AI Compliance Checklist for CPA and Accounting Firms (2026)

Published March 31, 2026 · By The Crossing Report · 10 min read


Summary

  • AICPA professional standards already apply to AI use — there is no AI-specific rule yet, but existing competence and due care requirements cover your liability exposure
  • Client disclosure for AI-assisted work is not yet mandated by AICPA, but voluntary disclosure in your engagement letter is the professionally responsible — and liability-reducing — approach
  • Colorado's CPAIA (June 30, 2026) may apply to CPA firms depending on what their AI tools do and who their clients are
  • A 5-step compliance checklist any CPA firm with 5-50 employees can complete this quarter

The Gap No One Is Filling

Search for "AI compliance checklist accounting firm" right now. What you'll find: generic small-business guides written for restaurants and retailers, cybersecurity checklists that conflate AI with data security, and enterprise compliance frameworks built for companies with legal departments.

What you won't find: guidance written specifically for the CPA or accounting firm owner who is using AI to help with tax preparation, client advisory, financial statement drafting, or practice management — and who needs to know what their professional obligations actually are.

That's what this is.

The honest framing: AI compliance for CPA firms in 2026 sits at the intersection of AICPA professional standards (self-regulatory, but license-threatening), state AI legislation like Colorado's CPAIA (government enforcement, up to $20,000 per violation), and rapidly evolving state CPA board guidance. None of these are moving in sync. This checklist helps you build one policy that addresses all three.


What AICPA Guidance Requires

AICPA has not published an AI-specific ethics standard as of 2026. That does not mean your AI use is unregulated.

The existing framework that applies:

ET Section 1.300 — General Standards. CPAs must perform professional services with professional competence, due care, adequate planning and supervision, and sufficient relevant data. "Professional competence" means understanding the tools you use well enough to stand behind the output. If you use an AI tool to generate a tax strategy and cannot explain how it reached that conclusion, you may not meet the competence standard.

SSTS No. 1 (Tax Return Positions). The Statement on Standards for Tax Services requires that a CPA not recommend a tax return position without a reasonable basis for that position. AI-generated tax strategies require the same standard of review as human-generated ones. Using AI does not transfer the professional responsibility; it remains yours.

Confidentiality (ET Section 1.700). Client information is confidential. Inputting client tax data, financial records, or personally identifiable information into consumer AI tools (tools that may train on your inputs) likely violates this standard. Enterprise tools with data processing agreements are required.

What this means practically: You are already professionally responsible for everything your AI tools produce. The question is not whether AICPA rules apply — they do — but whether your current AI use would survive a peer review or a state board investigation.

The practical gap most small CPA firms have right now: no written AI use policy, no training documentation, and no process for verifying that staff is using approved tools with client data.


Client Disclosure: When and How to Tell Clients You Use AI

No uniform AICPA rule requires AI disclosure to clients. Several state CPA societies (including California and New York) have issued non-binding guidance recommending it. Your professional liability carrier is quietly tracking this issue.

The case for voluntary disclosure is straightforward: clients who find out you use AI tools without their knowledge are significantly more likely to file complaints and suits than clients who were informed and consented. Disclosure is not a liability — secrecy is.

When disclosure matters most:

  • Tax preparation: If AI tools are substantially drafting returns, suggesting positions, or flagging deductions, disclose in the engagement letter. Some clients will ask whether the work was done by a human CPA — they deserve an honest answer.
  • Financial advisory: If AI is generating financial projections, scenario analyses, or investment recommendations that feed into client decisions, the client has a reasonable interest in knowing how those analyses were produced.
  • Audit support: AI-assisted audit procedures (risk assessment tools, anomaly detection) are increasingly common. Engagement letter disclosure covers you if a client later questions the audit methodology.
  • Any deliverable you sign off on: Your signature attests to competence and responsibility. If AI materially contributed, disclosure is consistent with that responsibility.

How to disclose without creating alarm:

The tone matters. "We use AI tools to work more efficiently on your behalf. All work product is reviewed and approved by a licensed CPA. Here is how we protect your data." That is disclosure — not confession.

The worst version of this conversation is one your client initiates after reading about a competitor data breach involving AI tools. Own the disclosure in your engagement letter and you control the framing.


Engagement Letter Update: The AI Clause for Accounting Firms

The ABA issued Opinion 512 for lawyers on AI use in legal practice. AICPA has not issued an equivalent opinion, but the engagement letter is your primary risk management tool in the interim.

The AI clause your engagement letter needs (adapt to your firm):

Use of AI-Assisted Tools: Our firm uses AI-assisted software tools to support certain aspects of our work, including [tax preparation review / financial analysis / document drafting / practice management — identify which apply]. All work product is reviewed, and responsibility for its accuracy and completeness rests with a licensed CPA. Client information shared with AI tools is processed under enterprise data agreements that prohibit use of your information for training AI models. You may request human-only processing for any engagement deliverable.

This clause accomplishes three things: informed consent, liability placement, and data protection assurance. It takes two minutes to add to an existing engagement letter template.

What NOT to include: Lengthy disclaimers about AI limitations, hedged language about "AI may make errors," or anything that erodes client confidence in your judgment. The clause should read as professional competence disclosure, not a warning label.


Colorado AI Act: Does It Apply to Your Accounting Practice?

Colorado's Consumer Protections for Artificial Intelligence Act (SB24-205, known as CPAIA) takes effect June 30, 2026. It applies to firms that deploy "high-risk AI systems" — a defined category that includes AI used to make consequential decisions about people's access to financial services, employment, and healthcare.

The accounting firm applicability question:

The law defines "consequential decision" broadly: any decision that has a material legal or similarly significant effect on a person's access to financial services, housing, employment, credit, or education. If you use AI tools that influence credit determinations, loan analysis, or financial recommendations for clients who are Colorado residents — you may qualify as a CPAIA-covered deployer even if your firm is not in Colorado.

Scenarios that likely bring a CPA firm under CPAIA:

  • AI-assisted financial analysis tools that evaluate creditworthiness or investment suitability for Colorado clients
  • Automated tax review tools that flag returns or generate positions affecting Colorado residents
  • Any AI hiring tool used internally to screen candidates in Colorado

Scenarios that likely do not trigger CPAIA:

  • General practice management software with AI features (scheduling, document processing)
  • Grammar/drafting assistance for client communications
  • Internal research tools that do not generate client-facing recommendations

For most 5-50 employee CPA firms: The immediate action is a tools audit: inventory what you use and check it against the CPAIA "consequential decision" definition. If you use AI in any client-facing financial analysis capacity with Colorado clients, add CPAIA compliance to your June 30 action list and document your risk management policy.

The penalty is up to $20,000 per violation. The enforcement mechanism is civil, via the Colorado AG. It is not a fine most small firms can absorb.


5-Step AI Compliance Checklist for CPA Firms

This checklist is designed for a CPA firm with 5-50 employees. No legal department required. Target: complete this within 90 days.

Step 1: Audit Your AI Tools

List every AI tool your firm uses, including tools staff may be using without formal approval. For each tool, document:

  • What client data (if any) goes into it
  • What the tool outputs (recommendations, drafted text, calculations)
  • Whether you have a data processing agreement in place with the vendor
  • Whether consumer/free tier use is occurring

Common tools to audit: ChatGPT, Claude, Copilot, tax software AI features (Intuit, Drake, UltraTax AI components), document automation platforms, practice management AI features.

Red flag: Staff using free-tier AI tools with client tax data. Address this in Step 3.

Step 2: Update Your Engagement Letter Template

Add the AI disclosure clause described above. Apply it to all new engagements. For existing multi-year clients, add it at the next renewal or in a supplemental communication. Keep a copy of the previous template in your files to document when the update was made.

Time required: 30 minutes to draft, 2 hours to review with your professional liability carrier if desired.

Step 3: Write a One-Page AI Use Policy

Your policy needs to cover: which AI tools are approved for client work, which data categories may not be input into AI tools (client PII, SSNs, tax records in non-enterprise tools), how staff should handle AI-generated output (review required, not submit-as-is), and who is responsible for AI compliance at your firm (assign a name, not "the firm").

One page is enough. Do not overcomplicate this. The policy exists to document that you took a reasonable approach — peer review and professional liability claims both benefit from the existence of a written, dated policy.

Step 4: Train Your Team

A one-hour team meeting covering: approved tools and why, prohibited data inputs and why, the human review requirement, and how to flag situations they are unsure about. Document attendance.

This is not a technical training. It is a professional standards conversation. If you have two employees, this is a 20-minute conversation. If you have 30, it is a structured lunch-and-learn.

Step 5: Set a Quarterly Review Calendar

AI compliance is not a set-it-and-forget-it task. New tools, new regulations, and new guidance from state CPA boards will arrive in the next 12 months. Set a 90-day calendar reminder to:

  • Review your tools audit for anything new
  • Check whether your state CPA board has issued new AI guidance
  • Review CPAIA enforcement updates from the Colorado AG (if applicable)
  • Confirm engagement letter template is still current

The compounding risk of not reviewing: A tool that was compliant 18 months ago may have changed its data processing terms. Staff tool use creep is real — new tools appear without a formal approval process. The quarterly review catches both.


The Bottom Line for CPA Firms

The compliance gap is not whether AI rules apply to your firm. They already do — through existing AICPA professional standards. The gap is documentation, disclosure, and tool governance. None of this requires a legal team or a compliance budget. It requires 90 days of focused attention and the willingness to have an honest conversation with your clients.

The firms that complete this checklist before June 30, 2026 are positioned to use AI more aggressively in service delivery — because they have the governance in place to defend it. The firms that skip it are running professional liability exposure they may not understand yet.

Your action this week: Open your standard engagement letter template and add the AI disclosure clause. One paragraph. That is the minimum viable starting point, and it takes 30 minutes.


The Crossing Report covers the AI transition for professional services firm owners. The premium tier includes a fill-in engagement letter AI clause template for accounting firms — ready to add to your practice software.