AIRiskAware

Governance 10 min read 2026

AI in Accounting Firms: Governance for Audit, Tax, and Advisory Practices

The Big Four and mid-tier accounting firms are deploying AI at scale across audit, tax, and advisory. The governance requirements — professional standards, independence, confidentiality, and accuracy — create specific obligations that general AI governance frameworks do not address.

Key Takeaways

  • Accounting firms using AI in audit face specific independence considerations: AI tools connected to client systems or trained on client data may create independence threats that must be assessed against professional independence standards.

  • AI in tax practice creates specific accuracy and liability obligations — tax advice assisted by AI carries the same liability as any tax advice, and AI-generated tax positions that are incorrect create professional exposure.

  • APES 110 (Code of Ethics for Professional Accountants) in Australia, and equivalent codes internationally, apply to AI-assisted work — the ethical principles of integrity, objectivity, professional competence, and confidentiality all apply regardless of what tools are used.

  • The IAASB (International Auditing and Assurance Standards Board) and AASB have issued guidance on the use of AI in audit that establishes specific standards for AI-assisted audit procedures.

  • Quality management standards (ISQM 1 and 2 in Australia and internationally) require firms to establish quality policies for new technology — AI tools used in audit and assurance must be within the firm's quality management framework.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. For specific advice, consult a qualified professional."

AI governance for accounting firms — beyond the individual practitioner

While the ICAEW, AICPA, and CA ANZ guidance addresses individual practitioner ethics (covered in detail in our practitioner-focused materials), accounting firms themselves have firm-level governance obligations that go beyond individual professional responsibility. This includes obligations under the AICPA System of Quality Management, ICAEW Quality Management for an Audit of Financial Statements, CA ANZ APES quality management standards, and PCAOB quality control standards for firms that audit public companies.

The firm-level governance question is not "should our staff use AI?" but rather "how does our firm satisfy its quality management obligations when AI is deployed across the firm?" The answer requires firm-level policy, technology controls, supervision, and documentation that individual practitioner ethics alone cannot provide.

Quality Management Standards — what they require for AI

The AICPA's Statements on Quality Management Standards (SQMS) Nos. 1, 2, and 3 are effective from 15 December 2025 for engagements covered by the standards. SQMS 1 requires firms to design, implement, and operate a system of quality management to manage the quality of engagements. For AI specifically, this means: firms must identify quality risks arising from AI use; design responses to those risks (controls); monitor whether the controls are operating effectively; and document the entire system. The ICAEW International Standard on Quality Management 1 (ISQM 1) imposes equivalent obligations on ICAEW firms.

The PCAOB has multiple standards taking effect 2024-2026 covering auditor responsibilities and technology-assisted analysis. PCAOB inspectors are specifically focusing on firms' use of advanced technologies in audits, including AI, and whether firms have appropriate quality controls in place. Firms unable to demonstrate competent and controlled AI use face inspection findings, registration risks, and potential client losses.

Firm-level AI governance policy — what it must address

A firm-level AI governance policy that satisfies regulatory and quality management expectations should cover:

Approved tools. Specific AI tools approved for firm use, with clarity about: which tools may be used for which purposes; data classifications permitted in each tool (no client PII into consumer tools); enterprise vs personal tool boundaries; and prohibited tools (consumer ChatGPT, free Claude, free Gemini are all typically prohibited for client work).

Data handling. What client data may be processed through AI tools; what data may not be (typically all client PII unless using enterprise tools with training-data opt-out and appropriate confidentiality assurance); data residency requirements; encryption and access controls.

Review and sign-off. The competent professional remains responsible for any work product. AI outputs must be reviewed before delivery. The reviewer's standard of review must be documented — not a rubber-stamp, but substantive assessment of accuracy, appropriateness, and consistency with professional standards.

Documentation. What must be retained in the workpaper file when AI is used. Most firms require documentation of: the AI tool used; the purpose of use; the inputs (sanitised of PII where required); the outputs; the human review performed; and any modifications made before client delivery.

Client disclosure. When AI use must be disclosed to clients in engagement letters, deliverables, or otherwise. The ICAEW Code of Ethics (2025 edition in force from 1 July 2025; new edition coming into force 1 July 2026) and equivalent frameworks expect transparency where AI use is material to the engagement.

Training. Required training for staff using AI. The AICPA's Profession Ready Initiative (launched February 2026), CA ANZ Certificate in AI Fluency (2025-2026), and ICAEW AI learning materials all provide structured curricula. Employees receiving formal AI training save 8-19 hours weekly per Karbon's data — and the firm benefits from controlled, competent use.

Risk areas specific to firm-level governance

Confidentiality across clients. A firm that uses AI tools across multiple clients must prevent cross-contamination of confidential information. AI tools that retain context, learn from interactions, or store data between sessions create confidentiality risks. Enterprise-tier tools with training-data opt-out are baseline; some firms additionally segregate AI tool instances by client or engagement.

Independence in audit engagements. AI tools used in audit engagements must not compromise independence. AI vendors that provide consulting or non-audit services to audit clients may create independence threats — firms must apply the same independence assessment to AI vendors as to other service providers.

Reliance on third-party AI for substantive procedures. Where AI is used to perform substantive audit procedures (anomaly detection, journal entry testing, account analysis), the firm must satisfy itself that the AI tool is sufficiently reliable. The PCAOB has specifically focused on whether firms have validated AI tools used in audits — vendor representations alone are not sufficient.

Engagement quality reviewer access to AI. Where engagement quality reviewers must form their own conclusions on contentious matters, they must have access to and understanding of any AI analysis that influenced the engagement team's conclusions. AI black boxes do not satisfy EQR requirements.

Vendor management at firm level

Firm-level vendor management for AI vendors should cover: due diligence before adoption (security attestations, contractual terms, training data sources, professional indemnity); standard contract terms that protect client confidentiality and address professional standards obligations; ongoing monitoring (vendor security incidents, model updates, ownership changes); approved vendor lists with engagement-level checks before deployment; and exit planning for material AI vendor dependencies.

For smaller firms without dedicated procurement functions, professional body resources (AICPA's Trust Services Initiative, ICAEW's Tech Faculty, CA ANZ's Technology Advisory Group) provide vetted recommendations and vendor frameworks. Smaller firms can leverage these resources rather than conducting first-principles vendor assessments.

Practical implementation for accounting firms in 2026

  • Establish firm-level AI governance — appoint a named partner or senior staff member as AI governance lead with authority and budget; create an AI committee covering audit, tax, advisory, and IT/risk functions; document the AI policy and obtain partner sign-off.

  • Conduct an AI tool inventory across the firm — staff are using tools beyond what the firm has formally approved.

  • Update engagement procedures and quality management documentation to reflect AI use.

  • Train all staff on the AI policy and the underlying professional standards.

  • Update engagement letters with appropriate AI disclosure where material.

  • Maintain documentation sufficient for PCAOB, AICPA, ICAEW, or CA ANZ inspection — when the inspectors arrive, the firm needs evidence that the system of quality management addresses AI, not just that an AI policy exists on paper.