MYCPE ONE

Important Disclaimer

This document is based on extensive review of publicly available regulatory text, IRS publications, AICPA ethics guidance, and FTC rules as of April 2026. It reflects our research and practical experience working with CPA and accounting firms. It does not constitute legal advice. CPA firms should consult qualified legal counsel before making compliance decisions based on this document. Regulatory guidance on AI in tax practice is actively evolving; firms should monitor IRS, AICPA, and state board updates continuously.

References to specific AI platforms are illustrative. The regulatory analysis applies equally to any AI-assisted product that processes client tax or financial data, regardless of vendor.

Section 1: Does § 7216 Apply?

Short Answer: Yes. IRC § 7216 applies to AI tool use with client tax data. No IRS safe harbor, exemption, or carve-out exists for AI platforms as of April 2026. The statute's language is technology-neutral and broad enough to capture virtually every real-world AI use case in tax preparation and bookkeeping.

Why It Matters Now

The accounting profession is rapidly adopting artificial intelligence. AI tools have moved from experimental to mainstream in tax preparation, bookkeeping, and financial reporting workflows. 

Products like ChatGPT, Claude, Google Gemini, Intuit Assist, SurePrep TaxReaderAI, TaxDome AI, Botkeeper, Vic.ai, Canopy, and scores of others now handle tasks that were previously performed entirely by human staff — categorizing transactions, drafting schedules, identifying deductions, summarizing financials, and even preparing draft returns.

This adoption is outpacing regulatory guidance. CPA firms are implementing AI tools under the assumption that existing consent frameworks — designed for offshore human staffing — either do not apply or are satisfied by a generic engagement letter reference to 'third-party providers.' Both assumptions are legally risky.

The Operative Question

The legal question is not whether an AI tool is intelligent, automated, or cloud-based. The question is:

The Test: Did the CPA firm submit client-identifiable tax return information to a third-party system? If yes, a disclosure under IRC § 7216 has occurred and consent is required unless a specific statutory exemption applies.

No published exemption under § 7216 or its regulations covers disclosure to a general-purpose or tax-specific AI platform. The 'administrative exception' — which excuses disclosure to software used purely for storage, hosting, or e-filing — does not reach AI tools performing substantive analytical work.

Section 2: Legal Provisions

IRC § 7216 — The Core Prohibition

The statutory text of IRC § 7216(a) reads:

"Any person who is engaged in the business of preparing, or providing services in connection with the preparation of, returns of the tax imposed by chapter 1, or any person who for compensation prepares any such return for any other person, and who knowingly or recklessly — (1) discloses any information furnished to him for, or in connection with, the preparation of any such return, or (2) uses any such information for any purpose other than to prepare, or assist in preparing, any such return, shall be guilty of a misdemeanor..." 

26 U.S. Code § 7216

Key Defined Terms Under Treasury Regulation § 301.7216-1

| Term | Regulatory Definition | Application to AI Tools |
| --- | --- | --- |
| Disclosure | Any disclosure of return information to any person in any manner — including revealing, publishing, or otherwise making available tax return information. | Submitting client W-2s, 1099s, bank statements, QuickBooks data, or any return-connected data into an AI platform constitutes a disclosure to that platform's operator (OpenAI, Google, Anthropic, Intuit, etc.). |
| Use | Any use of return information in connection with the preparation of any return or refund claim. | Using AI to categorize transactions for a Schedule C, identify deductions, prepare journal entries, or draft any return-related work product is a 'use' of return information. |
| Tax return information | Broadly defined: any information, including taxpayer identity, the nature, source, or amount of income, receipts, deductions, and ANY information furnished to the preparer in connection with a return. | Covers virtually all bookkeeping data when being used in the tax preparation chain — revenue, expenses, bank feeds, payroll records, depreciation schedules. |
| Tax return preparer | Any person who prepares a return for compensation, or who employs another who does so. The definition is entity-level — the firm, not just the individual preparer. | CPA firms using AI clearly qualify. Liability applies to the firm even when AI use is by an individual staff member or offshore team. |


Section 3: IRS § 7216 — Full Analysis for AI Context

The Permitted Exceptions and Why None Cover AI

Treasury Regulation § 301.7216-2 lists approximately 20 categories of disclosures that are permitted without taxpayer consent. These include disclosure to the IRS itself, to the taxpayer, for quality review within the same firm, and for certain legal or administrative purposes. The critical point: none of these exceptions cover disclosure to a third-party AI platform.

| Exemption Category (§ 301.7216-2) | What it covers | Does it cover AI tools? |
| --- | --- | --- |
| Administrative exception | Software used purely for record storage, hosting, or authorized e-file transmission (e.g., tax software for e-filing, cloud file storage) | No. AI performing substantive analytical work (categorization, deduction identification, schedule drafting) is not 'administrative support.' This exception covers tools, not processors. |
| Disclosure within the same firm | Sharing information among partners, employees, or members of the same firm for purposes of return preparation. | No. An AI platform operated by OpenAI, Google, Anthropic, or any SaaS vendor is not a member of the CPA firm. Third-party ≠ same firm. |
| Quality or peer review | Disclosure for a quality or peer review of the preparer's professional services by another tax return preparer. | No. AI tools are not conducting peer review. This exemption is for human professional review processes. |
| Disclosure to taxpayer's attorney | Disclosure at the direction of the taxpayer to the taxpayer's attorney. | No. AI platforms are not attorneys and there is no client direction to disclose to a specific AI vendor. |

Critical Finding: As of April 2026, the IRS has issued zero guidance — no revenue procedure, notice, regulation, or FAQ that creates any exemption or safe harbor for the use of AI tools in tax preparation. Every AI-assisted workflow involving client tax data requires affirmative consent unless and until such guidance is issued.

The Pivotal Distinction: Tool vs. Processor

The distinction between a software tool (no consent required) and a third-party service provider (consent required) is the most contested issue in applying § 7216 to AI. The following test helps firms evaluate each AI use case:

| The Question | 'Tool' — Likely No Consent Needed | 'Third-Party Processor' — Consent Required |
| --- | --- | --- |
| Does client-specific data enter the AI? | No client PII or return information is submitted. AI works on generic templates or anonymized data. | Client name, SSN, EIN, income, expenses, or any identifiable return data is submitted to the AI. |
| Is the AI performing substantive work? | Formatting, spell-checking, or producing generic output that the preparer fully rewrites. | Categorizing transactions, identifying deductions, drafting schedules, summarizing financials, preparing return inputs. |
| Who controls the data after submission? | Data stays within the firm's own systems; no transmission to an external party. | Data is transmitted to and processed by a third-party server (OpenAI, Google, Anthropic, SaaS vendor). |
| Could the data be used for model training? | Platform has explicit no-training commitments for the firm's data under a signed DPA. | Consumer/free tier: default settings may allow training use. No DPA in place. |


Foreign Data Processing — The § 301.7216-3(b)(4) Additional Requirement

If the AI platform processes data on servers located outside the United States (or if a foreign entity operates the AI), § 301.7216-3(b)(4) imposes an additional requirement: the disclosure is only permissible if both the U.S. preparer and the foreign processor maintain an 'adequate data protection safeguard.'

Adequate Data Protection Safeguard — Definition

Under § 301.7216-3(b)(4), an adequate safeguard is a management-approved security program meeting one or more of the following frameworks:

  • U.S. Department of Commerce Safe Harbor framework (or successor — now EU-U.S. Data Privacy Framework)
  • A foreign law data protection safeguard with a security component (e.g., EU GDPR, UK GDPR)
  • Industry-specific financial security standard (e.g., BITS Financial Services Security Standard)
  • AICPA/CICA Privacy Framework
  • IRS Publication 1075 — Tax Information Security Guidelines
  • Any other framework providing equivalent privacy protection

Global AI Infrastructure Warning: Major AI platforms process data across global server networks. OpenAI operates infrastructure in U.S. and EU data centers. Google operates globally. Anthropic's API infrastructure is primarily U.S.-based but subject to change. CPA firms cannot assume U.S.-only processing. Enterprise agreements with specific data residency terms are required to satisfy § 301.7216-3(b)(4).

Consent Requirements — What § 7216 Demands for AI

When consent is required — which is the default for AI tool use — the following elements are mandatory under Rev. Proc. 2013-14 (for 1040 work) and § 301.7216-3 (for all other returns):

| Consent Element | Standard Requirement | AI-Specific Consideration |
| --- | --- | --- |
| Identification of recipient | Must name the specific third-party recipient of the disclosure. | Must name the AI platform (e.g., 'OpenAI, LLC, operator of ChatGPT') or at minimum the category ('AI-assisted tax preparation tools'). Generic 'third-party providers' language is insufficient for a specific AI disclosure. |
| Purpose of disclosure | Must state the purpose for which the return information will be disclosed or used. | Must describe the AI function: 'to assist in categorizing financial transactions,' 'to assist in identifying applicable deductions,' 'to assist in drafting return schedules.' |
| Specific information disclosed | Must specify what tax return information will be disclosed. | Should identify data categories: income information, expense data, payroll records, bank statements, prior-year returns, etc. |
| Foreign processor disclosure | If recipient is outside U.S., must disclose the name of the foreign company/preparer. | If AI processing occurs outside U.S., the foreign data center operator's identity or the platform's processing locations must be addressed in the consent. |
| Affirmative opt-in | Consent must be affirmative — opt-out consent is expressly prohibited under Rev. Proc. 2013-14. | Pre-checked boxes, assumed consent from engagement letter signature, or implied acceptance do not satisfy § 7216. Each client must actively consent. |
| Validity period | If not specified, consent is valid for one year from signature. Multi-year consent (5–10 years) is recommended. | AI consent should specify that it covers the current and future use of named or equivalent AI-assisted tools throughout the engagement. |


Criminal and Civil Penalties

| Provision | Penalty | Reference |
| --- | --- | --- |
| IRC § 7216(a) — Criminal | Up to 1 year imprisonment and/or fine up to $1,000 per violation (per client/return) | 26 U.S.C. § 7216 |
| IRC § 6713 — Civil | $250 per unauthorized disclosure, maximum $10,000 per year per preparer | 26 U.S.C. § 6713 |
| EFIN Revocation | Suspension or permanent revocation of electronic filing privileges | IRS Publication 3112; Rev. Proc. 2007-40 |


AICPA Professional Conduct — How Existing Rules Apply to AI

Note: The AICPA has not issued an AI-specific ethics ruling as of April 2026. However, its existing Professional Code of Conduct applies directly and unambiguously to AI tool use. The AICPA's Technology and AI Task Force has confirmed this interpretation in advisory materials.

Rule-by-Rule Analysis

| AICPA Rule | What It Requires | How It Applies to AI | Risk Level |
| --- | --- | --- | --- |
| ET § 1.700.001 Confidentiality | Member shall not disclose any confidential client information without specific consent of the client. | Submitting client data to an AI platform without consent breaches this rule — independent of § 7216 criminal liability. Applies to ALL AICPA members. | [HIGH RISK] |
| ET § 1.150.040 Third-Party Service Providers | Before using a TPSP for substantive client work, must inform client in writing (preferably), unless administrative exception applies. | An AI platform performing substantive work on client data (transaction categorization, deduction analysis, return drafting) is a TPSP under this rule. Client disclosure required. | [HIGH RISK] |
| ET § 1.700.040 Confidentiality — Protection | Must either have a contractual agreement with TPSP to maintain confidentiality, OR obtain specific client consent. | Consumer AI ToS (ChatGPT Plus, Gemini free) is NOT a confidentiality agreement for client tax data. Enterprise DPA required, or specific consent must be obtained. | [HIGH RISK] |
| ET § 1.300.040 Due Diligence & Supervision | Must ensure TPSP has required professional qualifications, technical skills; must adequately supervise; must obtain sufficient data to support work product. | Requires vetting AI platform's accuracy, hallucination risk, data security. CPA must review all AI output — cannot 'pass through' AI work without professional review. | [MEDIUM-HIGH] |
| ET § 0.300.040 Objectivity | Member must be free from conflicts of interest that impair professional judgment. | Using AI tools with financial ties to tax preparation outcomes (AI-recommended products, referral arrangements) may create conflicts that must be disclosed. | [MEDIUM] |


The Administrative Exception and Why It Does Not Rescue Most AI Use

ET § 1.150.040 contains an administrative exception: firms need not inform clients when using TPSPs for 'administrative support services' such as record storage, software hosting, or authorized e-file transmittal.

The operative question is whether AI tools fall within this exception. They do not when they are performing substantive analytical work. 

The test is function, not technology: if the system is categorizing, analyzing, interpreting, or generating tax-related work product from client data, it is performing substantive work, not administrative support.

| AI Use Case | Administrative Exception? | Rationale |
| --- | --- | --- |
| Tax software stores client returns in cloud (e.g., Lacerte, UltraTax hosted) | YES — likely exempt | Storage/hosting only. No AI analysis of client data. |
| AI tool spell-checks or formats output with no client data | YES — likely exempt | No client tax return information submitted. |
| AI categorizes bank transactions for Schedule C | NO — consent required | Substantive analytical work on client income/expense data. |
| AI identifies deductions from client financial data | NO — consent required | Substantive tax preparation work using return information. |
| AI platform (Intuit Assist, TaxDome AI) processes return data | NO — consent required | Substantive processing by a TPSP; administrative exception does not apply. |
| AI generates draft return schedules from client data | NO — consent required | Core tax preparation function performed by a third party. |
| AI reconciles bookkeeping entries from bank feeds | NO — consent likely required | If bookkeeping is part of tax preparation chain, return information is being used. |


FTC Safeguards Rule — The Most Underappreciated AI Risk

Why Firms Qualify

The FTC Safeguards Rule (16 CFR Part 314), enacted under the Gramm-Leach-Bliley Act, applies to all 'financial institutions' as broadly defined. This definition includes any entity 'engaging in an activity that is financial in nature' — which expressly covers tax preparation and bookkeeping services.

Per 12 CFR § 225.28(b)(6)(vi) — referenced in the FTC Safeguards Rule — tax planning and preparation services are a listed financial activity. An accounting firm providing these services is a financial institution for FTC Safeguards Rule purposes. This is settled regulatory interpretation. Reference: 16 CFR Part 314

AI as Service Provider — What the Rule Requires

Under § 314.4(f), a financial institution (the CPA firm) must:

  1. Take reasonable steps to select and retain service providers that maintain appropriate safeguards for customer information.
  2. Require service providers by contract to implement and maintain such safeguards.
  3. Periodically assess service providers based on the risk they present and the continued adequacy of their safeguards.

An AI platform that receives, maintains, or processes client financial data is a 'service provider' under the FTC Safeguards Rule. 

The CPA firm cannot satisfy its § 314.4(f) obligations without:

  • A signed Data Processing Agreement (DPA) or equivalent contract with the AI vendor
  • Evidence that the AI vendor maintains appropriate security safeguards
  • A periodic risk assessment documenting the AI vendor's security posture
  • Documentation of AI tool use in the firm's Written Information Security Plan (WISP)

FTC Penalties for Non-Compliance

  • Civil fines up to $100,000 per violation under Title 18 of the United States Code
  • Personal liability for firm leaders: up to $10,000 per violation
  • Potential imprisonment of up to five years for willful non-compliance
  • Reputational harm and private litigation exposure from client data incidents involving uncontracted AI platforms

Section 6: Scope — Which AI Products Are Covered

This analysis covers all AI-assisted products that process client tax or financial data. The regulatory framework does not distinguish between general-purpose AI (ChatGPT, Claude, Gemini) and purpose-built tax AI products. What matters is whether client tax return information is being disclosed to or used by a third-party system.

Product Categories and Compliance Status

| Product Category | Primary Function | § 7216 Exposure | FTC/AICPA Exposure |
| --- | --- | --- | --- |
| General-Purpose LLMs (ChatGPT, Claude, Gemini) Consumer/Pro tiers | Broad AI — used ad hoc for tax analysis, bookkeeping, return drafting when client data is pasted in | HIGHEST RISK. No DPA. No consent framework. Default training policies. Consumer ToS not designed for tax data. | HIGH. No contractual safeguards. Fails FTC § 314.4(f) service provider requirements and AICPA ET § 1.700.040. |
| General-Purpose LLMs Enterprise Tiers (ChatGPT Enterprise, Claude for Enterprise, Gemini for Workspace) | Same broad AI with enterprise data handling commitments | MEDIUM RISK. DPA available. No training on customer data. BUT: § 7216 consent still required — DPA does not substitute for client consent. | MANAGEABLE with proper DPA, WISP documentation, and AICPA ET § 1.700.040 contractual safeguard satisfied. |
| Tax-Specific AI SaaS (SurePrep TaxReaderAI, TaxDome AI, Intuit Assist, Canopy AI, Karbon AI) | Automates specific tax workflow steps: document extraction, return assembly, client communication | MEDIUM-HIGH RISK. Purpose-built for tax data — but are still third-party processors. § 7216 consent required. Check each vendor's DPA. | Varies by vendor. Some (Intuit, Drake) have established data security programs. Others are newer. Perform due diligence per AICPA § 1.300.040. |
| AI Bookkeeping Platforms (Botkeeper, Vic.ai, Docyt, Dext Precision, AutoEntry AI) | Automated transaction categorization, bank reconciliation, AP/AR processing using machine learning | MEDIUM-HIGH RISK when bookkeeping is part of the tax prep chain. Even if not directly preparing a return, processing return information triggers § 7216 if data will be used for a return. | FTC Safeguards Rule applies. Review vendor SOC 2 reports, DPAs, and security posture before engagement. |
| AI Document Extraction (Copilot for M365, Adobe Acrobat AI, AWS Textract for tax docs) | OCR + AI extraction of data from tax documents, W-2s, 1099s, bank statements | HIGH RISK — directly processes the most sensitive return information (SSN, income, identity). § 7216 consent required. | Enterprise agreements available (Microsoft Copilot for M365 with DPA, AWS with BAA/DPA). Consumer versions insufficient. |
| AI Practice Management (TaxDome, Karbon, Financial Cents with AI features) | Client portals, workflow management, automated client communications with AI-generated content | LOWER RISK if AI features are limited to workflow management. Risk escalates if AI accesses or analyzes return data. | Review whether AI features access client financial data. Most established practice management vendors have adequate DPA frameworks. |


The Key Point: The regulatory analysis does not depend on the vendor's marketing language. A product marketed as an 'AI tax assistant' is subject to the same § 7216 analysis as a firm's staff member using ChatGPT to analyze a client P&L. The question is always: was client tax return information disclosed to a third party without consent?

MYCPE ONE Recommendations for CPA Firms

Immediate Actions — Do These Now

Stop Now: Immediately discontinue use of consumer/free tier AI platforms (ChatGPT Plus, Gemini Standard, Claude.ai consumer) for any work involving client-identifiable tax return information, financial statements, or bookkeeping data. There is no contractual basis for a compliant disclosure under § 7216 or the FTC Safeguards Rule under standard consumer terms of service.

Recommended Action Framework

| Action Area | What to Do | Priority | Owner |
| --- | --- | --- | --- |
| 1. Platform Selection | Identify all AI tools currently used by firm and offshore staff. For each tool, determine whether it has an enterprise DPA, no-training commitment, and breach notification obligation. Retire consumer tools immediately. Migrate to enterprise versions with signed DPAs. | NOW | Managing Partner / IT |
| 2. Engagement Letter Update | Update all engagement letters to disclose AI tool use. Name the specific platforms (or categories). Describe the function. Include § 7216 consent language covering AI platforms. Use the model language provided in Section 11 of this document. | NOW | Tax Manager / Counsel |
| 3. WISP Update | Update the firm's Written Information Security Plan to document all AI tools used in tax and bookkeeping workflows, the DPAs in place, access controls, and the periodic review schedule for AI platform security. | NOW | IT / Compliance |
| 4. Offshore AI Policy | Establish a written AI Acceptable Use Policy for all offshore staff handling U.S. client data. Name approved AI platforms. Prohibit unapproved platforms for client data. Require supervisor review of all AI output. Include in offshore provider agreement. | NOW | Offshore Lead |
| 5. Insurance Review | Contact E&O / professional liability insurer. Confirm that AI-assisted work is covered under current policy. Disclose AI tool use during renewal. Insurers are increasingly asking about AI practices — undisclosed use may void coverage. | SOON | Managing Partner |
| 6. Data Minimization Protocol | Establish a protocol for anonymizing or de-identifying client data before AI processing wherever technically feasible. Remove SSNs, EINs, and client names from data submitted to AI tools when the AI function does not require identity. The § 7216 risk drops substantially when identifiers are removed. | SOON | Operations |
| 7. Monitoring & Annual Review | Designate a responsible individual to monitor IRS, AICPA, and state board guidance on AI. Schedule annual review of all AI tools and DPAs. Update WISP and consent language as guidance evolves. Build AI governance review into the same cycle as offshore provider assessment. | ONGOING | Compliance Lead |
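
One way to implement the de-identification step in item 6 (Data Minimization Protocol), shown as an added example that is not part of the original document. The class and function names, the token format, and the sample text are hypothetical and constructed for illustration; pattern-based redaction is a baseline and does not catch addresses, account numbers, or names the firm has not listed.

```python
import re

# Strict patterns: well-formed identifiers that are redacted automatically.
STRICT = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EIN", re.compile(r"\b\d{2}-\d{7}\b")),
]
# Loose pattern: nine digits, bare or grouped 3-2-4 with space, dot or dash.
# Anything it still finds after redaction blocks the submission for review.
LOOSE_TIN = re.compile(r"(?<!\d)\d{3}[ .-]?\d{2}[ .-]?\d{4}(?!\d)")
TOKEN = re.compile(r"\[(?:SSN|EIN|CLIENT)_\d+\]")


class Deidentifier:
    """Swaps identifiers for stable tokens; the token map stays inside the firm."""

    def __init__(self, client_names):
        self._to_token = {}   # (kind, normalized value) -> token
        self._to_value = {}   # token -> first-seen original value
        self._counts = {}
        # Longest names first so a full name wins over a shorter overlap.
        names = sorted(set(client_names), key=len, reverse=True)
        alternation = "|".join(re.escape(n) for n in names)
        self._name_re = (
            re.compile(r"(?<!\w)(?:" + alternation + r")(?!\w)", re.IGNORECASE)
            if names else None
        )

    def _token(self, kind, value):
        key = (kind, value.lower())
        if key not in self._to_token:
            self._counts[kind] = self._counts.get(kind, 0) + 1
            token = f"[{kind}_{self._counts[kind]}]"
            self._to_token[key] = token
            self._to_value[token] = value
        return self._to_token[key]

    def redact(self, text):
        for kind, pattern in STRICT:
            text = pattern.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        if self._name_re:
            text = self._name_re.sub(lambda m: self._token("CLIENT", m.group(0)), text)
        return text

    def restore(self, text):
        """Re-identify AI output locally, after it has come back to the firm."""
        return TOKEN.sub(lambda m: self._to_value.get(m.group(0), m.group(0)), text)


def prepare_for_ai(text, deid):
    """Redact, then fail closed if anything resembling a TIN is still present."""
    redacted = deid.redact(text)
    leftovers = LOOSE_TIN.findall(redacted)
    if leftovers:
        raise ValueError(f"{len(leftovers)} possible identifier(s) remain; review manually")
    return redacted


# Constructed sample input (not real taxpayer data).
SAMPLE = (
    "Client: Jane Q. Example, SSN 123-45-6789\n"
    "Employer EIN 12-3456789 paid wages of 58,200.00\n"
    "Prior-year return lists 123-45-6789 for jane q. example\n"
)

if __name__ == "__main__":
    deid = Deidentifier(["Jane Q. Example"])
    print(prepare_for_ai(SAMPLE, deid))
```

The same value always maps to the same token, so the AI tool can still relate records to each other, while the mapping needed to reverse the tokens never leaves the firm's systems.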


Model Engagement Letter Language for AI Tool Disclosure

The following paragraphs are designed to be inserted into CPA firm engagement letters to satisfy § 7216 consent, AICPA ET §§ 1.150.040 and 1.700.040, and FTC Safeguards Rule § 314.4(f) requirements for AI tool use. Counsel should review before adoption. 

State-specific requirements may impose additional obligations. Adapt bracketed fields to your firm's specific AI tools and practices.

Option A: Broad AI Disclosure (Recommended for Most Firms)

Use when firm uses or may use AI tools but prefers not to name specific vendors in the engagement letter (which would require amendment each time a new tool is adopted).

Use of Artificial Intelligence and Technology Service Providers

In providing services under this engagement, [Firm Name] may use artificial intelligence (AI) tools and AI-assisted software platforms as part of our work processes. These tools may be used to assist with transaction categorization, document processing, data analysis, schedule preparation, and other functions related to the professional services described in this engagement letter.

Your consent: In accordance with Section 7216 of the Internal Revenue Code and Treasury Regulation § 301.7216-3, your signature below constitutes your affirmative consent for [Firm Name] and its service providers — including AI and software tools used in our work processes — to receive, process, and use your tax return information as necessary to provide the services described in this engagement.

AI tools used in our practice operate under enterprise-grade data agreements that prohibit the use of your information for the training of AI models and that require appropriate data security safeguards. [If offshore staff are used: Some services may be performed by staff or service providers located outside the United States, including [name of offshore provider], located in [country]. All such service providers are contractually required to maintain data security safeguards that meet the requirements of § 301.7216-3(b)(4) of the Treasury Regulations.]

We remain responsible for all work product produced under this engagement, including work assisted by AI tools. You may withdraw this consent at any time by notifying us in writing, in which case we will notify you whether we are able to continue the engagement on that basis.

This consent is valid for a period of [five (5) years] from the date of your signature below, or for the duration of our engagement, whichever is shorter.

Option B: Named AI Vendor Disclosure (Use When Specific Platform is Central to Workflow)

Use when a specific AI platform (e.g., an AI bookkeeping tool) is integral to the engagement and naming it provides greater transparency. Requires amendment if the vendor changes.

Section 7216 Consent — AI-Assisted Services

[Firm Name] uses [Name of AI Platform, e.g., Botkeeper, Vic.ai, or similar] to assist with [describe function: e.g., automated transaction categorization and bookkeeping services / AI-assisted tax document processing]. In providing these services, your financial and tax return information, including [describe: e.g., bank transaction records, income and expense information, payroll data], will be shared with [Name of AI Platform], operated by [Vendor Company Name], located at [Address / Country of operation].

By signing this engagement letter, you affirmatively consent to this disclosure pursuant to IRC § 7216 and Treasury Regulation § 301.7216-3. [If outside U.S.: [Vendor Name] is located outside the United States. [Vendor Name] maintains an adequate data protection safeguard as required by § 301.7216-3(b)(4) under [specify framework: e.g., the EU-U.S. Data Privacy Framework / ISO 27001 / IRS Publication 1075 equivalent].] This consent is valid for [five (5) years] from the date of signature.

Electronic Consent — Additional Requirements

If consent is obtained electronically (via DocuSign, client portal, or similar), the following additional requirements under Rev. Proc. 2013-14 apply for 1040 engagements:

  • The taxpayer must affirmatively enter 5 or more unique characters to authorize consent (e.g., typing their name — the system must not pre-populate it)
  • Consent text must be presented on the screen with no other content, and must be readable and printer-friendly
  • Electronic signature and date must be captured
  • For non-1040 work, electronic consent requirements are somewhat more flexible but must still satisfy § 301.7216-3 and be affirmative

Pre-Implementation Checklist for AI Tools

Use this checklist before implementing any new AI tool that will process client tax or financial data. Complete for each AI platform or AI-assisted product. Document responses and retain with firm compliance files.

Part A: Initial AI Tool Assessment

| Question | Yes / No / N/A | Notes / Evidence |
| --- | --- | --- |
| A1. Does this AI tool process, receive, or have access to client-identifiable tax return information (names, SSNs, EINs, income, expense data, or any information furnished in connection with return preparation)? |  |  |
| A2. Is the AI tool operated by a third party (not a member of the CPA firm)? |  |  |
| A3. Does the AI tool perform substantive work on client data (analysis, categorization, drafting, identification of items) — beyond mere storage or transmission? |  |  |
| A4. Are the AI platform's servers located outside the United States (fully or partially)? |  |  |
| A5. Will the AI tool be used by offshore staff in connection with U.S. client tax data? |  |  |



If A1 and A2 are both Yes: proceed with full checklist. If A1 or A2 is No: the AI tool may qualify for the administrative exception — document your reasoning and stop here if satisfied. If A4 is Yes: § 301.7216-3(b)(4) adequate data protection safeguard requirements apply.

Part B: Vendor Due Diligence (§ 7216 / AICPA ET § 1.300.040)

| Requirement | Satisfied? (Y/N) | Documentation / Notes |
| --- | --- | --- |
| B1. Vendor has been identified by legal name and business address. |  |  |
| B2. Data Processing Agreement (DPA) or equivalent contract has been reviewed and signed. |  |  |
| B3. DPA confirms client data will NOT be used to train AI models. |  |  |
| B4. Vendor's data security framework has been reviewed (SOC 2 Type II report, ISO 27001, or equivalent). |  |  |
| B5. If vendor is outside U.S. or processes data outside U.S.: vendor meets an 'adequate data protection safeguard' under § 301.7216-3(b)(4) (e.g., EU-U.S. DPF, GDPR, ISO 27001, IRS Pub. 1075 equivalent). |  |  |
| B6. Vendor references or customer reviews from other accounting firms have been obtained. |  |  |
| B7. Vendor's breach notification obligations and timeline are documented in the DPA or contract. |  |  |
| B8. Vendor's data retention and deletion policies are documented and acceptable. |  |  |
| B9. Vendor's subprocessor list has been reviewed (who else handles the data — e.g., cloud infrastructure providers). |  |  |
| B10. Vendor's AI output accuracy limitations and hallucination risk have been assessed and documented. |  |  |



Part C: § 7216 Consent Verification

| Requirement | Satisfied? (Y/N) | Documentation / Notes |
| --- | --- | --- |
| C1. Engagement letter or standalone consent form discloses AI tool use. |  |  |
| C2. Consent identifies the AI vendor by name or by category ('AI-assisted preparation tools'). |  |  |
| C3. Consent describes the purpose of AI use ('to assist in transaction categorization / deduction identification / return preparation'). |  |  |
| C4. Consent specifies the categories of information to be processed by the AI. |  |  |
| C5. If any processing occurs outside the U.S.: consent discloses the name and country of the foreign processor. |  |  |
| C6. Consent is affirmative (opt-in) — opt-out consent is NOT used. |  |  |
| C7. Consent is signed and dated by the taxpayer (or authorized representative for entities). |  |  |
| C8. For 1040 clients: consent uses the prescribed format under Rev. Proc. 2013-14 (12-point font, separate document, required elements). |  |  |
| C9. Consent validity period is stated (recommended: 5 years; 'as long as you remain a client' language NOT used). |  |  |
| C10. If electronic consent: taxpayer types name to authorize (software does not pre-populate); signature and date fields captured. |  |  |



Part D: AICPA Ethics Compliance

| Requirement | Satisfied? (Y/N) | Documentation / Notes |
| --- | --- | --- |
| D1. Client has been informed in writing before AI tool is used on their data (ET § 1.150.040). |  |  |
| D2. Either a confidentiality agreement with the AI vendor is in place (Option A), OR specific client consent has been obtained (Option B), per ET § 1.700.040. |  |  |
| D3. All AI output is reviewed by a qualified professional before delivery to the client or use in a filed return (ET § 1.300.040 — adequate supervision). |  |  |
| D4. AI tool limitations, accuracy rates, and known failure modes have been communicated to supervising staff. |  |  |
| D5. State-specific CPA board requirements have been reviewed and satisfied (state rules may exceed AICPA baseline). |  |  |



Part E: FTC Safeguards Rule Compliance

Requirement | Satisfied? (Y/N) | Documentation / Notes
E1. AI tool has been added to the firm's Written Information Security Plan (WISP) as a service provider with access to customer information.

E2. Vendor is contractually required to maintain appropriate security safeguards (§ 314.4(f)(2)) — confirmed in DPA.

E3. Periodic assessment schedule for AI vendor security posture has been established and documented.

E4. Multi-factor authentication is enabled for all firm access to the AI platform.

E5. Firm's professional liability / E&O insurer has been notified of AI tool use and coverage confirmed.



Part F: Offshore Governance (Complete if Offshore Staff Use This Tool)

Requirement | Satisfied? (Y/N) | Documentation / Notes
F1. AI tool is listed as an approved tool in the offshore provider's AI Acceptable Use Policy.

F2. Offshore provider agreement explicitly governs AI tool use by offshore staff for U.S. client data.

F3. § 7216 consent obtained for offshore staff use covers disclosure to the AI platform (second disclosure in the chain).

F4. Offshore staff have received training on approved AI tools, data minimization practices, and prohibited uses.

F5. Offshore provider's use of AI tools has been included in the annual FTC-required service provider risk assessment.



Section 10: Authoritative Resources and References

IRS Resources

Resource | Relevance to AI Compliance | Citation
IRC § 7216 — Unauthorized disclosure or use of information by preparers | Primary statutory authority for consent requirements covering all AI disclosures of return information. | 26 U.S.C. § 7216
Treasury Regulation § 301.7216-1 through -3 | Defines 'disclosure,' 'use,' 'tax return preparer,' and 'tax return information.' Adequate data protection safeguard standard at § 301.7216-3(b)(4). | 26 CFR § 301.7216
Rev. Proc. 2013-14 — Consent for 1040 disclosures | Prescribes format and content for § 7216 consent for Form 1040 series. Applies to AI disclosure consent for 1040 clients. | Rev. Proc. 2013-14
Rev. Proc. 2013-19 — Section 7216 guidance update | Updates and supplements Rev. Proc. 2013-14 requirements for consent forms. | Rev. Proc. 2013-19
IRC § 6713 — Disclosure or use of information by preparers (civil penalty) | Civil penalty provision: $250 per violation, max $10,000/year. | 26 U.S.C. § 6713
IRS Publication 4557 — Safeguarding Taxpayer Data | IRS expectations for all tax preparers on data security. WISP requirements. Service provider oversight. | IRS Pub. 4557
IRS § 7216 FAQs and Sample Consent Forms | IRS-provided sample language and FAQ for § 7216 compliance. Starting point for adapting to AI use. |


AICPA Resources

Resource | Relevance | Link
AICPA Code of Professional Conduct — ET §§ 1.150.040, 1.300.040, 1.700.001, 1.700.040 | Core ethics rules governing TPSP disclosure, confidentiality, and due diligence — all directly applicable to AI tool use. | AICPA Ethics Code
AICPA Section 7216 Guidance and Sample Consent Forms | AICPA-recommended consent language for outsourcing. Basis for AI consent adaptation. | AICPA § 7216 Resources
AICPA Outsourcing Toolkit (PCPS) | Comprehensive toolkit for CPA firms on outsourcing compliance, including due diligence checklists applicable to AI vendor vetting. | AICPA PCPS Toolkit
AICPA Recommended IT & Security Guidelines for Third-Party Providers | Security standards applicable to AI vendors as TPSPs. Basis for AICPA-aligned vendor due diligence. | AICPA PCPS Resources


FTC Resources

Resource | Relevance | Link
FTC Safeguards Rule — 16 CFR Part 314 | Full text of the FTC Safeguards Rule. Section 314.4(f) governs service provider oversight obligations that apply to AI platform use. | 16 CFR Part 314
FTC — How the Safeguards Rule May Affect Your CPA Firm | FTC-published guidance specifically for CPA and tax preparation firms on Safeguards Rule compliance. |



CA Nemin Vora

Nemin Vora, a CA and Tax Attorney, leads Client Relations at MYCPE ONE. With 7+ years of experience at Big 4 and top public accounting firms across America, he helps U.S. firms scale globally through remote talent, offshoring, and cloud operations. Known for his sharp tax insights and practical approach to firm growth, Nemin is a dynamic speaker. He breaks down complex topics such as leadership, AI, global staffing, and practice expansion into relatable lessons that professionals actually enjoy learning. Beyond the strategy decks, Nemin is a learner at heart, a stage actor, and a tech enthusiast.
