The AICPA Has Looked at SOC Tool Provider Contracts. What It Found Should Alarm Everyone.

By Donal Kerr, CEO, Run Audit

I recently wrote about what happens when you build a company on the promise of shortcuts. I was writing in the context of a specific scandal — a well-funded AI startup accused of generating hundreds of nearly identical audit reports before anyone had looked at the underlying organisations — but my point was about a pattern, not just one company. Fake compliance didn’t arrive with AI. AI just made it possible to industrialise it.

In April 2026, the AICPA Professional Ethics Division published a piece that names the same pattern in precise professional language. SOC Engagements: Ethics Risks With Tool Providers is not a think piece. It is a formal statement from the AICPA’s ethics function, grounded in the Code of Professional Conduct, about specific contract terms and business arrangements now circulating in the SOC 2 market — and about what they mean for the independence and professional judgement of the CPAs who sign those reports.

The Market Structure the AICPA Is Describing

The article addresses a specific and now widespread commercial model: the SOC 2 tool provider that doesn’t just help organisations prepare for SOC 2 examinations, but actively brokers those examinations — cultivating relationships with CPA firms to route client engagements their way, setting the terms of those engagements through contract, and in some cases bundling the examination itself as a product feature.

The Contract Terms That Create Threats

The article identifies specific contract clauses and arrangements that create ethics and independence threats under the AICPA Code.

Cross-referral arrangements. When a service auditor’s client flow becomes concentrated in a single tool provider — particularly where there is an exclusive relationship — independence is threatened. The volume of referrals creates a self-interest threat.

Tool provider involvement in the examination. Contractual rights that allow the tool provider to observe audit work or sit in on service auditor-client discussions create an undue influence threat. The examination is the auditor’s.

Tool provider-driven deadlines. Contracts that require completion within a fixed time frame, without appropriate regard for the service auditor’s professional judgement about scope, risk, and evidence needs, are a direct threat to the auditor’s ability to meet the SSAEs.

Bundled services and fee control. The AICPA is explicit: if a third party effectively controls the audit fee or ties it to other services, independence may be impaired. The fee must be set by the service auditor using professional judgement.

Non-disparagement clauses and evidence access. The AICPA flags contract terms where non-disparagement clauses effectively prevent the service auditor from communicating required matters to the client — and arrangements where the service auditor must pay the tool provider to access the evidence needed for the examination. An auditor who needs to pay a third party to see the evidence on which their own report will be based is not running a compliance engagement. That is a document production service with professional credentials attached.

The Advertising Problem

Some tool providers make claims in their marketing that no independent service auditor could legitimately make: guaranteeing a clean audit, promising a 100% pass rate, or using phrases like AICPA-approved. The AICPA’s precise formulation is important: a service auditor cannot outsource misleading marketing to a vendor to avoid compliance with the rules. If a tool provider is making false claims and the CPA firm is participating in that arrangement, the CPA firm is not insulated by the fact that the claims came from the vendor.

This Is the Same Conversation the FRC Is Having

The FRC’s guidance on generative and agentic AI in audit makes clear that human accountability is non-negotiable. You cannot let the tool, the platform, or the commercial relationship substitute for your professional judgement. The AICPA article is making an identical claim in the specific context of SOC tool provider contracts. Every arrangement the AICPA flags — fee control, evidence access restrictions, deadline pressure, non-disparagement clauses, misleading marketing — shifts control away from the auditor and toward a commercial intermediary with no professional obligation to audit quality.

What This Means for Practitioners

The AICPA’s practical guidance is clear. Where contract terms shift control, professional judgement, or access to evidence away from the auditor toward the tool provider, service auditors need to evaluate those arrangements rigorously under the Code. If threats are significant, safeguards must be applied. If the arrangement would prevent compliance with the Code or the SSAEs, the service auditor should decline or discontinue the engagement. Documentation of that evaluation is required — not optional.

The specific questions to ask of any tool provider relationship: Does the tool provider control my examination fee? Do I need to pay the tool provider to access evidence? Are there terms restricting what I can communicate to the client? Is the tool provider involved in the examination itself? Is the marketing making claims about outcomes I couldn’t legitimately make?

What This Means for the Tools We Build

There’s a version of AI-enabled audit tooling that serves professional judgement, and a version that tries to replace or commercially entangle it. The AICPA article is a precise description of what the second version looks like in contractual form.

At Run Audit, the platform handles evidence ingestion, control mapping, and multi-framework gap analysis — freeing the auditor to do the work that actually requires them. What we don’t do is set fees, manage the client relationship, involve ourselves in the examination, or make claims about outcomes on a practitioner’s behalf. The boundary the AICPA is drawing — between tools that support the auditor and arrangements that compromise them — is one we think about a lot.

What are you actually seeing from tool providers in your market — and how are you thinking about where the lines are? I’d genuinely like to hear from practitioners navigating this.