Field guide
AI & Client Data: A SOC 2 Checklist for Accounting Firms
Before you put a single client transaction into a new AI tool, run this checklist. It's not a substitute for your firm's risk policy — it's the shortlist most engagement letters and SOC 2 audits actually care about.
Don't skip the engagement letter
Update engagement letters before AI tools touch client data. Most PII / privilege issues are contractual, not technical.
1. Vendor attestations
- SOC 2 Type II report from the last 12 months. Type I is fine for new vendors but plan to upgrade within a year.
- Subprocessor list — including LLM providers (OpenAI, Anthropic, Google) — with their attestations.
- Data residency. Confirm where client data is processed and stored.
2. Data handling
- No-training clause in the DPA — your data must not be used to train base models.
- Retention policy — how long is processed data retained, and where?
- Deletion on request — can you remove a client's data on offboarding?
3. Access controls
- SSO / SAML support, plus enforced MFA.
- Role-based access down to the client level.
- Audit log export.
4. Incident response
- Breach notification timeline — 72 hours or sooner is standard.
- Incident history — ask for the past 12 months.
5. Engagement letter updates
- AI usage clause — disclose that AI tools may be used to process client data.
- Sub-vendor disclosure clause covering LLM providers.
What "good" looks like in 2026
The vendors we recommend in our AP automation, bookkeeping, and practice management guides all clear this checklist. If a vendor can't produce the documents in section 1 within a week, walk.
Frequently asked questions
- Do AI accounting tools need SOC 2?
- Yes — for any tool processing client financial data, SOC 2 Type II is the table-stakes attestation. Don't accept Type I as a permanent answer.
- Can I use ChatGPT for client work?
- Only the enterprise / API tier with no-training and DPA in place — and only when your engagement letter and client consent permit it.