Is your practice ready for the 2026 compliance landscape?
A 20-question diagnostic for Australian accounting and bookkeeping practices - sole traders, partnerships, and multi-partner firms holding tax-agent or BAS-agent registration. See where you stand against the updated TPB Code of Professional Conduct, AUSTRAC Tranche 2 AML/CTF obligations from 1 July 2026, APES 110 ethics, the Privacy Act reforms, and the cyber controls trust-data insurers now require. Each weak answer returns a specific fix for your principal or IT provider.
- 10 DEC 2026 - Privacy Act automated decision-making disclosure rules commence
- 29 JUL 2026 - AUSTRAC Tranche 2 enrolment deadline for in-scope accountants
- 1 JUL 2026 - AUSTRAC Tranche 2 obligations commence - designated services in scope
- CURRENT - Updated TPB Code obligations (breach reporting, quality management) already in force
Pure tax return preparation and statutory audit are not AUSTRAC Tranche 2 designated services. Setting up trusts, companies or SMSFs, handling client money, and acting as a nominee director are in scope.
Your privacy. Your individual answers stay on your device - we don't store them. When you finish, we save an anonymous record of your scores (industry, overall and per-category percentages, state, business type) so we can show how you compare to others in your industry. We also log anonymous counts for when a quiz is started, when a report is downloaded, and (if you later request it) when one is emailed - no identifying information is attached to any of these. We never capture your name, email, IP address, or any business identity.
Full quiz content - Accountants Compliance Quiz 2026 - TPB, AUSTRAC, APES 110 | Nifty Computing
This index lists every question, every answer option with its score, every tier band, every recommendation, and every regulatory source used by the accountants compliance readiness quiz. Last reviewed .
Tier scoring
- Compliance Ready - score ≥ 85/100, review every 12 months. Your practice demonstrates strong compliance maturity across the TPB Code, APES 110, Privacy Act, and (where applicable) AUSTRAC Tranche 2 obligations. Maintain annual reviews, confirm AUSTRAC enrolment and program review cycles, and keep pace with emerging TPB and APESB updates. Recommended next review: 12 months.
- Good - Minor Gaps - score ≥ 70/100, review every 12 months. Solid foundations with targeted gaps to close before the 29 July 2026 AUSTRAC enrolment deadline and the 10 December 2026 ADM disclosure deadline. Work through the priority findings below and document your AML/CTF program. Recommended next review: 12 months.
- Moderate Risk - Action Needed - score ≥ 50/100, review every 6 months. Several material gaps across regulatory obligations. With TPB breach reporting already in force and AUSTRAC Tranche 2 commencing 1 July 2026, prioritise the findings below over the next 1–3 months and engage your professional body's compliance support. Recommended next review: 6 months.
- High Risk - Urgent Action - score ≥ 30/100, review every 1 month. Significant exposure across multiple obligations. At this readiness level, a TPB sanction, an APES 110 ethics complaint, or non-enrolment with AUSTRAC is a material risk. Engage qualified professional and regulatory advice without delay. Recommended next review: 1 month.
- Critical - Immediate Intervention - score ≥ 0/100, review every 1 month. Your practice has substantial non-compliance with core regulatory obligations. Engage qualified regulatory advisers, your professional body, and (where AML/CTF is in scope) an AUSTRAC-aware specialist as soon as practicable. Recommended next review: 1 month.
Categories assessed
- TPB - TPB Registration & Code
- ETH - APES 110 Ethics
- AML - AUSTRAC Tranche 2
- SAN - Sanctions & Tipping Off
- PRV - Privacy & TFN Handling
- CYB - Cyber & Data Security
- CLM - Client Money & Engagement
- TEC - Cloud, AI & Offshore
- GOV - Quality, CPD & PI
- SCP - Scope of Services
Questions
Q1 (TPB, weight 3): Is every partner or principal who provides tax agent services currently registered with the TPB?
- Yes - all registrations current and tracked with renewal dates (score 5)
- Yes, but we don't actively track renewal dates (score 3)
- Not sure for every person (score 1)
- No, or unaware this is required (score 0)
If a weak option is selected: Every individual charging a fee for tax agent services must be TPB-registered. Maintain a register with expiry dates and renewal reminders 90 days out - lapsed registration is an immediate TPB enforcement issue.
Q2 (TPB, weight 3): Do you have a documented process for identifying and reporting significant breaches of the TPB Code within 30 days?
- Yes - written policy, clear triggers, dual sign-off (score 5)
- Informal understanding only (score 2)
- No process - we'd figure it out if it happened (score 1)
- Not aware breach reporting is required (score 0)
If a weak option is selected: The 2024 Code additions require self-reporting of significant breaches within 30 days of becoming aware. Document what constitutes 'significant', who decides, who signs off, and how the report is lodged. This is the single largest behavioural change for the profession.
Q3 (TPB, weight 3): If you became aware of a significant breach by another registered tax practitioner, would you know when and how to report it to the TPB?
- Yes - documented process and staff trained (score 5)
- General awareness (score 2)
- No (score 0)
If a weak option is selected: Third-party breach reporting is also mandatory under the 2024 Code - within 30 days of forming a reasonable belief. This is a new obligation that most practitioners have not operationalised. Document the trigger and escalation path.
Q4 (TPB, weight 2): Does your PI insurance cover tax agent services to the TPB's minimum level for your turnover, including run-off cover?
- Yes - confirmed annually, run-off written in (score 5)
- Yes, but run-off not confirmed (score 3)
- We have PI but haven't checked it against TPB minimums (score 1)
- No (score 0)
If a weak option is selected: TPB PI minimums scale with turnover (from $250k to $2M+) and must cover tax agent services specifically, with at least 7 years run-off. Practices commonly fail the run-off test when switching insurer - confirm it in writing at renewal.
Q5 (TPB, weight 2): Are your CPD logs current and would they stand up to a TPB 30-day production request?
- Yes - up-to-date, verifiable, with evidence of activities (score 5)
- Mostly current but not all verifiable (score 3)
- Behind or incomplete (score 1)
- No logs maintained (score 0)
If a weak option is selected: Tax agents need 120 hours over 3 years (BAS agents 45 hours), including ethics. CPD logs must be producible within 30 days of TPB request, with evidence (not just titles). Use a CPD tracking tool and keep certificates/recordings.
Q6 (TPB, weight 2): Have you reviewed the 2024 TPB Code additions (false/misleading statements, quality management, disqualified entities) and implemented them?
- Yes - policies and processes updated and staff briefed (score 5)
- Partially implemented (score 2)
- Aware of changes but no action yet (score 1)
- Not familiar with the 2024 additions (score 0)
If a weak option is selected: The 2024 Determination added eight new obligations including quality management systems, record-keeping minimums, disqualified-entity restrictions, and material-error disclosure. Large firms from 1 Jan 2025, small from 1 Jul 2025 - already in force.
Q7 (TPB, weight 2): If you employ unregistered staff who provide tax agent services, is their work supervised by a registered agent in a way that meets the Supervision and Control requirements?
- Yes - documented supervision plan and review evidence (score 5)
- Supervised, but not formally documented (score 2)
- Informal supervision only (score 1)
- N/A - no unregistered staff provide these services (score 5)
- Not sure of requirements (score 0)
If a weak option is selected: The TPB's Supervision and Control requirements mean a registered agent must meaningfully oversee unregistered staff - not just sign off returns. Document the supervision approach, workflow review, and the registered agent's time commitment.
Q8 (ETH, weight 3): Do your staff understand the five fundamental principles of APES 110 (integrity, objectivity, professional competence and due care, confidentiality, professional behaviour)?
- Yes - trained annually, referenced in file documentation (score 5)
- General awareness (score 2)
- No formal training (score 0)
If a weak option is selected: The five principles are the backbone of professional conduct. Annual ethics training with examples relevant to your practice lifts this from abstract to operational. Document attendance and content.
Q9 (ETH, weight 3): Do you maintain a documented conflicts-of-interest register updated when new engagements are accepted?
- Yes - updated at every new engagement, reviewed by a partner (score 5)
- Yes, but not consistently updated (score 3)
- Informal - we'd spot a conflict if one appeared (score 1)
- No register (score 0)
If a weak option is selected: A live conflicts register is core to the Objectivity principle and engagement-acceptance under APES 320/325. Update at every new client, relationship, or material change. Document the mitigation applied to each identified conflict.
Q10 (ETH, weight 2): When fees from a single client exceed 15% of practice revenue for two consecutive years, do you have a documented mitigation?
- Yes - monitored annually, mitigation documented when threshold hit (score 5)
- We monitor but have no standard mitigation (score 3)
- Not monitored (score 1)
- N/A - no client near the threshold (score 5)
- Not aware of the threshold (score 0)
If a weak option is selected: APES 110 recognises self-interest and intimidation threats when one client dominates fees. At 15%+ for two years, document the threat assessment and mitigations (partner rotation, quality review, external consultation). The test is recurring - review annually.
Q11 (ETH, weight 3): If you became aware of material non-compliance with laws and regulations by a client (NOCLAR), do you have a documented response process?
- Yes - written NOCLAR process with escalation and documentation steps (score 5)
- General awareness, no written process (score 2)
- No documented approach (score 0)
- Not familiar with NOCLAR (score 0)
If a weak option is selected: APES 110's NOCLAR provisions require a structured response: understand, discuss with management/governance, consider external disclosure, document. From 1 Jul 2026 there's overlap with AUSTRAC SMR obligations - treat these as separate workflows with different tipping-off implications.
Q12 (ETH, weight 2): For each engagement, is a written APES 305 terms-of-engagement letter issued and signed before work starts?
- Yes - every engagement, signed before work begins (score 5)
- Most engagements, some verbal starts (score 2)
- Inconsistent (score 1)
- No - we rely on ongoing arrangements (score 0)
If a weak option is selected: APES 305 requires a written terms letter for each engagement covering scope, fees, ownership of documents, liability, and termination. Verbal starts create disputes and UCT exposure. Adopt a templated approach that takes 10 minutes per new engagement.
Q13 (ETH, weight 2): Do you apply the APESB Conceptual Framework (identify, evaluate, address threats) in file-level documentation on risk-relevant engagements?
- Yes - documented on relevant engagement files (score 5)
- Applied mentally but not documented (score 3)
- Not applied systematically (score 1)
- Not familiar with the Conceptual Framework (score 0)
If a weak option is selected: The Conceptual Framework is the expected default approach where ethics risks exist. Document the threats identified (self-interest, self-review, advocacy, familiarity, intimidation) and the safeguards applied. Professional-body quality reviewers look for this evidence.
Q14 (AML, weight 3): Have you determined whether you provide any AUSTRAC-designated services that would require enrolment under Tranche 2 from 1 July 2026?
- Yes - service lines mapped to the designated services list, decision documented (score 5)
- Partially - some services mapped (score 2)
- No - haven't assessed (score 0)
- Unaware of Tranche 2 (score 0)
If a weak option is selected: Tranche 2 is service-based, not profession-based. Map every service line against the designated services list (structures, SMSF, client money, nominee officer, registered office). Pure tax return preparation and statutory audit are out of scope. Document the decision with reasoning - you will be asked to justify it.
Q15 (AML, weight 3): Have you enrolled, or prepared to enrol, with AUSTRAC before the 29 July 2026 deadline?
- Yes - already enrolled or enrolment plan locked in (score 5)
- Planning to enrol, no concrete plan yet (score 2)
- Not confirmed whether we need to enrol (score 1)
- N/A - confirmed no designated services provided (score 5)
- Unaware of enrolment requirements (score 0)
If a weak option is selected: AUSTRAC Online enrolment opens 31 March 2026 with a hard deadline of 29 July 2026. Late enrolment draws immediate AUSTRAC attention. If you're in scope, allocate a principal to own the enrolment and the AML/CTF program build.
Q16 (AML, weight 3): Do you have a documented AML/CTF program covering ML/TF risk assessment, CDD, ongoing monitoring, SMR procedures, staff training, and independent review?
- Yes - complete, senior-manager approved, governing body sign-off (score 5)
- Draft in progress (score 2)
- Haven't started (score 0)
- N/A - no designated services (score 5)
- Unaware an AML/CTF program is required (score 0)
If a weak option is selected: A written, senior-manager-approved AML/CTF program is mandatory before 1 July 2026. AUSTRAC is publishing a starter kit for small practices - use it as a baseline, don't start blank. The program must include ML/TF risk assessment, CDD, ongoing monitoring, SMR workflow, training, and a 3-yearly independent review.
Q17 (AML, weight 3): Do you have a documented Customer Due Diligence process, including beneficial-owner identification for non-individual customers?
- Yes - documented, staff trained, applied before designated services (score 5)
- Informal process (score 2)
- No documented process (score 0)
- N/A - no designated services (score 5)
- Unaware CDD is required (score 0)
If a weak option is selected: Initial CDD before the designated service is a hard requirement. For companies, trusts, and partnerships, identify the natural persons who ultimately own or control the entity. Beneficial ownership is where complex structures hide - taking it seriously is your defence against penalties.
Q18 (AML, weight 3): For customers involved in complex structures or higher-risk transactions, do you have an enhanced due diligence (source of funds / source of wealth) process?
- Yes - EDD triggers documented, evidence collected (score 5)
- Applied inconsistently (score 2)
- No EDD process (score 0)
- N/A - no designated services (score 5)
- Not familiar with EDD (score 0)
If a weak option is selected: EDD applies for PEPs, FATF high-risk jurisdictions, complex ownership structures, and anomalous transactions. Collect evidence of source of funds and source of wealth - bank statements, sale records, inheritance documents. Accountants see more of this than banks, so AUSTRAC expects you to document it.
Q19 (AML, weight 2): Have staff been trained to recognise AML red flags specific to accounting services (urgent structure setup, unusual payment arrangements, reluctance to provide source of funds)?
- Yes - documented training within the last 12 months (score 5)
- General awareness only (score 2)
- No formal training (score 0)
- N/A - no designated services (score 5)
If a weak option is selected: Staff training is mandatory under the AML/CTF Rules. Use accountant-specific red flags: urgent structure setup without commercial rationale, unusual payment methods, overpaying to offshore entities, reluctance to provide source of funds, or mismatch between client lifestyle and declared income. Document every training session.
Q20 (AML, weight 2): Have you designated an AML/CTF Compliance Officer and identified the senior manager who approves the program and the governing body?
- Yes - all three roles formally documented (score 5)
- Compliance officer named, other roles informal (score 3)
- In progress (score 1)
- No (score 0)
- N/A - no designated services (score 5)
If a weak option is selected: The AML/CTF Rules require three governance roles: governing body, senior manager who approves the program, and an AML/CTF Compliance Officer. In small practices these can be the same person, but must be separately documented. Notify AUSTRAC of the compliance officer at enrolment.
Q21 (SAN, weight 3): Do you screen every customer (and every beneficial owner) against the DFAT Consolidated List for Targeted Financial Sanctions before providing a designated service?
- Yes - every customer and beneficial owner, documented process (score 5)
- Yes, customers only - not beneficial owners (score 3)
- Ad hoc (score 1)
- No (score 0)
- Not aware sanctions screening is required (score 0)
If a weak option is selected: DFAT Consolidated List screening is mandatory before providing designated services, and applies to beneficial owners as well as direct customers. Lists change frequently - use a screening tool that updates automatically and re-screen periodically for ongoing relationships. Criminal penalties apply for dealing with sanctioned persons.
Q22 (SAN, weight 3): Do you have a documented process for screening customers against a reputable PEP (Politically Exposed Person) database?
- Yes - documented process using a reputable database (score 5)
- Self-declaration on onboarding form only (score 2)
- No screening (score 0)
- Not aware PEP screening is required (score 0)
If a weak option is selected: Foreign PEPs trigger mandatory enhanced CDD under the 2026 Rules. Domestic PEPs and international organisation PEPs require risk-based consideration. Self-declaration alone is insufficient - pair the onboarding question with database screening and document the outcome.
Q23 (SAN, weight 2): Are you aware of the FATF high-risk and increased-monitoring jurisdictions list, and do you flag customers with significant ties to those jurisdictions?
- Yes - list monitored, customers flagged for enhanced CDD (score 5)
- General awareness only (score 2)
- No process (score 0)
- Unaware of FATF lists (score 0)
If a weak option is selected: FATF publishes high-risk and increased-monitoring jurisdiction lists. Customers with significant ties (nationality, residence, business, or source of funds) require enhanced CDD. Subscribe to FATF updates and document how your process incorporates the current lists.
Q24 (SAN, weight 3): Do you know the SMR reporting timeframes - 24 hours for terrorism-financing suspicions, 3 business days for other suspicions?
- Yes - built into our incident process with automated reminders (score 5)
- Know there are deadlines but not the specifics (score 2)
- No (score 0)
If a weak option is selected: Terrorism financing SMRs are 24 hours from forming the suspicion - actual hours, including weekends. Other suspicious matters are 3 business days. The clock starts when the suspicion is formed, not when the transaction occurs. Late submission is a civil penalty offence.
Q25 (SAN, weight 3): Have staff been trained on the tipping off prohibition under s123 of the AML/CTF Act?
- Yes - documented training, staff understand it's criminal (score 5)
- General awareness (score 2)
- No training (score 0)
- Unaware of the prohibition (score 0)
If a weak option is selected: Tipping off is a criminal offence. Staff must not disclose to a customer - or anyone other than AUSTRAC - that an SMR has been or may be lodged. They must also not visibly change customer-facing behaviour in ways that signal a report. This is a frequent enforcement target in equivalent jurisdictions.
Q26 (SAN, weight 2): Do you have a documented dual-reporting pathway when a single incident triggers both an AUSTRAC SMR and a TPB breach report?
- Yes - written process covering both regimes and the tipping-off boundary (score 5)
- Aware of the overlap but no written process (score 2)
- No (score 0)
- Not aware dual reporting can apply (score 0)
If a weak option is selected: Significant AML/CTF breaches by a registered tax practitioner can trigger both an AUSTRAC SMR and a TPB breach report. Tipping off applies to the AUSTRAC side only - but you must keep the two reports separate in language and audience. Document the dual pathway.
Q27 (PRV, weight 3): Is your privacy policy published on your website and reviewed within the last 12 months?
- Yes - published and reviewed annually (score 5)
- Published but not recently reviewed (score 2)
- Outdated or missing (score 0)
If a weak option is selected: APP 1.3 requires a clearly expressed, current privacy policy. The Privacy Act has changed materially in the last 24 months - a policy older than 12 months is almost certainly non-compliant. Review annually and at every regulatory change.
Q28 (PRV, weight 3): Does your privacy policy disclose automated decision-making by tools you use (AI categorisation, anomaly detection, lead-scoring), or are you on track to disclose by 10 December 2026?
- Yes - already updated with ADM disclosure (score 5)
- In progress, on track for December 2026 (score 4)
- Not started yet (score 1)
- Unaware of the ADM disclosure rules (score 0)
If a weak option is selected: From 10 December 2026, APP 1.7 requires transparency about automated decision-making. For accountants, this catches AI-assisted document classification, fraud/anomaly detection in cloud accounting software, and lead scoring. Start drafting disclosures in Q3 2026 to leave room for review.
Q29 (PRV, weight 3): Do you collect Tax File Numbers only for specific tax-law purposes and with voluntary disclosure disclaimers, as required by the TFN Rule 2015?
- Yes - TFN collection limited, voluntary disclaimer on all forms (score 5)
- Collect TFNs routinely without specific purpose limitation (score 2)
- Not sure of the TFN Rule requirements (score 0)
If a weak option is selected: The TFN Rule 2015 is strict - TFN collection must be for a specific tax-law purpose, disclosure must be voluntary, and you can't require TFN on a general engagement letter. Audit your forms and processes. TFN breaches attract separate OAIC sanction from general privacy breaches.
Q30 (PRV, weight 2): Is access to TFN, bank, and ID document data restricted on a least-privilege basis across your systems?
- Yes - role-based access, reviewed regularly (score 5)
- Some restrictions, not formalised (score 3)
- All staff have broad access to client files (score 1)
- Don't know (score 0)
If a weak option is selected: Least-privilege access is a baseline APP 11 expectation for sensitive data like TFNs, bank details, and ID documents. Audit who can see what in your practice management system, cloud accounting, document store, and email. Tighten before a breach forces you to.
Q31 (PRV, weight 3): Do you have a documented data breach response plan, and do you know the OAIC's NDB notification timeframe?
- Yes - documented plan, tested, know the 30-day NDB clock (score 5)
- Plan exists but never tested (score 3)
- Informal understanding (score 1)
- No plan (score 0)
If a weak option is selected: A documented, tested breach response plan is essential. The Notifiable Data Breaches scheme requires notification as soon as practicable and no later than 30 days from awareness. Accountants holding TFNs, bank details and ID have a very low threshold for 'serious harm likely'.
Q32 (PRV, weight 2): Does your privacy policy explain how clients can access or correct their personal information, and how to complain to the OAIC?
- Yes - clear process and OAIC referral pathway included (score 5)
- Access/correction covered, no OAIC referral (score 3)
- General statement only (score 1)
- No (score 0)
If a weak option is selected: APP 12 and APP 13 require you to explain the access and correction process; APP 1.4(g) requires the complaints process with escalation to the OAIC. Name the Privacy Officer, give timeframes, and link to the OAIC complaints page.
Q33 (PRV, weight 1): Have you assessed your exposure to the statutory tort of serious invasion of privacy (commenced 10 June 2025)?
- Yes - reviewed with privacy adviser or insurer (score 5)
- Aware of the tort, no formal assessment (score 2)
- Not aware of the tort (score 0)
If a weak option is selected: The statutory tort gives individuals a private right of action in the Federal Court. For accountants - with direct access to tax, banking, and identity information - exposure is real. Raise with your PI insurer and privacy adviser; consider cover implications.
Q34 (CYB, weight 3): Is multi-factor authentication enforced on email, practice management, cloud accounting (Xero/MYOB/QuickBooks), and myID for every staff member?
- Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
- Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
- Yes - in-house, but not formally verified (score 15)
- Yes - outsourced, but we assume rather than verify (score 15)
- Partial or inconsistent across staff/devices (score 8)
- No, or don't know (score 0)
If a weak option is selected: MFA on every business-critical account is the baseline under APP 11 and the TPB's cyber practice notes. If your IT provider manages it, ask for a quarterly MFA-coverage report naming any accounts still without MFA. SMS-based MFA is weak - prefer authenticator apps or hardware keys for principals.
Q35 (CYB, weight 3): Are operating systems and applications (especially browsers and Office) patched on the Essential Eight 48-hour critical-patch cycle?
- Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
- Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
- Yes - in-house, but not formally verified (score 15)
- Yes - outsourced, but we assume rather than verify (score 15)
- Partial or inconsistent across staff/devices (score 8)
- No, or don't know (score 0)
If a weak option is selected: Essential Eight expects critical patches for internet-facing services and operating systems within 48 hours. If your IT provider owns patching, ask for a monthly patch-compliance report showing critical patches applied and outstanding. Unpatched browsers and Office apps are the most common small-practice breach vector.
Q36 (CYB, weight 2): Are local-admin rights restricted so no one does daily work as a system admin?
- Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
- Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
- Yes - in-house, but not formally verified (score 15)
- Yes - outsourced, but we assume rather than verify (score 15)
- Partial or inconsistent across staff/devices (score 8)
- No, or don't know (score 0)
If a weak option is selected: Restricting admin privileges is one of the Essential Eight pillars. Daily work should run as a standard user - admin rights granted only when required and logged. Ask your IT provider for the list of users with local-admin and the justification for each.
Q37 (CYB, weight 3): Do you have regular backups of practice data with a tested restore process?
- Yes - handled in-house, restore-tested, and evidence retained (score 20)
- Yes - outsourced to our IT provider, restore-tested and verified by provider report (score 20)
- Yes - in-house backups exist, but restore testing/evidence is informal (score 15)
- Yes - outsourced to our IT provider, but we assume rather than verify (score 15)
- Partial, incomplete, or not covering all critical systems (score 8)
- No reliable backup and restore process, or don't know (score 0)
If a weak option is selected: Backups you haven't restored from aren't backups. Test restoration at least annually - quarterly is safer. If your IT provider runs backups, ask for the dated restoration-test report. A provider that can't produce one is charging you for hope, not protection.
Q38 (CYB, weight 3): Are staff trained to recognise business email compromise (BEC) attempts, particularly around fake invoice/payment instructions?
- Yes - annual training plus simulated phishing (score 5)
- Annual training, no simulations (score 4)
- Ad hoc awareness emails (score 2)
- No training (score 0)
If a weak option is selected: BEC targeting trust account and invoice payment instructions is the single most damaging attack pattern on accounting practices. Train every staff member annually with real examples, simulate at least quarterly, and adopt a callback-to-known-number verification rule for any change of payee.
Q39 (CYB, weight 2): When staff leave, are their credentials revoked the same day across all systems (email, PMS, cloud, myID relationships)?
- Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
- Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
- Yes - in-house, but not formally verified (score 15)
- Yes - outsourced, but we assume rather than verify (score 15)
- Partial or inconsistent across staff/devices (score 8)
- No, or don't know (score 0)
If a weak option is selected: Same-day credential revocation is the standard. Include practice management, cloud accounting, myID delegations, document store, email, password managers, and any app with client data. If your IT provider owns offboarding, ask for the checklist and the completion timestamp after each departure.
Q40 (CYB, weight 2): Do you have cyber insurance that specifically covers privacy breach liability, regulatory investigation costs, and ransomware?
- Yes - all three coverages confirmed in writing (score 5)
- General cyber cover, details not confirmed (score 3)
- Business policy only - no specific cyber cover (score 1)
- No cyber cover (score 0)
If a weak option is selected: Cyber insurance for accountants should explicitly cover privacy breach liability (OAIC), regulatory investigation costs (OAIC, AUSTRAC, TPB), ransom payments or business interruption, and breach response costs. Read the policy - sub-limits and exclusions are where insurers save money at your expense.
Q41 (CLM, weight 3): If you receive client money (SMSF contributions, deposits held on trust, pre-paid fees), is it held in a separate trust account with monthly reconciliation?
- Yes - separate trust account, monthly reconciled, annually audited (score 5)
- Separate account, reconciled less often (score 3)
- Held in general practice account (score 1)
- N/A - we don't receive client money (score 5)
- Not sure of trust account obligations (score 0)
If a weak option is selected: Accounting to clients for money received on trust is a core TPB Code obligation and CA ANZ / CPA Australia / IPA by-law. Separate trust account, monthly reconciliation, annual audit where the threshold applies. Commingling with practice funds is a serious breach.
Q42 (CLM, weight 3): Is every engagement backed by a written APES 305 terms-of-engagement letter signed before work begins?
- Yes - every engagement, signed before work starts (score 5)
- Most engagements (score 2)
- Inconsistent (score 1)
- No - rely on ongoing arrangements (score 0)
If a weak option is selected: APES 305 requires a written terms letter for each engagement. Ongoing 'umbrella' arrangements without per-engagement confirmation create scope, fee, and liability disputes - and fail quality review. Template and automate the process.
Q43 (CLM, weight 2): Have you reviewed your standard engagement letter against the Unfair Contract Terms regime (small business contracts, expanded Nov 2023)?
- Yes - reviewed in the last 12 months with legal input (score 5)
- Reviewed but before Nov 2023 (score 3)
- Never reviewed for UCT (score 1)
- Not aware UCT applies to engagement letters (score 0)
If a weak option is selected: From 9 November 2023, UCT applies to standard-form small business contracts (counterparty <100 employees or <$10M turnover). Common traps: auto-renewal with short notice-out, unilateral fee variation, broad indemnities. UCT breaches attract penalties up to $50M - get the engagement letter reviewed.
Q44 (CLM, weight 2): Is your fee basis disclosed to every client before work begins (fixed fee, hourly, disbursements, out-of-scope treatment)?
- Yes - clear disclosure in every engagement letter (score 5)
- Usually but not always (score 2)
- Fee disclosed on first invoice only (score 1)
- No fee disclosure before work (score 0)
If a weak option is selected: Both the TPB Code and APES 110 require clear fee disclosure before work begins. For fixed-fee work, document how scope changes are re-priced - unchecked scope creep drives ethics complaints and UCT risk.
Q45 (CLM, weight 2): For trust account operations, do you comply with your professional body's trust account by-laws, including the annual audit requirement?
- Yes - annually audited, report to professional body on schedule (score 5)
- Trust account operated but no formal audit (score 2)
- Not aware of by-law requirements (score 0)
- N/A - no trust account operated (score 5)
If a weak option is selected: CA ANZ / CPA Australia / IPA each have trust account by-laws requiring separate banking, monthly reconciliation, and annual audit above threshold. Report particulars to the professional body under the Quality Review program. Non-compliance is a direct disciplinary matter.
Q46 (TEC, weight 2): Do you know the jurisdiction in which each of your core practice tools (PMS, cloud accounting, document store, email, AI tools) stores and processes client data?
- Yes - documented vendor register with jurisdiction per tool (score 5)
- Partial - main tools only (score 3)
- No (score 0)
If a weak option is selected: Vendor jurisdiction drives APP 8 treatment. Maintain a vendor register with: vendor, service, data stored, data residency, jurisdiction, contract end, last review. Include cloud accounting (Xero/MYOB/QuickBooks), document store, email, AI tools, SMS, transcription - anything that touches client data.
Q47 (TEC, weight 3): Have you assessed APP 8 (cross-border disclosure) compliance for overseas vendors - documented reasonable steps or obtained client consent?
- Yes - documented steps or consent for each overseas vendor (score 5)
- Partial - main vendors only (score 3)
- No APP 8 documentation (score 1)
- Not aware of APP 8 (score 0)
If a weak option is selected: APP 8 makes you accountable for overseas recipients' handling of personal information. Document either (a) reasonable steps to ensure they meet the APPs - vendor security attestations, SOC 2 reports, contractual obligations - or (b) explicit client consent. Generic AI tools almost always route through US infrastructure.
Q48 (TEC, weight 3): If you use AI tools to draft working papers, review documents, or summarise client emails, do you have a written policy on client confidentiality and human review before the output is used?
- Yes - written AI policy with human-review gate (score 5)
- Informal norms, no written policy (score 2)
- AI used with no documented policy (score 1)
- N/A - no AI tools in use (score 5)
If a weak option is selected: APES 110 Section 113 (as updated in 2024) requires accountants to maintain competence in the technology they use, evaluate AI outputs before relying on them, and not outsource judgement to AI where professional scepticism applies. Write the policy, put a human-review gate in the workflow, and document it.
Q49 (TEC, weight 2): Have you reviewed vendor contracts for breach-notification SLAs (ideally 24–48 hours, so they don't eat into your OAIC 30-day window)?
- Yes - 24–48 hour SLA in writing for all key vendors (score 5)
- Some vendors have SLAs, others vague (score 3)
- No SLA review done (score 0)
If a weak option is selected: If a vendor notifies you late, you miss your own OAIC 30-day clock. Push for 24–48 hour breach notification SLAs in writing. Renegotiate at renewal; for high-risk vendors (cloud accounting, document store, practice management) raise it sooner.
Q50 (TEC, weight 2): Have you transitioned to myID (from myGovID / AUSkey legacy) for ATO system access, with every user on MFA?
- Yes - all users on myID with MFA (score 5)
- Transition in progress (score 3)
- Still using legacy credentials (score 1)
- Not aware of the transition (score 0)
If a weak option is selected: AUSkey was retired in 2020 and myGovID was renamed myID in late 2024, so any user still on a legacy credential or an unmigrated identity is well behind. MFA on ATO credentials is the expected baseline. Migrate any remaining legacy users, confirm MFA on every account, and audit delegations in Relationship Authorisation Manager (RAM) so that departed staff no longer hold authorisations.
Q51 (TEC, weight 1): Do you have a documented process for decommissioning a vendor that includes a certificate of destruction for client data?
- Yes - documented process, certificates retained (score 5)
- Informal process (score 2)
- No process - we just stop using the tool (score 1)
- No (score 0)
If a weak option is selected: Under APP 11.2 you must destroy or de-identify personal information you no longer need. 'They said they'd delete it' is not evidence. Request a certificate of destruction when decommissioning a vendor, keep it for 7 years alongside the engagement records.
Q52 (GOV, weight 3): Is your PI policy currently compliant with the TPB minimum for your turnover, with adequate run-off cover written in?
- Yes - confirmed against TPB minimums, run-off confirmed in writing (score 5)
- Has PI but not confirmed against TPB minimums (score 3)
- Below TPB minimums or unsure (score 1)
- No PI, or expired (score 0)
If a weak option is selected: TPB PI minimums scale with turnover. Policy must cover tax agent services with 7 years run-off. Confirm both - minimum cover and run-off - in writing at every renewal. The run-off test is where most practices fail when switching insurer.
Q53 (GOV, weight 2): Are CPD hours on track for every registered practitioner (minimum 120 hours / 3 years for tax agents; 90 hours / 3 years for BAS agents)?
- Yes - tracked per practitioner, on target (score 5)
- Partially tracked, some behind (score 3)
- No active tracking (score 1)
- Unaware of hour requirements (score 0)
If a weak option is selected: CPD minimums include ethics content and verifiable activities. Track per practitioner against the 3-year rolling window, not calendar year. Logs must be producible within 30 days of TPB request - spreadsheet tracking is enough if it links to evidence.
Q54 (GOV, weight 2): Do you have a documented quality management system aligned to APES 325 / ISQM 1 where applicable?
- Yes - documented QMS with periodic review (score 5)
- Elements in place but not consolidated (score 3)
- No documented QMS (score 1)
- Not aware of QMS obligations (score 0)
If a weak option is selected: APES 325 applies to public practice; ISQM 1 applies to audit firms. Document: governance, ethics, engagement acceptance, performance, resources, monitoring, remediation. The 2024 TPB Code addition on quality management makes this a regulator-facing expectation too.
Q55 (GOV, weight 2): Have you completed (or scheduled) a professional body quality review within the current cycle?
- Yes - completed or scheduled (score 5)
- Cycle lapsed - overdue (score 1)
- Not aware of the quality review program (score 0)
- N/A - not a public-practice member (score 5)
If a weak option is selected: CA ANZ Practice Review, CPA Best Practice Program, and IPA Professional Practice Program run on a 3–5 year cycle for members in public practice. Missing a cycle is a disciplinary matter. Check your cycle date, prepare files, and clear findings from last review.
Q56 (GOV, weight 2): Do you have a documented independent review of your AML/CTF program scheduled (minimum every 3 years from 1 July 2026)?
- Yes - scheduled and budgeted (score 5)
- Aware of requirement, not scheduled (score 2)
- No (score 0)
- N/A - no designated services (score 5)
- Unaware an independent review is required (score 0)
If a weak option is selected: Independent review of the AML/CTF program is mandatory at least every 3 years from program commencement. Plan for a first review in 2029 if you commence 1 July 2026. Reviewer must be independent of the program's development - can be external adviser or industry-body-authorised reviewer.
Q57 (SCP, weight 3): Do all client-facing staff understand the scope of the accountants' financial-product-advice exemption (Corporations Reg 7.1.29), and when an AFSL is required?
- Yes - documented boundaries, staff trained annually (score 5)
- General understanding (score 2)
- Unclear where the boundary sits (score 1)
- Not aware of the exemption or AFSL issue (score 0)
If a weak option is selected: The accountants' exemption under reg 7.1.29 is narrow: tax implications of products the client already owns, limited SMSF establishment/closure advice, super contribution advice without product recommendation. Product recommendation triggers AFSL. Document where your practice draws the line and train to it.
Q58 (SCP, weight 2): If you advise clients on payroll, have you updated processes for Payday Super (commences 1 July 2026)?
- Yes - processes updated and client communications sent (score 5)
- Aware, update in progress (score 3)
- Not yet (score 1)
- N/A - no payroll advisory services (score 5)
- Unaware of Payday Super (score 0)
If a weak option is selected: Payday Super commences 1 July 2026 - super must be paid with each pay cycle, not quarterly. Update client engagement scope, cash-flow advice, STP reporting guidance, and your own practice payroll. Communicate the change to payroll advisory clients well before commencement.
Q59 (SCP, weight 2): If you advise clients on wage underpayment remediation, have you updated your advice for the 2025 wage theft criminalisation regime?
- Yes - advice updated, client communications refreshed (score 5)
- Aware, advice not formally updated (score 2)
- Not aware of the regime change (score 0)
- N/A - no wage remediation advice (score 5)
If a weak option is selected: Intentional underpayment became criminal in 2025. Your advice to clients on back-pay, self-remediation timing, and Fair Work disclosures needs to reflect the new criminal exposure. Don't give advice that could be characterised as assisting ongoing non-compliance - NOCLAR obligations apply.
Q60 (SCP, weight 2): If you hold yourself out as providing services beyond your registration category (e.g. BAS agent holding out on income tax matters), have you documented the professional pathway for referring out?
- Yes - scope boundaries documented, referral panel in place (score 5)
- Informal referral arrangements (score 2)
- No documented boundary (score 0)
- N/A - only one registration category in the practice (score 5)
If a weak option is selected: Providing services outside your registration category is a TPB and professional-body breach. Document where your registration ends, and where services must be referred out. Maintain a referral panel for common overflow areas (income tax for BAS-agent practices, audit for non-audit firms, financial product advice).
Guidance
TPB Registration & Code
The TPB Code was substantially expanded in 2024 - breach reporting, quality management, disqualified-entity restrictions, and false/misleading statement obligations. All already in force. The TPB is more active on enforcement than at any time in the last decade.
- Operationalise the 30-day breach reporting obligations (Within 30 days · Principal): Document what constitutes a 'significant breach' for your practice, who decides, and how the report is lodged. Cover both self-reporting (breaches by your practice or your practitioners) and third-party reporting (breaches by other registered agents you become aware of). Train every practitioner.
- Audit your PI cover against TPB minimums and run-off (At next renewal · Principal): Confirm in writing at renewal: (a) policy covers tax agent services specifically, (b) cover meets TPB minimum for your turnover band, (c) 7-year run-off is written in and survives a change of insurer. The run-off test is where most practices fail - get it on the certificate.
- Bring the 2024 Code additions into policy and training (Within 90 days · Principal + Compliance lead): Walk through the new obligations, including quality management systems, record-keeping, disqualified-entity restrictions, material-error disclosure, the false/misleading statement obligation and breach reporting. Update policies, train staff, and add the items to the engagement-acceptance checklist.
- Make CPD logs audit-ready (Process from now on · Compliance lead): Every registered practitioner: 120 h / 3 y (tax agents) or 90 h / 3 y (BAS agents), with ethics content and the TPB's 20-hour annual minimum. Use a tracking tool that stores evidence (certificates, recordings, session notes), not just titles. Producible within 30 days of a TPB request.
APES 110 Ethics
APES 110 is the profession's master ethical code. Recent amendments have tightened fees rules, added NOCLAR obligations, and updated technology provisions (Section 113). The code is binding via your professional body's by-laws regardless of TPB registration.
- Run annual ethics training against the five fundamental principles (Annually, within 90 days · Compliance lead): Cover integrity, objectivity, professional competence and due care, confidentiality, professional behaviour - with practice-specific examples. Name the five threats (self-interest, self-review, advocacy, familiarity, intimidation). Document attendance and content.
- Maintain a live conflicts-of-interest register (Process from now on · Partner responsible): Update at every new engagement, new relationship, or material change. For each entry, document the threat assessed and the mitigation applied (separate team, partner rotation, external review, or engagement declined). Review at partner meetings.
- Write a NOCLAR response process (Within 90 days · Compliance lead): Structured response: understand, discuss with management/governance, consider external disclosure, document. Make it clear how the NOCLAR pathway interacts with AUSTRAC SMR obligations from 1 Jul 2026 - tipping off applies to the AML side, not the NOCLAR side.
- Document file-level use of the Conceptual Framework (Process from now on · Engagement partners): For engagements with ethics risk (single-client concentration, related-party work, advocacy positions), document on file: threats identified, evaluation, safeguards applied. Quality reviewers look for this - and the 2024 TPB quality management obligation reinforces it.
AUSTRAC Tranche 2
From 1 July 2026, accountants providing designated services become AUSTRAC-regulated entities. This is the most significant new regulatory regime to hit the profession in decades. Penalties run up to $33M per contravention for body corporates.
- Confirm which services are designated, then enrol with AUSTRAC (Before 29 Jul 2026 · Principal): Map every service line against the designated services list (structures, SMSF, client money, nominee officer, registered office). Pure tax return prep and statutory audit are out of scope. Enrol via AUSTRAC Online - opens 31 March 2026, hard deadline 29 July 2026.
- Develop a written AML/CTF program (Before 1 Jul 2026 · AML/CTF Compliance Officer): Required components: ML/TF risk assessment, CDD procedure, ongoing monitoring, SMR workflow, staff training schedule, independent review (3-yearly). AUSTRAC is publishing a starter kit for small practices - use it as baseline, don't start blank. Senior manager approves, governing body signs off.
- Build a CDD workflow with beneficial-owner identification (Before 1 Jul 2026 · AML/CTF Compliance Officer): Initial CDD before the designated service. Beneficial ownership for non-individual customers - the natural persons who ultimately own or control. PEP screening. DFAT sanctions screening. Document the nature and purpose of each business relationship. Add EDD triggers for PEPs, FATF jurisdictions, and complex structures.
- Train staff on AML red flags and tipping off (Before 1 Jul 2026, then annually · AML/CTF Compliance Officer): Accountant-specific red flags: urgent structure setup without commercial rationale, unusual payment arrangements, reluctance to provide source of funds, client lifestyle inconsistent with declared income. Plus: the s123 tipping-off prohibition - criminal offence. Document every training session.
Sanctions & Tipping Off
Sanctions and tipping off carry the heaviest penalties in the AML/CTF regime, including criminal penalties for individuals. Dealing with a sanctioned person - even inadvertently - can result in imprisonment. Tipping off is a frequent enforcement target in comparable jurisdictions.
- Build sanctions screening into customer onboarding (Before 1 Jul 2026 · AML/CTF Compliance Officer): Screen every customer and every beneficial owner against the DFAT Consolidated List before providing designated services. Use a screening tool that updates automatically - lists change frequently. Re-screen periodically for ongoing relationships. Document each screening outcome.
- Add PEP screening to your CDD process (Before 1 Jul 2026 · AML/CTF Compliance Officer): PEP self-declaration on the onboarding form is insufficient on its own. Pair it with a reputable PEP database screen. Foreign PEPs trigger mandatory enhanced CDD; domestic and international-organisation PEPs require risk-based consideration. Document the decision.
- Lock the SMR timeframes into your incident process (Before 1 Jul 2026 · AML/CTF Compliance Officer): 24 hours for terrorism-financing suspicions (actual hours, weekends included). 3 business days for all other suspicions. Clock starts when the suspicion is formed. Build the deadlines into your compliance calendar with automated reminders. Late submission is a civil penalty offence.
- Train every staff member on tipping off (Before 1 Jul 2026, then annually · AML/CTF Compliance Officer): s123 of the AML/CTF Act. Staff must not tell a customer - or anyone other than AUSTRAC - that an SMR has been or may be lodged. They must not visibly change customer-facing behaviour in ways that signal a report. Document this training specifically and keep refreshers short and concrete.
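The sanctions and PEP screening steps above come down to one question: does this customer, or any of its beneficial owners, match a name on a list? The block below is an added example of that screening logic, not the quiz's or AUSTRAC's code. It assumes a watch list of names with aliases (the entries are constructed, not real persons or entities) and a fuzzy-match threshold of 0.88; a real deployment screens against the DFAT Consolidated List and a PEP database fed by a tool that updates them automatically.

```python
"""Added example: name screening for sanctions/PEP checks at onboarding.

Not the quiz's or AUSTRAC's code. The watch list below is constructed for
illustration; real screening runs against the DFAT Consolidated List and a
PEP database supplied by a tool that updates them automatically.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list (illustrative names only, no real persons or entities).
WATCH_LIST = [
    {"id": "WL-001", "name": "Ivan Petrovich Sidorov", "aliases": ["Sidorov, Ivan"], "source": "sanctions"},
    {"id": "WL-002", "name": "Zoë Marchetti-Laurent", "aliases": [], "source": "pep"},
    {"id": "WL-003", "name": "Golden Harbour Trading Co", "aliases": ["Golden Harbor Trading"], "source": "sanctions"},
]

FUZZY_THRESHOLD = 0.88  # assumed; tune against your own false-positive rate


def normalise(name: str) -> str:
    """Lower-case, strip diacritics and punctuation, and sort the tokens so that
    'Sidorov, Ivan', 'Ivan Sidorov' and 'IVAN  SIDOROV' all compare equal."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_only.lower()).split()
    return " ".join(sorted(tokens))


def screen_name(name: str, watch_list=WATCH_LIST, threshold=FUZZY_THRESHOLD):
    """Return [(entry_id, source, score)] for list entries whose primary name or
    any alias matches exactly after normalisation, or fuzzily above threshold."""
    subject = normalise(name)
    hits = []
    for entry in watch_list:
        best = 0.0
        for listed in [entry["name"], *entry["aliases"]]:
            candidate = normalise(listed)
            score = 1.0 if candidate == subject else SequenceMatcher(None, subject, candidate).ratio()
            best = max(best, score)
        if best >= threshold:
            hits.append((entry["id"], entry["source"], round(best, 2)))
    return hits


def screen_customer(customer: dict) -> dict:
    """Screen the customer and, for a non-individual, every beneficial owner.
    Returns {subject: hits}; an empty dict means clear. Record the outcome
    (including a clear result) against the customer file either way."""
    subjects = [customer["name"]] + [bo["name"] for bo in customer.get("beneficial_owners", [])]
    result = {}
    for subject in subjects:
        hits = screen_name(subject)
        if hits:
            result[subject] = hits
    return result


if __name__ == "__main__":
    company = {"name": "Golden Harbor Trading Co", "type": "company",
               "beneficial_owners": [{"name": "Sidorov, Ivan"}, {"name": "Jane Citizen"}]}
    print(screen_customer(company))
```

A hit is a case for manual review and a documented decision, not an automatic rejection; a clear result is still written to the file so the screening can be evidenced later. Token sorting and diacritic stripping catch the common reasons a screen silently misses (surname-first ordering, accented characters, hyphens), and the fuzzy score catches transliteration variants such as Sidorof/Sidorov.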
Privacy & TFN Handling
Accountants are APP entities regardless of turnover because they hold Tax File Numbers. The 2024 Privacy Act reforms raised penalties dramatically (up to $50M or 30% of turnover), introduced a statutory privacy tort, and require ADM disclosure from 10 December 2026.
- Review your privacy policy against the 2024 Privacy Act reforms (Within 60 days · Privacy Officer): Walk through APP 1.4: identity, kinds of information collected, purposes, disclosure (including overseas), access and correction, complaints (with OAIC referral). Add retention periods by data type. Prepare an ADM disclosure section to land by 10 December 2026.
- Lock down TFN handling to the TFN Rule 2015 standard (Within 90 days · Privacy Officer): TFNs only for specific tax-law purposes. Voluntary disclosure disclaimer on every form that asks for one. Least-privilege access in your systems. Secure disposal. Don't ask for TFN on a general engagement letter - that's a Rule breach.
- Document a breach response plan with the 30-day OAIC clock (Within 60 days · Privacy Officer + IT): One page is enough. Cover: who declares an incident, who decides on OAIC notification, the 30-day clock, comms to affected individuals, evidence preservation, insurer and lawyer calls. Test with a tabletop exercise quarterly. A breach involving TFNs and bank details will almost always meet the 'likely to result in serious harm' test, so plan on notifying rather than debating it.
- Add ADM disclosure for every AI-assisted tool (Before 10 Dec 2026 · Privacy Officer + IT): Catch: AI-assisted document classification, fraud/anomaly detection in cloud accounting, lead scoring, automated working-paper review. Plain-English explanation of each tool, what it does, how a human reviews. Draft by October 2026 to leave room for review before the 10 December deadline.
Cyber & Data Security
Accounting practices hold TFNs, bank details, ID documents, and full financial pictures - the richest target on the small-business internet. Essential Eight is the de facto baseline. APP 11, TPB cyber practice notes, and APES 110 Section 113 all require reasonable controls.
- Make MFA universal across business-critical systems (Within 14 days · IT lead): Email, practice management, cloud accounting (Xero/MYOB/QuickBooks), document store, myID, password managers, social accounts. Authenticator app or, better, a phishing-resistant hardware key (FIDO2) - SMS MFA is vulnerable to SIM-swap, and one-time codes of any kind can be relayed by a phishing page. No exceptions for principals.
- Close the Essential Eight high-impact subset (Within 60 days · IT lead): MFA, OS + application patching on a 48-hour cycle for critical vulnerabilities, restrict admin privileges, tested backups. These four are the single biggest breach-probability reducers for a small practice. Ask your IT provider for evidence of each - logs or reports, not assertions.
- Train staff on BEC and invoice fraud quarterly (Quarterly · Office Manager): BEC targeting trust account instructions and invoice payment redirection is the single most damaging attack pattern on accounting practices. Simulated phishing, real examples, and a callback-to-known-number verification rule for any change of payee. Document attendance.
- Confirm cyber insurance coverage explicitly (At next renewal · Principal): Get in writing: privacy breach liability (OAIC), regulatory investigation cover (OAIC, AUSTRAC, TPB), ransomware, business interruption, and breach-response services. Sub-limits and exclusions are where insurers save money at your expense. Read the policy, don't rely on the broker summary.
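The callback-to-known-number rule above only works if something reliably flags the instruction that needs the callback. The block below is an added example of that triage, not code from the quiz or its vendor: it compares an inbound payment instruction against a known-payee register and returns the reasons it must go to callback verification. The register contents, supplier name and email text are constructed, and the lookalike-domain threshold of 0.8 is an assumption.

```python
"""Added example: payee-change and BEC triage for an inbound payment instruction.

Not from the quiz or its vendor. Register contents, supplier names and the
email text are constructed for illustration; the thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed known-payee register. In practice this comes from your AP or
# practice-management system, never from the email being checked.
KNOWN_PAYEES = {
    "acme-stationery": {
        "bsb": "062-000", "account": "12345678",
        "domain": "acme-stationery.com.au", "phone": "02 9000 0000",
    },
}

# Pressure language typical of BEC / invoice-redirection lures.
URGENCY_WORDS = ("urgent", "immediately", "today", "before close", "confidential")
# Australian-style phone numbers quoted in the message body.
PHONE_RE = re.compile(r"(?:\+?61|0)\d[\d \-]{7,}\d")


@dataclass
class Instruction:
    supplier: str       # key into KNOWN_PAYEES
    sender_email: str
    bsb: str
    account: str
    body: str


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def assess(instr: Instruction, known_payees=KNOWN_PAYEES) -> list:
    """Return the reasons this instruction must go to callback verification
    on the number held in the register (never one quoted in the email).
    An empty list means no payee-change indicators were found."""
    known = known_payees.get(instr.supplier)
    if known is None:
        return ["unknown supplier: treat as a new payee and verify by callback"]

    reasons = []
    if (_digits(instr.bsb), _digits(instr.account)) != (_digits(known["bsb"]), _digits(known["account"])):
        reasons.append("bank details differ from the register")

    sender_domain = instr.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != known["domain"]:
        # Lookalike test: assumed threshold of 0.8 on a character-level similarity ratio.
        similarity = SequenceMatcher(None, sender_domain, known["domain"]).ratio()
        kind = "lookalike sender domain" if similarity >= 0.8 else "unregistered sender domain"
        reasons.append(f"{kind} {sender_domain!r} (registered: {known['domain']!r})")

    body = instr.body.lower()
    if any(word in body for word in URGENCY_WORDS):
        reasons.append("urgency or secrecy language in the message")

    for phone in PHONE_RE.findall(instr.body):
        if _digits(phone) != _digits(known["phone"]):
            reasons.append(f"phone number {phone.strip()!r} supplied in email differs from register: do not call it")
    return reasons


if __name__ == "__main__":
    suspicious = Instruction(
        "acme-stationery", "accounts@acme-stationery.co", "062-000", "87654321",
        "URGENT: we changed banks, please pay today. Call 0400 111 222 to confirm.")
    for reason in assess(suspicious):
        print("-", reason)
```

Any non-empty result stops the payment until someone has phoned the number on the register; the number in the email is itself an indicator, because the attacker's goal is to answer the verification call. The same check belongs on trust-account disbursement instructions, which is where the losses on accounting practices concentrate.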
Client Money & Engagement
Handling client money triggers trust-account obligations under professional-body by-laws and the 2024 TPB Code. Engagement administration sits at the intersection of APES 305, the UCT regime (expanded November 2023), and TPB fee-disclosure expectations.
- Run a trust-account hygiene check (Within 30 days · Partner responsible): If you receive client money: separate trust account, monthly reconciliation, annual audit where threshold applies, by-law reporting to your professional body. Commingling with practice funds is a serious breach. If you don't need a trust account, document that decision to close the question off.
- Issue an APES 305 letter for every engagement (Process from now on · Engagement partners): Every engagement. Before work starts. Covering scope, fees, ownership of documents, confidentiality, liability, termination, professional-body standards. Template the letter so it's a 10-minute step, not a drafting project. Keep the signed original for 7 years.
- Review engagement letters against the UCT regime (Within 90 days · Principal + legal review): UCT applies to standard-form contracts with small-business counterparties (<100 employees or <$10M turnover) from 9 Nov 2023. Common traps: auto-renewal with short notice-out, unilateral fee variation, broad indemnities, below-insurable liability caps. The penalty tier is the same as for privacy - $50M / 3× benefit / 30% turnover.
- Document fee disclosure up front for every engagement (Process from now on · Engagement partners): Fee basis (fixed / hourly / value), disbursements, out-of-scope treatment, re-pricing for scope changes. Disclose before work begins, not on the first invoice. For fixed-fee work, document how scope changes are re-priced - this is where client disputes and ethics complaints cluster.
Cloud, AI & Offshore
Most accounting software routes data through US, EU, or Indian infrastructure. APP 8 makes you accountable for overseas vendors. APES 110 Section 113 (updated 2024) requires professional competence in the technology you use and protection of confidentiality when using cloud and AI tools.
- Build a vendor register with data residency and jurisdiction (Within 60 days · Privacy Officer + IT): For each tool touching client data: vendor, service, data stored, data residency, jurisdiction (AU/US/EU/India), contract end, last review. Cover practice management, cloud accounting, document store, email, AI tools, SMS, transcription. Review annually.
- Document APP 8 compliance for overseas vendors (Within 90 days · Privacy Officer): For each overseas vendor, document either (a) reasonable steps taken (vendor security attestations, SOC 2 reports, contract obligations matching APPs), or (b) explicit client consent for the cross-border transfer. Generic AI tools (ChatGPT, Claude, Gemini) almost always route through US infrastructure - APP 8 applies.
- Write an AI policy with a human-review gate (Within 60 days · Compliance lead): APES 110 Section 113: maintain competence in tools used, evaluate AI outputs before relying on them, don't outsource professional judgement. Write what tools staff may use, for what, what information they may enter, and what human-review step closes every AI-assisted output. Update annually.
- Push vendors for 24–48 hour breach SLAs (At next renewal · Operations + legal review): If a vendor notifies you slowly, you miss your OAIC 30-day clock. Renegotiate at renewal - 24–48 hour breach notification SLA in writing. For high-risk vendors (cloud accounting, document store, practice management, email) raise it ahead of renewal. Keep certificates of destruction when you change vendor.
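The vendor register described in this section (and in Q46, Q47 and Q49 above) is only useful if it is actually queried. The block below is an added example, not the quiz's own tooling, of running the register through the checks this section asks for: APP 8 basis for every overseas vendor, a written breach-notification SLA within the 48-hour target, an upcoming renewal window in which to renegotiate, and an annual review date. The three register rows are constructed; the 48-hour, 12-month and 90-day parameters are assumptions taken from the guidance above.

```python
"""Added example: reviewing a vendor register for APP 8 and breach-SLA gaps.

Not the quiz's own tooling. The register entries are constructed for
illustration; the 48-hour SLA target, 12-month review cycle and 90-day
renewal window are assumptions taken from the guidance above.
"""
from datetime import date, timedelta

# Constructed register: one row per tool that touches client data.
REGISTER = [
    {"vendor": "CloudLedger", "service": "cloud accounting", "data": "ledgers, bank feeds, TFNs",
     "residency": "AU", "jurisdiction": "AU", "app8_basis": None, "breach_sla_hours": 48,
     "contract_end": date(2026, 9, 30), "last_review": date(2026, 2, 1)},
    {"vendor": "DocVault", "service": "document store", "data": "ID documents, working papers",
     "residency": "US", "jurisdiction": "US", "app8_basis": "SOC 2 Type II report + APP clauses in contract",
     "breach_sla_hours": 72, "contract_end": date(2026, 6, 15), "last_review": date(2025, 1, 10)},
    {"vendor": "GenAI Assistant", "service": "AI drafting", "data": "client emails, draft advice",
     "residency": "US", "jurisdiction": "US", "app8_basis": None, "breach_sla_hours": None,
     "contract_end": None, "last_review": None},
]


def review_register(register, today: date, sla_max_hours: int = 48,
                    review_days: int = 365, renewal_window_days: int = 90) -> dict:
    """Return {vendor: [finding, ...]} for every row that needs action.
    Rows with no findings are omitted so the output is the to-do list."""
    findings = {}
    for row in register:
        issues = []
        # APP 8: an overseas recipient needs documented reasonable steps or client consent.
        if row["jurisdiction"] != "AU" and not row.get("app8_basis"):
            issues.append("APP 8: overseas vendor with no documented reasonable steps or client consent")
        sla = row.get("breach_sla_hours")
        if sla is None:
            issues.append("breach notification SLA not in writing")
        elif sla > sla_max_hours:
            issues.append(f"breach SLA {sla}h exceeds {sla_max_hours}h target")
        end = row.get("contract_end")
        if end is not None and today <= end <= today + timedelta(days=renewal_window_days):
            issues.append(f"renewal due {end.isoformat()}: renegotiate SLA and APP 8 terms now")
        last = row.get("last_review")
        if last is None or last < today - timedelta(days=review_days):
            issues.append("vendor review overdue")
        if issues:
            findings[row["vendor"]] = issues
    return findings


if __name__ == "__main__":
    for vendor, issues in review_register(REGISTER, date.today()).items():
        print(vendor)
        for issue in issues:
            print("  -", issue)
```

Run it from the compliance calendar each month with the current date; a vendor that appears with a renewal finding is the one to raise the SLA with before the contract rolls over, and an AI tool with no contract end date and no SLA is the typical shadow-IT row that never got onboarded properly.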
Quality, CPD & PI
The 2024 TPB Code additions made quality management a federal regulatory expectation, not just a professional-body by-law. CPD, PI cover, and professional-body quality review cycles are all evidence the TPB and your body will ask for.
- Audit PI cover annually against TPB minimums (At every renewal · Principal): Scale with turnover: $250k cover under $75k turnover, $500k up to $500k turnover, $1M up to $2M turnover, $2M+ above. Must cover tax agent services specifically. 7-year run-off written in - and surviving a change of insurer. Get it on the certificate.
- Track CPD per practitioner with evidence (Process from now on · Compliance lead): 120 h / 3 y for tax agents, 90 h / 3 y for BAS agents, including ethics minimums and the TPB's 20-hour annual minimum. Use a tracking tool storing titles, dates, hours, and evidence (certificates, recordings, session notes). Producible within 30 days of TPB request.
- Document a QMS aligned to APES 325 / ISQM 1 (Within 120 days · Principal + Compliance lead): Cover: governance, ethics and independence, engagement acceptance and continuance, engagement performance, resources, information and communication, monitoring and remediation. APES 325 for public practice; ISQM 1 for audit firms. The 2024 TPB Code addition makes this regulator-facing.
- Schedule the professional-body quality review and any AML independent review (Per cycle · Principal): CA ANZ Practice Review / CPA Best Practice Program / IPA PPP run on a 3–5 year cycle. Add a first AML/CTF program independent review at the 3-year mark from your program commencement - plan for 2029 if you commence 1 July 2026. Reviewer must be independent of program development.
Scope of Services
Scope creep is a common compliance failure mode. The financial-product-advice boundary, BAS/tax-agent boundary, and 2026 payroll changes (Payday Super, wage theft criminalisation) all require active management.
- Document where the accountants' exemption ends and AFSL begins (Within 60 days · Principal): Reg 7.1.29 is narrow: tax implications of products already owned, limited SMSF establishment/closure, super contribution advice without product recommendation. Product recommendation triggers AFSL. Write down where your practice draws the line; train client-facing staff annually.
- Update payroll advice for Payday Super before 1 July 2026 (Before 1 Jul 2026 · Payroll advisory lead): Super paid with each pay cycle, not quarterly. Update client engagement scope, cash-flow advice, STP reporting guidance, and your own practice payroll. Communicate the change to affected clients well ahead of commencement - short-notice advice is reputational risk.
- Refresh wage-underpayment advice for criminalisation (Within 90 days · Payroll advisory lead): Intentional underpayment became criminal in 2025. Your advice on back-pay, self-remediation timing, and Fair Work disclosures needs to reflect criminal exposure. Don't give advice that could be characterised as assisting ongoing non-compliance - NOCLAR obligations apply if you become aware of it.
- Document registration-category boundaries and referral pathways (Within 60 days · Principal): Providing services outside your registration (BAS agent on income tax, non-audit firm signing audit opinions, accountant recommending specific financial products) is a TPB and professional-body breach. Document where your registration ends and maintain a referral panel for common overflow work.
Disclaimer
General disclaimer
This assessment is an indicative self-diagnostic tool and does not constitute legal, regulatory, or compliance advice. It reflects the regulatory landscape as of April 2026, including the Tax Agent Services (Code of Professional Conduct) Determination 2024, the AML/CTF Amendment Act 2024 (Tranche 2), APES 110 as currently issued, and the Privacy and Other Legislation Amendment Act 2024.
AUSTRAC and AML/CTF advice
AUSTRAC Tranche 2 obligations depend on which designated services you actually provide and how your customer base is structured. This tool is not a substitute for an AML/CTF compliance review by a qualified adviser, an industry-body authorised provider, or your professional body's AML support service.
TPB and professional body advice
TPB Code obligations and APES 110 ethical obligations require professional judgement applied to specific facts. This tool is not a substitute for advice from the Tax Practitioners Board, your professional body (CA ANZ, CPA Australia, or IPA), your PI insurer, or a qualified regulatory adviser.
Privacy advice
Privacy Act and TFN Rule 2015 compliance involves factors specific to each practice's systems, client base, and service offering. For a definitive privacy compliance review, consult a qualified privacy lawyer or your professional body's privacy resources.