Go to top of page

TPB(PN) D38/2017 Outsourcing, offshoring and the Code of Professional Conduct

Exposure Draft

TPB practice note

TPB(PN) D38/2017

Outsourcing, offshoring and the Code of Professional Conduct

This exposure draft practice note is also available as a PDF, download  TPB(PN) D38/2017 Outsourcing, offshoring and the Code of Professional Conduct (251 KB)

Tax Practitioners Board exposure draft practice note

The Tax Practitioners Board (TPB) has released this draft practice note to provide practical guidance and assistance to registered tax practitioners in understanding their obligations under the Code of Professional Conduct in relation to the use of outsourcing and offshoring.

Comments invited

The TPB invites comments and submissions in relation to this draft practice note. The comment period is open for 45 days with the closing date for submissions being 12 October 2017 

The TPB will then consider any submissions before settling its position, undertaking any further consultation required and finalising the practice note.

Written submissions can be made via email at tpbsubmissions [at] tpb.gov.au or by mail to:

Tax Practitioners Board

GPO Box 1620

SYDNEY NSW 2001
 

Disclaimer

This document is in draft form, and when finalised, will be intended as information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA). In addition, please note that the principles and examples in this paper do not constitute legal advice. They are also at a preliminary stage only. The TPB’s conclusions and views may change as a result of the comments the TPB receives or as other circumstances change.
 

Document history

This draft practice note was issued on 28 August 2017 and is based on the TASA as at 15 March 2017.

Issue date: 28 August 2017

 

Introduction

  1. This draft practice note has been prepared by the Tax Practitioners Board (TPB) to provide practical guidance and assistance to registered tax agents, BAS agents and tax (financial) advisers[1] (registered tax practitioners) to understand their obligations under the Code of Professional Conduct (Code), as contained in section 30-10 of the Tax Agent Services Act 2009 (TASA), in relation to the use of outsourcing and offshoring.
  2. In this draft practice note, you will find the following information:
    • what is outsourcing and offshoring? (paragraphs 3 to 10)
    • factors to consider when entering into arrangements involving outsourcing and/or offshoring (paragraphs 11 to 49)
    • consequences of having inadequate arrangements (paragraphs 50 to 52)
    • where to find further information (paragraph 53).
       

What is outsourcing and offshoring?

  1. The terms ‘outsource’ and ‘offshoring’ are not defined in the TASA. As a result, the terms take on their ordinary meaning. The Oxford Dictionary (2015) provides the following definitions:

Outsource

To obtain (goods or a service) by contract from an outside supplier

Offshoring

The practice of basing some of a company’s processes or services overseas

  1. Essentially, outsourcing involves an entity entering into an agreement with a third party[2] to provide a specific process(es), function(s), service(s) or activity(ies).[3] It can involve transferring portion(s) of services an entity provides or even an entire operation to outside providers, contractors or suppliers.
  2. Examples of outsourcing activities include the following:
    • contracting or engaging a third party external IT provider to provide IT services (for example, hosting client data on a Cloud based platform)[4]
    • seeking an opinion or advice from a third party (such as another registered tax practitioner or legal practitioner)
    • contracting with a third party domestically located entity to undertake specific work
    • contracting with a third party foreign entity to undertake specific work (see also paragraphs 7 to 10 below for more information on ‘offshoring’)
    • entering into a service trust arrangement whereby a third party trust undertakes specific work for the registered tax practitioner.
  3. There are various outsourcing models including, among others, outsourcing of activities to subsidiaries, directly hiring a third party foreign entity, or employing a third-party vendor who may be onshore (within Australia; including through the use of service trust arrangements or contracting out to a referral network) or offshore (including through accessing an entity’s systems at a remote location).
  4. Offshoring occurs where an entity enters into an arrangement to transfer a process, function, service or activity to a country other than Australia. It is important to note that offshoring does not necessarily involve the use of outsourcing.
  5. Examples of offshoring activities include, among others:
    • a registered tax practitioner transferring specific work (for example, processing activities) from their Australian office to their international office (with no third party involvement)
    • a registered tax practitioner moving an internal business unit from Australia to another country (with no third party involvement)
    • a registered tax practitioner engaging a third party in a foreign country to undertake specific work
    • a registered tax practitioner engaging an overseas third party to host and operate computer infrastructure on behalf of the registered tax practitioner.
  6. Some more common outsourcing and offshoring models can include:
    • outsourced offshoring (outsourcing of activities to a third party located in a foreign country)
    • captive offshoring (when firms set up their own operations in offshore locations), or
    • a joint venture model (an organisation forms joint ventures with overseas service providers and transfers their functions into the new entity).
  7. It is important to recognise that there are various arrangements that can be a mixture of both outsourcing and offshoring if and to the extent that the service provider to whom business activities are outsourced performs them outside Australia. As an example, the provision of a service where another party hosts and operates computer infrastructure on behalf of an entity at an external data centre or in a cloud environment would be outsourcing, and if done outside Australia, offshoring.
     

Factors to consider when deciding to enter into outsourcing and offshoring arrangements

General considerations

  1. When entering into outsourcing and offshoring arrangements, various factors will need to be considered, depending on the nature of the particular arrangement and also the circumstances of the registered tax practitioner. However, as a starting point, registered tax practitioners may wish to consider the following general factors:
    • if there is a clear definition of duties, obligations and responsibilities of the parties involved in the arrangement, including sufficient detail and review provisions to provide assurances for security and confidentiality
    • the details of any limitation of liability and indemnity insurance arrangements for the parties (for example, clauses contained in the terms and conditions of outsourced provider agreement(s) or terms of use)
    • if the outsourced provider is allowed to unilaterally change relevant terms of the agreement (that is, without input from the registered tax practitioner), including in relation to change in business and/or ownership structure, how or where data is stored or managed, and review processes
    • if there is flexibility to allow for changes / developments in technology and operations
    • how  information is being transferred between various systems and whether data integrity is being maintained
    • how information is being stored and accessed
    • the processes in place in relation to the backup and archiving of information (such as multiple backup servers)
    • the security controls the registered tax practitioner and outsourced provider is responsible for (such as issues around passwords, encryption, backups and having security protocols in place to safeguard against unauthorised access)
    • the protections in place to prevent service access from being disrupted
    • the processes in place for managing and resolving disputes in relation to access to client information (including legal jurisdiction)
    • the processes in place to evaluate and oversee outsourcing relationships, recognising that oversight activity will depend in part on the scope and complexity of the services being outsourced
    • the processes in place for the registered tax practitioner to review output of the outsourced or offshore entity
    • the processes in place for exiting an arrangement / when the arrangement ends (including, for example, the return of or access to data held in the cloud)
    • if there are any relevant legislative and regulatory requirements associated with having any information held offshore (that is, information stored or processed in equipment not located in Australia).
  2. In addition, while not binding on all registered tax practitioners, further useful guidance on issues to consider and steps that may be taken when providing or utilising outsourced services may also be found in specific Accounting Professional and Ethical Standards Board (APESB), Australian Prudential Regulation Authority (APRA), Australian Securities and Investments Commission (ASIC),  and Australian Securities Exchange (ASX) guidance.[5] It is also noted that TPB accredited recognised professional associations may be able to assist in providing practical guidance, while recognising that there is not a default one-size-fits-all template and that arrangements will need to be mindful of the particular circumstances.
     

Code obligations

  1. The Code, as contained in section 30-10 of the TASA, does not specifically deal with the issue of outsourcing and/or offshoring. However, there are a number of Code obligations that may be relevant when using these types of arrangements.
  2. The Code regulates the personal and professional conduct of registered tax practitioners, and contains 14 items covering obligations in relation to honesty and integrity, independence, confidentiality, competency, and other obligations such as responding to requests from the TPB. When using or considering outsourcing and offshoring arrangements for your practice, you need to ensure, among other things, that:
    • appropriate disclosure is provided to clients (see the section on Code item 6 below)
    • services are provided to a competent standard (including sufficient staff with the necessary professional competencies and skills) (see the section on Code item 7 further below)
    • adequate supervision and control arrangements are in place (see the section on Code item 7 further below)
    • reasonable care is taken in ascertaining the client's state of affairs and in ensuring that the taxation laws are applied correctly to the client's circumstances (see the section on Code items 9 and 10 further below)
    • you maintain professional indemnity insurance that meets the Board’s requirements (see the section on Code item 13 further below).
  3. The following paragraphs contain further detail in relation to the above-mentioned obligations under the Code.
     

Code item 6

  1. Code item 6 provides that a registered tax practitioner must not disclose any information relating to a client’s affairs to a third party unless:
    • the tax practitioner has the client’s permission; or
    • there is a legal duty to do so.[6]
  2. For the purposes of the TASA, a third party is any entity other than the client legal entity and the registered tax practitioner legal entity.[7]
  3. Examples of third parties can include:
    • entities that maintain offsite data storage systems (including ‘cloud storage’)[8]
    • another entity to which a registered tax practitioner outsources a component of a tax agent service[9] (for example, another registered tax practitioner, a legal practitioner, or an overseas or offshore entity), including where that entity might be related to, associated with, or a subsidiary of the registered tax practitioner entity
    • subject to relevant contractual arrangements, other AFS licensees, authorised representatives, para-planners, product providers and advisers, insurance brokers, and technical teams and advisers[10]
    • an overseas party that shares the same brand/name as that in Australia but is a different legal entity
    • a wholly-owned subsidiary (different legal entity)
    • service trust arrangements
    • a separate entity partly controlled by an outsourcer based either in Australia or overseas
    • unrelated parties such as subcontractors and labour-hire arrangements.[11]
  1. It is only necessary that the information relates to the affairs of a client. Therefore, the information does not have to belong to the client, or have been directly provided by the client to the registered tax practitioner.
  2. Assuming that there is no legal obligation, registered practitioners must obtain permission from each client prior to divulging client information to a third party. This permission has to be relevant to the engagement and may be by way of a signed letter of engagement, signed consent, or other communication with the client.[12] The relevant communication should outline the disclosures to be provided, as well as information about the entity/entities (where known) that will have access to the client information.
  3. When obtaining client permission, it is recommended that the registered tax practitioner inform the client about the proposed disclosure, including noting to whom and where the proposed disclosure will be made (if known or reasonably ought to have known). However, it is also recognised that a general consent relating to disclosure to third parties may also be acceptable having regard to particular circumstances. Further, a registered tax practitioner is not excused from taking necessary steps to protect information just because it would be inconvenient, time-consuming or costly to do so.[13]
  4. However, even in the context of a general disclosure, registered tax practitioners should require a positive step from their client to authorise the requisite disclosure. This may include an appropriate ‘opt-in’ type approach.
  5. While there is no set formula or methodology used to obtain client permission, the TPB suggests that registered tax practitioners be clear in explaining to their client where information may be disclosed (including, among other things, where a component of work or add-on activity is completed elsewhere). For example, to avoid any likelihood of your practices being seen as misleading, we suggest that you must not imply or state that all your work is completed in Australia, if that is not the case.[14]
  6. There are a number of controls that could be employed to assist in maintaining and protecting the confidentiality, integrity and availability of data to ensure that information is not disclosed beyond the scope of the client’s consent, such as:
    • an appropriate confidentiality agreement between the registered tax practitioner and their outsourced provider
    • other appropriate protocols, such as:
      • use of a secured website and encrypted network traffic
      • security credentials
      • access controls ensuring unauthorised persons do not have access to data
      • standardised reporting
      • audit trails
      • appropriate segregation of duties
      • approval and review of data changes.
  1. For further information, including in relation to ‘third party’, ‘permission’, ‘legal duty’ and cloud computing refer to the following TPB information products:
  2. Ultimately, the onus is on the registered tax practitioner to exercise appropriate due diligence when outsourcing work and sending information offshore, including ensuring appropriate disclosure. It is also important to be mindful that outsourcing and offshoring may also give rise to other obligations under the TASA, including ensuring that a tax agent service is provided to a competent standard and that there are adequate supervision and control arrangements (see further below).
     

Code item 7

  1. Code item 7 provides that a registered tax practitioner must ensure that any tax agent service they provide, or that is provided on their behalf, is provided competently.[15] This includes where such services are provided by an unregistered external contractor, whether in Australia or abroad.
  2. Where a registered tax practitioner outsources part or all of the provision of tax agent services to an unregistered third party, they must ensure that the work performed by the third party is under their supervision and control or the supervision and control of another registered tax practitioner.[16] In this case, the registered tax practitioner is ultimately responsible for the quality of work of the unregistered third party, including ensuring that there are appropriate supervisory arrangements.[17]
  3. Where a registered tax practitioner outsources the provision of tax agent services to a registered third party, then the tax practitioner is not responsible for reviewing the third party’s work, nor are they required to provide supervision and control.
  4. Therefore, when contemplating or using an outsourcing or offshoring arrangement there is a need to carefully consider the extent to which this may impact on the ability to supervise work, noting that supervision and control should be commensurate with the nature and extent of the work undertaken. Practitioners should ensure that any services provided to clients in Australia from a location outside Australia are provided competently, just as must occur within Australia.
  5. However, it is also important to recognise that while supervisory arrangements may be an important factor in ensuring services are provided to a competent standard, it will not of itself ensure competency. It is not sufficient to simply say that 'supervisory work' is being undertaken and that work is being reviewed, you must also satisfy the Board that:
    • there are adequate supervisory and review arrangements, including having a sufficient number of individuals (being registered tax practitioners) for the work being carried out
    • internal procedures are used to satisfy supervisory and control requirements, which may include activities such as:
      • training for offshore staff in Australian tax
      • registered tax practitioners or other experts being onsite overseas
      • rotation for overseas staff to gain experience, and
      • solid quality assurance and review systems
    • registered tax practitioners are involved so that the work being completed overseas is considered competent for Australian tax law purposes
    • registered tax practitioners are meeting their requirements for maintaining knowledge and skills relevant to the tax agent services, such as taxation laws and tax administration, and
    • registered tax practitioners are maintaining competence by continuing awareness, understanding and up-to-date knowledge of relevant technical, legal and business developments.
       

Adequate supervisory arrangements

  1. As is the case with the phrase ‘competent standard’, the phrase ‘supervisory arrangements’ is not defined in the TASA and takes on its ordinary meaning. Supervisory arrangements are broadly considered to be arrangements aimed at directing, overseeing and checking the tax agent service performed (on behalf of a registered tax practitioner) to ensure those services are provided competently.[18]
  2. The Macquarie Dictionary (2009) provides the following definitions:

Supervise

  1. to oversee (a process, work, workers, etc.) during execution or performance; superintend; have the oversight and direction of.

Supervision

  1. the act or function of supervising; oversight; superintendence.

Control

  1. to exercise restraint or direction over; dominate; command

  1. the act or power of controlling; regulation; domination or command
  2. check or restraint.
  1. There is no standard process to determine if you have adequate supervisory arrangements in place. A number of factors may be relevant in determining whether adequate supervisory arrangements are or have been in place, noting that this will vary from entity to entity having regard to the particular circumstances. These factors include:[19]
    • the level and depth of oversight over the provision of tax agent, BAS or tax (financial) advice services, noting that this will vary according to the skills and experience of the individuals providing the services and the complexity of the service being provided
    • the physical or geographic proximity of the registered tax practitioner to the person carrying out the work
    • whether there is substantial supervision, rather than mere checking of documents, while recognising that the oversight will vary according to the knowledge, skills and experience of the person doing the work and the complexity of the tax matters involved
      • in particular, it is noted that merely checking a document prepared by an unskilled employee / contractor / other provider to determine whether the contents of the document seems reasonable does not demonstrate a sufficient degree of supervision and control
      • further, it is noted that while it is not necessary to closely monitor all work carried out on behalf of the registered tax practitioner, a substantial degree of oversight of the individuals carrying out the work is required
    • whether the registered tax practitioner performs periodic and spot checks of relevant material prepared
    • quality assurance mechanisms such as conducting regular reviews of work performed or undertaken to ensure the accuracy and completeness of the services provided on their behalf
    • the degree of control exercised by the registered tax practitioner over the way in which work is carried out on their behalf
    • the level of relevant initial and ongoing educational and practical training undertaken  by those performing work on behalf of the registered tax practitioner, recognising that staff engaged to provide the services are required to possess an adequate level of education and understanding of the relevant tax legislation concepts to undertake the tasks for which they are responsible
    • whether there are documented procedures to ensure relevant processes can occur, including escalation of issues that are beyond an individual’s knowledge or experience to an appropriate supervisor.
  2. Determining whether appropriate supervision and control has been exercised or if there are appropriate supervisory arrangements in place, will require an assessment of the measures taken by a registered tax practitioner to supervise and control relevant activities in the context of the circumstances of their practice.
  3. Ultimately, what is adequate will be a question of fact to be determined on the basis of the specific facts of a particular case.
  4. It is also highlighted that in the event that there are any changes in circumstances relevant to the registration of a registered individual, company or partnership tax practitioner, which may include when ceasing to be a supervising agent for another registered entity, it is imperative that the registered tax practitioner notifies the TPB as required under section 30-35 of the TASA.
  5. For further information, see the following TPB information sheets:

Code items 9 and 10[20]

  1. Code item 9 provides that a registered tax practitioner must take reasonable care in ascertaining a client’s state of affairs, to the extent that ascertaining the state of those affairs is relevant to a statement they are making or a thing they are doing on behalf of the client.
  2. Code item 10 provides that a registered tax practitioner must take reasonable care to ensure that taxation laws are applied correctly to the circumstances in relation to which they are providing advice to a client.
  3. When it comes to outsourcing or offshoring tax agent services, there is no set formula for determining what it means to take reasonable care. Rather, whether a registered tax practitioner has taken reasonable care in a given situation will depend on an examination of all the circumstances, including:
    • the nature and scope of the tax agent services being provided[21]
    • the terms of engagement between the registered tax practitioner and the outsourced provider or offshore entity
    • the agreed terms of engagement between a registered tax practitioner and their client, including whether the client, or another entity, checks or reviews the work before purporting to rely on it[22]
    • the skills, experience, qualifications and abilities of the outsourced/offshore provider
    • the degree of supervision and oversight the registered tax practitioner exercises over the provider’s provision of tax agent services
    • the client’s circumstances, including their level of sophistication (such as education standard and level of tax knowledge or experience in the area which is the subject of advice) and
    • the nature of any pre-existing relationship between the registered tax practitioner and their client. 
  4. The standard generally requires a registered tax practitioner to act in a way consistent with how a competent and reasonable person, possessing the knowledge, skills, qualifications and experience of a registered tax practitioner, objectively determined, would act in the circumstances. The Board expects that, due to the nature of the use and/or engagement of an outsourced or offshore provider, registered tax practitioners will be required to take additional steps and measures to those that they would ordinarily need to take. This will ensure that the applicable technical and professional standards are met and that a client receives competent professional services.
  5. For further information, see the following TPB information sheets:

Code item 13 – Professional indemnity insurance

  1. Code item 13 provides that a registered tax practitioner must maintain the professional indemnity insurance (PI insurance) that the Board requires them to maintain.[23]
  2. The objective of the TPB's PI insurance requirements is to ensure those entities that are registered with the TPB have adequate PI insurance cover for the tax agent services / BAS services / tax (financial) advice services they provide. Features include, among other things, scope of cover,[24] amount of cover, persons covered, exclusions, and insurance provider.
  3. A registered tax practitioner who outsources or provides outsourced services should review their PI insurance policy to assess whether appropriate coverage exists for the outsourced services.
  4. The TPB’s PI insurance requirements (including features of adequate PI insurance cover and minimum requirements and exclusions) are outlined in the following explanatory papers:

Privacy Act

  1. In addition to their obligations under the Code in the TASA, registered tax practitioners should also be aware that the Privacy Act 1988 (Cth) (Privacy Act) sets out a number of Australian Privacy Principles (APPs) which govern the use of, storage and disclosure of personal information.  Some of these APPs may have a direct impact on the requirement to obtain consent from clients.
  2. Registered tax practitioners should seek their own advice about whether the provisions of the Privacy Act apply to them. Information about obligations under the Privacy Act is provided by the Privacy Commissioner and is accessible from the Office of Australian Information Commissioner’s website at www.oaic.gov.au
     

Consequences of having inadequate outsourcing arrangements

  1. If a registered tax practitioner has inadequate procedures and policies in relation to their outsourcing or offshoring arrangements, the TPB may find that the registered tax practitioner has breached the Code and may impose one or more of the following administrative sanctions:
    • a written caution
    • an order requiring the registered tax practitioner to do something specified in the order
    • suspension of the practitioner’s TPB registration
    • termination of the practitioner’s TPB registration.
  2. In addition to the above consequences of any breach of the Code, the registered tax practitioner may also contravene other relevant legislation (such as, from the Privacy Act or the Corporations Act 2001 (Cth)).
  3. Ultimately, determining whether a registered tax practitioner has complied with their obligations under the Code will be a question of fact. This means that each situation will need to be considered on a case-by-case basis having regard to the particular facts and circumstances.
     

Further information

  1. Outlined below is a listing of reference material that may provide further guidance in relation to what is outsourcing and offshoring, and general considerations and issues to consider in contemplating an outsourcing / offshoring arrangement:

 

Information product

Purpose of document

Tax Practitioners Board

TPB practice note TPB(PN) 01/2017: Cloud computing and the Code of Professional Conduct

Provides guidance to assist registered tax practitioners to understand their obligations under the Code of Professional Conduct, as contained in section 30-10 of the Tax Agent Services Act 2009 (TASA), in relation to the use of cloud computing

TPB information sheet TPB(I) 21/2014: Code of Professional Conduct – Confidentiality of client information (for tax and BAS agents)

Further information regarding obligations under Code item 6 – Confidentiality (as contained in subsection 30-10(6) of the TASA) for registered tax and BAS agents

TPB information sheet TPB(I) 32/2017: Code of Professional Conduct – Confidentiality of client information for tax (financial) advisers

Further information regarding obligations under Code item 6 – Confidentiality (as contained in subsection 30-10(6) of the TASA) for registered tax (financial) advisers

TPB information sheet TPB(I) 01/2011: Letters of engagement

Further information regarding engagement letters

TPB information sheet TPB(I) 17/2013: Code of Professional Conduct – Reasonable care to ascertain a client’s state of affairs

Further information regarding Code item 9 in the TASA (reasonable care to ascertain a client’s state of affairs) for registered tax and BAS agents

TPB information sheet TPB(I) 28/2016: Code of Professional Conduct – Reasonable care to ascertain a client’s state of affairs for tax (financial) advisers

Further information regarding Code item 9 in the TASA for registered tax (financial) advisers

 

TPB information sheet TPB(I) 18/2013: Code of Professional Conduct - Reasonable care to ensure taxation laws are applied correctly

Further information regarding Code item 10 in the TASA (reasonable care to ensure taxation laws are applied correctly) for registered tax and BAS agents

TPB information sheet TPB(I) 29/2016: Code of Professional Conduct - Reasonable care to ensure taxation laws are applied correctly for tax (financial) advisers

Further information regarding Code item 10 in the TASA for registered tax (financial) advisers

TPB information sheet TPB(I) 26/2016: Labour hire/on-hire firms

 

Provides guidance to assist labour hire/on-hire firms involved in the provision of tax related services to understand the operation of the tax agent services regime and whether or not they need to register with the TPB

TPB information sheet TPB(I) 13/2012: Contractors

 

Provides guidance to help contractors to understand the operation of the tax agent services regime, including registration requirements for contractors and employees

TPB information sheet TPB(I) 09/2011: Software providers and the Tax Agent Services Act 2009

 

Provides guidance to assist software providers who provide tax related software systems to understand the operation and impact of the tax agent services regime

TPB information sheet TPB(I) 08/2011: Reports or other advice incorporating tax agent services provided by a third party

Provides information about the TPB’s position on reports or other advice incorporating tax agent services provided by a third party

TPB explanatory paper TPB(EP) 02/2010: Fit and proper person

Provides a detailed explanation of the Board’s interpretation of the fitness and propriety requirements in subdivision 20-A of the TASA

TPB explanatory paper TPB(EP) 01/2010: Code of Professional Conduct

Provides a detailed explanation of the Board’s interpretation of the Code of Professional Conduct contained in Division 30 of the TASA

TPB explanatory paper TPB(EP) 03/2010: Professional indemnity insurance requirements for tax and BAS agents

Explains the TPB's interpretation of the provisions in the TASA relating to the professional indemnity insurance requirements for tax and BAS agents

TPB explanatory paper TPB(EP) 05/2014: Professional indemnity insurance requirements for tax (financial) advisers

Provides an explanation of the TPB's professional indemnity insurance requirements for tax (financial) advisers

Accounting Professional & Ethical Standards Board Limited

Guidance Note GN 30: Outsourced Services

Provides information in regard to managing risks associated with providing or utilising outsourced services, including steps that may be taken

Australian Prudential Regulation Authority

APRA Prudential Standard SPS 231: Outsourcing

Sets out APRA’s requirements in relation to outsourcing / outlines factors to consider when entering into outsourcing arrangements

APRA Prudential Standard CPS 231: Outsourcing Outlines requirements that apply for applicable APRA-regulated institutions, including outlining information to address in an outsourcing agreement
APRA Prudential Standard SPG 231: Outsourcing Provides guidance to assist registrable superannuation entity licensees in complying with APRA’s requirements in relation to SPS 231 and, more generally, to outline prudent practices in relation to managing outsourcing

Information paper: Outsourcing involving shared computing services (including cloud)

Includes guidance on general considerations (including governance arrangements, risk considerations and assurance mechanisms) when assessing the use of cloud services

Prudential Practice Guide: PPG 234 – Management of security risk in information and information technology

Includes guidance in relation to managing security risk

Prudential Practice Guide: CPG 235 - Managing data risk

Includes guidance in relation to managing security risk

Australian Securities and Investments Commission

ASIC Regulatory Guide RG 105: Licensing - Organisational competence

Describes what ASIC looks for when assessing compliance with the organisational competence obligation in s912(1)(e) of the Corporations Act 2001 (Cth)

ASIC Regulatory Guide RG 168: Disclosure: Product Disclosure Statements (and other disclosure obligations)

ASIC guidance on disclosure obligations, including noting ASIC ‘good disclosure’ principles

Australian Securities Exchange (ASX)

ASX 24 Operating Rules: Guidance Note 9 – Offshoring and Outsourcing

ASX information to assist market participants to understand and comply with their obligations under the ASX 24 Operating Rules, providing guidance on some of the issues to address when offshoring or outsourcing activities as a participant

Australian Taxation Office

ATO portal access and Standard Business Reporting, refer to www.ato.gov.au and www.sbr.gov.au

For further information in relation to ATO portal access and Standard Business Reporting

Department of Communications

Consumer factsheet Cloud computing and privacy

Includes information in relation to privacy

Consumer factsheet Questions to ask about a cloud service

Includes information in relation to a list of potential questions to ask a potential cloud service provider in relation to privacy and security

Department of Defence (Cyber Security Operations Centre)

Cloud Computing Security Considerations

Includes information in relation to security considerations

Department of Finance

Australian Government Cloud Computing Policy

Includes information about the Australian Government’s cloud computing policy

 

Better Practice Guide: Negotiating the cloud – legal issues in cloud computing agreements

Includes information in relation to a checklist of some legal issues to consider and address in contemplating a cloud computing arrangement

Better Practice Guide: Privacy and Cloud Computing for Australian Government Agencies 

 

Includes information in relation to privacy and cloud computing, including a guiding summary of checkpoints

Department of the Prime Minister and Cabinet

Australia’s Cyber Security Strategy

Notes themes of action for Australia’s cyber security

Office of Australian Information Commissioner

Guide to securing personal information

Provides guidance on protecting personal information and in relation to destroying or de-identifying personal information once information is no longer needed

Australian Privacy Principle Guidelines

Outlines requirements of the Australian Privacy Principles (APPs), how the Office of the Australian Information Commissioner (OAIC) will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act 1988 (Cth)

 

 

[1]  It is noted that the requirements in the Code relating to tax (financial) advisers are limited to the provision of tax (financial) advice services. Tax (financial) advisers should refer to ASIC’s guidance in relation to the use of outsourcing and offshoring under the financial services regime.

[2] For the purposes of the TASA, a third party means any entity other than the client legal entity and the registered tax practitioner legal entity. See also the section on Code item 6 further below (paragraphs 16 to 26). 

[3] See, e.g. Accounting Professional and Ethical Standards Board (APESB) Guidance Note GN 30: Outsourced services.

[4] For further information in relation to Cloud, see TPB Practice Note TPB(PN) 1/2017: Cloud computing and the Code of Professional Conduct.

[5] See APES Guidance Note GN 30: Outsourced Services; APRA Prudential Standards CPS 231- Outsourcing and SPS 231 – Outsourcing; APRA Information Paper: Outsourcing involving shared computing services (including cloud); ASIC Regulatory Guide RG 244: Giving information, general advice and scaled advice; ASX 24 Operating Rules Guidance Note 9: Offshoring and Outsourcing.

[7] Whether or not a contractor will be considered a third party for the purposes of Code item 6 will depend upon the circumstances of a particular case – for further information, see also TPB Information Sheet TPB(I) 13/2012: Contractors which provides guidance to help contractors to understand the operation of the tax agent services regime. In arrangements involving a type of outsourcing arrangement where the contractor is not working as part of the registered tax practitioner’s practice in providing services (relating to their arrangement with the registered tax practitioner) to the registered tax practitioner’s clients, it is likely that the contractor will be considered a third party and the practitioner providing the services would need to obtain their client’s permission before disclosing any information. This may include, for example, where a contractor provides tax agent services to a registered tax agent, such as tax return or BAS preparation work for the registered tax practitioner’s clients, and where the client or registered tax practitioner is relying on the services provided by the contractor and the contractor is charging a fee or other reward for these services.

[8] For further information, see TPB Practice Note TPB(PN) 1/2017: Cloud computing and the Code of Professional Conduct, which recognises that there is a distinction between data storage that a third party cannot effectively access (for instance, through the use of encryption) and disclosure to a third party.

[9] A ‘tax agent service’ is defined in section 90-5 of the TASA. It includes a BAS service and a tax (financial) advice service. For further information, see also TPB Information Sheet TPB(I) 20/2014: What is a tax (financial) advice service? Subsection 90-5(2) of the TASA provides that a service specified in the Tax Agent Services Regulations 2009 for the purposes of this subsection is not a tax agent service.

[11] For further information, see also TPB Information Sheet TPB(I) 13/2012: Contractors and TPB Information Sheet TPB(I) 26/2016: Labour hire/on-hire firms. For the purpose of providing clarity, it is noted that an employee of your business who is located overseas does not constitute an arrangement involving a third party.

[12] This may include, in certain circumstances, a relevant ‘fact find’ and consent, Financial Services Guide (FSG) and consent, Statement of Advice (incorporating an ‘authority to proceed’) signed by the client, a privacy declaration and consent form, a privacy acknowledgment and consent, a relevant product disclosure statement and consent, or an appropriately authorised confirmation email. For further information in relation to engagement letters, see TPB information sheet TPB (I) 1/2011: Letters of engagement.

[13]See also Office of the Australian Information Commissioner Guide to securing personal information.

[14] Such misleading statements or conduct could result in a breach of Code item 1 (you must act honestly and with integrity) and/or an adverse fitness and propriety finding.

[15] A ‘tax agent service’ is defined in section 90-5 of the TASA. A tax agent service includes a BAS service and a tax (financial) advice service (see section 90-10 and section 90-15 for the meaning of a ‘BAS service’ and ‘tax (financial) advice service’ respectively).

[16] Following from this, a registered tax practitioner may wish to consider the civil penalty provisions (do not apply where reasonable steps are taken to ensure accuracy of the document) if:

  • signing a declaration or other statement in relation to a taxpayer that is required or permitted by a taxation law; and
  • the document in relation to which the declaration or other statement is being made was prepared by an entity other than an individual registered tax practitioner or an individual working under the supervision or control of an individual registered tax practitioner.  

See also footnote 9 above.

[17] For further information in regard to supervision and control, see the relevant TPB website information sheets – Supervisory arrangements and supervision and control and Supervision and control – tax (financial) advisers.

[18] As BAS services are a subset of tax agent services, the provision of BAS services may be supervised by a registered tax or BAS agent. Similarly, the provision of tax (financial) advice services may be supervised by a registered tax agent or tax (financial) adviser. However, the provision of tax agent services may only be supervised by a registered tax agent.

[19] Some of the outlined factors are taken from paragraph 2.56 of the Explanatory Memorandum to the Tax Agent Services Bill 2008. The TPB also recognises that the business models and structures in the financial services industry are different to those commonly found with tax and BAS agents, in part due to the licensing requirements under the Corporations Act 2001 (Cth). For further information, see also TPB information sheet TPB(I) 23/2014 Sufficient number requirement for partnership and company registered tax (financial) advisers.

[20] The TPB recognises that the obligations of some Australian financial services (AFS) licensees and their representatives under the Corporations Act 2001 (Cth) are similar to some obligations under the TASA. Further, although not specifically related to taxation advice, the TPB notes that there are (ASIC) requirements outlined in relevant ASIC Regulatory guides (RGs), including RG 175 Licensing: Financial product advisers – Conduct and disclosure and RG 244: Giving information, general advice and scaled advice. While compliance with relevant Corporations Act and Australian Securities and Investments Commission (ASIC) requirements will be a relevant factor, it is not conclusive in relation to whether obligations under Code items 9 and 10 in the TASA have been satisfied. For further information, see TPB information sheet TPB(I) 28/2016: Code of Professional Conduct – Reasonable care to ascertain a client’s state of affairs for tax (financial) advisers and TPB information sheet TPB(I) 29/2016: Code of Professional Conduct - Reasonable care to ensure taxation laws are applied correctly for tax (financial) advisers.

[21] The requirement to take reasonable care relates to the circumstances to which the registered tax practitioner is providing a tax agent service to their client and is therefore subject to the agreed terms of the engagement with the client (which may arise from a variety of sources, such as an engagement letter or a statement of advice incorporating an ‘authority to proceed’).

[22] Where the agreed scope of the services excludes the examination of information provided by the client or requires the registered tax (financial) adviser to rely on the information or advice of another expert, then further enquiries would not be required to rely on the relevant information unless the registered tax (financial) adviser identifies, or reasonably ought to have identified, that the information was incorrect or incomplete.

[23] A ‘tax agent service’ is defined in section 90-5 of the TASA. It includes a BAS service and a tax (financial) advice service. It is also noted that section 20-5 of the TASA includes an eligibility requirement for registration and renewal of registration that applicants maintain, or will be able to maintain, PI insurance that meets the TPB’s requirements.

[24] The TPB's PI insurance requirements require that the insurance must cover civil liability arising from any act, error or omission in the provision of tax agent or BAS services.