Contact Us
 Search

Should I disclose my use of gen AI to clients?

The use of generative AI by accountants is increasing and leading to questions such as, “Should we inform our clients about our use of generative AI? If so, how?

By CNA Accountants Risk Control

In today’s rapidly evolving technological landscape, the use of generative AI is gaining currency in the accounting profession. Not only are CPA firms integrating generative AI into administrative workflows, but a growing number of firms are investigating how deploying generative AI can help them more efficiently deliver solutions to clients. Generative AI options range from publicly available platforms to custom-built systems and include essential programs that also make use of generative AI, such as technical research software. Regardless of the platform or software, CPAs are increasingly asking, “Should we inform our clients about our use of generative AI, and if so, how?

Legal and Ethical Compliance

The analysis starts with assessing whether compulsory requirements exist. The current legal environment is disjointed, and no specific federal law or professional standard applicable to CPAs mandates disclosure when generative AI is used or if client data is used within it. Consider this patchwork of laws, to name a few:

  • The Gramm-Leach-Bliley Act, through the Federal Trade Commission’s Privacy Rule and Safeguards Rule, requires “financial institutions” — which includes CPA firms — to safeguard nonpublic personal information and take steps to ensure that their affiliates and service providers safeguard customer information in their care;
  • Some states, including California and Utah, have enacted laws that require some level of disclosure around the use of generative AI;
  • Existing state consumer/data privacy laws may apply to client data used in generative AI models; and
  • Firms that are subject to the European Union’s General Data Protection Regulation may need to consider the recently enacted EU Artificial Intelligence Act.

On the ethics side, outside of the “Confidential Client Information Rule” included in the AICPA Code of Professional Conduct (the Code), tax preparers subject to AICPA Statements on Standards for Tax Services must also comply with Section 1.3, Data Protection, and make reasonable efforts to protect taxpayer information shared with others.

The legal landscape will likely continue to shift, and future legislation and/or standards may address the disclosure question. Unless a firm’s offices and/or clients are 100% intrastate, it is unlikely that one single disclosure rule will apply. Consequently, as part of ongoing diligence, firms should periodically engage legal counsel to identify laws that may require disclosure to clients, and then ensure any disclosure is compliant.

Trust and Transparency

If, after consultation with an attorney, a CPA determines there is no disclosure requirement, consider the utility of a transparent, voluntary disclosure that tells clients when and how generative AI is used. Being transparent can engender a client’s trust when the CPA is willing to be upfront about how they use generative AI to deliver services and how the firm protects client information — both important to most clients.

Quality of work product

For some clients, expected use of generative AI by their CPA will be a given. Other clients may fully reject its use either on privacy or quality grounds. Regardless of client preference, the limitations of generative AI are such that no CPA should blindly rely on its outputs. This conclusion is echoed in the American Bar Association (ABA) Formal Opinion on Generative Artificial Intelligence Tools (July 29, 2024) (the ABA Opinion), which states that a lawyer’s reliance on a generative AI tool’s output without independent verification or review could violate the duty of competent representation. The lack of an authoritative, generative AI-specific standard applicable to CPAs is not likely to help defend a negligence assertion that the work was not properly reviewed prior to delivery to the client.

Data protection

CPAs using generative AI can anticipate clients inquiring about a number of areas, including how their information is stored; whether their data is used to further train the generative AI model; who has access; whether their data is shared outside of your organization; how data is retained, by both the firm and any external provider(s); and whether the generative AI has de-identification procedures for stored information. Before you pay to license any generative AI software or major application utilizing generative AI, ask the provider about how they protect client information, understand the contract terms (especially risk transfer and data ownership), review the provider’s responsibilities in the event of a data security incident, and make sure your questions are answered to your and/or your IT professional’s satisfaction.

If a firm develops its own generative AI, consider the topics above both from an operational risk perspective and possibly from a buyer’s perspective. Although internally developed generative AI may appear to lack third-party disclosure concerns, firms may wish to monetize their investment in internally developed technologies and may ultimately choose to license or sell their generative AI. Or they may simply be the target in a CPA firm mergers-and-acquisitions transaction. Client data used in creating generative AI platforms raises unique intellectual property questions, and these and other questions about future transactions involving internally developed generative AI are novel.

Risks when transparency is lacking

With any new, cutting-edge technology, there is a level of wariness until it is understood and accepted. If a CPA over-relies on generative AI output and that overreliance is coupled with a failure to disclose generative AI use upfront, the client may interpret this as an intentional deception. In the event of a loss, the combination of new tech distrust and suboptimal work product may result in a plaintiff’s argument that the CPA lacked subject matter competence or, in the extreme, the CPA fraudulently misrepresented their service capabilities.

Both quality and data concerns should prompt CPAs to consider what happens to client trust if the client learns that generative AI was part of their service without their knowledge or their data was used in generative AI without their explicit consent. It may be worth erring on the side of caution through client disclosure and consent. Disclosure gives the client the ability to make an informed decision on whether they want to proceed with services that use generative AI, and consent gives them control over their information shared with the model.

Creating Disclosure and Consent

In the absence of a controlling professional standard, CPAs who opt to create disclosures and consents may wish to consider the guidance included in the ABA Opinion. The ABA Opinion requires a generative AI-use consent be an informed consent, and explicitly notes that “merely adding general, boiler-plate provisions to engagement letters purporting to authorize the lawyer to use generative AI is not sufficient.” The difference between consent and informed consent perhaps can be best understood by comparatively examining the descriptions of general and specific consent found in ET Section 1.110.010, Conflicts of Interest for Members in Public Practice, paragraph .13 of the Code. Specific consent is deemed to be sufficient to enable the client to make an informed decision with respect to a matter, whereas general consent is not. The language included in the Code and related to specific consent — an explanation of the situation and any planned safeguards — is more consistent with the ABA Opinionwhich lists several indicators of informed consent, including the extent of and specific information about the risk of generative AI usage and informing the client of the professional’s best judgment on why generative AI is being used.

When creating a disclosure and/or consent, consult with legal counsel to draft a clear and comprehensive document that accurately reflects the firm’s generative AI use and policies, and adheres to applicable laws, regulations, and professional standards. Use straightforward language to help clients easily understand what generative AI the firm uses, whether the firm is creating its own generative AI from existing client data, and how generative AI will be used in furtherance of the services provided. In addition to describing how generative AI will be used, a disclosure and consent will also likely address:

  • The firm’s quality control procedures to be followed prior to final delivery of the work product;
  • The client’s consent to the disclosure of confidential information to third parties in support of the firm’s services;
  • The firm’s responsibility to prevent unauthorized release of the client’s confidential information; and
  • A request for the client’s consent to engagement performance under those conditions.

If the disclosure/use involves tax return information, consider Regs. Sec. 301.7216-2 and assess if the disclosure/use requires consent in the format required by Sec. 7216 and Regs. Sec. 301.7216-3.

Regular review and updates to the disclosure and consent and firm policies to reflect any changes in generative AI usage or data security practices, as well as any changes to laws and regulations, is recommended. Training of employees on the importance of disclosure and consent is also suggested. This helps promote a culture of transparency and trust within the firm.

The Original ‘New Normal’

In the Information Age, consumers have become attuned to which businesses misuse client data and which do not. Some businesses understand that being transparent enhances both client trust and their public reputation, and some businesses have yet to learn this lesson. Transparency also empowers clients to make informed decisions. Increasingly, clients want to know who has access to their data and how their data is protected. Whether a CPA uses client data in generative AI for professional services, marketing, or administrative tasks, upfront disclosure can acknowledge clients’ concerns about their sensitive information.

Gen AI adoption

39.4%: As of August 2024, about 4 in 10 U.S. adults ages 18-64 had used generative AI, with 28% using it at work and 32.7% using it outside of work. Workers have adopted generative AI at a much faster clip than they did either the internet or personal computer.
 
Source: The Rapid Adoption of Generative AI.

For more information about this article, contact [email protected].

A version of this article originally appeared in the Journal of Accountancy.

Share:

Print:

Print Friendly and PDF

How Helpful Was This Article?

 

Related Content

Responding to Client Requests for Confidentiality
Responding to Client Requests for Confidentiality
Clients are increasingly requesting CPA firms impose confidentiality agreements as a precondition to engaging the firm to perform professional services.  This article is designed to help identify a roadmap on how to address these requests.
Generative AI and risks to CPA firms
Generative AI and risks to CPA firms
Cybersecurity is a necessity for CPA firms who accelerated their digital transformation during the pandemic and are now particularly vulnerable to an attack.

Related Products

Professional Liability Program for CPA Firms
Professional Liability
Learn More

Assistance with the associated legal and defense fees in the event of a lawsuit for errors and omissions.

Cyber Liability
Cyber Liability
Learn More

Replace lost income and cover expenses caused by data breaches involving sensitive customer data.

Specialty Coverage for AICPA Member Firms
Specialty Coverage
Learn More
Protect your firm and your employees from errors and omissions in the performance of your professional services.

This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
 
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.
 
Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.
 
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.
 
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claim activities.
 
Copyright © 2025 CNA. All rights reserved.

AICPA Member Insurance Programs
1100 Virginia Drive, Suite 250
Fort Washington, PA 19034

Plans

Education + Resources

Legal

Quick Links