Esq., is a risk consultant at Aon. For more information about this article, contact nicole.graham@aon.com.
The information contained in this article is for general purposes only. This article is not providing any individual business, financial, regulatory, or legal advice. Readers should speak with their legal counsel prior to taking any action. While care has been taken in the production of this article, Aon does not warrant, represent, or guarantee the accuracy, adequacy, completeness, or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Readers shall be responsible for the use to which they put this article. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
