CPA AI Policy Template: Free Download for Canadian Accounting Firms
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
This is the clause-by-clause AI policy template that Canadian accounting firms can adapt and adopt under the CPA Code of Professional Conduct. Every clause maps to a named CPA Ontario expectation from Accountabilities for CPAs in the Age of Artificial Intelligence (2024), to a CSQM 1 control objective, and to the privacy regime the firm operates under (PIPEDA, Quebec Law 25, or the provincial PIPAs in Alberta, BC, and Quebec).
The download is a Word policy document plus a one-page implementation checklist a managing partner can hand to a CSQM monitor, a cyber insurance underwriter, or a CPA Ontario practice inspector.
What’s in this download
- Fourteen numbered policy clauses, each mapped to a named section of CPA Ontario’s 2024 AI accountabilities paper and to the CPA Code (Rules 202, 203, 204, 205, and 208 in particular).
- An approved-tools and prohibited-tools matrix covering Microsoft 365 Copilot, CCH iFirm AI, CaseWare Sherlock, consumer ChatGPT, Claude.ai, Gemini, and twelve common engagement scenarios from T1 prep to audit risk assessment.
- A 90-day, 5-step rollout plan with CSQM 1 monitoring checkpoints, written sign-off filing, and quarterly partner re-attestation.
- A one-page implementation checklist a managing partner can hand to a CSQM monitor, a CPA Ontario practice inspector, or a cyber insurance underwriter at renewal.
- Privacy clause language tuned to PIPEDA, Quebec Law 25 (including the data-residency carve-out), and the Alberta, BC, and Quebec PIPAs for cross-province firms.
What’s in this download?
The template is anchored to CPA Ontario’s Accountabilities for CPAs in the Age of Artificial Intelligence (2024), to CPA Canada’s CSQM 1 (effective December 2022), and to the federal and provincial privacy statutes that govern client data flowing into a model. Every clause cites the source obligation and the rule it operationalizes, so a CSQM monitor or a CPA Ontario practice inspector can trace each control back to a named authority without guesswork.
The policy maps to CPA Code Rule 202 (integrity and due care) where the AI output is the work the partner signs, to Rule 203 (professional competence) where the firm has to demonstrate it understands what the tool does, to Rule 205 (false or misleading documents) which is where AI hallucination becomes a discipline risk, and to Rule 208 (confidentiality of client information) which is the constraint on what data can flow into a model.
The operational tools inside the document are practical and adoption-ready. The approved-tools and prohibited-tools matrix names products by vendor and engagement use case, so a managing partner can hand it to IT and have a working policy by end of week.
What the policy template covers
The matrix covers Microsoft 365 Copilot inside the firm tenant (the FC-recommended default), CCH iFirm AI assistants, CaseWare Sherlock for audit, and the cases where consumer-grade ChatGPT, Claude.ai, and Gemini are prohibited because of data-residency and training-data exposure problems.
The 90-day rollout plan covers tenant readiness (Microsoft Purview labels, Conditional Access, Entra ID hardening per CRA EFILE expectations), CSQM monitoring design, four-hour competence training, written sign-off filed with personnel records, intranet publication, quarterly monitoring under CSQM 1, and annual partner re-attestation. The monitoring-record template is the artifact most firms are missing when CPA Ontario inspects an AI-touched engagement.
The work-product-verification clause addresses the failure mode that is now showing up in disciplinary cases and in CRA reassessment letters. When an AI model fabricates a tax citation, a financial-statement footnote reference, or an audit working-paper conclusion, the partner who signed the file is the one who owns the result under Rule 205.
How firms apply this to their existing AI work
The template clause requires the preparer to sign a per-engagement attestation confirming every AI-assisted citation, calculation, or working-paper conclusion was independently verified against the primary source (CRA folio, CPA Canada Handbook, or the underlying client record) before partner sign-off.
Without that attestation in the file, the firm is one CSQM monitor visit away from a finding.
The data point we will share from our own client work: a 22-person Toronto CPA firm that adopted this template before its 2026 cyber insurance renewal saw its annual cyber premium drop by roughly 14% on the rider that asks whether a written AI policy and a written CSQM 1 framework are both in force.
The numbers vary by firm and broker, but the underwriting question is now standard across the four carriers most Canadian CPA firms use. Reach out if you want a walkthrough of how the policy interacts with your specific underwriter and your CSQM 1 monitor.
Who is this for?
This template is for the managing partner of a 4 to 50 staff Canadian accounting firm who is being asked whether the firm has a written AI policy. The question may come from an audit client’s in-house controller during procurement, a cyber insurance broker at renewal, a CSQM 1 monitor during quarterly review, or a senior associate who just read CPA Ontario’s 2024 paper.
The honest answer for most firms is no, or yes but it’s a Slack message from the partner saying “don’t paste client data into ChatGPT,” which is not a policy and will not survive a CSQM monitor visit. This download closes that gap inside one engagement cycle.
It is also for the CFO or IT director at a 50 to 200 staff regional firm who needs a reviewable starting point rather than a blank Word document. The clauses are written so an in-house IT manager, the firm’s CSQM monitor, and the practice leader can collaborate productively in a single working session.
Solo CPAs and 2 to 3 person partnerships can also use the document, though the CSQM 1 monitoring clause is materially lighter when the partner is also the monitor and the engagement quality reviewer.
It is not intended for non-Canadian accounting firms without adaptation. US firms operating under AICPA standards should cross-check against the AICPA AI guidance and the relevant state board rules. Cross-border firms with engagements that touch both CPA Canada and AICPA frameworks should adopt the strictest applicable standard rather than the CPA Ontario baseline; the template footnotes name the divergence points so that decision is documented.
Quebec-only firms should pay particular attention to the Law 25 data-residency clause, which is materially stricter than the federal PIPEDA equivalent and requires named cross-border transfer impact assessments before any non-Canadian-resident model is enabled.
Download the CPA AI Policy Template
Fill in the four fields below. We will send the Word document and the one-page implementation checklist to your firm email within five minutes. We’ll also include the 90-day rollout-plan PDF as a separate attachment so you can route it to the CFO or the CSQM 1 monitor without forwarding the full template.
Related deep dives
- The full AI for Canadian Accounting Firms walkthrough: the CPA Ontario rules, the CSQM 1 framework, and the clause-by-clause logic behind every section of the template.
- Microsoft 365 Copilot vs Generic ChatGPT for Canadian CPA firms: the approved-tools decision matrix expanded into a head-to-head review of why tenant-scoped Copilot is the default and consumer ChatGPT is the prohibited tool.
- CRA EFILE security for Canadian accounting firms: how the confidentiality clause translates into actual Microsoft 365 configuration, Entra ID hardening, and the CRA-imposed access controls every EFILE-authorized firm must operate.
- CCH iFirm and CaseWare cybersecurity hardening for Canadian accounting firms: the engagement-system piece of the approved-tools matrix and the data-segregation pattern that keeps AI exposure inside the firm tenant.
- Tax-season cybersecurity for Canadian CPA firms: the operational pressure context that explains why a written AI policy filed before February matters more than one drafted in May.
Frequently Asked Questions
What’s the download?
A Microsoft Word policy template (fourteen clauses, roughly 4,500 words), an approved-tools and prohibited-tools matrix in the same file, and a one-page PDF implementation checklist. Total payload is one Word document plus one PDF. Both are editable. Both are written for adoption by Canadian accounting firms operating under the CPA Code of Professional Conduct, with CSQM 1 monitoring hooks built in and footnotes flagging where US AICPA practice diverges.
How will my data be used?
Your name, firm name, role, and email go into Fusion Computing’s contact system. We will email you the template files within minutes. We may send occasional updates relevant to Canadian accounting firm IT, CPA Ontario AI guidance, and CSQM 1 developments, no more than once a month, and only on topics tied to CPA Ontario, CPA Canada, CRA EFILE, FINTRAC, or PIPEDA.
Your data is never sold, never shared with vendors, and you can unsubscribe from any email we send with one click.
Is this just a sales pitch?
No. The PDF and Word template are the deliverable. Most firms that download it never speak to us, and the template works without our involvement.
We make the policy free because regulator-anchored documents like this one are how Canadian accounting firms find out we exist. If you want a sales conversation about Fusion managing the Microsoft 365 Copilot rollout, the Purview sensitivity labels, the Entra ID hardening that satisfies CRA EFILE controls, or the monitoring system that keeps CSQM 1 quarterly review defensible, you can reach out on your own timeline.
Do I need to be an existing FC client?
No. The template is free for any Canadian accounting firm, in-house finance team, or accounting academic to download and adapt. It is published under a permissive license that allows use and modification inside the firm. The only restrictions are no resale and no removal of the Fusion Computing attribution footer on the title page. Most downloaders are not Fusion clients, and that is fine. Get in touch if you want help wiring the policy into your Microsoft 365 tenant.
Can I share it with my partner or colleague?
Yes. Share it with anyone inside your firm, with outside CPA counsel, with your CSQM 1 monitor, with your cyber insurance broker, or with your IT vendor. Attribution to Mike Pearlstein and Fusion Computing must remain on the title page. Beyond that, modify it freely for firm specifics. The clauses are designed to be marked up, struck through, and rewritten to fit how your firm actually runs engagements.
Who wrote this?
Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Fusion has been doing regulator-anchored AI deployment work for Canadian accounting firms, law firms, financial brokerages, and healthcare clinics since 2012. The template was reviewed against CPA Ontario’s 2024 accountabilities paper, CPA Canada’s CSQM 1 guidance, the CRA EFILE 2025 security expectations, FINTRAC’s reporting entity obligations, PIPEDA, and the provincial PIPAs in Alberta, BC, and Quebec. It was field-tested at six Canadian accounting firms before publication.
Bottom line
CPA Ontario has not amended the CPA Code to mandate a written AI policy. It has made clear, through the 2024 accountabilities paper and through every CSQM 1 monitoring expectation since, that the existing rules already apply, and that a written policy is how a firm demonstrates it has operationalized those rules.
The absence of a written policy is a material adverse factor when a CSQM monitor reviews an AI-touched engagement or when a cyber insurance underwriter prices the renewal.
A written policy anchored to the right rules, with a documented monitoring record and an annual partner re-attestation, is the threshold most firms can clear in under three weeks with this template.
If you want help with the Microsoft 365 Copilot configuration that sits behind the confidentiality clause, the Microsoft Purview sensitivity labels that have to be in place before Copilot is enabled, the Entra ID hardening that satisfies CRA EFILE access-control expectations, or the CSQM 1 monitoring system that keeps the quarterly review defensible, that is work Fusion does for Canadian accounting firms every week.
See our IT and cybersecurity hub for Canadian accounting firms for the full operating scope, or contact us to book a working session with the partner who would own the engagement.

