AICPA Ethics + AI for CPAs: The Line You Don't Cross

CPAs operate under the AICPA Code of Professional Conduct. The Code doesn't have specific AI provisions yet. It does have provisions that apply directly to how AI is used.

This is not legal advice. Talk to your firm's compliance officer or state board.

The rules that matter

Integrity (ET 1.100.001). Members must perform all professional responsibilities with integrity. Using AI does not relieve the CPA of integrity obligations on the work product.

Objectivity and Independence (ET 1.200). Independence rules vary by service. AI tools used by the firm can affect independence if they're provided by, or to, an audit client.

Confidentiality (ET 1.700.001). Client information must be kept confidential. Most consumer AI services have terms that could be read as disclosure to a third party.

Competence (ET 1.300.001). Members must perform professional services with competence. This includes competence with any AI tools used.

Acts Discreditable (ET 1.400). Various sub-rules. The most relevant for AI: misuse of confidential information, unauthorized practice issues if AI is used to deliver services the CPA isn't licensed for in a particular jurisdiction.

Specific scenarios

Using ChatGPT to summarize client notes. Likely a confidentiality violation under most enterprise terms unless you have the no-training, no-third-party-use tier with explicit confidentiality. Use enterprise tiers with BAA-like terms or your firm-tenant Microsoft Copilot.

Letting AI draft client deliverables that the CPA signs. Acceptable if the CPA reviews. Not acceptable if the CPA rubber-stamps. Competence and integrity both implicated.

Marketing AI capabilities of the firm. Allowed. Make sure claims are accurate. "AI-augmented" is fine. "AI auditor" is not — auditing requires CPA judgment.

Using AI provided by an audit client. Independence issue. If the client's AI tools are integrated into your work for them, that may impair independence. Consult.

Using AI to deliver advice across state lines. Most CPAs are licensed by state. AI doesn't change jurisdiction rules. You can't use AI to practice in a state where you're not registered.

Sharing client data with AI tools provided by your firm's tech vendors. Each vendor relationship needs review. Confidentiality and data security terms matter.

Patterns that work

Enterprise AI with proper data agreements. Claude for Enterprise, ChatGPT Enterprise, Microsoft Copilot via firm tenant, Lexis+ AI / CCH AI / Bloomberg AI. Confidentiality terms acceptable in most cases.

AI for internal work (not yet client-facing). Internal training materials, firm operations, internal newsletters. Less exposed to confidentiality issues.

AI for non-CPA-specific tasks. Email drafting, calendar management, internal communications. The Code's specific provisions are about professional work product, not generic business operations.

Documented AI policy. A firm-level AI policy that's been reviewed by your state board or compliance counsel. Trained on. Audited. The policy is itself a defense.

Patterns that don't work

Free or consumer-tier AI for client matters. Terms typically don't meet confidentiality requirements. Tax preparation specifically also implicates IRC Section 7216.

AI-only judgment on attest engagements. Audit, review, compilation — these require CPA judgment. AI assists. AI does not replace.

AI marketing that overpromises. "Our AI never makes mistakes." Don't say that. AI makes mistakes. Members must be honest in their marketing.

Cross-jurisdiction use without local registration. AI doesn't expand your scope of practice.

The peer review angle

Your firm's peer review will ask about AI tools. Specifically: - Which AI tools are used - How outputs are reviewed - How client data is handled - How documentation supports the work

Firms without answers are increasingly cited. The trend is toward formal AI policies as a peer-review expectation.

The client communication question

Your engagement letter should address AI use. A version that fits most practices:

"We may use AI-assisted tools to support our work, including for data entry, document review, and draft generation. All such tools meet our security and confidentiality standards. All deliverables are reviewed by a qualified professional before issuance. Your data is handled in accordance with our security and confidentiality policies."

Specific firms add more depending on services offered.

The bottom line

AICPA ethics + AI is mostly about extending existing rules to AI tools. Confidentiality, competence, integrity. None of these change because AI is involved.

The firms doing this well have: - An AI policy - Trained staff - Enterprise tools with proper data terms - Documented review processes - Disclosed AI use in engagement letters

The firms at risk are skipping any of these. Don't.

Not legal advice. Talk to your state board, your peer reviewer, or counsel.