VA PLATINUM: Response to Tax Practitioners Board practice notes (TPB(PN)) 2/2018
Outsourcing and offshoring of tax services – Code of Professional Conduct considerations:
Factors to consider when deciding to enter into outsourcing and offshoring arrangements.
Items in bold below are taken word for word directly from the TPB practice note under section 11, and VA Platinum’s responses are right below each item (where registered tax practitioners are referred to as “advice practice”).
When entering into outsourcing and offshoring arrangements, various factors should be considered, depending on the nature of the particular arrangement and also the circumstances of the registered tax practitioner. For example, registered tax practitioners may wish to consider the following general factors:
I. If there is a clear definition of duties, obligations and responsibilities of the parties involved in the arrangement, including sufficient detail and review provisions
The duties, obligations and responsibilities of the parties involved are clearly defined in the contract between VA Platinum Pty Ltd (VAP) and the (Advice Practice). See sections IX – XI below.
IX. SERVICE PROVIDER’S REPRESENTATION
Brian Jones represents and warrants that VAP and its supplied staff have the right to perform the services under and pursuant to this contract without violation of obligations to others, and that VAP and its supplied staff have the right to disclose (Advice Practice) all information transmitted in the performance of services under and pursuant to this contract and (Advice Practice) agrees that any information submitted by it, may be used fully and freely by VAP so that VAP can adequately perform its duties under this agreement.
VAP warrants that it will only use information supplied by (Advice Practice) in such a way that (Advice Practice) wishes for VAP to provide it and its clients with agreed services.
X. RELATIONSHIP OF PARTIES
It is understood by both parties that VAP is an independent contractor and not an employee of (Advice Practice).
XI. (Advice Practice) OBLIGATIONS
1. (Advice Practice) acknowledges and agrees that it will get the best outcome from the team member/s if it provides ongoing training, guidance and support for the team member/s.
   - Provide training for the team member/s on all relevant processes and policies of the (Advice Practice) for compliance with the AFSL and/or ACL and other relevant laws and compliance requirements;
   - Provide the Employee with objective and realistic key performance criteria against which the Employee’s performance can be measured;
   - On an on-going basis, provide the Employee with all information necessary to enable the Employee to provide the Services in a manner and to the standard required by the (Advice Practice);
   - Ensure the Employee is able to access at all times information relevant to the Employee’s role;
   - On an ongoing basis provide the Employee with guidance and supervision regarding the role of the Employee; and
   - Provide weekly or at least monthly feedback to VAP regarding the performance of the team member/s.
2. (Advice Practice) will undertake its obligations in compliance with all applicable laws and will not ask or expect VAP or its staff to break any laws.
3. (Advice Practice) acknowledges and agrees that the (Advice Practice):
   - Is solely responsible for compliance with all obligations imposed on it as the holder or authorised representative of an AFSL and/or ACL and at law generally; and
   - Will provide training to each team member (and each substitute or additional team member) regarding all policies and processes of (Advice Practice) necessary to enable each team member to observe all relevant requirements under the AFSL and/or ACL and any other laws which are relevant to the team member’s performance of the services.
4. Both parties agree that they will:
   - Promptly inform the other party as soon as practicable of any unforeseen changes, new developments, or other issues that impact and influence the provision of the Services; and
   - Wherever reasonably possible, accommodate each other’s scheduling requirements.
PI insurance is in place as per contract. VA Platinum is an offshore provider, operating in joint venture arrangements with each client, and is not an outsourced provider. Responsibility for the final work output rests with the advice practice, as though the staff members were working with them in their onshore office.
III. If the outsourced provider is allowed to unilaterally change relevant terms of the agreement (that is, without input from the registered tax practitioner), including in relation to change in business and/or ownership structure, how or where data is stored or managed, and review processes
VA Platinum can make changes in consultation with each advice practice so long as there is 8 weeks’ notice given. Data is stored and managed as per each advice practice’s requirements. VA Platinum does not require or mandate how data is stored or managed as this is the responsibility of the advice practice and VA Platinum will comply with each advice practice’s requirements.
IV. If there is flexibility to allow for changes / developments in technology and operations
VA Platinum does not require or mandate the technology and/or operations used by the advice practice and will comply based on each advice practice’s requirements. Any changes in this regard are allowed as long as they are within the scope and limitations of the agreement.
V. How information is being transferred between various systems and whether data integrity is being maintained
VA Platinum will comply with the guidelines set by the advice practice on how information is to be transferred between various systems.
As per section XV. of the offshore agreement between VA Platinum Pty Ltd (VAP) and the advice practice:
XV. TRANSFER OF CLIENT INFORMATION
VAP adopts the method requested by (Advice Practice) for the transfer of client information and data such as via email, internet applications, websites, file transfer applications or cloud services.
VI. How information is being stored and accessed
Access to information is at the advice practice’s discretion. As per the contract, any information submitted by the advice practice may be used by VA Platinum to adequately perform the duties under the agreement.
Data storage will be based on each advice practice’s requirements. VA Platinum does not require or mandate how data is stored or managed as this is the responsibility of the advice practice. VA Platinum will comply with this as needed.
VII. The processes in place in relation to the backup and archiving of information (such as multiple backup servers)
It is the responsibility of the advice practice to ensure processes are in place for information/data to be backed up or archived as all servers and host information are owned and managed by the advice practice. VA Platinum will only be given remote access to this and will comply with the guidelines as per the advice practice’s requirements.
VIII. The security controls the registered tax practitioner and outsourced provider is responsible for (such as issues around passwords, encryption, backups and having security protocols in place to safeguard against unauthorised access)
VA Platinum (VAP) takes security seriously and has laid out provisions to ensure that data is protected. See section XIII of the contract below:
XIII. SECURITY OF DATA
a. Compliance with Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
VAP must comply with the Privacy Act 1988 (Cth) and APPs and such other data protection laws as may be in force from time to time which regulates the collection, storage, use, and disclosure of personal information as if it were regulated by those laws. For the purpose of this contractual arrangement, any Privacy Act exemptions based on business size or turnover are to be disregarded. i.e. the Australian Privacy Act and APPs are to be applied and observed by all entities and persons regardless of size or turnover.
c. Responsibility for Security of Client Data
VAP acknowledges that it is responsible for the security of client information that it collects or receives for the purpose of the provision of the service.
d. Confidentiality Deed
If required to do so, VAP is willing to sign a confidentiality deed with reasonable terms and conditions included.
e. Security Controls
VAP will adopt security controls given to it by (Advice Practice).
f. Destruction of Information
VAP will destroy information in the method required by (Advice Practice), otherwise, all information will be stored until such time as (Advice Practice) informs VAP to destroy the data.
g. Steps Taken by VAP for Collection and Storage
The steps VAP has taken are summarised below:
- VAP uses software so that it does not have access to any (Advice Practice) passwords.
- No access to web browser emails (i.e. Gmail, Hotmail) unless specified by (Advice Practice).
- Staff members are not allowed to use their own devices (smartphones, iPads) at work. They are kept in a secure locker.
- Staff members are well-supervised. Either the Operations Manager, Office Manager or a Team Leader will be on staff at all times.
- Our office is in a secured building that has a security guard on the premises 24 hours.
- Access to the office is restricted using biometric fingerprint screening.
- No printers or USBs are connected to PCs, or, if they are connected, they only allow specific software such as headsets or VOIP connections.
- Surveillance software is used to review emails and track computer activities. Screenshots are taken every 3 to 9 minutes.
- Our network is configured with a country-based IP block that only allows IP addresses from our office PCs.
IX. The protections in place to prevent service access from being disrupted
VA Platinum will, within its limitations, ensure business continuity to avoid service disruption. Measures have been put in place such as a backup generator, a redundant internet connection, extra PCs on hand, as well as an option for temporary relocation of business operations as needed.
X. The processes in place for managing and resolving all relevant disputes in relation to access to client information (including legal jurisdiction)
VA Platinum will follow the due process of investigating, validating and assessing the severity of each incident should one arise. The aim is to reduce or eliminate the likelihood of similar incidents recurring.
In the event of an escalation, VA Platinum has an indemnity clause in place to ensure the advice practice is protected. Please see section XIX. from the contract below:
VAP agrees to indemnify (Advice Practice) from all claims, losses, expenses, fees including attorney fees, costs, and judgments that may be asserted against VAP if VAP works beyond or outside its authority given by (Advice Practice).
VAP maintains a professional indemnity policy up to one million dollars ($1,000,000) which is the limit of liability that VAP will indemnify (Advice Practice) for.
For this item to be effective (Advice Practice) must provide explicit information as to the authority that VAP has to execute the services under this agreement.
If (Advice Practice) does not provide guidance as to the authority then this item is void.
XI. The processes in place to evaluate and oversee outsourcing relationships, recognising that oversight activity will depend in part on the scope and complexity of the services being outsourced
Given VA Platinum is operating in joint venture arrangements with each client, and is not an outsourced provider, evaluation and identification of oversight is the responsibility of the advice practice. VA Platinum will, however, mediate and assist in the process of rectifying such incidents should they arise.
XII. The competency and ability of the outsourced service provider to perform the services
Although VA Platinum is responsible for the sourcing and recruitment of staff, the advice practice is responsible for the selection of the staff they proceed with. Being in a co-managed arrangement with the advice practice, management of the competency and ability of the staff will be the responsibility of the advice practice as though the staff members were working with them in their onshore office.
XIII. The processes in place for the registered tax practitioner to review output of the outsourced or offshore entity
At any given time and at the advice practice’s discretion, all output provided by their offshore staff may be reviewed. Also, as per section XXI. of the agreement in place:
XXI. AUTHORITY TO AUDIT
VAP grants (Advice Practice) and/or its licensee to periodically audit VAP’s security controls.
XIV. The processes in place for exiting/changing an arrangement / when the arrangement ends (including, for example, the return of or access to data held in the cloud)
While the contract is in place, changes may be accommodated in consultation with each advice practice so long as there is 8 weeks’ notice given. If the contract is not renewed at the end of the term, all access to information and data will cease as per section XIII (f) of the contract.
f. Destruction of Information
VAP will destroy information in the method required by (Advice Practice), otherwise, all information will be stored until such time as (Advice Practice) informs VAP to destroy the data.
XV. If there are any relevant legislative and regulatory requirements associated with having any information held offshore (that is, information stored or processed in equipment not located in Australia)
“Some of the information (including health information) collected by us may be disclosed to employees or contractors of [YOUR COMPANY NAME] outside of Australia. You consent to your information being disclosed to a destination outside Australia for this purpose, including but not limited to Cebu, Philippines, and you understand and acknowledge that Australian Privacy Principle 8.1 will not apply to such disclosures of your personal information.”
“Note: we do utilise some overseas administration.”
Either way, to comply with relevant legislative and regulatory requirements when using offshore staff, you must include a suitable disclosure that is easily identifiable in a document that the client signs off on.
VA Platinum takes every measure to ensure privacy, compliance and professional conduct are maintained throughout the duration of the agreement set forth.