What Does the AICPA Require of Artificial Intelligence?

SOC Examinations | Artificial Intelligence

Now that artificial intelligence (AI) has more fully engrained itself into the digital world and economy, it makes sense that the American Institute of Certified Public Accountants (AICPA)—as the organization that sets the most recognized auditing standards in the U.S.—would have an opinion on AI use, particularly in terms of the possibility of related SOC-compliance issues.

As SOC auditors that have been providing this service for over two decades now, we’re interested in their thoughts too. Should organizations worry about their compliance when using AI?

Even though we don’t yet have concrete requirements from the AICPA, we can still explore the answer to this question in two different directions—regarding AI used in support of financial statements and regarding AI in support of other business operations. In this article, we’ll use our expertise to provide at least some insight as to how to approach compliance where AI is concerned.

That way, you’ll at least have some direction while we wait on authoritative guidance from the AICPA.

Using Artificial Intelligence in SOC Examinations

AI Used in Support of Financial Statements

Although the AICPA has hosted a few webcasts on the topic and provided some relevant articles, we have nothing authoritative to cite from the AICPA at this time, and the following opinion of ours regarding the use of AI in support of financial statement technologies is an attempt to fill in gaps in the attest code SSAE 18 – 21.

SOC compliance and reporting are governed by the Code of Professional Conduct and said Attest Code, and there is nothing in it that recognizes a departure from the standard operating procedure due to AI or machine learning. 

That being said, when it comes to using AI for support in generating information for financial statements, it's crucial to consider the design and purpose of the AI system. Like anything built for a specific purpose, if AI is to be used for contributing to the support of generating information relied upon in financial statements, it must be designed with that specific purpose in mind.

That’s tricky in this case, as a common challenge with AI is that it often operates by providing a "best guess" at the correct answer. But financial statements require accurate and reliable information, and best guesses rarely meet those required standards. 

Because financial statements must provide a correct answer every time to ensure accuracy and reliability, and the information generated by an AI system may not always be reliable and accurate, it’s more advisable to avoid using AI for direct support in generating financial statements.

AI Used In Support of Business Operations (Outside of Financial Statements)

Now let's consider a different scenario where you develop an AI application and need to include it in your SOC 1, SOC 2, or SOC for Cybersecurity or SOC for Supply Chain examination. In such cases, let’s assume the AI is not used in support of financial statements but rather for other purposes such as automation within an organization.

In practical terms, AI has the potential to enhance your business operations and processes through automation by:

  • Enabling greater efficiency;
  • Refining operations and customer experiences; and
  • Facilitating predictive forecasting and prescriptive marketing approaches. 

That being said, AI systems do share common features with traditional computer systems and applications, including:

  • Authentication
  • User access controls
  • IT infrastructure

Artificial Intelligence and SOC Compliance

Therefore, the evaluation of information security and privacy controls for AI systems would follow a similar approach to that of your other information security and privacy controls. As SOC examiners, we would apply the same principles used to evaluate more common infrastructure to AI systems—that means we would require a thorough understanding of the AI application's design, data handling, configurations (algorithms) and system controls to ensure that appropriate security and privacy measures are in place.

From our standpoint, our approach to an AI system right now would be to:

  • Assess the risks of the technology environment and the risks to the audit
  • Develop and execute the audit plan based on that assessed level of risk
  • Ensure sufficient and appropriate evidence on which to base our opinion/conclusion

The Future of AI in Auditing

That’s how we would do it right now, anyway, but looking ahead, AI has the potential to reshape the auditing and accounting fields even further. In fact, advancements in AI technologies—particularly more sophisticated machine learning algorithms—could lead to even more accuracy and efficiency within the auditing processes themselves.

While we still don’t know if this will come to fruition, we can suggest that professionals in the field—like us—should continually update their skills and knowledge to stay current amid advancing tools. Developing a deep understanding of machine learning and deep learning concepts will enhance our capabilities as auditors, particularly when dealing with novel AI systems that may evolve beyond current deployment models. 

Moving Forward with AI and Your SOC Compliance

As AI continues to advance and pushes are made to engrain it further into our existing digital systems, we will also continue to witness a dynamic and exciting intersection of AI and auditing. While the AICPA has yet to publish official guidance or requirements on the use of AI in support of financial statements or business operations, you now at least have the perspective of how an auditor would approach the security evaluation of such technology.

The future of auditing and business advancements is here, and it's powered by AI. And while the ongoing integration of AI into these fields will bring many benefits, it will also present new challenges that we all will need to navigate. So, let's stay updated with AI advancements and AICPA guidelines, and in the meantime, please contact us with any questions you may have.

 

About the Authors

Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s knowledge management leadership team and is responsible for Schellman’s Training and Professional Certification Services. Having led the firm-wide research and development for attestation methodology for over 15 years, Ryan is a CIPP, CISSP, CISA, Certified Knowledge Manager, and ISO 27001 Lead Auditor and maintains multiple CPA licenses in several states, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Reviewer and Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.

 

Eric Sampson is a Senior Manager with Schellman & Company, LLC. Prior to joining Schellman in 2008, Eric specialized in security assessments, GLBA, ISO, global privacy, and penetration testing assessments. At Schellman, Eric is focused primarily on PCI, SOC, and WebTrust for Certification Authorities (CA) examinations for organizations across various industries. Eric has over 15 years of experience comprised of serving clients in various industries including cloud and technology service providers, healthcare, and financial services, among others. Eric has led hundreds of project engagements in the areas of PCI, System and Organization (SOC) examinations (SOC 1, SOC 2, SOC 3), WebTrust for CAs, HIPAA, Federal PKI, and agreed-upon procedures.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.