PRECISION
COMPLIANCE SOLUTIONS
About this Document
At Precision Compliance Solutions, safeguarding digital assets, protecting sensitive data, and ensuring the security of our systems are top priorities. This Cyber Protection Policy outlines the rules and best practices that all employees and stakeholders must adhere to in order to uphold the integrity of our information and systems.
Objectives
The purpose of this policy is to mitigate cybersecurity risks, ensure compliance with relevant regulations, and protect Precision Compliance Solutions from cyber threats, including unauthorized access, data breaches, and malware attacks.
Scope
This policy applies to all employees, contractors, and third-party service providers who access or use company systems, networks, or data.
Policy Guidelines
Access Control:
· Only authorized personnel are allowed access to sensitive data or systems.
· Multi-factor authentication must be implemented for accessing critical systems.
· Employees must use strong, unique passwords and update them regularly.
Data Protection:
· Confidential data must be encrypted during transmission and storage.
· Data backups must be performed regularly and stored securely.
· Sensitive information must not be shared without written authorisation.
Network Security:
· Firewalls and intrusion detection systems must be deployed and maintained.
· Regular network vulnerability scans must be conducted to identify and mitigate risks.
· Employees must avoid connecting personal devices to company networks without approval.
Device Security:
· Company devices must be kept updated with the latest security patches.
· Anti-virus and anti-malware software must be installed on all company devices.
· Lost or stolen devices must be reported immediately to the IT department.
Training & Awareness:
· Employees must undergo regular cybersecurity training to stay informed about evolving threats.
· Phishing simulations and awareness campaigns must be conducted periodically.
· Employees must promptly report suspicious activities or potential security incidents.
Incident Response:
· A clear incident response plan must be in place to address security breaches swiftly.
· Employees must notify the IT department immediately in the event of a suspected cyber attack.
· Post-incident reviews must be conducted to improve processes and mitigate future risks.
Compliance:
· All employees must comply with applicable cybersecurity laws and regulations.
· Vendors and third-party providers must meet Precision Compliance Solutions' cybersecurity standards.
Review and Updates: This policy will be reviewed annually to ensure its effectiveness and alignment with the latest cybersecurity developments.
Acknowledgment: By accessing or using Precision Compliance Solutions systems, networks, or data, employees and stakeholders agree to adhere to this Cyber Protection Policy.
Incident Response Plan
Preparation:
Develop an Incident Response Team (IRT) comprised of representatives from IT, legal, HR, and management.
Ensure all employees are aware of reporting procedures and contact points for security incidents.
Maintain an inventory of tools, resources, and documentation needed for responding to incidents effectively.
Detection and Reporting:
Implement monitoring systems to detect unusual activities or potential breaches.
Train employees to recognize and report suspicious activities, such as phishing attempts or unauthorized access.
Establish a centralized communication channel for reporting incidents (e.g., a dedicated email or hotline).
Containment:
Isolate affected systems to prevent further damage or data loss.
Disable compromised accounts and revoke access as needed.
Assess the scope and impact of the incident to determine containment strategies.
Investigation:
Analyze logs, network traffic, and affected systems to identify the root cause and entry point of the incident.
Collaborate with cybersecurity experts to determine the nature of the attack (e.g., malware, ransomware, data breach).
Document findings and evidence for reporting and future reference.
Eradication:
Remove malicious software, unauthorized accounts, or vulnerabilities that were exploited during the incident.
Apply security patches and update configurations to prevent recurrence.
Conduct thorough scans to ensure all traces of the threat are eliminated.
Recovery:
Restore affected systems and data from backups.
Validate the integrity and functionality of systems before bringing them back online.
Communicate with stakeholders about the resolution and steps taken to restore normal operations.
Post-Incident Analysis:
Conduct a detailed review of the incident to identify lessons learned and gaps in the existing security measures.
Update policies, procedures, and training programs to address the identified vulnerabilities.
Prepare a comprehensive report for management and stakeholders, including a timeline of events and corrective actions taken.
Communication:
Notify regulatory bodies, law enforcement, or affected parties if required by law.
Be transparent with employees, customers, and partners, while maintaining discretion on sensitive details.
Ensure all communications are aligned with legal and compliance requirements.
This detailed approach ensures we are all equipped to handle cybersecurity incidents swiftly and effectively while minimizing damage and learning from each experience.
About this Document
At Precision Compliance Solutions, we have seen firsthand how devastating financial fraud can be to businesses, which is why we've implemented robust security measures to protect your sensitive information from day one of our partnership.
Objective
Our objective is protecting your business and private information in today’s digital reality. Financial fraud increased 30% last year, with 68% of cases targeting small businesses through intercepted emails. Right now, Australian small businesses are losing an average of $88,000 per data breach incident. These aren't distant corporate concerns - they're everyday realities for local businesses.
Our secure sharing protocols aren't just procedural - they're practical safeguards for your business's financial health and your personal privacy.
Document Sharing Guidelines
DO NOT email bank statements, financial documents, employee information, pretty much anything... Instead, please use our secure sharing options:
Upload to our shared OneDrive folder:
Document Types: Bank Statements, Financial Statements, Employee Agreements, Shared reports, anything you need to share
· You'll receive an email via Microsoft advising you that we have shared a folder with you
· You'll need a Microsoft profile to access this folder
· You can create one for free using your existing email address (including a Gmail address)
· The email must match the primary contact email we have on file
· If you need to use a different email, please notify us so we can update sharing permissions
· For first-time access, you'll be prompted to enter a verification code
Onboard Self-Service Employee Information
Document Types: Employee Details, Tax File Number Declarations, SuperChoice forms
We manage employee information via the accounting software you use (MYOB, QBO, Xero).
All employee onboarding must be completed by the employee via the link sent from the software.
Any changes to employee personal information must be entered by the employee using their own access.
This ensures data protection compliance and streamlines payroll information.
Security Reminders
NEVER send bank statements, tax documents, financial records or employee details via email
ALWAYS use our secure platforms for sharing sensitive information
NOTIFY US if you need to change your primary contact email
REPORT any suspicious communications claiming to be from our firm immediately by calling our office.
These measures help us maintain the highest standards of privacy and security while providing you with efficient service.
A Small Effort for Significant Protection
We understand these security measures may initially seem like extra steps in your busy day. However, the few minutes spent using these secure methods can save you countless hours, significant financial loss, and immeasurable stress that would result from a security breach. This small investment of time provides substantial protection for what matters most - your business's financial wellbeing and your peace of mind.
About this Document
To ensure you comply with your Code of Professional Conduct (Code) obligations, you must obtain your client’s permission to disclose information relating to their affairs to a third party. When obtaining permission, you must inform the client as to whom and where the disclosure will be made, including whether the disclosure will be made overseas.
You must ensure that any tax agent services provided to clients in Australia from a location outside Australia are provided competently, just as must occur within Australia. It’s also important to recognise that while supervisory arrangements are an important factor in ensuring services are provided to a competent standard, they won’t ensure competency. You need to make sure that:
・there are adequate supervisory and review arrangements, including having a sufficient number of individuals (being registered tax practitioners) for the work being carried out
・internal procedures are used to satisfy supervisory and control requirements, which may include activities such as:
- training for offshore staff in Australian tax
- registered tax practitioners or other experts being onsite overseas
- rotation for overseas staff to gain experience
- appropriate quality assurance and review systems.
・registered tax practitioners are involved so that the work being completed overseas is considered competent for Australian tax law purposes
・registered tax practitioners are meeting their requirements for maintaining knowledge and skills relevant to the services they’re providing
・registered tax practitioners are maintaining competence by continuing awareness, understanding and up-to-date knowledge of relevant technical, legal and business developments.
Under Code item 7 tax practitioners must ensure that any tax agent service they provide, or that is provided on their behalf, is provided competently. This includes services that are outsourced or provided offshore by an unregistered third party.
If you outsource part or all of your tax agent services (including BAS services) to an unregistered third party, you need to ensure that the work performed by the third party is under your supervision and control, or the supervision and control of another registered tax practitioner.
You are ultimately responsible for the quality of the work of the unregistered third party, including ensuring there are appropriate supervisory arrangements.
The level of supervision and control must be adequate, and commensurate with the nature and extent of the work being undertaken by the third party. You need to make sure that:
・there are adequate supervisory and review arrangements, including having a sufficient number of individuals (being registered tax practitioners) for the work being carried out
・internal procedures are used to satisfy supervisory and control requirements, which may include activities such as:
- training for offshore staff in Australian tax
- registered tax practitioners or other experts being onsite overseas
- rotation for overseas staff to gain experience
- appropriate quality assurance and review systems.
・registered tax practitioners are involved so that the work being completed overseas is considered competent for Australian tax law purposes
・registered tax practitioners are meeting their requirements for maintaining knowledge and skills relevant to the services they’re providing
・registered tax practitioners are maintaining competence by continuing awareness, understanding and up-to-date knowledge of relevant technical, legal and business developments.
For further information on adequate supervisory arrangements when you are outsourcing work to an unregistered third party, refer to our Practice note.
A third party means any entity other than the client and you, the registered tax practitioner. This includes entities:
・engaged to outsource work, for example another registered tax practitioner, a legal practitioner or a contractor
・related to the client and/or the tax practitioner
・within the same service trust structure, unless the client is defined (for example, in the engagement letter) as the whole structure
・that maintain offsite data storage systems, including ‘cloud storage’.
Before disclosing any client information to a third party registered tax practitioner, you must obtain your client’s permission to disclose this information, including to whom and where the disclosure will be made, for example to an overseas entity.
33. There is no standard process to determine if tax practitioners have adequate supervisory arrangements in place. A number of factors may be relevant in determining whether adequate supervisory arrangements are or have been in place, noting that this will vary from entity to entity having regard to the particular circumstances. These factors include:[20]
・the level and depth of oversight over the provision of tax agent, BAS or tax (financial) advice services, noting that this will vary according to the skills and experience of the individuals providing the services and the complexity of the service being provided
・the physical or geographic proximity of the tax practitioner to the person carrying out the work
・whether there is substantial supervision, rather than mere checking of documents, while recognising that the oversight will vary according to the knowledge, skills and experience of the person doing the work and the complexity of the tax matters involved
- in particular, it is noted that merely checking a document prepared by an unskilled employee / contractor / other provider to determine whether the contents of the document seems reasonable does not demonstrate a sufficient degree of supervision and control
- further, it is noted that while it is not necessary to closely monitor all work carried out on behalf of the tax practitioner, a substantial degree of oversight of the individuals carrying out the work is required
・whether the tax practitioner performs periodic and spot checks of relevant material prepared
・quality assurance mechanisms such as conducting regular reviews of work performed or undertaken to ensure the accuracy and completeness of the services provided on their behalf
・the degree of control exercised by the tax practitioner over the way in which work is carried out on their behalf
・the level of relevant initial and ongoing educational and practical training undertaken by those performing work on behalf of the tax practitioner, recognising that staff engaged to provide the services are required to possess an adequate level of education and understanding of the relevant tax legislation concepts to undertake the tasks for which they are responsible
・whether there are documented procedures to ensure relevant processes can occur, including escalation of issues that are beyond an individual’s knowledge or experience to an appropriate supervisor.
34. Determining whether appropriate supervision and control has been exercised or if there are appropriate supervisory arrangements in place, will require an assessment of the measures taken by a tax practitioner to supervise and control relevant activities in the context of the circumstances of their practice.
35. Ultimately, what is adequate will be a question of fact to be determined on the basis of the specific facts of a particular case.
36. It is also highlighted that in the event that there are any changes in circumstances relevant to the registration of a registered individual, company or partnership tax practitioner, which may include when ceasing to be a supervising agent for another registered entity, it is imperative that the tax practitioner notifies the TPB as required under section 30-35 of the TASA.
37. For further information, see TPB 36/2021 Supervisory arrangements under the Tax Agent Services Act 2009.
PRECISION
YOU CAN COUNT ON!
ABN 16 687 527 519
BAS Agent 26310394
Copyright 2025 @ Precision Compliance Solutions Pty Ltd. All rights reserved