AI governance is no longer a future issue for accounting firms — it’s a 2026 reality.
The Texas Responsible Artificial Intelligence Governance Act (HB 149) is already in effect.
Colorado’s high-risk AI law (SB 24-205) goes live June 30.
Utah has amended its AI framework through SB 226 with new disclosure expectations.
For firms operating across multiple states, this isn’t a theoretical compliance exercise anymore. It’s a patchwork of obligations that directly affects how CPAs use AI, how they document it, and how they defend those decisions to clients, regulators, and insurers.
What stands out most right now:
Texas (HB 149) introduces civil penalties tied to certain AI uses.
Colorado (SB 24‑205) becomes enforceable in under 60 days.
Utah (SB 226) sharpens rules around high‑risk generative AI interactions and clarifies disclosure expectations in defined circumstances.
There is still no unified federal framework — meaning firms must track each state individually.
Professional liability carriers are already signaling that existing policies may not respond cleanly to AI‑related claims. That alone should get every managing partner’s attention.
The AICPA’s guidance is clear:
→ Treat AI as a risk issue, not a novelty
→ Embed AI rules into existing IT + security policies
→ Use context‑based disclosure, not blanket statements
→ Assign ownership for keeping policies current
→ Document AI use in a way that is reviewable and defensible
Firms that build governance structures now will have answers ready when clients, regulators, or insurers ask.
Firms that wait will be building under pressure.
AI prepares. Professionals verify.
Defines why the policy exists and where it applies.
Policy Purpose — Establishes AI as a risk domain requiring controls, documentation, and oversight.
Scope of Use — Applies to all firm personnel, contractors, and technology partners using AI in any client‑related or internal workflow.
Systems Covered — Includes generative AI, predictive models, automation tools, and vendor‑embedded AI features.

Ensures clarity and reduces ambiguity.
AI System Definition — What counts as AI within the firm.
High‑Risk AI — Based on state laws (Texas, Colorado, Utah) and AICPA guidance.
Human Oversight — Required human review steps.

Assigns ownership — a key AICPA expectation.
AI Governance Officer — Accountable for updates, monitoring laws, and reporting.
AI Review Committee — Cross‑functional oversight group.
End‑User Responsibilities — Required disclosures, documentation, and prohibited uses.

Defines where AI can be used safely.
Internal Productivity — Drafting, summarization, research.
Client‑Facing Work — Only with documented human review.
Prohibited Uses — High‑risk scenarios, unsupported claims, or unreviewed outputs.

Aligns with state laws and insurer expectations.
Low‑Risk AI — Internal, non‑client, reversible tasks.
Moderate‑Risk AI — Client‑related but fully reviewable.
High‑Risk AI — Requires documentation, approval, and enhanced oversight.

Context‑based, not one‑size‑fits‑all.
Client Disclosure Rules — When and how clients must be informed.
Internal Disclosure — When staff must note AI involvement in workpapers.
State‑Specific Requirements — Texas HB 149, Colorado SB 24‑205, Utah SB 226.

Creates a defensible audit trail.
Workpaper Requirements — What must be recorded when AI is used.
Model Input/Output Logging — Inputs, prompts, decisions, and human review.
Vendor Documentation — Evidence of vendor controls and risk posture.

Integrates with existing IT and security policies.
Data Handling Rules — What data can/cannot be entered into AI tools.
PII & PHI Restrictions — Required redaction and safeguards.
Third‑Party AI Tools — Security review and approval process.

Ensures accuracy and reduces liability.
Human Review Standards — Required for all client deliverables.
Accuracy Checks — Procedures for verifying AI‑generated content.
Bias & Fairness Review — Required for high‑risk AI.

Defines what happens when AI goes wrong.
AI‑Related Incident Definition — Misuse, errors, data exposure, or compliance failures.
Reporting Process — Who must be notified and when.
Corrective Action — Documentation, remediation, and follow‑up.

Ensures staff understand risks and responsibilities.
Annual Training Requirements
Role‑Specific Training
Certification of Understanding

Keeps the framework aligned with evolving laws.
Annual Review Cycle
State Law Monitoring
Version Control