A partner at a small practice recently told me her team was already using ChatGPT to summarise HMRC manuals and draft client emails. She had not asked them to. She had set no ground rules. And she had no way of knowing whether the tools they were using had a data processing agreement in place.
That situation is common in UK accounting firms right now. AI has arrived in practice workflows through the side door, carried in by staff who found it useful before anyone had thought through the compliance side. The question that matters now is how to choose the right tools for the right tasks, with the right guardrails in place.
What does AI selection look like in an accounting practice?
AI adoption in accounting firms splits across three distinct use cases: document capture and admin automation, technical research and drafting, and quality review. Each involves a different type of tool, a different risk profile, and a different buying decision. ACCA’s 2024 guidance on AI for practitioners frames admin and documentation as the safe first wave, with technical judgment remaining firmly in human hands.
Admin tools handle the high-volume, structured work: capturing invoice data, coding transactions, reconciling bank statements, and managing client documents. Research tools, typically general-purpose large language models, assist with summarising standards, exploring tax questions, and drafting memos and client communications. Review tools flag anomalies in ledgers, surface missing documentation, and highlight transactions outside expected ranges.
These three categories require different evaluation criteria. A document capture tool lives inside your existing accounting platform and is assessed on accuracy, MTD compliance, and audit trail quality. A research LLM is assessed on data handling, jurisdiction coverage, and whether the enterprise terms prohibit training on your inputs. A review tool is assessed on its ability to explain why it flagged something, not just that it did.
Why does this choice carry more weight in accounting than in other sectors?
Accounting firms hold some of the most sensitive data a business carries: payroll records, company accounts, personal tax returns. Sending any of that to a cloud AI system counts as data processing under UK GDPR, per ICO guidance. That triggers controller obligations: a lawful basis, a data processing agreement, and international transfer safeguards if the data leaves the UK.
The ICO’s guidance on controllers and processors makes this explicit. When a firm sends client data to a cloud AI service, the firm remains the data controller and the AI vendor is the processor. That means the firm must have a data processing agreement in place, the vendor must process data only on the firm’s instructions, and appropriate safeguards must exist for any data crossing UK or EEA borders to reach a US-hosted API.
The FCA’s position on AI reinforces this from a professional conduct angle. Firms remain accountable under their regulatory principles when they use AI, in the same way that outsourcing any function does not shift the underlying obligation. The ACCA’s code of ethics is equally clear: professional accountants remain responsible for applying professional scepticism to AI outputs and for ensuring those outputs are reasonable, documented, and explainable to clients and regulators.
Where do these tools appear in day-to-day practice?
For admin and document capture, the tools already embedded across UK practices are Dext, AutoEntry, and Hubdoc: OCR-powered systems that extract invoice line items, VAT amounts, and supplier data and post them into Xero, Sage, or QuickBooks. Sage Copilot and Xero’s built-in AI features extend this further with bank reconciliation, cash-flow forecasting, and anomaly detection within platforms firms are already using.
CodeIQ, a UK-built AI bookkeeping layer, takes bank transactions and applies a multi-stage pipeline for account coding, VAT classification, and bank transfer detection, posting results back to Xero, Sage, QuickBooks, or Pandle. For firms that want a UK-built vendor and closer alignment with domestic data residency preferences, this is worth evaluating alongside the larger platforms.
For research and drafting, the main tools UK firms are experimenting with are ChatGPT, Claude, Perplexity, and Gemini. AccountsDraft’s UK practitioners guide recommends enterprise or business-tier subscriptions rather than free consumer accounts, partly for the data handling terms and partly because the enterprise tier typically prevents the provider training on your inputs. For summarising HMRC guidance or drafting client communications, these tools are genuinely useful, provided a human reads and verifies the output before it leaves the practice.
When does AI earn its place, and when should you hold back?
ACCA and the NCSC both point to the same principle: start with high-volume, predictable tasks that have clear acceptance criteria and a straightforward way to spot errors. Document coding, invoice matching, email triage, and first-draft summarisation of standards all fit that profile. Technical judgment calls, client-facing tax positions, and audit opinions do not, at least not with current tools.
Accountancy Age reported in January 2025 that UK firms were recovering nearly a quarter of their capacity through AI and automation. The same piece noted that many partners were not seeing margin improvement, because the time freed had not been repriced or redeployed into higher-value work. AI that reduces admin hours without a pricing or service-mix adjustment creates slack, not profit. The business model shift matters as much as the tool selection.
The NCSC recommends treating AI systems as part of your normal cyber security perimeter: least-privilege access, logging, monitoring, and regular review. That applies even to SaaS tools you did not build and cannot inspect. Staff copying client data into free-tier AI chatbots is specifically the scenario the ICO highlighted in 2024 briefings to professional services firms as a potential confidentiality breach and international transfer violation.
What do you need in place before you commit?
Before committing to any AI tool that will touch client data, three things need to be in place: a data processing agreement from the vendor, audit logs showing what the AI did with the ability to override or correct outputs, and for research use, an enterprise-tier subscription rather than a free consumer account. Each of these requirements sits behind a genuine regulatory obligation, not a preference.
For admin tools, confirm UK VAT and MTD compatibility before signing up, particularly if your firm acts for VAT-registered clients. HMRC maintains a list of MTD-compatible software, and this is a straightforward check rather than a trust-based assumption. For review tools, the AccountingWEB AI guide for accounting firms notes that the ability to explain why an item was flagged matters as much as whether it was flagged. A tool that surfaces anomalies without audit-traceable reasoning does not give you enough to satisfy professional judgement requirements.
On international data transfers, ICO guidance is clear: sending personal data to AI systems hosted outside the UK and EEA requires appropriate safeguards, typically the UK International Data Transfer Agreement or EU Standard Contractual Clauses with a UK addendum. Many US-hosted AI tools offer enterprise data processing agreements that include these safeguards. Free-tier accounts rarely do. That gap is where many accounting firms encounter their first compliance problem.
