This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025. Want more recent blogs?
Accounting and finance are undergoing a significant transformation as artificial intelligence and machine learning technologies become increasingly integrated into daily operations. As CPAs navigate this evolving landscape, it is imperative to maintain the highest standards of data security.
By Randy Kardas, CPA, CITP
Accounting and finance are undergoing a significant transformation as artificial intelligence (AI) and machine learning technologies become increasingly integrated into daily operations. This shift presents both challenges and opportunities as professionals navigate this evolving landscape while still maintaining the highest standards of data security. In this blog, I delve into the essentials of data confidentiality and integrity and explore the evolving role of CPAs in protecting sensitive information.
AI technologies have brought numerous advantages to the accounting profession, such as increased efficiency and more advanced data analysis. However, these benefits come with a new set of IT risks related to data confidentiality and integrity. Unauthorized access to sensitive information, data breaches, and corruption of data are just a few examples.
When accounting firms adopt AI-driven solutions and collaborate with third-party vendors or subcontractors, ensuring data confidentiality and integrity is critical. One way to assess the security practices and data protection policies of potential partners is by reviewing their SOC 3 reports, which provide an overview of the vendor's adherence to the AICPA’s and the Chartered Institute of Management Accountants’ trust services criteria. These reports can help you evaluate whether third-party vendors have robust controls in place for maintaining data confidentiality and integrity, among other trust services criteria.
Data confidentiality is a top concern when working with vendors or subcontractors, as sensitive client information may be shared or accessed by external entities. Establishing clear data sharing protocols, implementing strict access controls, and encrypting data in transit and at rest are vital measures to help protect sensitive information from unauthorized access. Contractual agreements with third parties should include specific provisions related to data confidentiality, as well as requirements for regular security audits and reporting.
Data integrity is equally important when using AI solutions provided by external vendors. To maintain the accuracy and reliability of financial data and AI-generated insights, accounting firms should establish robust internal controls and validation processes. This may include verifying the AI-generated outputs against established accounting principles, cross-referencing results with alternative data sources, and implementing continuous monitoring to detect and address anomalies or inaccuracies. Firms should consider the information provided within SOC 3 reports regarding the vendor's commitment to data integrity and discuss their AI tool development and improvement processes to ensure that these solutions continue to meet the firm's expectations in terms of data integrity and overall performance.
Maintaining data confidentiality involves protecting this information from unauthorized access, both in transit and at rest. The legal and regulatory landscape surrounding data protection, including regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), must be considered in the context of data confidentiality.
The increasing adoption of AI tools such as GPT-4, ChatGPT, ChatPDF, Google’s BERT, and Microsoft’s Turing NLG in various industries demonstrates the potential for enhanced efficiency and decision-making capabilities. However, an inadvertent exposure of sensitive information raises concerns about the potential risks associated with these technologies.
Tools such as ChatGPT raise critical confidentiality concerns, particularly for professionals such as lawyers, doctors, and accountants who handle sensitive information. Understanding the potential risks is crucial to protecting client confidentiality.
One significant concern is data retention. AI tools may store input data for purposes such as model training, which could expose confidential information to unauthorized parties. Be aware of your AI provider's data retention policies and ensure that sensitive data is not retained or is adequately protected.
Data sharing practices also pose risks. If an AI tool shares input data with third parties – whether for collaboration or service provision – the potential for confidential information to be leaked or misused increases. Users should evaluate a provider's data sharing practices and ensure they comply with security and privacy standards.
To prevent unauthorized access or interception, AI tools must implement robust security measures, such as encryption for data. Additionally, access controls and authentication mechanisms should be in place to restrict access to sensitive information.
Inadvertent disclosure through AI-generated outputs can lead to confidentiality breaches. You do not want AI tools unintentionally including confidential or sensitive data in responses, originating either from the user's input or the AI model's training data. Be vigilant in reviewing AI-generated content before sharing it with others.
AI model memorization is a subtle but important risk. Despite being designed to generalize from training data, models such as ChatGPT may occasionally remember and reproduce confidential information in outputs. Although the risk is considered low, users should be cautious when providing sensitive information as input.
To address these risks, professionals must approach AI usage with caution, gain a thorough understanding of the provider's data handling practices, and adopt best practices for data security and privacy. By proactively managing these concerns, professionals can harness the power of AI to enhance their services while maintaining the trust and confidentiality of their clients and stakeholders.
Data integrity is vital for the accuracy and reliability of financial data, as well as the systems and processes that generate and process it. Compromised data can have serious consequences, including flawed decision-making and inaccurate financial reporting.
Technical strategies for ensuring data integrity involve validation and verification methods, error detection and correction techniques, and backup and recovery processes. By implementing these measures, accounting professionals can maintain the accuracy and reliability of the data they use in their work.
Data validation methods help accountants ensure that the data they collect and process meet predefined criteria and quality standards. For instance, accountants can implement input validation rules, such as checking for appropriate data types, formats, and value ranges. This can prevent the entry of incorrect or invalid data into financial systems. Additionally, accountants can use techniques such as referential integrity checks in databases, which help maintain consistency across related data sets.
Data verification involves assessing the accuracy and completeness of financial data. Accountants can use techniques such as reconciliation that compares data from different sources to identify discrepancies and inconsistencies. For example, comparing bank statements with internal financial records can help accountants detect errors or potential fraud. Furthermore, accountants can perform regular audits and reviews of financial transactions, verifying the accuracy of the data and ensuring that all necessary documentation supports it.
Error detection helps identify and diagnose data integrity issues. Data profiling and anomaly detection can be used to scan financial data for unusual patterns or values that deviate from expected norms. By flagging anomalies, accountants can investigate the cause and determine whether they are the result of error, fraud, or other factors. Sage Intacct has an incredible General Ledger Outlier Detection feature that leverages AI to identify anomalies and notify accountants in real-time!
Error correction techniques focus on fixing identified data integrity issues. Once accountants have detected errors, they must correct them to maintain the accuracy and reliability of financial information. Accountants can use tools such as data cleansing software to automatically correct common data entry errors, such as duplicate entries or incorrect formatting. Here are a few examples of tools:
CPAs continue to evolve within the technology arena. One new area where they can play a crucial role is protecting sensitive data and advising clients on the adoption of AI-driven tools. They can assess the data security measures of AI tools before recommending their use, ensuring that clients receive accurate information about capabilities and limitations.
CPAs and certified information technology professionals (CITPs) can advise clients on best practices for managing and storing sensitive information. This can include sharing knowledge about the latest data security protocols, advising on the proper configuration of AI tools, and providing guidance on how to detect and respond to potential security threats.
Staying informed about emerging security threats and technologies is a vital aspect of the CPA's role in data protection. By participating in ongoing education and collaborating with industry peers, CPAs can stay ahead of the challenges and provide up-to-date guidance to clients and colleagues.
Ensuring compliance with data protection regulations and industry standards is another crucial responsibility. By keeping abreast of the latest regulatory requirements and advising clients on how to achieve compliance, CPAs can help mitigate the risk of legal and financial penalties associated with data breaches or noncompliance.
Accountants are actively adopting AI tools, such as ChatGPT and similar options, as a way to streamline their work and enhance their decision-making processes. However, its use comes with its own implications for data confidentiality and integrity:
Implementing appropriate security measures and maintaining a robust internal control environment can help mitigate these risks and ensure the responsible use of AI in accountancy.
As accounting and finance continue to evolve and embrace AI-driven solutions, it is essential for CPAs in these fields to expand their skill sets to stay relevant and competitive. One crucial enhancement is developing a proficiency in prompt engineering.
Prompt engineering refers to the process of designing, testing, and refining prompts to effectively communicate with AI models, such as ChatGPT, and guide them in generating accurate, relevant, and useful responses. By mastering prompt engineering, CPAs can better harness the potential of AI tools to assist in a wide range of tasks, from data analysis and financial forecasting to risk management and regulatory compliance.
Developing prompt engineering skills involves understanding the capabilities and limitations of an AI model, as well as the ability to frame questions and instructions in a way that elicits a desired response. This skill requires a combination of critical thinking, creativity, and an in-depth knowledge of the AI tool being used. It also necessitates a strong foundation in accounting and finance principles to ensure that generated outputs align with industry standards and best practices.
As AI technologies advance and become more integrated, those who are adept at prompt engineering will be well-positioned to leverage these tools effectively and responsibly. By expanding their skill sets to include prompt engineering, accountants and finance professionals can not only enhance their ability to deliver services but also contribute to the development and implementation of innovative AI-driven solutions in their respective fields.
Let's consider an example in which an accountant wishes to use a tool like ChatGPT to summarize data from an Excel spreadsheet and identify key financial metrics. In this scenario, the accountant has a spreadsheet containing financial data for a client, including revenues, expenses, assets, and liabilities over multiple quarters. The goal is to use ChatGPT to quickly identify trends, anomalies, and key performance indicators that could inform financial decision-making and recommendations.
To effectively engage ChatGPT, the accountant first must carefully craft a prompt that clearly communicates the task and provides sufficient context. An example of a well-designed prompt might be: "Analyze the attached Excel spreadsheet containing financial data for the past eight quarters. Identify the key metrics, such as revenue growth, profit margin, and debt-to-equity ratio, and provide a summary of the trends and insights for each metric."
This prompt specifies the desired outcome (identifying key metrics and summarizing trends) and provides context by mentioning the type of data and timeframe involved. Additionally, it explicitly mentions several relevant financial metrics to ensure that the AI focuses on the most pertinent information.
Once the prompt is sent to ChatGPT, the accountant will receive a response that summarizes the financial data and highlights key metrics, as requested. At this point, though, it's important to review and verify the AI-generated insights to ensure their accuracy and relevance to the specific client situation.
In cases where the initial response may not fully address the accountant's needs, refining the prompt or asking follow-up questions can help guide the AI toward more targeted and useful information.
Accounting firms must establish comprehensive AI usage policies that address concerns related to IT governance, confidentiality, availability, and integrity as AI usage becomes more prevalent. These policies not only will serve as a framework for responsible AI adoption but also will help maintain trust with clients and stakeholders by ensuring the protection of sensitive financial data.
An effective AI usage policy should begin with a clear articulation of the firm's IT governance structure, outlining roles and responsibilities for overseeing AI adoption and usage, as well as the processes for monitoring and assessing AI-related risks. This structure should include a dedicated team or individual responsible for managing AI initiatives, ensuring compliance with industry standards and best practices, and coordinating with other stakeholders (such as IT and cybersecurity teams) to address potential risks.
Confidentiality is a critical aspect of any AI usage policy, as it involves safeguarding sensitive client data against unauthorized access or disclosure. Data confidentiality policies should outline strict access controls and data encryption requirements for AI tools, ensuring that only authorized personnel can interact with these systems. Additionally, accounting firms should work closely with AI vendors to ensure the tools adhere to stringent data protection standards and provide robust security features.
Availability is another crucial concern. Accounting firms should address this in their AI usage policies by implementing measures such as regular system maintenance, monitoring of AI tool performance, and the establishment of backup and disaster recovery plans to minimize downtime and mitigate potential disruptions to client services.
The integrity of financial data and AI-generated outputs must be preserved to ensure accurate and reliable decision-making. To maintain data integrity, the policy should emphasize the importance of validating AI-generated insights, incorporating robust internal controls, and continuously monitoring the performance of AI tools to detect and address any potential inaccuracies or anomalies.
As AI capabilities advance and become more integrated into the accounting profession, CPAs must remain adaptable and proactive in addressing new data security challenges. The role of regulation and standard-setting bodies in shaping the future of data security will also be significant, as new rules and guidelines will likely be introduced to address the unique risks associated with AI.
Accounting professionals must prioritize lifelong learning and adaptability to keep up with these ongoing developments. By staying informed about emerging trends and challenges and engaging in continuous learning, accounting professionals can navigate the evolving landscape of AI-driven accountancy with confidence.
Embracing an AI-influenced future requires accounting professionals to prioritize data security and continually expand their knowledge of best practices. By focusing on data confidentiality and integrity, CPAs can ensure that they are providing the highest level of service to their clients while safeguarding sensitive information. It is essential for professionals to stay ahead of emerging trends and challenges. By doing so, they will be well-positioned to help their clients navigate the complexities of the digital age and capitalize on the opportunities presented by advanced technologies.
Randy Kardas, CPA, CITP, is manager, digital platforms and analytics, at Cherry Bekaert Advisory LLC in Lancaster, Pa., and is responsible for systems implementations, consulting, and integrations with a focus on Sage Intacct. He can be reached at randy.kardas@cbh.com.
Sign up for PICPA's weekly professional and technical updates by completing this form.
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.