AI Policy for CPA Firms: Practical Build under AICPA Standards

How CPA firms build AI policy aligned with AICPA standards. Roles, rules, training, supervision, audit. Operator-grade framework.

Every CPA firm using AI tools needs a written AI policy. Peer reviewers, state boards, and insurance underwriters are increasingly asking for one. Without it, the firm operates on individual discretion rather than a structured framework.

What the policy must cover

Six components:

  • Tool inventory and scope
  • Roles and accountability
  • Use-case policies
  • Data handling rules under AICPA standards
  • Training and supervision
  • Audit and review process

Each can be a paragraph or a page depending on firm size.

Tool inventory

For each AI tool:

  • Name and vendor
  • Approved use cases
  • Data handling certification (SOC 2)
  • Approval status (Tier 1: approved; Tier 2: conditional; Tier 3: prohibited)
  • Tool owner

Updated quarterly. Most firms discover during this exercise that AI tools are in use that leadership doesn't know about.

Roles

Three roles minimum:

  • AI Sponsor — Principal-level owner (typically managing partner)
  • AI Operator — Operations leader running tools day-to-day
  • AI Compliance Reviewer — Quality control / partner overseeing standards

At firms under 10 CPAs, one person may hold multiple roles.

Use-case policies

Three tiers:

Tier 1 (Permitted without approval):

  • Internal AI use
  • Personal productivity tools
  • AI-assisted research on public information

Tier 2 (Permitted with documented review):

  • AI-generated client communications
  • AI-drafted tax returns and supporting work
  • AI-prepared advisory materials
  • AI document analysis

Tier 3 (Prohibited):

  • AI rendering tax advice directly to clients
  • AI signing returns or representations
  • Consumer-grade AI tools processing client data
  • AI tools without SOC 2 or an equivalent certification

Data handling rules

Four rules under AICPA Rule 301 (Confidentiality):

  • Client data goes only to approved tools. Approved tools have proper handling.
  • PII redaction before AI processing where tools don't redact natively.
  • Retention follows firm records policy, not vendor defaults.
  • Cross-border data transfers require approval.

Training and supervision

Annual training requirements:

  • All CPAs: AI competence training (Rule 201) — 60-90 minutes
  • All staff using AI: tool-specific training
  • New hires: AI policy review within 30 days
  • Supervising CPAs: supervisory obligations
  • AI Compliance Reviewer: regulatory developments

Documentation: training materials, attendance, acknowledgments, knowledge checks.

Audit and review

Cadences:

  • Weekly: Compliance Reviewer samples 5-10 AI-assisted work products
  • Monthly: AI Operator reviews tool usage
  • Quarterly: Full inventory review
  • Annually: Full AI policy refresh + training

What peer reviewers look for

Common questions:

  • Written AI policy?
  • What AI tools in use?
  • How are CPAs trained on AI?
  • How is AI use supervised?
  • How is client confidentiality protected?
  • Documentation supporting AI use?

If the policy answers these and the audit trail backs those answers, peer review is straightforward. If not, deficiencies surface.

Engagement letter language

Modern engagement letters increasingly include:

"Our firm uses AI tools to assist with tax preparation, document analysis, advisory services, and related tasks. All AI-assisted work is reviewed and verified by our CPAs. Client confidentiality is maintained through tools that protect privileged information."

State board considerations

State CPA boards may have specific AI guidance. Reference in firm policy:

  • State board AI guidance if published
  • State-specific requirements
  • Any state-specific data privacy considerations

Insurance interaction

Professional liability insurers increasingly:

  • Ask about AI policy in underwriting
  • Offer premium reductions for documented AI policies
  • Add exclusions for errors in AI-assisted work that was not verified

Maintain the AI policy as part of insurance compliance.

What can go wrong without a policy

Pattern 1: Junior staff using consumer AI with client tax data. Rule 301 breach.

Pattern 2: Inadequate verification of AI output. Errors in returns.

Pattern 3: Inconsistent application across staff. Quality and compliance gaps.

Pattern 4: Peer review findings on AI use. Remediation required.

Pattern 5: Insurance pushback or claim denial. Exposure.

Each is preventable with a structured policy and training.

What we recommend

For CPA firms deploying AI:

  • 4-8 page written AI policy
  • Quarterly tool inventory
  • Annual CPA training (60-90 min)
  • Engagement letter AI language
  • Documented supervision process
  • Quarterly compliance review
  • Annual policy refresh

Total upfront work: 20-40 hours of leadership time. Annual maintenance: 5-10 hours.

Bottom line

AI policy for CPA firms isn't a binder. It's a small set of explicit decisions about what AI does, who oversees it, and how it complies with AICPA standards. Build it once at appropriate rigor, update it quarterly, and it serves the firm long-term.

Firms with a structured AI policy operate confidently. Firms without one face growing scrutiny.

The investment is modest. The protection is substantial.

Frequently asked questions

Do CPA firms need a written AI policy?

Yes — peer reviewers, state boards, and insurance underwriters increasingly ask. A 4-8 page policy covering tool inventory, roles, use-case tiers, data handling, training, and audit is the practical minimum for firms using AI.

What AI tools should be prohibited at CPA firms?

Consumer-grade AI tools (free ChatGPT, Claude) processing client tax data — they don't have proper confidentiality handling under AICPA Rule 301. AI rendering tax advice directly to clients (bypasses CPA judgment). AI without SOC 2 or equivalent.

Who owns AI policy at a CPA firm?

Three roles: AI Sponsor (principal-level owner), AI Operator (operations leader), AI Compliance Reviewer (typically partner overseeing standards). At smaller firms, one person may hold two roles.

How often should AI policy be reviewed?

Quarterly tool inventory review, annual full policy refresh, plus updates when new regulations or tools emerge. AI evolves quickly; the policy must keep pace.

What's the minimum AI training for CPAs?

60-90 minutes annual training covering AICPA Rule 201 (competence) for AI tools used at the firm, plus tool-specific training for staff. New hires within 30 days. Documented acknowledgments.

Need help implementing this?

//prometheus does onsite AI consulting and implementation in Milwaukee. We set it up, train your team, and make sure it works.