AI Compliance for Canadian Accountants & CPAs 2026:
CPA Canada, Quebec Law 25 & OSFI

AI tools are now standard in Canadian accounting practices — from automated bookkeeping and tax preparation to AI-assisted audit analytics and financial forecasting. The compliance frameworks are catching up. CPA Canada has published guidance on AI in audit and advisory work that applies to all members. The Office of the Superintendent of Financial Institutions has issued AI risk management guidance for regulated financial entities. Quebec Law 25 is fully in force and governs how accounting practices process client financial data through AI platforms. PIPEDA applies across all provinces. And when AI produces an error in a tax filing, financial statement, or audit opinion, the CPA remains the liable professional. This guide covers what Canadian accountants and CPAs need to have in place in 2026.

CPA Canada guidance: what professional competence requires

CPA Canada has published guidance confirming that existing professional standards — the CPA Code of Professional Conduct and Canadian Auditing Standards — apply to AI-assisted work. The guidance is consistent with the position of accounting bodies globally: competence obligations extend to understanding and supervising the tools used in professional practice.

CPA Canada's guidance identifies the following as core requirements for members using AI:

• Output verification: AI-generated financial analyses, computations, and summaries must be verified against primary source documents before inclusion in client deliverables, financial statements, or audit files. The verification process must be documented in working papers.
• Understanding tool limitations: CPAs must have sufficient understanding of AI tools to assess the reliability of their outputs in the specific context being used. A general-purpose AI tool may not be appropriate for interpreting complex Canadian tax provisions or applying sector-specific accounting standards.
• Client confidentiality: Client financial data is confidential under the CPA Code. Uploading client data to AI platforms requires review of vendor data handling terms to ensure the confidentiality obligation is not compromised. Vendor assurances in marketing materials are not sufficient — contractual protections are required.
• Audit file documentation: Where AI tools are used in audit engagements, the audit file must document the tool used, the outputs generated, and how those outputs were assessed by the engagement team.

OSFI guidance: AI risk management for regulated financial entities

The Office of the Superintendent of Financial Institutions has issued guidance on technology and third-party risk management that directly applies to AI systems used by federally regulated financial institutions — including Schedule I and II banks, insurance companies, and trust and loan companies. Accounting firms that provide services to these entities are also affected where their AI tools process regulated entity data.

OSFI's expectations for AI risk management include:

• Model risk management: AI models used in financial risk assessment, credit adjudication, or regulatory reporting must be validated, documented, and subject to ongoing performance monitoring. OSFI expects the same rigour applied to traditional statistical models to be applied to AI and machine learning models.
• Third-party oversight: Where AI capabilities are sourced from third-party vendors, OSFI expects institutions — and their advisers — to conduct appropriate due diligence on vendor AI governance practices, data handling, and model risk management.
• Explainability: AI systems used in credit decisions, capital calculations, or regulatory reporting must be sufficiently interpretable that senior management and regulators can understand how outputs were generated.

Quebec Law 25: the most consequential active obligation for client data

Quebec Law 25 is fully in force. For accounting practices with Quebec clients, this is the most operationally significant active compliance requirement for AI use. It applies to any organisation that processes the personal information of Quebec individuals — regardless of where the organisation is based.

The requirements most directly relevant to accounting AI:

• Privacy Impact Assessment: Required before deploying any AI system that processes client personal financial data. Must be completed before deployment, document privacy risks, and identify mitigations. Using a new AI-powered bookkeeping tool, deploying AI-assisted tax preparation software, or running AI analytics on client financial data — each requires a PIA under Law 25 for Quebec clients.
• Automated decision transparency: Where AI influences a consequential decision about a Quebec individual — for example, automated financial risk scoring or AI-driven client categorisation — the individual must be informed, provided an explanation of the factors considered, and given a mechanism to request human review.
• Consent specificity: Consent to process personal financial information must be specific to AI-assisted purposes. A client engagement letter does not automatically authorise AI profiling of their financial data for purposes beyond the core engagement scope.

Penalties: up to $25 million CAD or 4% of worldwide turnover, whichever is higher. The Commission d'accès à l'information enforces actively.

PIPEDA: the federal baseline across all provinces

PIPEDA creates accountability obligations for client personal data processed by AI tools in accounting practices across all Canadian provinces. The key requirements:

• Purpose must be identified and disclosed before collecting client personal financial data for AI processing
• Meaningful consent is required — clients must understand when AI tools are being used to analyse or act on their financial information in a material way
• Firms are accountable for client data transferred to AI processor vendors, including international providers — "we use a US-based AI tool" does not transfer accountability to the vendor
• Clients have access rights to personal information held about them, including inferences generated by AI systems

CASL: AI-generated client communications and outreach

Accounting practices using AI to generate or personalise client newsletters, tax reminder communications, or any commercial electronic message sent to Canadian recipients must comply with CASL. The requirements apply regardless of whether the message was drafted by a human or generated by AI:

• Express or implied consent required before sending any commercial electronic message
• Sender identification and contact information mandatory in every message
• Functional unsubscribe mechanism required — automated sequences must honour opt-outs within ten business days

Penalties: up to $10 million CAD per violation for organisations.

Preparing for AIDA: Canada's pending federal AI law

Bill C-27 — the Artificial Intelligence and Data Act — has not yet passed Parliament but reflects the clear direction of federal AI regulation in Canada. AIDA would classify certain AI systems as high-impact and require organisations to implement risk mitigation measures, maintain records, and publish plain-language descriptions of AI system use. Financial risk assessment is expected to fall within the high-impact category.

Accounting practices that build PIPEDA and Quebec Law 25 compliance frameworks now will require minimal additional work when AIDA passes — the documentation, risk assessment, and oversight structures are substantively aligned.

What a compliant Canadian accounting practice AI framework requires

1. AI inventory: Every AI tool documented — what client data it processes, where that data is stored, and what vendor contractual protections exist.
2. Quebec Law 25 PIAs: Completed before deployment for any AI tool processing personal financial data of Quebec clients.
3. Verification and documentation policy: Written procedures for reviewing AI-generated outputs before delivery to clients or submission to CRA, with documentation requirements for working files.
4. OSFI vendor due diligence: For practices serving regulated financial entities, documented due diligence on AI vendor governance and model risk practices.
5. CASL compliance review: Audit of any AI-driven client communications for consent documentation, identification requirements, and unsubscribe mechanics.