Tax Practitioners Board practice note

The Tax Practitioners Board (TPB) has released this practice note to provide practical guidance and assistance to registered tax practitioners in understanding their obligations under the Code of Professional Conduct in relation to the use of outsourcing and offshoring.

Disclaimer

This is a Tax Practitioners Board (TPB) practice note (PN). It is intended to be for information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA) or the Tax Agent Services Regulations 2022 (TASR).

In addition, please note that the principles and examples in this TPB(PN) do not constitute legal advice and do not create additional rights or legal obligations beyond those that are contained in the TASA or which may exist at law.

Document history

The TPB originally released this document as a draft practice note in the form of an exposure draft on 28 August 2017. The closing date for the submissions was 12 October 2017.

The TPB considered the comments and submissions received and now publishes the following TPB(PN) based on the TASA as at 15 March 2017. 

On 1 April 2022, the updated this TPB(PN) to remove references to tax (financial) advisers and replace references from the repealed Tax Agent Services Regulations 2009 to Tax Agent Services Regulations 2022.

Issue date: 27 February 2018

Last updated: 1 April 2022

Introduction

1. This practice note has been prepared by the Tax Practitioners Board (TPB) to provide practical guidance and assistance to registered tax agents and BAS agents^[1] (collectively referred to as 'tax practitioners') to understand their obligations under the Code of Professional Conduct (Code), as contained in section 30-10 of the Tax Agent Services Act 2009 (TASA), in relation to the use of outsourcing and offshoring.

2. In this practice note, tax practitioners will find the following information:

   • what is outsourcing and offshoring? (paragraphs 3 to 10)

   • factors to consider when entering into arrangements involving outsourcing and/or offshoring (paragraphs 11 to 48)

   • consequences of having inadequate arrangements (paragraphs 49 to 53)

   • where to find further information (paragraph 54).

What is outsourcing and offshoring?

3. The terms ‘outsourcing’ and ‘offshoring’ are not defined in the TASA. As a result, the terms take on their ordinary meaning. The Oxford Dictionary (2017) provides the following definitions:

Outsourcing

Refer to the definition of outsource^[2]

Outsource

To obtain (goods or a service) by contract from an outside supplier

Offshoring

The practice of basing some of a company’s processes or services overseas

4. Essentially, outsourcing involves an entity entering into an arrangement with a third party^[3] to provide a specific process(es), function(s), service(s) or activity(ies).^[4] It can involve transferring portion(s) of services an entity provides or even an entire operation to outside providers, contractors or suppliers.

5. Examples of outsourcing activities include the following:

   • contracting or engaging a third party external IT provider to provide IT services (for example, hosting client data on a Cloud based platform)^[5]

   • seeking an opinion or advice from a third party (such as another tax practitioner or legal practitioner)

   • contracting with a third party domestically located entity to undertake specific work

   • contracting with a third party foreign entity to undertake specific work (see also paragraphs 7 to 10 below for more information on ‘offshoring’)

   • entering into a service trust arrangement whereby a third party trust undertakes specific work for the tax practitioner.

6. There are various outsourcing models including, among others, outsourcing of activities to subsidiaries, directly hiring a third party foreign entity, or employing a third-party vendor who may be onshore (within Australia; including through the use of service trust arrangements or contracting out to a referral network) or offshore (including through accessing an entity’s systems at a remote location).

7. Offshoring occurs where an entity enters into an arrangement to transfer a process, function, service or activity to a country other than Australia. It is important to note that offshoring does not necessarily involve the use of outsourcing.

8. Examples of offshoring activities include, among others:

   • a tax practitioner transferring specific work (for example, processing activities) from their Australian office to their international office (with no third party involvement)

   • a tax practitioner moving an internal business unit from Australia to another country (with no third party involvement)

   • a tax practitioner engaging a third party in a foreign country to undertake specific work

   • a tax practitioner engaging an overseas third party to host and operate computer infrastructure on behalf of the tax practitioner.

9. Some more common outsourcing and offshoring models can include (but are not limited to):

   • outsourced offshoring (outsourcing of activities to a third party located in a foreign country)

   • captive offshoring (when firms set up their own operations in offshore locations), or

   • a joint venture model (an organisation forms joint ventures with overseas service providers and transfers their functions into the new entity).

10. It is important to recognise that there are various arrangements that can be a mixture of both outsourcing and offshoring if and to the extent that the service provider to whom business activities are outsourced performs them outside Australia. As an example, the provision of a service where another party hosts and operates computer infrastructure on behalf of an entity at an external data centre or in a cloud environment would be outsourcing, and if done outside Australia, offshoring.

Factors to consider when deciding to enter into outsourcing and offshoring arrangements

General considerations

11. When entering into outsourcing and offshoring arrangements, various factors should be considered, depending on the nature of the particular arrangement and also the circumstances of the tax practitioner. For example, tax practitioners may wish to consider the following general factors:

    • if there is a clear definition of duties, obligations and responsibilities of the parties involved in the arrangement, including sufficient detail and review provisions 

    • the details of any limitation of liability and indemnity insurance arrangements for the parties (for example, clauses contained in the terms and conditions of outsourced provider agreement(s) or terms of use)

    • if the outsourced provider is allowed to unilaterally change relevant terms of the agreement (that is, without input from the tax practitioner), including in relation to change in business and/or ownership structure, how or where data is stored or managed, and review processes

    • if there is flexibility to allow for changes / developments in technology and operations

    • how information is being transferred between various systems and whether data integrity is being maintained

    • how information is being stored and accessed

    • the processes in place in relation to the backup and archiving of information (such as multiple backup servers)

    • the security controls the tax practitioner and outsourced provider is responsible for (such as issues around passwords, encryption, backups and having security protocols in place to safeguard against unauthorised access)

    • the protections in place to prevent service access from being disrupted

    • the processes in place for managing and resolving all relevant disputes in relation to access to client information (including legal jurisdiction)

    • the processes in place to evaluate and oversee outsourcing relationships, recognising that oversight activity will depend in part on the scope and complexity of the services being outsourced

    • the competency and ability of the outsourced service provider to perform the services

    • the processes in place for the tax practitioner to review output of the outsourced or offshore entity

    • the processes in place for exiting/changing an arrangement / when the arrangement ends (including, for example, the return of or access to data held in the cloud)

    • if there are any relevant legislative and regulatory requirements associated with having any information held offshore (that is, information stored or processed in equipment not located in Australia).

12. In addition, while not binding on all tax practitioners, further useful guidance on issues to consider and steps that may be taken when providing or utilising outsourced services may also be found in specific Accounting Professional and Ethical Standards Board (APESB), Australian Prudential Regulation Authority (APRA), Australian Securities and Investments Commission (ASIC), and Australian Securities Exchange (ASX) guidance.^[6] It is also noted that TPB accredited recognised professional associations may be able to assist in providing practical guidance, while recognising that there is not a default one-size-fits-all template and that arrangements will need to be mindful of the particular circumstances.

Code obligations

13. The Code, as contained in section 30-10 of the TASA, does not specifically deal with the issue of outsourcing and/or offshoring. However, there are a number of Code obligations that may be relevant when using these types of arrangements.

14. The Code regulates the personal and professional conduct of tax practitioners, and contains 14 items covering obligations in relation to honesty and integrity, independence, confidentiality, competency, and other obligations such as responding to requests from the TPB. When using or considering outsourcing and offshoring arrangements, the tax practitioner needs to ensure, among other things, that:

    • appropriate disclosure is provided to clients (see the section on Code item 6 below)

    • services are provided to a competent standard (including sufficient staff with the necessary professional competencies and skills) (see the section on Code item 7 further below)

    • adequate supervision and control arrangements are in place (see the section on Code item 7 further below)

    • reasonable care is taken in ascertaining the client's state of affairs and in ensuring that the taxation laws are applied correctly to the client's circumstances (see the section on Code items 9 and 10 further below)

    • professional indemnity insurance is maintained and meets the TPB’s requirements (see the section on Code item 13 further below).

The following paragraphs contain further detail in relation to the above-mentioned obligations under the Code.

Code item 6

15. Code item 6 provides that a tax practitioner must not disclose any information relating to a client’s affairs to a third party unless:

    • the tax practitioner has the client’s permission; or

    • there is a legal duty to do so.^[7]

16. For the purposes of the TASA, a third party is any entity other than the client legal entity and the tax practitioner legal entity.^[8]

17. Examples of third parties can include:

    • entities that maintain offsite data storage systems (including ‘cloud storage’)^[9]

    • another entity to which a tax practitioner outsources a component of a tax agent service^[10] (for example, another tax practitioner, a legal practitioner, or an overseas or offshore entity), including where that entity might be related to, associated with, or a subsidiary of the tax practitioner entity

    • subject to relevant contractual arrangements, AFS licensees, authorised representatives, para-planners, product providers and advisers, insurance brokers, and technical teams and advisers^[11]

    • an overseas party that shares the same brand/name as that in Australia but is a different legal entity

    • a wholly-owned subsidiary (different legal entity)

    • service trust arrangements

    • a separate entity partly controlled by an outsourcer based either in Australia or overseas

    • unrelated parties such as subcontractors and labour-hire arrangements.^[12]

18. It is only necessary that the information relates to the affairs of a client. Therefore, the information does not have to belong to the client, or have been directly provided by the client to the tax practitioner.

19. Assuming that there is no legal obligation, tax practitioners must obtain permission from each client prior to divulging client information to a third party. This permission has to be relevant to the engagement and may be by way of a signed letter of engagement, signed consent, or other communication with the client.^[13] The relevant communication should outline the disclosures to be provided, as well as information about the entity/entities (where known) that will have access to the client information.

20. When obtaining client permission, it is recommended that the tax practitioner inform the client about the proposed disclosure, including noting to whom and where the proposed disclosure will be made (if known or reasonably ought to be known). It is also recognised that a general consent relating to disclosure to third parties may also be acceptable having regard to particular circumstances. Further, a tax practitioner is not excused from taking necessary steps to protect information just because it would be inconvenient, time-consuming or costly to do so.^[14]

21. However, even in the context of a general disclosure, tax practitioners should require a positive step from their client to authorise the requisite disclosure. This may include an appropriate ‘opt-in’ type approach.

22. While there is no set formula or methodology used to obtain client permission, the TPB suggests that tax practitioners be clear in explaining to their client where information may be disclosed (including, among other things, where a component of work or add-on activity is completed elsewhere). For example, to avoid any likelihood of clients being misled, the TPB suggests that tax practitioners do not imply or state that all their work is completed in Australia, if that is not the case.^[15]

23. There are a number of controls that could be employed to assist in maintaining and protecting the confidentiality, integrity and availability of data to ensure that information is not disclosed beyond the scope of the client’s consent, such as:

    • an appropriate confidentiality agreement between the tax practitioner and their outsourced provider

    • other appropriate protocols, such as:

      • use of a secured website and encrypted network traffic

      • security credentials

      • access controls ensuring unauthorised persons do not have access to data

      • standardised reporting

      • audit trails

      • appropriate segregation of duties

      • approval and review of data changes.

24. For further information, including in relation to ‘third party’, ‘permission’, ‘legal duty’ and cloud computing refer to the following TPB information products:

    • TPB(I) 21/2014 Code of Professional Conduct – Confidentiality of client information

    • TPB(PN) 1/2017: Cloud computing and the Code of Professional Conduct

25. Ultimately, the onus is on the tax practitioner to exercise appropriate due diligence when outsourcing work and sending information offshore, including ensuring appropriate disclosure. It is also important to be mindful that outsourcing and offshoring may give rise to other obligations under the TASA, including ensuring that a tax agent service is provided to a competent standard and that there are adequate supervision and control arrangements (see further below).

Code item 7

26. Code item 7 provides that a tax practitioner must ensure that any tax agent service they provide, or that is provided on their behalf, is provided competently.^[16] This includes where such services are provided by an unregistered external contractor, whether in Australia or abroad.

27. Where a tax practitioner outsources part or all of the provision of tax agent services to an unregistered third party, they must ensure that the work performed by the third party is under their supervision and control or the supervision and control of another tax practitioner. In this case, the tax practitioner is ultimately responsible for the quality of work of the unregistered third party, including ensuring that there are appropriate supervisory arrangements.^[17]  In these circumstances, tax practitioners should, in addition to their Code of Professional Conduct obligations, also consider their civil penalty obligations in the TASA.^[18]

28. Where a registered tax practitioner outsources the provision of tax agent services to a registered third party, then the tax practitioner is not responsible for reviewing the third party’s work, nor are they required to provide supervision and control.

29. Therefore, when contemplating or using an outsourcing or offshoring arrangement there is a need to carefully consider the extent to which this may impact on the ability to supervise work, noting that supervision and control should be commensurate with the nature and extent of the work undertaken. Practitioners should ensure that any services provided to clients in Australia from a location outside Australia are provided competently, just as must occur within Australia.

30. However, it is also important to recognise that while supervisory arrangements may be an important factor in ensuring services are provided to a competent standard, it will not of itself ensure competency. It is not sufficient to simply say that 'supervisory work' is being undertaken and that work is being reviewed; tax practitioners must also satisfy the TPB that:

    • there are adequate supervisory and review arrangements, including having a sufficient number of individuals (being registered tax practitioners) for the work being carried out

    • internal procedures are used to satisfy supervisory and control requirements, which may include activities such as:

      • training for offshore staff in Australian tax

      • tax practitioners or other experts being onsite overseas

      • rotation for overseas staff to gain experience, and

      • appropriate quality assurance and review systems

    • tax practitioners are involved so that the work being completed overseas is considered competent for Australian tax law purposes

    • tax practitioners are meeting their requirements for maintaining knowledge and skills relevant to the tax agent services, such as taxation laws and tax administration, and

    • tax practitioners are maintaining competence by continuing awareness, understanding and up-to-date knowledge of relevant technical, legal and business developments.

Adequate supervisory arrangements

31. As is the case with the phrase ‘competent standard’, the phrase ‘supervisory arrangements’ is not defined in the TASA and takes on its ordinary meaning. Supervisory arrangements are broadly considered to be arrangements aimed at directing, overseeing and checking the tax agent service performed (on behalf of a tax practitioner) to ensure those services are provided competently.^[19]

32. The Macquarie Dictionary (2009) provides the following definitions:

Supervise

1. to oversee (a process, work, workers, etc.) during execution or performance; superintend; have the oversight and direction of.

Supervision

1. the act or function of supervising; oversight; superintendence.

Control

1. to exercise restraint or direction over; dominate; command

…

4. the act or power of controlling; regulation; domination or command

5. check or restraint.

33. There is no standard process to determine if tax practitioners have adequate supervisory arrangements in place. A number of factors may be relevant in determining whether adequate supervisory arrangements are or have been in place, noting that this will vary from entity to entity having regard to the particular circumstances. These factors include:^[20]

    • the level and depth of oversight over the provision of tax agent, BAS or tax (financial) advice services, noting that this will vary according to the skills and experience of the individuals providing the services and the complexity of the service being provided

    • the physical or geographic proximity of the tax practitioner to the person carrying out the work

    • whether there is substantial supervision, rather than mere checking of documents, while recognising that the oversight will vary according to the knowledge, skills and experience of the person doing the work and the complexity of the tax matters involved

      • in particular, it is noted that merely checking a document prepared by an unskilled employee / contractor / other provider to determine whether the contents of the document seems reasonable does not demonstrate a sufficient degree of supervision and control

      • further, it is noted that while it is not necessary to closely monitor all work carried out on behalf of the tax practitioner, a substantial degree of oversight of the individuals carrying out the work is required

    • whether the tax practitioner performs periodic and spot checks of relevant material prepared

    • quality assurance mechanisms such as conducting regular reviews of work performed or undertaken to ensure the accuracy and completeness of the services provided on their behalf

    • the degree of control exercised by the tax practitioner over the way in which work is carried out on their behalf

    • the level of relevant initial and ongoing educational and practical training undertaken by those performing work on behalf of the tax practitioner, recognising that staff engaged to provide the services are required to possess an adequate level of education and understanding of the relevant tax legislation concepts to undertake the tasks for which they are responsible

    • whether there are documented procedures to ensure relevant processes can occur, including escalation of issues that are beyond an individual’s knowledge or experience to an appropriate supervisor.

34. Determining whether appropriate supervision and control has been exercised or if there are appropriate supervisory arrangements in place, will require an assessment of the measures taken by a tax practitioner to supervise and control relevant activities in the context of the circumstances of their practice.

35. Ultimately, what is adequate will be a question of fact to be determined on the basis of the specific facts of a particular case.

36. It is also highlighted that in the event that there are any changes in circumstances relevant to the registration of a registered individual, company or partnership tax practitioner, which may include when ceasing to be a supervising agent for another registered entity, it is imperative that the tax practitioner notifies the TPB as required under section 30-35 of the TASA.

37. For further information, see TPB 36/2021 Supervisory arrangements under the Tax Agent Services Act 2009.

Code items 9 and 10^[21]

38. Code item 9 provides that a tax practitioner must take reasonable care in ascertaining a client’s state of affairs, to the extent that ascertaining the state of those affairs is relevant to a statement they are making or a thing they are doing on behalf of the client.

39. Code item 10 provides that a tax practitioner must take reasonable care to ensure that taxation laws are applied correctly to the circumstances in relation to which they are providing advice to a client.

40. When it comes to outsourcing or offshoring tax agent services, there is no set formula for determining what it means to take reasonable care. Rather, whether a tax practitioner has taken reasonable care in a given situation will depend on an examination of all the circumstances, including:

    • the nature and scope of the tax agent services being provided^[22]

    • the terms of engagement between the tax practitioner and the outsourced provider or offshore entity

    • the agreed terms of engagement between a tax practitioner and their client, including whether the client, or another entity, checks or reviews the work before purporting to rely on it^[23]

    • the skills, experience, qualifications and abilities of the outsourced/offshore provider

    • the degree of supervision and oversight the tax practitioner exercises over the provider’s provision of tax agent services

    • the client’s circumstances, including their level of sophistication (such as education standard and level of tax knowledge or experience in the area which is the subject of advice) and

    • the nature of any pre-existing relationship between the tax practitioner and their client. 

41. The standard generally requires a tax practitioner to act in a way consistent with how a competent and reasonable person, possessing the knowledge, skills, qualifications and experience of a tax practitioner, objectively determined, would act in the circumstances. The TPB expects that, due to the nature of the use and/or engagement of an outsourced or offshore provider, tax practitioners will be required to take additional steps and measures to those that they would ordinarily need to take. This will ensure that the applicable technical and professional standards are met and that a client receives competent professional services.

42. For further information, see the following TPB information products:

    • TPB(I) 17/2013: Code of Professional Conduct – Reasonable care to ascertain a client’s state of affairs for tax and BAS agents

    • TPB(I) 18/2013: Code of Professional Conduct - Reasonable care to ensure taxation laws are applied correctly for tax and BAS agents

    • TPB(PN) 3/2019: Letters of engagement

Code item 13 – Professional indemnity insurance

43. Code item 13 provides that a tax practitioner must maintain the professional indemnity insurance (PI insurance) that the Board requires them to maintain.^[24]

44. The objective of the TPB's PI insurance requirements is to ensure those entities that are registered with the TPB have adequate PI insurance cover for the tax agent services / BAS services / tax (financial) advice services they provide. Features include, among other things, scope of cover, amount of cover, persons covered, exclusions, and insurance provider.

45. A tax practitioner who outsources or provides outsourced services should review their PI insurance policy to assess whether appropriate coverage exists for the outsourced services.

46. The TPB’s PI insurance requirements (including features of adequate PI insurance cover and minimum requirements and exclusions) are outlined in the explanatory paper TPB(EP) 03/2010: Professional indemnity insurance requirements for registered tax and BAS agents from 30 June 2013. 

Privacy Act

47. In addition to their obligations under the Code in the TASA, tax practitioners should also be aware that the Privacy Act 1988 (Cth) (Privacy Act) sets out a number of Australian Privacy Principles (APPs) which govern the use of, storage and disclosure of personal information.  Some of these APPs may have a direct impact on the requirement to obtain consent from clients.

48. Tax practitioners should seek their own advice about whether the provisions of the Privacy Act apply to them. Information about obligations under the Privacy Act is provided by the Privacy Commissioner and is accessible from the Office of Australian Information Commissioner’s website at www.oaic.gov.au

Consequences of having inadequate outsourcing arrangements

49. The TPB appreciates that any relevant changes made by a tax practitioner for the purpose of complying with the above requirements could take time to implement (for example, where modification is not possible until the end of an existing contract).

50. Where modification is required, the TPB will take a pragmatic approach in assessing whether a tax practitioner has implemented adequate procedures and policies in relation to their outsourcing or offshoring arrangements.

51. If a tax practitioner has inadequate procedures and policies in relation to their outsourcing or offshoring arrangements, the TPB may find that the tax practitioner has breached the Code and may impose one or more of the following administrative sanctions:

    • a written caution

    • an order requiring the tax practitioner to do something specified in the order

    • suspension of the practitioner’s TPB registration

    • termination of the practitioner’s TPB registration.

52. In addition to the above consequences of any breach of the Code, the tax practitioner may also contravene other relevant legislation (such as, from the Privacy Act or the Corporations Act 2001 (Cth)).

53. Ultimately, determining whether a tax practitioner has complied with their obligations under the Code will be a question of fact. This means that each situation will need to be considered on a case-by-case basis having regard to the particular facts and circumstances.

Further information

54. Outlined below is a listing of reference material that may provide further guidance in relation to what is outsourcing and offshoring, and general considerations and issues to consider in contemplating an outsourcing / offshoring arrangement:

Organisation	Information product	Purpose of document
Tax Practitioners Board	TPB(PN) 1/2017: Cloud computing and the Code of Professional Conduct	Provides guidance to assist tax practitioners to understand their obligations under the Code of Professional Conduct, as contained in section 30-10 of the Tax Agent Services Act 2009 (TASA), in relation to the use of cloud computing
	TPB(I) 21/2014: Code of Professional Conduct – Confidentiality of client information (for tax and BAS agents)	Further information regarding obligations under Code item 6 – Confidentiality (as contained in subsection 30-10(6) of the TASA) for tax practitioners
	TPB(PN) 3/2019: Letters of engagement	Further information regarding engagement letters
	TPB(I) 17/2013: Code of Professional Conduct – Reasonable care to ascertain a client’s state of affairs	Further information regarding Code item 9 in the TASA (reasonable care to ascertain a client’s state of affairs) for tax practitioners
	TPB(I) 18/2013: Code of Professional Conduct - Reasonable care to ensure taxation laws are applied correctly	Further information regarding Code item 10 in the TASA (reasonable care to ensure taxation laws are applied correctly) for tax practitioners
	TPB(I) 26/2016: Labour hire/on-hire firms	Provides guidance to assist labour hire/on-hire firms involved in the provision of tax related services to understand the operation of the tax agent services regime and whether or not they need to register with the TPB
	TPB(I) 13/2012: Contractors	Provides guidance to help contractors to understand the operation of the tax agent services regime, including registration requirements for contractors and employees
	TPB(I) 09/2011: Software providers and the Tax Agent Services Act 2009	Provides guidance to assist software providers who provide tax related software systems to understand the operation and impact of the tax agent services regime
	TPB(I) 08/2011: Reports or other advice incorporating tax agent services provided by a third party	Provides information about the TPB’s position on reports or other advice incorporating tax agent services provided by a third party
	TPB(EP) 02/2010: Fit and proper person	Provides a detailed explanation of the Board’s interpretation of the fitness and propriety requirements in subdivision 20-A of the TASA
	TPB(EP) 01/2010: Code of Professional Conduct	Provides a detailed explanation of the TPB’s interpretation of the Code of Professional Conduct contained in Division 30 of the TASA
	TPB(EP) 03/2010: Professional indemnity insurance requirements for tax and BAS agents	Explains the TPB's interpretation of the provisions in the TASA relating to the professional indemnity insurance requirements for tax practitioners
Accounting Professional & Ethical Standards Board Limited	Guidance Note GN 30: Outsourced Services	Provides information in regard to managing risks associated with providing or utilising outsourced services, including steps that may be taken
Australian Prudential Regulation Authority	APRA Prudential Standard SPS 231: Outsourcing	Sets out APRA’s requirements in relation to outsourcing / outlines factors to consider when entering into outsourcing arrangements
	APRA Prudential Standard CPS 231: Outsourcing	Outlines requirements that apply for applicable APRA-regulated institutions, including outlining information to address in an outsourcing agreement
	APRA Prudential Standard SPG 231: Outsourcing	Provides guidance to assist registrable superannuation entity licensees in complying with APRA’s requirements in relation to SPS 231 and, more generally, to outline prudent practices in relation to managing outsourcing
	Information paper: Outsourcing involving cloud computing services	Includes guidance on general considerations (including governance arrangements, risk considerations and assurance mechanisms) when assessing the use of cloud services
	Prudential Practice Guide: CPG 234 – Information security	Includes guidance in relation to managing security risk
	Prudential Practice Guide: CPG 235 - Managing data risk	Includes guidance in relation to managing security risk
Australian Securities and Investments Commission	ASIC Regulatory Guide RG 105: Licensing - Organisational competence	Describes what ASIC looks for when assessing compliance with the organisational competence obligation in s912(1)(e) of the Corporations Act 2001 (Cth)
	ASIC Regulatory Guide RG 168: Disclosure: Product Disclosure Statements (and other disclosure obligations)	ASIC guidance on disclosure obligations, including noting ASIC ‘good disclosure’ principles
Australian Securities Exchange (ASX)	ASX 24 Operating Rules: Guidance Note 9 – Offshoring and Outsourcing	ASX information to assist market participants to understand and comply with their obligations under the ASX 24 Operating Rules, providing guidance on some of the issues to address when offshoring or outsourcing activities as a participant
Australian Taxation Office	ATO portal access and Standard Business Reporting, refer to www.ato.gov.au and www.sbr.gov.au	For further information in relation to ATO portal access and Standard Business Reporting
Department of Communications	Consumer factsheet Cloud computing and privacy	Includes information in relation to privacy
	Consumer factsheet Questions to ask about a cloud service	Includes information in relation to a list of potential questions to ask a potential cloud service provider in relation to privacy and security
Department of Defence (Cyber Security Centre)	Cloud Computing Security Considerations	Includes information in relation to security considerations
Department of Finance	Better Practice Guide: Negotiating the cloud – legal issues in cloud computing agreements	Includes information in relation to a checklist of some legal issues to consider and address in contemplating a cloud computing arrangement
	Better Practice Guide: Privacy and Cloud Computing for Australian Government Agencies	Includes information in relation to privacy and cloud computing, including a guiding summary of checkpoints
Department of the Prime Minister and Cabinet	Australia’s Cyber Security Strategy	Notes themes of action for Australia’s cyber security
Digital Transformation Agency	Secure Cloud Strategy	Includes information about the Australian Government’s cloud computing policy.
Office of Australian Information Commissioner	Guide to securing personal information	Provides guidance on protecting personal information and in relation to destroying or de-identifying personal information once information is no longer needed
	Australian Privacy Principle Guidelines	Outlines requirements of the Australian Privacy Principles (APPs), how the Office of the Australian Information Commissioner (OAIC) will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act 1988 (Cth)