← Field Notes
Five Bearings·15 June 2026·4 min read

The AI in Your Accounting Software Is Already a Compliance Risk

The TPB's new AI guidance says tax practitioners own every AI output. The real risk? AI already embedded in Xero, MYOB, and Microsoft 365 that you didn't opt into.

The compliance risk hiding inside your software stack

The Tax Practitioners Board issued draft AI guidance in March telling accountants and tax agents exactly how the Code of Professional Conduct applies when they use artificial intelligence. The headline principle: using AI does not reduce or transfer your professional responsibilities. You own every output.

That's sensible. But three of Australia's peak accounting bodies — the NTAA, CPA Australia, and Chartered Accountants ANZ — have told the TPB its guidance misses the real problem. The compliance risk isn't practitioners choosing to fire up ChatGPT. It's the AI already running inside the software they use every day.

Your software is using AI whether you opted in or not

Xero launched JAX, an AI assistant powered by Anthropic's Claude, that processes client financial data as routine platform operation. QuickBooks now has Intuit AI with specialised agents handling GST tracking and BAS lodgement. Microsoft 365 Copilot runs across Word, Excel, and Outlook. These aren't optional add-ons you consciously enable. They're baked into the platforms your team already uses.

The NTAA's submission to the TPB put it bluntly: 'the data flow is often invisible; a staff member opens an email, works on a document, or reviews a client file, and AI functionality operates in the background.' The practitioner doesn't actively choose to disclose client information to an AI system. The software does it for them.

The TPB's draft guidance assumes practitioners make a conscious decision to input data into AI tools. That assumption no longer holds. And the Code requires practitioners to maintain confidentiality of client information — including when third-party software processes it through AI features they didn't explicitly enable.

What the Code now demands

The draft guidance — TPB(I) D62/2026, issued 24 March 2026 — maps five existing Code obligations onto AI use. Competence: AI output is not a substitute for your own analysis. You must independently assess client circumstances and exercise professional judgement, whether the work is yours or a model's. Confidentiality: client permission is required before sharing information with third parties, and that now includes AI systems processing their data. Supervision: every AI-generated document, calculation, or recommendation needs a qualified practitioner reviewing it before it reaches a client or the ATO.

Reasonable care: the standard depends on whether you reviewed AI outputs before relying on them and whether the tools were appropriate for the task. Honesty and integrity: if an AI hallucination ends up in client advice, that's a Code breach — not a software bug.

Where the industry bodies want the TPB to go further

CPA Australia endorsed the principles-based approach but flagged a gap: the draft doesn't define what 'independent verification' actually means. Does the tax agent verify, or can another staff member? For a two-person practice, that distinction matters.

CA ANZ recommended five changes, including a checklist of privacy disclosures, worked examples for low-, medium-, and high-risk AI use cases, and clarity on the difference between external AI tools and those embedded in practice software. The NTAA was bluntest: for many practices, AI is already 'the most significant compliance risk they face.' Their practical recommendation: the final guidance should confirm that listing AI-enabled software providers in engagement letters satisfies the disclosure obligation, rather than requiring practitioners to track specific sub-processors and data storage locations that vendors don't make transparent.

Three things to do before the final guidance lands

First, audit your software stack for AI features. Check Xero, MYOB, QuickBooks, Microsoft 365, and any other platform your team uses daily. Document which tools have AI capabilities enabled by default — and which ones process client data through AI. If you don't know, ask your vendor in writing.

Second, update your engagement letters. Add a clause disclosing which AI-enabled software providers handle client data in the course of your services. The NTAA's recommendation — listing providers rather than tracking sub-processors — is a practical starting point even before the final guidance arrives.

Third, build a review step into every AI-assisted workflow. We've written before about the hidden cost of reviewing AI output — and the 77 per cent of workers who say it takes longer to review than human-produced work. For tax practitioners, the review isn't optional. It's a Code obligation. The consultation closed on 21 April 2026, and the final guidance is expected later this year.

Key takeaways

The TPB's draft guidance (TPB(I) D62/2026) makes clear that tax practitioners remain fully liable for any AI-generated output — the Code of Professional Conduct applies regardless of whether a human or AI produced the work.
The NTAA warned the biggest compliance risk is AI embedded in everyday software like Xero, MYOB, and Microsoft 365, where data flows are invisible and practitioners don't actively choose to use AI.
CPA Australia and CA ANZ endorsed the principles-based approach but called for clearer definitions of 'independent verification' and practical guidance for small practices.
Practitioners should audit their software for AI features, update engagement letters with provider disclosures, and build mandatory review steps into AI-assisted workflows — before the final guidance drops.

Sources

Tax Practitioners Board — Exposure Draft TPB(I) D62/2026: The use of Artificial Intelligence and the Code of Professional Conduct (24 March 2026)

Accountants Daily — TPB's AI guidance fails to address 'most significant compliance risk', warns NTAA

Accountants Daily — CPA Australia suggests tweaks to TPB's draft AI guidance (1 May 2026)

Assumptions & methodology
  1. TPB(I) D62/2026 was issued as an exposure draft on 24 March 2026. The consultation period closed 21 April 2026. The final information sheet has not yet been published as of June 2026. The obligations outlined reflect the draft guidance and existing Code requirements under the Tax Agent Services Act 2009.
  2. The NTAA, CPA Australia, and CA ANZ submissions were reported by Accountants Daily between April and May 2026. The NTAA's characterisation of AI as 'the most significant compliance risk' is a direct quote from their submission as reported.
  3. The 77% figure on AI review time is from the GoTo Pulse of Work 2026 report (2,500 respondents globally, November 2025 – January 2026). It represents employee perception rather than measured time-on-task data. Australia was not included in the sample. Covered in detail in a previous Field Note.

Next

43% of Workers Have Submitted AI Output They Suspected Was Wrong

Read →

Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.

Want to know where AI is running in your practice — and whether you're covered?

A short conversation can map your current AI exposure and build a compliance plan before the final TPB guidance drops. Book a call.

Book a call →