Outsourcing is where you enter into an arrangement with a third-party to provide a specific process, function, service or activity. Contracting or engaging a third party external IT provider to provide IT services (for example, hosting client data on a cloud based platform) is considered outsourcing and Microsoft OneDrive is a file hosting service with cloud backup features. If using outsourced cloud computing services, you need to obtain your clients’ permission before sharing their information.

When obtaining the client’s permission, you must clearly inform the client as to whom and where the disclosure of information will be made, and where the data will be stored, for example on overseas servers. You can do this via an engagement letter or other signed agreement. For further information, refer to our Practice note.

If you are outsourcing or offshoring, you must take reasonable steps to ensure sufficient IT security controls are in place, for both you and the outsourced service provider. 

There are a number of controls that could be employed to assist in maintaining and protecting the confidentiality, integrity and availability of data to ensure that information is not disclosed beyond the scope of your client’s consent, such as an appropriate confidentiality agreement between you and your outsourced provider, or other appropriate protocols, such as:

• use of a secured website and encrypted network traffic

• security credentials

• access controls ensuring unauthorised persons do not have access to data

• standardised reporting

• audit trails

• appropriate segregation of duties

• approval and review of data changes.

An outsourcing arrangement is when you use a third party (any entity other than the client and you, the registered tax practitioner) to provide a specific process, function, service or activity. An external auditor would be considered a third party, so use of an external auditor to provide audit services on your behalf is an example of outsourcing.

You must obtain your client’s permission before you disclose information relating to their affairs to a third party. Find out more about your obligations under Code item 6 – confidentiality of client information.

Yes, we have guidance on the factors to consider if entering into an outsourcing arrangement.

The employment of a bookkeeper located overseas to provide tax agent services on your behalf is an example of offshoring. The bookkeeper may also be considered a third party in certain circumstances, such as if they are employed through a service trust arrangement, or if they maintain offsite data storage (including ‘cloud storage’).

To ensure you comply with your Code of Professional Conduct (Code) obligations, you must obtain your client’s permission to disclose information relating to their affairs to a third party. When obtaining permission, you must inform the client as to whom and where the disclosure will be made, including whether the disclosure will be made overseas.

You must ensure that any tax agent services provided to clients in Australia from a location outside Australia are provided competently, just as must occur within Australia. It’s also important to recognise that while supervisory arrangements are an important factor in ensuring services are provided to a competent standard, it won’t ensure competency. You need to make sure that:

• there are adequate supervisory and review arrangements, including having a sufficient number of individuals (being registered tax practitioners) for the work being carried out

• internal procedures are used to satisfy supervisory and control requirements, which may include activities such as: 

  • training for offshore staff in Australian tax

  • registered tax practitioners or other experts being onsite overseas

  • rotation for overseas staff to gain experience

  • appropriate quality assurance and review systems.

• registered tax practitioners are involved so that the work being completed overseas is considered competent for Australian tax law purposes

• registered tax practitioners are meeting their requirements for maintaining knowledge and skills relevant to the services they’re providing

• registered tax practitioners are maintaining competence by continuing awareness, understanding and up-to-date knowledge of relevant technical, legal and business developments.

Read our Information sheets on supervisory arrangements and outsourcing and offshoring for more information.

It is recommended that you have a separate engagement letter for each client that is designed to suit their specific engagement requirements. However, if you have written consent from the client that they accept the conditions of the engagement this would be sufficient.

The engagement letter will satisfy your obligations under Code item 6 of the Code , relating to the confidentiality of client information, provided it: 

• clearly informs your client about the information you are disclosing

• advises your client to whom and where the disclosure will be made; and

• obtains your client’s written permission to disclose the information to the third party.

However, you also have an obligation to ensure that any tax agent services provided on your behalf are provided competently. If any of the bookkeepers are not registered tax practitioners, you must ensure that the work performed by the bookkeeper is under your supervision and control, or the supervision and control of another registered tax practitioner.

You must also ensure that reasonable care is taken:

• in ascertaining the client’s state of affairs, to the extent that ascertaining the state of those affairs is relevant to a statement an unregistered bookkeeper is making, or a thing they are doing on behalf of the client, and

• to ensure that taxation laws are applied correctly to the circumstances.

Finally, you must ensure that you have adequate professional indemnity (PI) insurance coverage for the services that are being provided. A registered tax practitioner who outsources services should review their PI insurance policy to assess whether appropriate coverage exists for the outsourced services.

Even though an engagement letter is not a specific requirement under the Code, we still highly recommend you use them to set out the terms of your engagement with your clients. This includes information about offshoring. You can also use another form of signed consent or communication with the client. For example, you could obtain an email from the client accepting the use of third party offshoring to provide a service on your behalf.

To comply with Code item 6 – confidentiality of client information, the client needs to be informed of the arrangement and the client's permission to disclose their information to third parties needs to be obtained. Therefore, in your engagement letter you should specify details of the type of information to be disclosed, to whom it will be disclosed, and where the disclosure will be made, for example to an overseas entity.

Under Code item 7 tax practitioners must ensure that any tax agent service they provide, or that is provided on their behalf, is provided competently. This includes services that are outsourced or provided offshore by an unregistered third party.

If you outsource part or all of your tax agent services (including BAS services) to an unregistered third party, you need to ensure that the work performed by the third party is under your supervision and control, or the supervision and control of another registered tax practitioner.

You are ultimately responsible for the quality of the work of the unregistered third party, including ensuring there are appropriate supervisory arrangements.  

The level of supervision and control must be adequate, and commensurate with the nature and extent of the work being undertaken by the third party.  You need to make sure that:

• there are adequate supervisory and review arrangements, including having a sufficient number of individuals (being registered tax practitioners) for the work being carried out

• internal procedures are used to satisfy supervisory and control requirements, which may include activities such as: 

  • training for offshore staff in Australian tax

  • registered tax practitioners or other experts being onsite overseas

  • rotation for overseas staff to gain experience

  • appropriate quality assurance and review systems.

• registered tax practitioners are involved so that the work being completed overseas is considered competent for Australian tax law purposes

• registered tax practitioners are meeting their requirements for maintaining knowledge and skills relevant to the services they’re providing

• registered tax practitioners are maintaining competence by continuing awareness, understanding and up-to-date knowledge of relevant technical, legal and business developments.

For further information on adequate supervisory arrangements when you are outsourcing work to an unregistered third party, refer to our Practice note.

That’s right, unless you have your client’s permission you cannot disclose their information to a third party.

A third party means any entity other than the client and you, the registered tax practitioner. This includes entities:

• engaged to outsource work, for example another registered tax practitioner, a legal practitioner or a contractor

• related to the client and/or the tax practitioner

• within the same service trust structure, unless the client is defined (for example, in the engagement letter) as the whole structure

• that maintain offsite data storage systems, including ‘cloud storage’.

Before disclosing any client information to a third party registered tax practitioner, you must obtain your client’s permission to disclose this information, including to whom and where the disclosure will be made, for example to an overseas entity.