Generative Artificial Intelligence (AI): Frequently Asked Risk Management Questions

Generative AI

Section I: General Information

Q1. What impact is generative artificial intelligence having on CPA firms?

A1. Generative artificial intelligence is reshaping CPA firms in much the same way it is transforming other industries. Many firms are exploring AI solutions to streamline repetitive tasks, address workflow inefficiencies, support innovation, and enhance overall productivity. In practice, most AI use within CPA firms generally falls into one of two categories:

  • AI as a professional support tool. Examples include AI-assisted tax and accounting research, audit-related automation, document drafting, or analytical support that remains subject to professional judgment and review.

  • AI systems that interact directly with clients. These include autonomous tools such as chatbots, automated tax or accounting guidance platforms, or AI-driven customer service applications.

Because AI adoption is highly firm-specific, it is critical for CPA firms to clearly define their objectives, understand how AI technologies function, and assess which use cases align with their operational and risk tolerance goals.

From a risk management standpoint, it is essential to differentiate between AI that supports professionals under human oversight and AI that independently generates advice, engages with clients, or makes decisions without human involvement. The former generally presents lower regulatory and liability exposure. The latter introduces increased risk and necessitates more robust controls, monitoring, and safeguards to address accuracy, privacy, ethical use, and regulatory compliance.


Q2. With so many AI tools available, what guidance does CAMICO offer for firms beginning their due diligence process?

A2. Firms at the early stages of AI adoption may find it challenging to fully understand how AI tools operate and how they are trained. Engaging a qualified IT professional can be beneficial in navigating the due diligence process. At a minimum, any AI tool implemented within a firm must adequately protect confidential and sensitive data.

As part of due diligence, firms should develop a clear understanding of the AI tools under consideration. Key questions to address include:

  • How does the tool handle privacy and data security (for example, third-party systems with or without training, firm-controlled environments, or locally deployed solutions)?

  • How is firm and client data stored, processed, and transmitted?

  • Do the provider’s contractual terms require compliance with applicable laws and regulations?

Q3. Is it important for CPA firms to establish an AI governance structure?

A3. Yes. An effective AI governance framework supports secure, compliant, and ethical AI use while helping firms protect operational integrity and maintain client trust. In the absence of defined governance, firms may inadvertently expose confidential data, rely on flawed outputs, or increase their risk of regulatory noncompliance as AI-related laws continue to evolve.

Adopting AI responsibly is just as important as adopting it at all. From CAMICO’s perspective, responsible AI use includes documented policies and procedures that promote transparency, accountability, privacy protection, regulatory compliance, and ethical standards. For example, firms should establish written guidelines clarifying that AI tools may not be used to generate content that is inappropriate, discriminatory, or otherwise harmful to clients, employees, or the firm.

Section II: Risk Management Considerations

Q4. What risk management issues should firms consider when evaluating AI use?

A4. Generative AI tools are not error-free. Whether used for research support, automated calculations, drafting communications, or interpreting tax guidance, AI-generated output may be inaccurate, outdated, misleading, or entirely fabricated, sometimes referred to as “hallucinations.” As a result, all AI-generated content must be reviewed by qualified professionals to confirm accuracy and appropriateness before being relied upon or shared.

Another significant risk involves the unintended disclosure of confidential information. Prior to using any generative AI provider, firms should conduct due diligence to confirm that the provider’s systems comply with professional standards and applicable regulations. For tax engagements, firms must ensure compliance with Internal Revenue Code Section 7216 and related regulations governing the disclosure and use of taxpayer information. In certain situations, written taxpayer consent may be required before transmitting data to external AI platforms.


During the due diligence process, firms should also evaluate the provider’s reputation, including whether there is any history of training AI models on unauthorized or improperly sourced data. Reviewing terms of use is essential to understand how firm data and AI-generated output may be accessed, stored, reused, or incorporated into future model training. Contracts should clearly affirm that the firm retains ownership of its work product and client-related materials, restrict the provider’s use of firm data unless explicitly authorized, and impose confidentiality and data protection obligations.

Q5. How can firms mitigate risk as they move forward with AI adoption?

A5. As firms explore generative AI, they must first understand the associated risks and implement appropriate safeguards. Developing a comprehensive AI governance framework, as discussed in Section I, is a critical foundation. Equally important is a thoughtful implementation plan that includes firm-wide education and training to promote responsible use.

Firms should document employee training related to confidentiality requirements, verification of AI-generated output, responsible usage expectations, and procedures for escalating questionable or concerning results.

Maintaining data confidentiality requires a strong focus on privacy and security controls.

Firms should implement appropriate encryption, access restrictions, and compliance measures consistent with applicable data protection laws. In some cases, firms may need to consult legal counsel and revise their Privacy Policy to clearly disclose the types of information collected, sources of data, purposes for collection, and how information is stored, secured, and shared.

CAMICO also strongly recommends adopting a clear and concise generative AI usage policy that defines authorized and prohibited uses within the firm. A sample policy template is available on CAMICO’s Members-Only Site. Because AI usage varies by firm, policies should be developed and implemented in collaboration with legal counsel and IT professionals, as appropriate.

Q6. Should firms disclose AI use to clients or update engagement letters?

A6. Not all AI applications currently require disclosure to clients under existing legal or regulatory guidance. The primary consideration is whether AI tools are interacting directly with clients or are used solely as internal tools to support professional work.

As AI capabilities advance and regulatory oversight increases, disclosure requirements may expand. Existing laws such as the European Union’s General Data Protection Regulation require disclosure when automated decision-making significantly affects individuals. The Federal Trade Commission has also emphasized the importance of AI transparency to prevent misleading practices. In addition, some states, including California, have enacted laws requiring disclosure when consumers interact with AI rather than a human.

Even when disclosure is not legally required, transparency is generally considered a best practice. It allows firms to reinforce their commitment to responsible AI use and reassure clients that appropriate safeguards are in place to protect data and privacy. CAMICO offers illustrative engagement letter language that firms may adapt based on their specific AI usage:

“Our firm may use generative artificial intelligence (“AI”) tools to improve efficiency in areas such as tax and accounting research, document drafting, or analytical support in connection with the services we provide under this agreement. We maintain policies and procedures to ensure that all AI-generated content is subject to our quality control standards, including professional judgment, expertise, and oversight. We also implement reasonable safeguards to support responsible AI use, including adherence to applicable confidentiality, privacy, security, ethical, and professional requirements.”

Q7. What considerations apply when using AI in Human Resources functions?


A7. Firms should exercise caution when implementing AI in HR-related activities such as recruiting, performance evaluations, or compensation decisions. While these tools may offer efficiency gains, they can also introduce legal and compliance risks, including the potential for discrimination claims.

One significant concern is disparate impact, where a seemingly neutral practice disproportionately disadvantages a protected group. The Equal Employment Opportunity Commission has clarified that automated decision-making tools are subject to the same anti-discrimination laws as traditional employment practices. Claims may arise not only from applicants or employees, but also from regulatory enforcement actions.

As states continue to enact laws governing AI use in employment contexts, often emphasizing transparency and informed consent, firms must remain current on applicable federal and state requirements. Additional risk mitigation measures include:

  • Performing regular bias and fairness audits of AI tools

  • Requiring human review of AI-generated employment decisions

  • Maintaining clear and transparent communication with applicants and employees regarding AI use

Q8. What additional risk management best practices should firms consider?

A8. CAMICO recommends the following best practices:

  • Invest in education. AI is rapidly evolving. Firms should understand available tools and conduct appropriate due diligence before adoption.

  • Create an implementation strategy. Effective AI integration requires planning, training, and clearly defined responsible-use expectations.

  • Engage qualified professionals. Legal counsel can assist with regulatory compliance questions, while IT professionals can address security and data protection concerns.

  • Train and inform employees. Clearly document authorized AI usage and communicate policies to staff. CAMICO provides a sample Generative Artificial Intelligence Chatbot Usage Policy on its Members-Only Site.

  • Monitor regulatory developments. Firms should stay informed about emerging AI laws at the state, federal, and international levels, including evolving transparency requirements under the European Union AI Act.

Section III: Additional Resources

Q9. Where can I find more information about AI?

A9. The following resources may be helpful:

Artificial Intelligence | AICPA & CIMA

Artificial Intelligence | CPA.com

References:

CAMICO. (2025, November 12). Generative artificial intelligence (AI): Frequently asked risk management questions (FAQ) on CAMICO’s advisory hotline. https://www.camico.com/blog/generative-artificial-intelligence-ai-frequently-asked-risk-management-questions-faq-on-camicos-advisory-hotline


We are available to provide referrals to consultants by providing guidance relative to insurance issues and even certain preventives, from construction observation to developing and applying sound human resources management policies and procedures. Please call on us for assistance. We're a member of the Professional Liability Agents Network (PLAN).

We provide the following material for informational purposes only. Before taking any action that could have legal or other significant consequences, speak with a qualified professional who can provide guidance that considers your unique circumstances.
