Is your business ready for the 2026 compliance landscape?

Full quiz content - Australian Business Compliance Readiness Quiz 2026 - ATO, Fair Work, WHS, Privacy, Cyber | Nifty Computing

This index lists every question, every answer option with its score, every tier band, every recommendation, and every regulatory source used by the general-business compliance readiness quiz. Last reviewed 2026-05-07.

Tier scoring

• Compliance-Ready - score ≥ 90/100, review every 12 months. You are operating with the discipline of a much larger business. Your posture across the ATO, Fair Work, WHS, privacy, and cyber domains reflects consistent, documented practice. The 2024-2026 reform wave - Payday Super, wage theft criminalisation, the UCT prohibition, and Privacy Act tort liability - appears to be on your radar. The handful of refinements surfaced below are about staying ahead rather than catching up. Re-take in 12 months; three significant obligations are still scheduled for 2026-2027.
• Mostly Solid - score ≥ 75/100, review every 12 months. You are across the basics, but a few targeted gaps could become material under an audit, an FWO inspection, or after a cyber incident. The recommendations below cluster in two or three categories, and each is a one-to-four-week project. Prioritise the weight-3 findings first - those are the obligations where the ATO, FWO, or OAIC have the sharpest penalty regimes. Review again in 12 months as Payday Super and the Privacy Tranche 2 changes roll into effect.
• At Risk - score ≥ 55/100, review every 6 months. Your overall posture falls below where a regulator or insurer would expect for a business of your size. Several of the gaps identified carry material penalties - wage theft (up to $8.25M for companies), payroll-tax deeming (years of back assessment), and Privacy Act NDB failures (enforceable undertakings, civil penalties). Start with the items tagged as quick wins this quarter, and book a board-level conversation about the weight-3 items before your next review in 6 months.
• Significant Exposure - score ≥ 35/100, review every 3 months. Multiple obligations are either unmet or unknown. None of these need to stay broken - but they will not fix themselves. At least one area (wage compliance, Director ID, payroll-tax registration, or privacy baseline) carries enough downside that a 90-day remediation plan, supported by professional advice, is strongly recommended. The ATO's STP data-matching, FWO's pro-active audit programme, and OAIC's growing enforcement activity mean the window for self-correction is narrower than it was three years ago.
• High-Risk - score ≥ 0/100, review every 1 months. You are operating without the safety net most regulators now assume. This is the most common pattern for owner-operated businesses that have outgrown their original structure and never had a compliance review. The 30-60-90-day triage below addresses the most acute exposures first. Treat every weight-3 item in the top four categories as urgent. Engaging a workplace-relations adviser, registered tax agent, and privacy/cyber consultant this month is the single highest-leverage action available.

Categories assessed

• TAX - Tax & ATO Baseline
• EMP - Employer Obligations & STP
• SUP - Super Guarantee & Payday Super
• FW - Fair Work - NES, Awards & Contracts
• WGE - Wage Compliance & Wage Theft
• WHS - WHS - Physical & Psychosocial
• PRV - Privacy & Notifiable Data Breaches
• CYB - Cyber Security Baseline
• ACL - Australian Consumer Law & UCT
• DIR - ASIC, Director Duties & Director ID
• XRK - Cross-Cutting Risk
• OPS - Records, Insurance, Marketing & Payroll Tax

Questions

1. Q1 (TAX, weight 2): When did you last verify that your ABN registration is current and accurately reflects your business activity?

   • Within the last 12 months - confirmed online and records match (score 5)
   • 1–3 years ago (score 3)
   • More than 3 years ago or never reviewed since registration (score 1)
   • Not sure - have never checked (score 0)

   If a weak option is selected: The ATO can cancel an ABN if it suspects the business is no longer active or if details are stale. An invalid ABN blocks GST credits, causes PAYG-withholding obligations for payers, and can trigger ATO compliance flags. Verify your ABN details at abr.gov.au at least annually and update within 28 days of any change. Cancel promptly if the business ceases.

2. Q2 (TAX, weight 3): Is your GST registration status correct for your current turnover?

   • Yes - registered because turnover is at or above $75,000 (or $0 for ride-share/taxi) (score 5)
   • Not registered - confirmed turnover is below $75,000 and no mandatory trigger applies (score 5)
   • Voluntarily registered below the threshold - deliberate and documented (score 4)
   • Above $75,000 threshold but not yet registered for GST (score 0)
   • Not sure whether we are required to be registered (score 1)

   If a weak option is selected: Failing to register for GST once you cross the $75,000 turnover threshold (measured on a rolling 12-month or projected basis) is a serious ATO compliance failure. You will owe GST on all taxable supplies from the date you should have registered, potentially without having charged it. Register before you cross the threshold. Review quarterly if turnover is near the threshold.

3. Q3 (TAX, weight 2): How often in the last 12 months did you lodge a BAS after the due date?

   • Never - all BAS lodged on time (score 5)
   • Once - isolated incident with a reason (score 3)
   • Twice or more in the last 12 months (score 1)
   • Not sure - bookkeeper handles it and I don't track timeliness (score 2)

   If a weak option is selected: Late BAS lodgement triggers ATO failure-to-lodge penalties (starting at one penalty unit per 28-day period per unreported obligation) and adds interest on unpaid amounts. The ATO's STP data matching means late BAS is now cross-referenced against real-time payroll data, increasing audit risk. Use a tax agent registered calendar and set reminders two weeks before each due date.

4. Q4 (TAX, weight 2): If you engage subcontractors or other businesses in building & construction, cleaning, courier, road freight, IT, security/investigation, or surveillance industries, do you lodge a Taxable Payments Annual Report (TPAR) by 28 August each year?

   • Yes - lodged annually by 28 August (score 5)
   • Not applicable - we do not pay subcontractors in a TPAR-affected industry (score 5)
   • We are in scope but have not been lodging (score 0)
   • Not sure whether we are in scope (score 1)

   If a weak option is selected: TPAR is mandatory for businesses in the listed industries that pay contractors. The ATO has significantly stepped up enforcement - failure-to-lodge penalties and data-matching against ABN registrations are now routine. Even non-trades businesses that subcontract IT or cleaning work may be in scope. Use the ATO TPAR tool (ato.gov.au) to check your obligation and set an annual 28 August deadline reminder.

5. Q5 (TAX, weight 2): Do you retain tax records (transactions, source documents, depreciation schedules) for at least 5 years, in a system you can produce on ATO request?

   • Yes - documented retention policy and tested retrieval (score 5)
   • Yes - informal but generally retrievable (score 3)
   • Some records are accessible; others may be missing or on old hardware (score 1)
   • No systematic retention approach (score 0)

   If a weak option is selected: The Tax Administration Act requires most tax records to be retained for 5 years from when prepared, obtained, or when the transaction was completed - whichever is latest. Depreciating-asset records must be kept for the life of the asset plus 5 years after disposal. An ATO audit that finds missing records can disallow deductions. Use cloud accounting software (Xero, MYOB, QuickBooks) with automated backup as the minimum baseline.

6. Q6 (EMP, weight 3): Are you reporting all Single Touch Payroll Phase 2 categories correctly at every pay event - including gross income, allowances, deductions, lump sums, country codes, and child-support deductions?

   • Yes - STP2 in place, all fields confirmed with our payroll software provider (score 5)
   • We report STP but haven't confirmed all Phase 2 fields are included (score 2)
   • We are still on STP Phase 1 or unsure which phase (score 0)
   • We don't use STP - not aware it applies to us (score 0)

   If a weak option is selected: STP Phase 2 has been mandatory for all employers since 1 January 2022 (with phased transitions ending by mid-2023). The ATO uses STP2 data in real time to cross-check PAYG withholding, super guarantee contributions, and wage compliance. Missing or incorrect Phase 2 fields trigger automated ATO follow-ups. Check with your payroll software provider that all Phase 2 fields are active and correctly mapped.

7. Q7 (EMP, weight 3): Do all pay slips meet Fair Work Regulation 3.46 requirements and reach employees within 1 working day of payment?

   • Yes - template reviewed against Reg 3.46 and delivery is same day (score 5)
   • Pay slips are issued but we haven't checked all required fields (score 2)
   • Pay slips are sometimes late or incomplete (score 1)
   • We don't always issue pay slips (score 0)

   If a weak option is selected: Failure to provide compliant pay slips is one of the most common FWO infringement findings. Regulation 3.46 requires employer name and ABN, employee name, employment classification, pay period, gross and net pay, any loadings and deductions, super fund name and amount, and hourly rate for time-based employees. The FWO can issue on-the-spot infringement notices for non-compliance - even without a wage underpayment.

8. Q8 (EMP, weight 2): Do you retain employee records (pay, leave, hours, contracts) for at least 7 years after the employment ends?

   • Yes - documented retention policy covering all FW Reg 3.31-3.40 record types (score 5)
   • We keep records but haven't formalised a 7-year retention policy (score 3)
   • Records for some employees are missing or incomplete (score 1)
   • No systematic employee record-keeping (score 0)

   If a weak option is selected: Fair Work Regulations 3.31–3.40 require employers to keep a broad range of employee records for 7 years: employment agreements, pay records, hours worked, leave balances, super contributions, and more. The FWO can request these during an investigation or audit. Missing records create a rebuttable presumption against the employer in wage underpayment claims. Use cloud HR software with built-in retention.

9. Q9 (EMP, weight 2): Do you provide new employees with the Fair Work Information Statement (FWIS) and - where the employee is casual - the Casual Employment Information Statement (CEIS)?

   • Yes - both statements issued at commencement and records kept (score 5)
   • Usually - but not always documented (score 3)
   • We provide them sometimes but not consistently (score 1)
   • No - not aware of this obligation (score 0)
   • No employees - not applicable (score 5)

   If a weak option is selected: Providing the FWIS to every new employee and the CEIS to every new casual is a legal obligation under the Fair Work Act. Both documents must be provided before or as soon as practicable after commencement. The FWO publishes current versions at fairwork.gov.au. Failing to provide these documents is an infringement of the NES and is a common finding in FWO audits.

10. Q10 (EMP, weight 3): Do you have a documented process for engaging contractors that applies the post-Closing-Loopholes 'objective sham contracting' test?

    • Yes - written contractor policy, reviewed for Closing Loopholes changes (score 5)
    • We engage contractors but rely on contract wording without a formal assessment process (score 2)
    • We rely mainly on ABN status and invoicing as indicators (score 1)
    • We have not reviewed contractor arrangements since 2023 (score 0)

    If a weak option is selected: The Closing Loopholes No.2 Act (from 26 August 2024) tightened the sham-contracting defence - subjective belief that the arrangement was genuine is no longer a complete defence; an objective test now applies. A contractor found to be a disguised employee triggers back-pay of all entitlements, super, and potential criminal liability for intentional underpayment. Review all contractor arrangements annually against the ATO and FWO contractor/employee decision tools.

11. Q11 (SUP, weight 3): Are you paying super at the current 12% SG rate and completing the most recent quarter's payment by the 28th day after quarter end?

    • Yes - 12% rate, quarterly payments all on time, reconciled to STP (score 5)
    • Yes - but occasionally one to two weeks late (score 2)
    • We were at 11.5% - haven't updated to 12% from 1 July 2025 (score 0)
    • Payments are irregular - we pay when cashflow allows (score 0)

    If a weak option is selected: The SG rate has been 12% since 1 July 2025. Late or short payment triggers the Super Guarantee Charge - a non-deductible charge with interest, admin fees, and penalties that are materially more expensive than the original contribution. The ATO's STP data now flags SG shortfalls in near real-time. Ensure your payroll system is set to 12%, quarterly deadlines are calendared, and each payment is reconciled against STP gross.

12. Q12 (SUP, weight 3): Have you booked a payroll-system or process change to be ready for Payday Super (1 July 2026), which requires SG to be paid within 7 calendar days of each payday?

    • Yes - payroll software upgraded, clearing house re-evaluated, cashflow modelled (score 5)
    • Aware of the change but haven't started preparation (score 2)
    • Not aware of Payday Super (score 0)
    • We don't employ anyone, so not applicable (score 5)

    If a weak option is selected: Payday Super is one of the biggest payroll changes in 20 years. From 1 July 2026, every employer must pay SG within 7 calendar days of each payday - the quarterly cycle ends. Key actions now: (1) Confirm your payroll software can make payday-frequency super payments. (2) Re-evaluate your super clearing house for speed (some take 5+ days to settle). (3) Model the cashflow impact of paying super with wages rather than retaining a 90-day float. The ATO is providing detailed transition guidance at ato.gov.au/paysuper.

13. Q13 (SUP, weight 3): Have you modelled the cashflow impact of moving from quarterly super payments to per-payrun super payments under Payday Super?

    • Yes - cashflow modelled, working capital facility reviewed if needed (score 5)
    • We understand it will change cashflow but haven't modelled it (score 2)
    • Not applicable - no employees (score 5)
    • No, and this is the first time we've considered it (score 0)

    If a weak option is selected: Businesses that have used the quarterly SG payment as a rolling working-capital float will feel a material cashflow impact from 1 July 2026. For example, a business with a $100K monthly payroll currently holds $30K in SG floats; from July 2026 that float disappears. Model the impact now and speak to your bank or accountant about whether a working capital facility or revised payment terms are needed.

14. Q14 (FW, weight 3): Have you mapped each role in your business to the correct modern award (or confirmed award-free / enterprise agreement coverage) within the last 12 months?

    • Yes - every role mapped, rates confirmed, reviewed post-July wage review (score 5)
    • Done more than 12 months ago - not updated for latest annual wage review (score 2)
    • Done for some roles; others assumed or inherited from previous owner (score 1)
    • Not done - unsure which awards apply to our business (score 0)

    If a weak option is selected: Misidentifying or failing to identify the applicable modern award is the root cause of most wage underpayment findings. The FWO's Pay and Conditions Tool (calculate.fairwork.gov.au) lets you look up minimum rates by award, classification, and state. Review is required at least annually (after the 1 July wage review) and any time you add a new role type.

15. Q15 (FW, weight 2): Do you have a written Right to Disconnect policy that all employees have been informed of?

    • Yes - written policy, communicated to all staff, referenced in contracts (score 5)
    • Aware of the right but no written policy yet (score 2)
    • Not aware that the Right to Disconnect applies to our business (score 0)
    • We have no employees, not applicable (score 5)

    If a weak option is selected: The Right to Disconnect has applied to businesses with fewer than 15 employees since 26 August 2025 (it applied to larger employers from 26 August 2024). Employees can refuse to monitor, read, or respond to contact from their employer outside working hours unless the refusal is unreasonable. A written policy clarifying your expectations - when reasonable contact outside hours is expected, and how that's communicated - protects both employer and employee and helps avoid Fair Work Commission disputes.

16. Q16 (FW, weight 2): Do you have a documented casual conversion / employee-choice procedure that meets the 21-day response window and the updated casual definition?

    • Yes - written procedure, response template prepared, definition reviewed for Closing Loopholes (score 5)
    • Aware of casual conversion but procedure not documented (score 2)
    • Not aware that the casual definition has changed since 2024 (score 1)
    • We have no casual employees, not applicable (score 5)

    If a weak option is selected: Since 26 August 2024 (non-small-business) and 26 August 2025 (small-business, fewer than 15 employees), casuals can request conversion under the Employee Choice pathway if they believe the practical reality of their engagement no longer matches the casual definition. Employers must respond within 21 days. The Closing Loopholes No.2 Act tightened the casual definition to focus on the practical reality rather than the contract label. Document your process now.

17. Q17 (FW, weight 3): Do all fixed-term employment contracts comply with the 2-year cap and exception rules (no rolling renewals beyond what is permitted)?

    • Yes - all fixed-term contracts reviewed post December 2023 reforms (score 5)
    • We use fixed-term contracts but haven't reviewed them for the 2-year cap (score 1)
    • We have contracts that may roll beyond 2 years without an applicable exception (score 0)
    • We don't use fixed-term contracts, not applicable (score 5)

    If a weak option is selected: Since 6 December 2023, most fixed-term contracts are limited to 2 years (including renewals and extension combinations). A contract that exceeds this without qualifying for an exception (e.g. specific task, high-income threshold, specialist skills) is treated as an ongoing contract. A rolling series of short fixed-term contracts for the same role is similarly caught. Review all current fixed-term contracts and update templates.

18. Q18 (FW, weight 2): Do you provide 10 paid days of family and domestic violence leave to all employees, including casual employees, per year?

    • Yes - 10 paid days for all employees including casuals, policy documented (score 5)
    • We provide the leave but unsure if casuals are included (score 2)
    • We provide unpaid FDV leave but not 10 paid days (score 1)
    • Not aware this applies to all casuals (score 0)
    • No employees - not applicable (score 5)

    If a weak option is selected: 10 days paid family and domestic violence leave per year is a NES entitlement for all employees including casual employees - it commenced for non-small-business employers on 1 February 2023 and for small businesses on 1 August 2023. Unlike other leave, it is available upfront (not accrued) each year. The FWO has been active in educating and enforcing compliance, including that payslips must not identify it as FDV leave to protect employee privacy.

19. Q19 (FW, weight 2): Have you reviewed your flexible-work-request handling (including parental return to work) against the post-2023 dispute pathway?

    • Yes - written procedure for FWR requests, dispute pathway documented (score 5)
    • We handle requests informally - no written procedure (score 2)
    • Not aware the dispute pathway has changed (score 1)
    • We have no employees, not applicable (score 5)

    If a weak option is selected: Since September 2023, the Fair Work Commission can arbitrate unresolved flexible-work disputes. Employers cannot simply refuse; they must genuinely consider requests and respond in writing within 21 days with specific grounds if refusing. Eligible employees include those with a child under school age, a disability, caring responsibilities, or aged 55+. A written procedure and template response form protects against FWC dispute applications.

20. Q20 (WGE, weight 3): When did you last commission a payroll audit (internal or external) against the applicable modern awards or enterprise agreement, including allowances, penalty rates, and overtime?

    • Within the last 12 months - external or independent internal audit (score 5)
    • 1–2 years ago (score 3)
    • More than 2 years ago or never (score 0)
    • We are award-free at all salary levels - confirmed in writing (score 4)

    If a weak option is selected: Since 1 January 2025, intentional underpayment of wages or entitlements is a criminal offence under the Fair Work Act, carrying up to 10 years imprisonment for individuals and fines of up to $8.25M for body corporates (or 3× the underpaid amount if greater). An annual payroll audit is the primary control. Many large-employer underpayments (media, hospitality, retail) were not discovered for years because audits didn't happen. The cost of an external audit is trivial compared to back-pay plus penalties.

21. Q21 (WGE, weight 3): If you employ fewer than 15 staff, are you familiar with the Voluntary Small Business Wage Compliance Code, and do your processes evidence the steps it sets out?

    • Yes - familiar with the Code, processes documented to satisfy it (score 5)
    • Aware it exists but haven't read or implemented it (score 2)
    • We have more than 15 employees, so the Code doesn't apply as a defence (score 3)
    • Not aware of the Voluntary Code (score 0)

    If a weak option is selected: The Voluntary Small Business Wage Compliance Code, which commenced with wage-theft criminalisation on 1 January 2025, provides small employers (fewer than 15 employees) with a defence pathway if they unintentionally underpay and have followed the Code's steps: knowing your obligations, checking pay rates, having good record-keeping, taking proactive remediation steps when errors are found, and working cooperatively with the FWO. Following the Code does not excuse intentional underpayment but protects against criminal prosecution for genuine mistakes.

22. Q22 (WGE, weight 3): When your applicable award or enterprise agreement minimum rates change (typically 1 July each year after the annual wage review), do you have a documented process to apply new rates from the first full pay period on or after the effective date?

    • Yes - rate updates calendared, payroll system updated before 1 July each year (score 5)
    • We update rates when we notice them - may not be exactly on time (score 2)
    • We don't have a process - updates happen reactively (score 0)
    • Not applicable - we are above-award for all employees (score 4)

    If a weak option is selected: Failure to apply updated minimum rates from 1 July each year (or the next full pay period) is an underpayment under the Fair Work Act - and from 1 January 2025, systematic failure to apply known rate changes can support a finding of intentional underpayment. The FWC publishes updated pay rates at fairwork.gov.au after the annual National Minimum Wage Order. Subscribe to FWO alerts and calendar your payroll rate review for mid-June each year.

23. Q23 (WHS, weight 3): Does each company officer (director or executive responsible for a substantial part of the business) understand and demonstrate the six elements of WHS due diligence under s27 of the model WHS Act?

    • Yes - officers have received WHS training, due-diligence responsibilities documented (score 5)
    • Officers are aware of WHS obligations but no formal due-diligence training (score 2)
    • WHS is delegated to a manager - officers are not directly engaged (score 1)
    • Not aware that officers have personal WHS duties (score 0)

    If a weak option is selected: Under s27 of the model WHS Act (and equivalent in VIC), every officer of a PCBU has a personal due-diligence duty: acquire and keep up-to-date WHS knowledge; understand the nature of business operations and hazards; ensure adequate resources and processes; implement reporting and review processes; and verify that risk controls are working. Industrial manslaughter now exists in all Australian jurisdictions - officer due diligence is no longer a back-office matter.

24. Q24 (WHS, weight 3): Do you have a psychosocial hazard register and risk-control documentation covering high job demands, low control, harassment, bullying, and conflict?

    • Yes - register completed, controls documented and reviewed in last 12 months (score 5)
    • We have a general risk register but psychosocial hazards are not separately addressed (score 2)
    • We are aware of the psychosocial regulations but have not yet implemented them (score 1)
    • Not aware that psychosocial hazards are a legislated WHS obligation (score 0)

    If a weak option is selected: Psychosocial hazard regulations are now in force across all Australian jurisdictions (model WHS Regulations amended from 2023; states rolling out 2023–2024). Employers must identify, assess, and control psychosocial hazards: high job demands, low control, poor support, lack of role clarity, poor environmental conditions, remote or isolated work, violence and aggression, harassment including sexual harassment, and bullying. Safe Work Australia's psychosocial hazards code of practice at safeworkaustralia.gov.au is the practical guide.

25. Q25 (WHS, weight 3): Is your notifiable-incident procedure documented, with a clear escalation path within 48 hours and a scene-preservation process?

    • Yes - written procedure, all workers know it, phone numbers on site (score 5)
    • We know to call the regulator but no written procedure (score 2)
    • We would figure it out at the time (score 1)
    • Not aware of the notifiable-incident reporting obligation (score 0)

    If a weak option is selected: A notifiable incident (death, serious injury, serious illness, or dangerous incident as defined in the WHS Act) must be reported to your state WHS regulator immediately by telephone, with a written record within 48 hours. The scene must be preserved until an inspector attends or directs otherwise. A written procedure posted in every workplace and saved in every supervisor's phone is the minimum requirement. Contact: SafeWork NSW 13 10 50, WorkSafe VIC 13 23 60, WHSQ 1300 362 128, WorkSafe WA 1300 307 877.

26. Q26 (WHS, weight 2): Are workers genuinely consulted on WHS matters via health and safety representatives (HSRs), safety committees, or documented consultation events?

    • Yes - formal consultation mechanism, HSR elections offered, records kept (score 5)
    • Informal consultation only - matters discussed in team meetings (score 3)
    • Workers are not consulted on WHS matters (score 0)
    • No workers, not applicable (score 5)

    If a weak option is selected: The duty to consult workers on WHS matters is a core obligation under all Australian WHS legislation. Workers have a right to request election of a Health and Safety Representative. While small businesses often manage through informal consultation (team meetings with WHS agenda items), the consultation must be genuine - documented, responded to, and traceable. Failure to consult is routinely cited in WHS regulator infringement notices.

27. Q27 (WHS, weight 2): Are mandatory training records (induction, role-specific, refresher) current for every worker?

    • Yes - training register current, records retrievable for each worker (score 5)
    • Training happens but records are informal or incomplete (score 2)
    • Induction records exist; ongoing training not tracked (score 1)
    • No training records maintained (score 0)

    If a weak option is selected: WHS training records are evidence of your PCBU's risk management. In the event of an incident, a WHS regulator will request training records for all workers involved. A training register (digital or physical) with worker name, training type, date, provider, and expiry is the minimum. Safe Work Australia's WHS training information at safeworkaustralia.gov.au outlines categories of training required across industries.

28. Q28 (WHS, weight 3): If your business supplies, processes, fabricates, or installs engineered stone, have you ceased and transitioned to compliant alternative materials since the ban came into force on 1 July 2024?

    • Yes - fully transitioned, no engineered stone in supply chain (score 5)
    • Not applicable - we do not deal in engineered stone (score 5)
    • Transitioning - some engineered stone still in supply or use (score 1)
    • Not aware of the engineered stone ban (score 0)

    If a weak option is selected: The manufacture, supply, processing, and installation of engineered stone benchtops, panels, and slabs has been prohibited across Australia since 1 July 2024 (model WHS Regulation amendments). Limited transitional carve-outs applied for existing stock and pre-existing contracts only. Continuing to supply, fabricate, or install engineered stone is a serious WHS offence carrying significant penalties. Contact your state WHS regulator immediately if any part of your business is still dealing with engineered stone.

29. Q29 (PRV, weight 3): Have you correctly determined whether your business is an APP entity under the Privacy Act 1988 - either by turnover above $3M or a carve-in (health information, Commonwealth contractor, trades in personal information, related body of an APP entity)?

    • Yes - APP entity status confirmed in writing, APPs documented and applied (score 5)
    • Yes APP entity - we are complying but status not formally documented (score 3)
    • Below $3M and no carve-in - small-business exemption applies for now (score 3)
    • Not sure whether the Privacy Act applies to us (score 0)

    If a weak option is selected: Any private-sector organisation with annual turnover above $3M is an APP entity subject to the 13 Australian Privacy Principles. Carve-ins apply regardless of size - if you hold health information, act as a Commonwealth contractor, or trade in personal information, you are an APP entity. The Privacy and Other Legislation Amendment Act 2024 (assented December 2024) introduced a statutory tort for serious invasions of privacy and increased civil penalties to $2.5M (individuals) / $50M+ (companies). Formally document your APP-entity assessment.

30. Q30 (PRV, weight 2): Is your privacy policy current - reviewed within the last 12 months and disclosing collection purposes, overseas disclosures, complaint mechanisms, and any use of automated decision-making?

    • Yes - reviewed within 12 months, covers all required disclosures including ADM (score 5)
    • Reviewed but more than 12 months ago (score 2)
    • We have a privacy policy on our website but haven't reviewed it since it was drafted (score 1)
    • No privacy policy (score 0)

    If a weak option is selected: APP 1 requires APP entities to maintain an up-to-date privacy policy. The Privacy and Other Legislation Amendment Act 2024 will require disclosure of automated decision-making (ADM) with significant effect from end of 2026 - begin updating policies now. Your policy must name the types of personal information held, how it is collected, how it is used and disclosed, whether it is sent overseas, and how individuals can access, correct, or complain. Update annually or whenever your data practices change.

31. Q31 (PRV, weight 3): Do you maintain a data inventory - documenting what personal information you hold, where it is stored, who can access it, why it is held, and how long it is retained?

    • Yes - documented data inventory, reviewed in last 12 months (score 5)
    • Partial - some systems mapped but no comprehensive inventory (score 2)
    • Informally known but not documented (score 1)
    • No data inventory exists (score 0)

    If a weak option is selected: A data inventory (also called a data register or data map) is the foundation of Privacy Act compliance - without it you cannot answer an access request, assess an eligible data breach, or respond to a regulator inquiry. OAIC has repeatedly cited absence of a data map as a systemic risk factor in NDB investigations. Start with a spreadsheet listing: system name, type of PI held, purpose, access controls, retention period, overseas transfers, and deletion method.

32. Q32 (PRV, weight 3): Do you have a documented Notifiable Data Breach (NDB) assessment process - including who decides if a breach is eligible, in what timeframe, and who notifies the OAIC and affected individuals?

    • Yes - written NDB procedure, roles assigned, template notifications prepared (score 5)
    • We would handle a breach but no written procedure (score 2)
    • We are aware of NDB obligations but haven't built a process (score 1)
    • Not aware of the NDB scheme (score 0)

    If a weak option is selected: Under the NDB scheme (Privacy Act Part IIIC), APP entities that suspect an eligible data breach must carry out a reasonable assessment within 30 days. An eligible breach is unauthorised access/disclosure or loss of personal information likely to cause serious harm. If confirmed, the OAIC and affected individuals must be notified as soon as practicable. The OAIC has issued enforceable undertakings against entities that delayed notification. Prepare a written procedure and a notification template before you need them.

33. Q33 (PRV, weight 2): If you disclose personal information to overseas recipients (cloud providers, offshore contractors, overseas group entities), have you documented these transfers and applied APP 8 accountability?

    • Yes - overseas recipients named in policy, data-processing agreements in place (score 5)
    • We use overseas cloud services but haven't addressed APP 8 formally (score 1)
    • No overseas disclosures (score 5)
    • Not aware of APP 8 cross-border disclosure obligations (score 0)

    If a weak option is selected: APP 8 requires that before disclosing personal information to an overseas recipient, you take reasonable steps to ensure the recipient does not breach the APPs - typically via a data-processing agreement. Cloud services based in the US, EU, or Asia are 'overseas recipients' for this purpose. A blanket disclosure in your privacy policy is necessary but not sufficient; contracts with key processors (Salesforce, Google Workspace, AWS, Xero) should include appropriate data-protection terms.

34. Q34 (PRV, weight 2): Are you operating as if the small-business Privacy Act exemption (turnover below $3M) may be removed in the near future - building baseline privacy hygiene even if currently exempt?

    • Yes - treating Privacy Act as applicable regardless of exemption (score 5)
    • Aware the exemption may be removed but haven't started preparation (score 2)
    • Relying on the exemption and not preparing (score 1)
    • Not aware the exemption may be removed (score 0)

    If a weak option is selected: Treasury's Privacy Reform Tranche 2 (expected 2026-2027) is likely to abolish the small-business exemption that currently exempts businesses under $3M turnover. Even businesses currently exempt should be building baseline Privacy Act hygiene now - a data inventory, a basic privacy policy, and an NDB assessment process. These are not onerous and they protect against breach of confidence actions, spam complaints, and customer trust damage even before the exemption falls.

35. Q35 (CYB, weight 3): Is multi-factor authentication (MFA) enforced on business email, remote access, admin accounts, and cloud administration consoles?

    • Yes - MFA on all named systems, verified by IT or IT provider report (score 5)
    • MFA on most systems but not all - some accounts still password-only (score 2)
    • MFA on banking only - not on email or cloud services (score 1)
    • No MFA in use (score 0)

    If a weak option is selected: The ASD's Essential Eight lists MFA as a top-tier control. Compromised email accounts are the entry point for business email compromise, ransomware deployment, and data exfiltration. Microsoft 365 and Google Workspace both have straightforward MFA enforcement settings that take under an hour to activate. Require MFA for every account with access to financial data, customer data, or infrastructure controls - not just banking.

36. Q36 (CYB, weight 3): Are operating systems, applications, and internet-facing services patched within the Essential Eight ML1 cadence - critical patches within 48 hours, others within one month?

    • Yes - managed patching cadence, verified monthly by IT provider report (score 5)
    • Auto-updates enabled but not verified - some devices may be behind (score 2)
    • Patching happens reactively when problems arise (score 1)
    • No structured patching process (score 0)

    If a weak option is selected: Unpatched vulnerabilities are the primary ransomware and malware entry point for SMEs. ASD's Essential Eight Maturity Level 1 requires: OS patches within one month of release; application patches within one month; internet-facing services patched within 48 hours for critical vulnerabilities. If your IT provider manages patching, ask for a monthly patch-compliance report listing any outstanding patches and their age - 'everything is up to date' without evidence is not sufficient.

37. Q37 (CYB, weight 3): Do you have offline or immutable backups that have been tested by a full restoration in the last 12 months?

    • Yes - handled in-house, restore-tested, and evidence retained (score 20)
    • Yes - outsourced to our IT provider, restore-tested and verified by provider report (score 20)
    • Yes - in-house backups exist, but restore testing/evidence is informal (score 15)
    • Yes - outsourced to our IT provider, but we assume rather than verify (score 15)
    • Partial, incomplete, or not covering all critical systems (score 8)
    • No reliable backup and restore process, or don't know (score 0)

    If a weak option is selected: Ransomware routinely targets online backups first, then encrypts production data. Offline (airgapped) or immutable backups are the essential recovery mechanism. Test your backups by actually restoring from them - not just checking backup logs. The restoration test should cover financial records, customer data, and operational files. Document the test date and what was recovered. Backups that have never been restored are unverified hope.

38. Q38 (CYB, weight 3): Do you have a written incident response plan with named roles and at least one tabletop exercise completed in the last 12 months?

    • Yes - written plan, roles assigned, tabletop exercise completed and documented (score 5)
    • Written plan but no tabletop exercise (score 3)
    • Informal understanding of what to do but no written plan (score 1)
    • No incident response plan (score 0)

    If a weak option is selected: The first hour after a cyber incident determines whether it becomes a contained disruption or a business-ending event. A written incident response plan should cover: (1) who declares an incident; (2) who calls the bank (funds recall); (3) who calls the cyber insurer; (4) who reports to ReportCyber (cyber.gov.au); (5) who manages communications; (6) how systems are isolated. Run a 90-minute tabletop exercise annually - it surfaces gaps before the incident, not during it.

39. Q39 (CYB, weight 2): If your annual turnover is above $3M and a ransomware payment were made, do the people authorising payment know about the 72-hour reporting obligation under the Cyber Security Act 2024?

    • Yes - aware of the obligation, reporting process documented (score 5)
    • Below $3M turnover - reporting obligation does not apply (score 5)
    • Above $3M but not aware of the reporting obligation (score 0)
    • Not sure of our turnover position against this threshold (score 1)

    If a weak option is selected: The Cyber Security Act 2024 (in force from late 2025) requires businesses with annual turnover above $3M that make a ransomware payment to report to the Department of Home Affairs within 72 hours of the payment. The report must include the demand, the payment amount, the threat actor description, and incident facts. Reports carry limited-use protections - they cannot be used in regulatory or criminal proceedings against the reporting entity. Smaller businesses that pay ransomware are strongly encouraged to also report via ReportCyber.

40. Q40 (ACL, weight 3): Have you reviewed your standard form contracts (with consumers and small businesses) for unfair terms since the November 2023 UCT prohibition and penalties came into force?

    • Yes - legal review completed post-November 2023, terms updated (score 5)
    • Aware of the UCT reform but contracts not yet reviewed (score 1)
    • Using standard contracts drafted before 2022 without updates (score 0)
    • We don't use standard form contracts with consumers or small businesses (score 5)

    If a weak option is selected: Since 9 November 2023, unfair contract terms in standard-form contracts with consumers and small businesses are prohibited (not merely voidable) and attract civil penalties up to $50M for companies and $2.5M for individuals. The small-business definition was expanded to parties with fewer than 100 employees OR turnover below $10M. Common UCT risks: one-sided termination rights, unilateral price change clauses, auto-renewal without notice, excessive cancellation fees, and broad liability exclusions. Have a commercial lawyer review your standard templates.

41. Q41 (ACL, weight 2): Do your customer-facing terms and conditions correctly acknowledge the non-excludable consumer guarantees - acceptable quality, fitness for purpose, and match of description?

    • Yes - consumer guarantees acknowledged, no purported exclusion or limitation (score 5)
    • Our terms include a clause purporting to exclude or limit consumer guarantees (score 0)
    • Not sure - terms haven't been reviewed for this (score 1)
    • We only sell B2B above the consumer threshold, not applicable (score 4)

    If a weak option is selected: Consumer guarantees under the ACL apply to goods and services supplied to consumers (broadly, purchases up to $100,000 or for personal/domestic use) and cannot be excluded, restricted, or modified by contract. Any clause that purports to do so is void and, in a standard-form contract, may also be an unfair term. The ACCC has actively enforced against businesses that use void exclusion clauses - even as 'dead letter' clauses in templates. Remove them.

42. Q42 (ACL, weight 2): Do your pricing displays (website, catalogues, advertising) comply with the ACL single-price and component-pricing rules?

    • Yes - all prices shown as single total price inclusive of all fees and charges (score 5)
    • Most prices correct but some add-on or booking fees disclosed separately (score 2)
    • Prices exclude fees - customers see the full price only at checkout (score 0)
    • Not sure of the pricing display rules (score 1)

    If a weak option is selected: The ACL requires that prices be displayed as a single total price - the minimum amount payable. Mandatory fees (service fees, booking fees, card surcharges where unavoidable) must be included or disclosed clearly alongside the base price before the customer commits. The ACCC's 'drip pricing' enforcement has intensified since 2023 - adding unavoidable fees at checkout without clear prior disclosure is misleading conduct under s18.

43. Q43 (ACL, weight 2): Are your website terms and conditions (including terms of sale, refund policy, and privacy policy) current and accurate as of today?

    • Yes - reviewed within 12 months, match current business practices (score 5)
    • Terms exist but haven't been reviewed since the UCT reform in November 2023 (score 2)
    • Using a template downloaded from the internet - never customised or reviewed (score 1)
    • No website terms (score 0)

    If a weak option is selected: Stale or inaccurate website terms create ACL exposure on multiple fronts: misleading conduct (if terms don't match actual practice), unfair terms (if they contain prohibited clauses), and privacy obligations (if the privacy policy is out of date). The November 2023 UCT reform and the December 2024 Privacy Act amendments are the two most recent triggers for a terms review. Schedule an annual legal review of all customer-facing terms.

44. Q44 (DIR, weight 3): Does every current director of your company hold a Director Identification Number (Director ID) issued by the ABRS?

    • Yes - all directors confirmed, Director ID numbers recorded (score 5)
    • Most directors have one but one or more have not yet applied (score 1)
    • Not sure - haven't checked recently (score 1)
    • No - some directors don't have a Director ID (score 0)

    If a weak option is selected: Director IDs have been mandatory since November 2022. A director must apply for their Director ID before they are appointed - they cannot be appointed and then apply afterwards. The ABRS (abrs.gov.au) administers the scheme. Failure to hold a Director ID is a civil penalty offence. New directors must verify they have applied through myGovID before the appointment paperwork is completed. Maintain a record of all directors' Director ID numbers in your company register.

45. Q45 (DIR, weight 3): Are ASIC notifications (changes to officeholders, registered office address, share allotments) lodged within 28 days of the change?

    • Yes - all changes notified within 28 days, company register current (score 5)
    • Usually but sometimes delayed (score 2)
    • We rely on our accountant but don't track timeliness (score 2)
    • ASIC notifications are often delayed or missed (score 0)

    If a weak option is selected: ASIC requires companies to notify changes to directors, secretaries, registered office, and principal place of business within 28 days using Form 484 (or via ASIC Connect). Late lodgement triggers late fees (starting around $82). ASIC also uses these records to identify directors for enforcement purposes - outdated records create compliance and enforcement risks. Your company secretarial process should include a trigger for lodgement at the time of any change.

46. Q46 (DIR, weight 3): Does your board or management pack include a solvency view - cashflow forecast, debt-covenant status, and going-concern indicators - at each meeting?

    • Yes - solvency indicators presented at every board or management meeting (score 5)
    • Financial reports are reviewed but no explicit solvency test or going-concern note (score 2)
    • Financial review is informal or infrequent (score 1)
    • No formal financial review process (score 0)

    If a weak option is selected: Directors have a personal duty not to allow the company to trade while insolvent (Corporations Act s588G). The defence requires showing that at the relevant time, there were reasonable grounds to expect solvency. A board pack that includes a 13-week cashflow forecast, creditor-aging report, and commentary on going-concern indicators is the evidence that officers are monitoring solvency actively. ASIC's FY26 enforcement priorities include insolvent trading and illegal phoenix activity.

47. Q47 (DIR, weight 2): Are directors' resolutions, minutes, and registers maintained as required by the Corporations Act (ss286-289) and available for inspection?

    • Yes - all statutory registers current, minutes completed within one month of each meeting (score 5)
    • Minutes exist but are sometimes incomplete or delayed (score 2)
    • Minimal records - resolutions confirmed by email, no formal minute book (score 1)
    • No formal company records maintained (score 0)

    If a weak option is selected: The Corporations Act requires companies to maintain a range of statutory registers (members, officeholders, options, debentures) and to keep financial records and minutes for 7 years. ASIC can inspect these records. Missing or falsified records are a criminal offence (Corporations Act s1307). A Company Secretary engagement (even outsourced at $500-1,000 per year) provides the framework to keep these current.

48. Q48 (DIR, weight 2): Do directors hold appropriate management liability / D&O insurance, and are they aware of recent carve-outs for greenwashing and climate-disclosure claims?

    • Yes - D&O policy in place, reviewed within 12 months including carve-outs (score 5)
    • D&O policy in place but not reviewed recently for new exclusions (score 2)
    • No D&O or management liability insurance (score 0)
    • Not sure if we have it (score 1)

    If a weak option is selected: Directors of proprietary companies face personal liability exposure across insolvent trading, employment practices, statutory duties, and increasingly climate and cyber governance. Management liability / D&O insurance covers defence costs and judgments. Insurers are now carving out greenwashing, climate-disclosure misrepresentation, and ESG-related claims from standard policies - review your policy wording carefully. The ASIC FY26 enforcement priorities specifically name greenwashing and climate-disclosure obligations.

49. Q49 (XRK, weight 3): Have you assessed whether your business provides a designated service under the AML/CTF Act - either under Tranche 1 (current) or Tranche 2 (from 1 July 2026, covering accountants, lawyers, real estate, precious metals/stones)?

    • Yes - designated-service assessment completed and documented (score 5)
    • We are aware of Tranche 2 but haven't assessed our scope formally (score 2)
    • Not aware of Tranche 2 at all (score 0)
    • Confirmed not in scope - documented (score 5)

    If a weak option is selected: The AML/CTF Amendment Act 2024 (assented December 2024) extends the AML/CTF regime from 1 July 2026 to accountants, auditors, SMSF auditors, lawyers, conveyancers, notaries, real estate professionals, trust-and-company service providers, and dealers in precious metals and stones. If any of these services describe part of your business, you must enrol with AUSTRAC, develop an AML/CTF Program, implement customer due diligence, and lodge Suspicious Matter Reports. AUSTRAC is finalising detailed Rules through 2025-2026 at austrac.gov.au.

50. Q50 (XRK, weight 3): If your business is in scope for AML/CTF Tranche 2, is your AUSTRAC enrolment, AML/CTF Program, and customer due diligence process being prepared for 1 July 2026?

    • Yes - enrolment commenced, Program being drafted, CDD process documented (score 5)
    • In scope but preparations have not started (score 1)
    • Not in scope - confirmed (score 5)
    • Not sure whether we are in scope (score 1)

    If a weak option is selected: AUSTRAC enforcement for Tranche 2 entities commences from 1 July 2026. Civil penalties for failure to enrol, maintain an AML/CTF Program, or conduct customer due diligence are significant - AUSTRAC has levied penalties in the hundreds of millions for serious non-compliance by financial institutions. Tranche 2 entities should engage an AML/CTF compliance specialist now. AUSTRAC's Tranche 2 guidance at austrac.gov.au is updated regularly.

51. Q51 (XRK, weight 2): If you receive modern slavery or ESG supply-chain questionnaires from larger customers, do you have a documented position on supply-chain forced-labour risk?

    • Yes - supply-chain risk assessment completed, documented position available for customers (score 5)
    • We receive questionnaires but respond ad hoc without a documented position (score 2)
    • We do not receive such questionnaires (score 4)
    • We receive them but typically don't respond or don't know how to (score 0)

    If a weak option is selected: While the Modern Slavery Act 2018 (Cwlth) only directly requires reporting from entities with consolidated revenue above $100M, many smaller businesses are asked to provide modern slavery information as a vendor-onboarding requirement by larger customers. A documented supply-chain risk position - even a one-page policy identifying your supply chain, your risk assessment, and your mitigation steps - satisfies most vendor questionnaires and demonstrates governance. The Australian Border Force's Modern Slavery Register at modernslaveryregister.gov.au provides current guidance.

52. Q52 (XRK, weight 3): If you have overseas dealings (suppliers, agents, freight, offshore sales), have you completed a foreign bribery risk assessment and gap-checked against the AGD's six adequate-procedures elements?

    • Yes - risk assessment completed, policies include adequate-procedures elements (score 5)
    • No overseas dealings of material substance (score 4)
    • We have overseas dealings but no foreign bribery risk assessment (score 0)
    • Not aware of the foreign bribery failure-to-prevent offence from September 2024 (score 0)

    If a weak option is selected: The Crimes Legislation Amendment (Combatting Foreign Bribery) Act 2024 (in force 8 September 2024) created a failure-to-prevent foreign bribery offence - a company is liable if an associate (employee, contractor, agent, subsidiary) bribes a foreign official for the company's benefit, unless the company had adequate procedures. The AGD has published guidance on six adequate-procedures elements: top-level commitment, risk assessment, due diligence, communication and training, reporting and investigation, and monitoring and review. Even SMEs with indirect overseas exposure (freight forwarders, overseas component suppliers) should conduct a basic assessment.

53. Q53 (XRK, weight 1): If you receive Scope 3 carbon-emissions questionnaires from larger customers or clients, do you have a baseline understanding of your Scope 1 and 2 GHG emissions?

    • Yes - Scope 1 and 2 baseline measured, documented and available on request (score 5)
    • Aware of the obligation but no baseline measured yet (score 2)
    • We do not receive Scope 3 questionnaires (score 4)
    • Not sure what Scope 1, 2, and 3 emissions are (score 1)

    If a weak option is selected: Mandatory climate-related financial disclosures under AASB S2 apply directly to entities above the Group 3 threshold ($50M revenue / $25M assets / 100 employees) from July 2027. However, Group 1 and 2 entities are already seeking Scope 3 supply-chain emissions data from their suppliers - creating practical questionnaire pressure on SMEs below the direct-reporting threshold. A basic Scope 1 and 2 GHG inventory (electricity, gas, fleet fuel) using the NGERS methodology or a carbon-accounting tool is the foundation for responding to these requests. AASB standards at aasb.gov.au.

54. Q54 (XRK, weight 2): If your consolidated revenue is at or above $100M, is your annual Modern Slavery Statement published on the Australian Government's Modern Slavery Register within 6 months of your financial year-end?

    • Yes - statement published and current (score 5)
    • Above threshold but statement is late or never lodged (score 0)
    • Below $100M threshold - not directly required (score 4)
    • Not sure of our threshold position (score 1)

    If a weak option is selected: The Modern Slavery Act 2018 (Cwlth) requires entities with consolidated revenue at or above AUD$100M to publish an annual Modern Slavery Statement describing their structure, supply chains, risk assessment, actions, and effectiveness. The Government has accepted review recommendations to lower this threshold to $50M and introduce penalties for non-compliance - legislation is expected in 2026. Statements are published at modernslaveryregister.gov.au.

55. Q55 (OPS, weight 2): Do you have a records-retention schedule covering all mandatory retention periods - tax records (5 years), employee records (7 years), WHS incident records (5 years; SDS/exposure monitoring 30 years), company records (7 years), and privacy records (no longer than necessary)?

    • Yes - written retention schedule covering all categories, with secure destruction process (score 5)
    • Some records retained but no formal schedule across all categories (score 2)
    • Records are kept indefinitely - no destruction process (score 1)
    • No records retention policy (score 0)

    If a weak option is selected: Different regulatory regimes impose different retention periods for the same or overlapping records. A conflict table is the practical tool - for each record type, list the regulator, the minimum period, and the applicable regime. Key ones: tax records 5 years (Tax Administration Act); employee records 7 years (FW Regulations); WHS incident records 5 years with some SDSs and occupational-exposure monitoring at 30 years; company records 7 years (Corporations Act). Over-retention of personal information also creates Privacy Act liability under APP 11.

56. Q56 (OPS, weight 3): Have you reviewed your insurance schedule (workers' comp, public liability, professional indemnity, cyber, D&O, business interruption) within the last 12 months?

    • Yes - full schedule reviewed with a broker, gaps identified and addressed (score 5)
    • Renewals are processed but no active gap analysis (score 2)
    • Last reviewed more than 2 years ago (score 1)
    • No formal insurance review process (score 0)

    If a weak option is selected: Insurance gaps discovered after an event cannot be fixed retroactively. Key changes in the 2024-2026 period: (1) cyber insurance premiums have hardened - insurers now require Essential Eight ML1+ as a baseline for affordable cover; (2) D&O policies increasingly exclude greenwashing and climate-disclosure claims; (3) workers' compensation classification errors are being identified in state revenue audits. Review with a specialist broker annually, not just at renewal time.

57. Q57 (OPS, weight 2): If you send marketing emails, SMS, or conduct telemarketing, do you maintain a consent register, correctly identify the sender, and process unsubscribes within 5 working days?

    • Yes - consent register maintained, sender ID on every campaign, unsubscribes processed within 5 working days (score 5)
    • We send marketing communications but consent management is informal (score 2)
    • We do not send marketing communications (score 5)
    • Not aware of the Spam Act consent and identification requirements (score 0)

    If a weak option is selected: The Spam Act 2003 requires every commercial electronic message (email, SMS, instant messaging) to carry sender identification, be sent only with express or narrowly defined inferred consent, and include a functional unsubscribe mechanism that takes effect within 5 working days. ACMA has issued penalties in the millions for major brands since 2023. Even small-business marketing campaigns are in scope - a simple consent register (spreadsheet or CRM tag) and an unsubscribe-process checklist are the baseline controls.

58. Q58 (OPS, weight 3): Are you registered for payroll tax in every state or territory where your wages (after grouping of related entities) exceed the local threshold?

    • Yes - registered in all applicable states, returns lodged on time (score 5)
    • Registered in our primary state but not sure about other states where we have employees (score 2)
    • Below threshold in all states, confirmed with adviser (score 5)
    • Not sure if we need to be registered (score 1)

    If a weak option is selected: Payroll tax is state-administered, and thresholds vary: NSW $1.2M, VIC $1.0M, QLD $1.3M, WA $1.0M, SA $1.5M, TAS $1.25M, ACT $2.0M, NT $1.5M (verify at publish date). Related entities are grouped - if two related businesses each have $700K payroll in NSW, the group exceeds the $1.2M threshold and is taxable. Non-registration triggers back-assessments, interest, and penalties. A payroll-tax health check with your accountant is essential if you are near threshold or have related entities.

59. Q59 (OPS, weight 3): Have you assessed contractor 'deeming' exposure under each state's payroll-tax provisions, including the Thomas & Naaz and Optical Superstore lines of cases?

    • Yes - contractor arrangements assessed against deeming provisions, exemptions documented (score 5)
    • We use contractors but haven't assessed payroll-tax deeming risk (score 1)
    • We have no contractors (score 5)
    • Not aware of contractor deeming for payroll tax (score 0)

    If a weak option is selected: Under state payroll-tax laws, payments to contractors can be 'deemed wages' and subject to payroll tax unless an exemption applies (e.g. the contractor provides services to multiple clients, or provides materials comprising most of the contract price). The Thomas & Naaz (NSW) and Optical Superstore (VIC) cases confirmed that many practitioner-in-practice structures in medical, dental, and allied health are caught. State revenue offices in NSW, VIC, and QLD are conducting active contractor-deeming audits across many industries. Obtain a payroll-tax deeming opinion for any significant contractor arrangement.

60. Q60 (OPS, weight 2): Are long-service-leave entitlements correctly tracked, and where applicable, are contributions being made to portable long-service-leave schemes (building, cleaning, contract cleaning in some states)?

    • Yes - LSL tracked, portable scheme obligations met where applicable (score 5)
    • LSL tracked but portable scheme obligations not assessed (score 2)
    • LSL tracking is informal or incomplete (score 1)
    • Not aware of portable long-service-leave schemes (score 0)

    If a weak option is selected: Long-service-leave entitlements are state-regulated with different accrual rates and qualifying periods. Portable LSL schemes apply in certain industries - particularly building and construction, cleaning, and related services - where employees carry their entitlement from employer to employer. Non-participation in a portable scheme when required triggers back-assessments. Check your state's portable LSL authority: CoINVEST (VIC construction), Incolink (VIC construction), BCISC (WA), or similar, if your workforce falls within a covered industry.

Guidance

Regulatory sources

• ATO - Small Business Hub - tax
• ATO - Single Touch Payroll Phase 2 - emp
• ATO - Super Guarantee & Payday Super - sup
• ATO - Taxable Payments Annual Report (TPAR) - tax
• Fair Work Ombudsman - fw
• Fair Work - Right to Disconnect - fw
• Fair Work - Closing Loopholes changes and Voluntary Wage Compliance Code - wage
• Safe Work Australia - whs
• Safe Work Australia - Psychosocial Hazards - whs
• OAIC - Australian Privacy Principles - priv
• OAIC - Notifiable Data Breaches Scheme - priv
• ASD - Essential Eight Maturity Model - cyb
• ACCC - Unfair Contract Terms - acl
• ABRS - Director Identification Number - dir
• AUSTRAC - AML/CTF Tranche 2 guidance - xrisk
• AGD - Foreign Bribery and Adequate Procedures - xrisk
• Home Affairs - Cyber Security Act 2024 - cyb
• AASB - Sustainability Standards (AASB S1/S2) - xrisk
• ACMA - Spam Act compliance - ops

Disclaimer