7 Rules Every Accountant Must Know Before Using AI

Written By Eszter Rapanos, Quality Assurance, Public Sector and Publication Manager, Chartered Institute for Business Accountants (CIBA)

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

Your client sends you a report. It was generated by AI. The numbers look right. The analysis seems solid. You sign off.  Then the auditors come. And suddenly, "the software said so" is not an answer anyone wants to hear, including you.

This is exactly the scenario IESBA had in mind when it updated the International Code of Ethics for Accountants in April 2023. Those revisions became effective in December 2024, and if you haven't read them yet, this article is your starting point.

Why the Code Had to Change

Technology is no longer a tool that sits beside the accounting profession. It's inside it. AI, agentic systems, digital assets, and cloud platforms have changed what it means to do the job. The good news is that IESBA didn't throw out the rulebook. The five fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour still apply. What changed is how explicitly those principles speak to technology risks.

What Changed in the 2023 Revisions

  1. You must understand the tools you use. Professional accountants must be able to understand, explain, and evaluate the technology outputs they rely on. Relying on opaque or unexplained outputs is no longer acceptable.

  2. An inquiring mind is now mandatory.  When applying the Code's conceptual framework, having an inquiring mind is a formal requirement for every professional accountant, regardless of the activity.

  3. Using technology outputs comes with specific obligations. Whenever you use a technology output, from your own system, a purchased tool, or a third-party platform, you must assess it for fitness, understand its limitations, evaluate data quality and potential bias, and determine the appropriate extent of reliance.

  4. Automation bias is now named in the Code. The tendency to trust technology outputs even when contradictory information raises questions is explicitly named as a threat to objectivity. As explored in Accounting Weekly's earlier piece on [how ChatGPT may disrupt auditing](https://www.accountingweekly.com/audit-accounting/how-chatgpt-may-disrupt-auditing), accountability cannot be delegated to a machine ,and IESBA has now drawn that line formally.

  5. Complexity gets its own guidance. When digital tools create compounding uncertainty from interdependent variables, you must communicate that uncertainty to your organisation or the users of your work.

  6. Confidentiality extends across the full data lifecycle. Obligations now cover collection, use, transfer, storage, dissemination, and destruction. Crucially, using client data to train an AI model requires proper authorisation. This sits alongside IESBA's tightening of [ethical standards for tax planning](https://www.accountingweekly.com/tax/new-ethical-standards-for-tax-planning) — informed consent matters.

  7. Independence standards are tighter for technology-enabled services. Firms face reinforced requirements around self-review threats, the risk of assuming management responsibility through technology, and commercial dependencies that can arise when tech is used in assurance engagements.

The Risk You Might Be Missing: Shadow AI

IESBA's Technology Expert Group has flagged shadow AI, employees using AI tools without organisational knowledge or approval, as a growing and underappreciated risk.

If a staff member uses an unapproved tool to draft a client report and you sign off on it, the Code's confidentiality, competence, and independence obligations still apply to you. If your firm doesn't have a clear policy on approved tools, build one now.

For a broader read on IESBA's independence thinking, read The Big Money Red Flag: IESBA Warns Accountants on Private Equity Pitfalls.

What to Do Now

The revisions are already in effect. Here's a practical checklist:

  • Review your technology stack, can you explain the outputs of every tool your practice uses?

  • Check your data-sharing agreements, any platform that could train on client data needs a consent framework.

  • Build a shadow AI policy, document what tools staff may and may not use.

  • Train your team on automation bias, awareness is the first line of defence.

  • Watch for the IESBA guidance publications, an overarching technology guide is due Q3 2026, and an AI-specific guide follows in Q4 2026.

Eszter Rapanos, Quality Assurance, Public Sector and Publication Manager, Chartered Institute for Business Accountants (CIBA)
Next

Two Enforcement Notices, One Message: POPIA and PAIA Are Real.