AI governance for accountancy firms
Your partners remain accountable for what the AI produces.
AI now drafts working papers, reconciles ledgers, screens clients and answers tax questions across the profession. The named member and the firm stay accountable for the output. A tool cannot hold a duty of competence, and the FRC is explicit that in audit the human auditor is always accountable. Governance AI helps your board or partnership govern AI so professional standards, client confidentiality and your regulator's expectations survive contact with it, and builds the controls that hold.
Professional responsibility cannot be delegated to a tool.
An accountancy firm answers to several authorities at once. Clients entrust it with confidential financial and personal data. The ICAEW or ACCA holds each member to the Code of Ethics, whose technology-related provisions were revised into force in July 2025, requiring competence, due care, confidentiality and objectivity before a member relies on any AI system. For firms that audit, the FRC's 2025 guidance on AI in audit, extended in 2026 for emerging technologies, is explicit that regulatory accountability and the human auditor's responsibility for audit quality are unchanged. These are conduct duties, not commercial preferences.
The pressing risks are specific. Feed confidential client material into a tool the firm does not control and you may breach confidentiality and UK GDPR and expose client data through model training or retention. Fabricated figures, misread source documents or a hallucinated tax position reaching a filing, a client or a court expose the firm to negligence, HMRC challenge and disciplinary action. Where AI screens clients or transactions, the firm's anti-money-laundering duties still bind. The gap usually sits at the top, where partners reached leadership through technical excellence rather than scrutiny of how a model handles client data.
The standards accountancy firms are held to.
AI does not create a separate rulebook. It runs through the duties and regulators you already answer to.
ICAEW / ACCA Code of Ethics
Binds chartered and certified accountants to competence, due care, confidentiality and objectivity. Revised technology provisions in force from 2025 require a member to judge whether an AI tool and its data are sufficient before relying on the output.
Financial Reporting Council (FRC)
Its AI in audit guidance (2025, extended 2026) confirms that regulatory accountability and the human auditor's responsibility for audit quality are unchanged, with documentation expected on how AI tools are certified and used.
Information Commissioner's Office (ICO) and UK GDPR
The firm is data controller for client and personal data processed by AI, requiring a lawful basis, a DPIA, and controls that keep confidential material out of third-party models and their training data.
HMRC agent obligations and PCRT
Professional Conduct in Relation to Taxation, updated for AI, holds the member responsible for the accuracy of AI-assisted tax work. Standards for agents mean the firm answers to HMRC for filings, whatever tool prepared them.
Money Laundering Regulations 2017 and AML supervision
Where AI screens clients or transactions for customer due diligence, the firm and its AML supervisor still require the checks to be adequate, explainable and evidenced, with a human decision on risk.
What good AI governance looks like for accountancy firms.
The Board AI Scorecard measures five areas. Here is what each means in your sector.
Accountability & board oversight
A named member, not the model, owns every AI-assisted output that reaches a client, a filing or a court, and in audit the engagement partner remains accountable for quality with a record of who reviewed the work.
AI policy & controls
Your AI policy states which engagement types and client data AI tools may touch, what disclosure clients receive, and how it maps to your ICAEW or ACCA ethics, FRC audit expectations and AML duties.
Risk, transparency & assurance
AI risks sit on the firm's risk register with named owners, including fabricated figures, misread source documents, hallucinated tax positions and whether AI-screened AML checks are adequate and explainable.
Data & security
Confidential client and personal data never leaves systems the firm controls or trains a third-party model, with retention and residency confirmed and a DPIA where personal data is processed.
Board literacy & capability
Partners and staff can recognise where an AI tool's output is likely to be wrong and what adequate review looks like, especially over junior staff relying on it in audit, tax and accounts work.
Questions your board should be asking.
- Which engagement types and client data are AI tools permitted to touch, and how do we guarantee confidential material never leaves systems we control or trains a third-party model?
- How do we evidence that a competent member has reviewed and takes responsibility for every AI-assisted output, and in audit that the engagement partner remains accountable for quality?
- Does our use of AI in tax work meet our PCRT and HMRC obligations, with the member, not the tool, responsible for the accuracy of every filing?
- Where AI screens clients or transactions for anti-money-laundering, are the checks adequate, explainable and backed by a human decision our AML supervisor would accept?
- What is our process for catching fabricated figures, misread documents and hallucinated positions before they reach a client, a filing or a court, and who owns that control?
- Do we have a DPIA and a lawful basis for any AI system processing personal or confidential client data under the UK GDPR, and does the board see the AI risk register?
Taking these to a meeting? Print the one-page board pack.
We govern the AI and build the controls that hold it.
Start with the free Board AI Scorecard, a short self-assessment that shows your firm where its AI exposure sits against the duties your regulator already enforces. The AI Wake-Up Call is a board session that translates those duties into the decisions a managing partner or head of audit has to own, and the GovernIQ™ Diagnostic goes deeper into your engagements, data and review regime. Our founder, Karl George MBE, created the tgf Governance Code, and we align work to ISO/IEC 42001, the NIST AI Risk Management Framework, UK GDPR and the NCSC cloud security principles. We help you prepare for certification against these standards and do not issue it. One team advises and then builds the system, so the governance you agree is the governance that ships.
Begin with a clear view of where your firm stands.
Take the free Board AI Scorecard, or have a short conversation with us about AI in your audit, tax and accounts work. No tool will hold your duty of competence for you, so it is worth knowing what your firm is accountable for.
