Blog

CPA and CA Firm AI Policies: A Template for 2026

July 2026 · 6 min read · Industry Guide

Notebook illustration: a filing cabinet beside a terracotta shield with a tick and a policy sheet, representing a firm AI usage policy.
← Back to all posts

Most Australian accounting firms already have staff using Claude and other AI tools, whether the partners have formally signed off on it or not. A graduate pastes a client trial balance into a chatbot to draft variance commentary. A bookkeeper asks an assistant to explain a Fair Work award clause. None of that is wrong on its face, but without a written policy the firm wears all of the risk and captures none of the control. This guide gives CPA and CA firms a practical template you can adapt, built around the obligations that actually apply here rather than generic overseas advice.

Why a written AI policy matters now

The Tax Practitioners Board expects registered agents to maintain client confidentiality and to take reasonable care in the work they sign off. APES 110, the code of ethics issued by the Accounting Professional and Ethical Standards Board, sets confidentiality and professional competence requirements that do not pause because a tool did part of the drafting. The Privacy Act 1988 and the Australian Privacy Principles govern how personal information is handled, including where it travels once it leaves your systems. A written policy is how a Sydney or Melbourne firm shows a client, an insurer, or a regulator that it thought about all three before anyone typed a prompt.

The cost of getting this wrong is concrete. A single confidentiality slip that reaches the wrong party can cost a small firm well past A$50,000 once you count remediation, legal review, and the clients who quietly leave. A clear policy is cheap insurance by comparison. Budget roughly A$4,500 for a half day workshop and staff training to put one in place, and you have addressed the biggest exposure most firms carry into 2026.

What the policy needs to cover

A good firm AI policy is short enough that people read it and specific enough that they can act on it. At a minimum it should address these five areas:

  • Approved tools: which AI products are cleared for firm work, and which are banned. Name Claude and any others you have reviewed, and state that unlisted tools are off limits until assessed.

  • Client data rules: what may and may not be entered into an AI tool. Draw a bright line around tax file numbers, bank details, and anything that identifies a client without their consent.

  • Human review: who checks AI output before it reaches a client or the ATO, and how that sign off is recorded in the workpapers.

  • Confidentiality and consent: how the firm meets APES 110 and the Privacy Act when a tool sits between the preparer and the client file.

  • Accountability: which partner owns the policy, how breaches are reported, and what happens when the rules are not followed.

The template, section by section

Open with a plain statement of intent. Something like: this firm uses AI tools such as Claude to assist with drafting, research, and analysis, under human supervision, without compromising client confidentiality or professional standards. That one sentence sets the tone and gives staff permission to use approved tools well.

Approved and banned tools

List the tools the firm has assessed and the account type staff must use. A paid business plan with Claude keeps firm prompts out of model training and gives you an audit trail, which a free consumer login does not. State clearly that personal accounts are not permitted for client work, and that any new tool goes through the policy owner before it touches a client file.

Data handling

Define three tiers so staff can make the call in seconds. Green data can be used freely, such as general tax questions with no client identifiers. Amber data can be used only in an approved tool on a business plan, such as de-identified figures. Red data, including tax file numbers, full names tied to financials, and anything under a confidentiality agreement, never goes into a tool unless the client has given written consent and the tool has been cleared for that purpose.

Review and record keeping

Require that a qualified person reviews every AI assisted deliverable before it leaves the firm, exactly as they would review a graduate's work. Note in the file that AI was used and that a reviewer checked it. This protects the firm if the work is ever questioned and keeps you inside the reasonable care standard the Tax Practitioners Board applies.

Rolling it out without slowing the firm down

A policy no one reads is worse than none, because it creates a false sense of safety. Run a single training session, walk through three real examples from your own practice, and let staff ask what is allowed. Appoint one partner as the AI policy owner so questions have a home. Review the document every six months, since both the tools and the regulators' guidance move quickly.

Firms that do this well tend to see the upside within a quarter. Staff stop guessing, the risky shadow usage stops, and the genuine time savings on drafting, research, and first pass review become something the firm can measure rather than something that happens in the dark. A written policy is what turns AI from a liability sitting on your books into a supervised part of how the practice works.

Where to start

If you want a policy tailored to your firm's size, client mix, and the tools you actually use, that is the kind of work we do every week with Australian practices. You can book a short call to talk it through: book a brainstorm.

Ready to move from AI pilot to production?

We help mid-market Australian businesses deploy AI automations that actually reach production and deliver measurable ROI.