3 Questions Every Accounting Firm Should Ask Before Adopting AI

Published: May 7, 2026

If your firm is evaluating AI tools for tax client intake — or any AI-powered workflow — the right move is to ask hard questions before you buy. The CPA.com AI Working Group agrees.

Their AI Due Diligence Guide identifies five things every firm should verify before adopting AI tools. Three are questions with direct, verifiable answers, which we answer below. The other two aren’t questions so much as guidance on how to evaluate the answers you get, and we’ll address those at the end of this article.

Question 1: Where does your data go?

This is the most important question you can ask an AI vendor, and the quality of their answer tells you almost everything you need to know about how seriously they take data privacy. The CPA.com guide asks vendors to explain what data is accessed, where it’s processed and stored, whether it’s sent to an external LLM, and what is redacted before leaving the system. For SmartVault, most of that answer comes down to one principle: your data never leaves.

When SmartRequestAI® processes a client’s prior-year tax return to generate a personalized questionnaire, that data stays securely stored inside SmartVault’s infrastructure at all times — the same infrastructure that has protected accounting firm data for over 15 years, currently housing over 500 million documents and supporting more than 3 million users.

There is no movement to an external system, no exposure to third-party infrastructure, and no sharing with outside parties. Because nothing leaves the system, there is nothing to redact or anonymize in transit.

SmartRequestAI uses private AI models, which also addresses a related question the guide raises: whether your data is used to improve the underlying model. The model does not train on your data, full stop. This means your client data is used only to generate results for your firm — not to improve a shared system.

SmartRequestAI is built inside SmartVault, a SOC 2 Type 2 compliant document management and client portal platform. Our infrastructure maintains strict security standards and enterprise-grade security features. We cover our SOC 2 compliance in detail in Question 3.

Question 2: Where and why is AI used inside the product?

The CPA.com guide asks vendors to distinguish between deterministic logic, probabilistic AI, generative AI, autonomous workflows, and other types of AI — and to explain the reasoning behind each choice. It’s the right question, because not every task in a tax workflow should involve AI, and a good vendor should be able to tell you exactly where the line is.

Deterministic logic produces the same output every time given the same input — there is no inference, prediction, or interpretation involved. In SmartRequestAI, deterministic logic handles everything where accuracy is non-negotiable. The tax year is assigned automatically based on the date a request is sent. Documents are routed to the correct engagement folders based on tagging. Workpapers are compiled with consistent formatting and structure based on the questionnaire and source documents. These outcomes are rule-based and exact, and AI inference has no role in any of them.

Generative AI is used where context and interpretation are required — specifically, in understanding unstructured tax documents and translating them into usable inputs. In SmartRequestAI, generative AI functions as the intelligence layer of the system. This is where AI adds value: interpreting what appears in a prior-year return and translating it into a relevant, personalized request for the current year. This type of contextual understanding cannot be replicated with rule-based logic alone.

Autonomous workflows involve AI agents that take independent actions without human initiation or oversight. This is not part of how SmartRequestAI operates. A staff member initiates every client request, and the AI does not take independent actions on your firm’s behalf. There are no agents running in the background making decisions without human involvement — every step in the process has a person behind it.

Probabilistic AI uses patterns in data to make predictions, producing outputs that are likely rather than certain. SmartRequestAI does not use this approach.

Other types of AI are not currently used in SmartRequestAI beyond what is described above.

Question 3: Do you have a SOC 2 Type 2 report?

When firms ask about SOC 2, they’re usually trying to answer a simple question: is this vendor actually secure, or just saying the right things?

Not all SOC 2 compliance answers that question equally, and the CPA.com guide is explicit about this. Before looking at where SmartVault stands, it’s worth understanding what separates the two types.

Here’s the simplest way to think about the difference:

  • SOC 2 Type 1 captures a snapshot. It confirms that security controls were in place at a specific point in time. That’s a reasonable starting point, but it’s limited — a vendor can pass a Type 1 audit and still have inconsistent or unreliable practices the rest of the year.
  • SOC 2 Type 2 evaluates performance over time — typically across three to twelve months. Instead of taking a snapshot, auditors test whether those controls actually work consistently in real-world conditions, across systems, processes, and people. It reflects sustained operational discipline, not something that can be staged for a single audit date.

That’s why the CPA.com guide specifically asks whether a vendor has a SOC 2 Type 2 report — not Type 1 — and whether that report is available for review. It also recommends understanding who conducted the audit, how third-party vendors are handled, and whether there are any exceptions or limitations in the report.

SmartVault has completed successive SOC 2 Type 2 audits and received a clean opinion in each — our report is available in our Trust Center upon request. SmartRequestAI operates entirely within SmartVault’s existing infrastructure and operational environment. That means the controls evaluated in our SOC 2 Type 2 audit apply directly to how the product is built, delivered, and maintained.

Our audits are conducted by Securance, a global firm focused specifically on cybersecurity and compliance assurance. Their specialization ensures that the controls being evaluated are reviewed with deep domain expertise, not as part of a generalized audit practice.

As in most SOC 2 reports, certain third-party providers are handled using standard industry practices. SmartVault remains responsible for selecting, managing, and applying appropriate controls to those relationships.

We pursue SOC 2 Type 2 compliance because our customers are accounting firms, and accounting firms need more than a vendor’s promise — they need proof. Your clients trust you with their most sensitive financial data, and that trust has to be backed by something verifiable.

Our Commitment to Transparency — and Their Last Two Points

The CPA.com guide’s fourth item is a trial period. Their fifth is vendor transparency. Here’s where we stand on both items.

On transparency: the guide notes that the willingness to engage openly tells you as much as the answers themselves. Vendors who deflect, get vague, or can’t produce documentation quickly are signaling something about how seriously they take this.

SmartVault was built specifically for accounting professionals, which means we’ve spent over 15 years operating inside one of the most security-conscious industries there is. The firms we serve are responsible for sensitive financial data, and that reality has shaped every infrastructure and security decision we’ve made — from pursuing SOC 2 Type 2 compliance to building SmartRequestAI on private AI models. We welcome the scrutiny that comes with working in this space, and we applaud the firms that ask these questions. That diligence is exactly what your clients deserve from you, and it’s exactly what you should demand from us.

On trials: If you’re new to SmartVault, we offer a 14-day free trial that lets your team explore the platform — document organization, secure file sharing, and more — using your own workflows and sample data.

SmartRequestAI is not included in the standard trial. It is an add-on, purchased in bundles, and requires an active SmartVault subscription. Because SmartRequestAI relies on prior-year tax data and structured document workflows, it’s best evaluated in a real-world environment rather than a generic trial setting.

If you’re already a SmartVault customer, you can request limited access to SmartRequestAI before purchasing, giving you the ability to test AI-generated questionnaires and document requests using prior-year 1040 data in real-world conditions.

Regarding data retention: files stored in SmartVault are retained on our servers for a minimum of 90 days after account deactivation. If you reactivate within that window, your data remains accessible. After 90 days, we reserve the right to permanently delete stored files.

Ready to See It for Yourself?

The questions in this guide exist because trust has to be earned, not assumed. The answers above are our starting point. The demo is where the conversation continues.

If you’re not yet a SmartVault customer, the best place to start is a demo. You’ll see the full platform — including SmartRequestAI — and you can ask us anything on this list.

If you’re already a SmartVault customer and want to explore SmartRequestAI before adding it to your subscription, schedule a SmartRequestAI demo and we’ll walk you through how to get started.