Interpret compliance requirements

Let’s have a look at the first real-life example regarding PI insurance for BAS agents.

On 1 January 2021, the TPB updated TPB(EP)3/2010 to:

• provide additional information in relation to the minimum requirements relating to the amount of cover and recommended additional features of fidelity cover and run-off cover
• include the TASA changes for PI insurance requirements at registration renewal.³⁴

Explanatory Paper TPB 01/2010
Code of Professional Conduct
This is a Tax Practitioners Board (TPB) Explanatory Paper (TPB(EP)). It is intended for information only. It provides a provides a detailed explanation of the TPB’s interpretation of the Code of Professional Conduct (Code) contained in Division 30 of the Tax Agent Services Act 2009 (TASA), translating the provisions into practical principles that can be applied by the profession. This TPB (EP) is designed to assist registered tax practitioners, the relevant institutions, professional associations, potential registrants and the wider community to understand the factors that provide the basis for the TPB’s approach to the application of the TASA. The principles, explanations and examples in this paper do not constitute legal advice and do not create additional legal obligations beyond those that are contained in the TASA.
Document history
The TPB released this TPB (EP) in the form of an information sheet as an exposure draft on 7 April 2010. The TPB invited comments and submissions in relation to the information contained in it. The closing date for submissions was 6 June 2010. The TPB considered the submissions made and published the TPB(EP). On 13 July 2017 the TPB updated this TPB(EP) to incorporate a reference to tax (financial) advisers, and to update currency and clarity. On 18 October 2021, the TPB updated this TPB(EP) to include an additional factor that may be considered in determining if a tax practitioner has complied with taxation laws in the conduct of their personal affairs. On 1 April 2022, the TPB updated this TPB(EP) to remove references to tax (financial) advisers and replace references from the repealed Tax Agent Services Regulations 2009 to Tax Agent Services Regulations 2022. Issued: 16 December 2010 Last modified: 1 April 2022

Professional Indemnity (PI) insurance

Professional Indemnity (PI) insurance protects a professional from financial loss, injury, or damage arising from a mistake or failure by the professional to exercise the required level of skill. Also, a professional may be held liable for a mistake even though there was no negligence, and this may result in a disruption to general business or even loss of income. Therefore, if a professional hold themselves out as having a special skill, which can be relied upon by others, they should consider Professional Indemnity Insurance is crucial.

Professional Indemnity Insurance, other than just being logical, is required for many professional associations as well as BAS agents who are in the business of providing bookkeeping services. A professional bookkeeper is assisted in establishing their credibility by being able to prove that they are insured.

PI insurance is not just about you protecting your client but also yourself in the case of error.

There are three reasons why practising bookkeepers should hold PI insurance:

1. To cover against financial (civil law) claims made against a company’s work. These would usually be made by a client and could be directed at any party involved in a project for which the company might be responsible. (Examples of claims could be for input error, consumer loss etc.)
2. Under the Tax Services Act 2009, all bookkeepers who are registered BAS agents are required to hold current PI insurance.
3. Some clients, especially many government bodies, insist on this cover being in place before contracts are signed. This is to provide recourse in the event of the above.³⁵

Statutory time frames

The statutory requirement for BAS agents is to have a PI insurance policy that meets the needs of the BAS agent and the TPB requirements. Whenever a change to an act of legislation is being investigated, it is critical that any time frames for action are identified and managed. Failure to update compliance requirements by the required time limit can have serious consequences for the agent and their workplace. In this example, the required level of cover needs to be adjusted in line with business turnover, and a BAS agent needs to notify the TPB of their PI insurance details when they first register within 14 days of receiving notification of your registration or when renewing the BAS agent must demonstrate they have PI insurance that meets the TPB requirements at the time of applying for renewal. 

Questioning technique example

The BAS Agent PI Insurance - Interpreting Compliance Requirements document³⁶ is an example of how to interpret legislative changes in PI Insurance requirements for BAS agents by using the questioning technique.

Policies and procedures

Policies and procedures are living documents that should grow and adapt with a company. While the core elements of policy may stay the same, the details should change with the industry and the organisation. Policy reviews and revision is a crucial part of an effective policy and procedure management plan.³⁷

Why is it important to review policies and procedures?

Outdated policies can leave your organisation at risk. Old policies may fail to comply with new laws and regulations. They may not address new systems or technology, which can result in inconsistent practices.³⁸ Regularly reviewing policies and procedures keeps your organisation up to date with regulations, technology, and industry best practices. Policy review ensures that your policies are consistent and effective. Reviewing policies and procedures is especially important for high-risk or highly regulated industries such as healthcare, public safety, banking, and more. But organisations in every industry should regularly review and revise their company policies.³⁹

When to Review Policies and Procedures

With all the pressing daily tasks in the workplace, it’s easy for a policy review to fall through the cracks. Administrators may know that it’s important to review policies and procedures, but other tasks take precedence. However, policy review is best when it's done regularly and proactively. Company leaders shouldn’t wait for an incident to occur before they review and update company policies.

Regular policy and procedure review

The best way to proactively tackle policy and procedure review is just to build it into the corporate calendar. As a general rule, every policy should be reviewed every one to three years. But most experts recommend reviewing policies annually. Policy review doesn’t have to be as daunting a task as it sounds. A good policy management software will let you set up workflows to collaborate with your policy review committee, gather feedback, and track approvals.

Organisational changes

When your organization goes through large-scale changes, it’s a good idea to review relevant policies. Policies should line up with the company’s mission, vision, and values. So if you have a change in strategic direction or a reorganization, it’s important to review policies to make sure they align with the changes. These kinds of changes won't affect every policy. For example, a new structure probably won’t impact a vacation policy. But it may change other day-to-day policies and processes.

Changes to laws or regulations

Corporate laws and regulations change constantly. Compliance teams need to be aware of the changes and know which policies they impact. If there is a big regulatory change, you may need to gather your policy review committee for a special meeting instead of waiting until the regularly scheduled review time.

Adopting the changes to your policies as soon as possible helps you start to adjust your workplace to the new regulations. If you build them into your policies early on, you’ll have a smooth transition into compliance when the new laws go into effect.

An incident or policy violation

As mentioned before, you shouldn’t wait until an incident occurs to review your company policies. However, an incident or policy violation can indicate the need for a change. After an incident, it’s a good idea to do a debrief to make sure the policy had the intended effect. Examine the details of the incident to see if employees carried out the procedures properly. And look to see if there were any gaps in training or employee understanding of the policy.

This will help you determine whether you need to revise the policy in question.

Not every policy violation should result in sweeping policy changes. Sometimes it’s an isolated incident, calling for additional training or remediation for the employees involved. But in some cases, especially if there are many incidents in the same area, the issue may be that the policy is outdated, confusing, or requires increased training.

Identifying Policies and Procedures that need to be updated

Policy review doesn’t always result in policy revision. Sometimes, you may need to make big changes to address new regulations or gaps in policy. Other times, you may just make a few small tweaks.

And sometimes, the policy works as-is, with no revisions.

You’re not going to change or rewrite your policy manual every year. So how do you know which policies need to be updated?

Is the policy being implemented as intended?

It shouldn’t take an incident or high-profile issue to do an analysis of whether employees are complying with a policy and procedure.

If they are not, you need to determine why. Is the policy outdated?

Are the procedures difficult to follow? Have you introduced a new technology or process that the policy doesn’t address? Is it a training issue?

Gather feedback from line-level employees to help determine how you can improve the policy.

Does the policy have the desired effect?

Sometimes, employees are following the policy and procedure, but it’s not having the desired impact. Every policy should have a clear goal or objective. Over time, this will help you measure whether the policy is effective.

For example, perhaps a policy was put in place to improve employee safety. If employees are following the policy but accidents are still occurring at the same rate, it’s time to examine how you can change the policy to be more effective.

Are the policies and procedures current and relevant?

Make sure your policies and procedures line up with how your current systems and structures actually work. If policies and procedures refer back to old structures or technology, employees are more likely to ignore them or think that they don’t matter.

For example, perhaps your company has adopted flexible work arrangements, but your attendance and tardiness policy still revolves around old standard hours. You will need to update that to reflect the current system and make the new expectations clear.³⁸

Keeping up with change: An ongoing process

As change is constant, you should have a process for continuous improvement of your controls and compliance efforts. Having a defined and documented improvement process will show good 'due diligence' to your auditors.

Here are some steps and suggestions on how to keep up with changes and ensure your compliance efforts don't get lost in the daily change shuffle.

I. Monitor new or potential legislation and regulatory pronouncements

New legislation and regulatory rules are always in the works for information security, privacy and other related business controls. Some are refinements and new interpretations of existing laws. As a security or compliance professional, it is incumbent on you to keep up on the latest legislative and regulatory actions and to interpret the new rulings in regards to how they may affect your company. Here are some tips for keeping up on regulations:

1. Identify and subscribe to services that monitor and alert you to new and upcoming regulatory rulings for your specific industry.
2. Inventory current and upcoming (potential) regulations.
3. Include local, state, federal, and international governing bodies in your research.
4. Identify upcoming or potential new laws and determine the potential impact and risk to your organization.
5. Keep business management, Compliance Officer and Legal Counsel updated on new legislation.

II. Define requirements to meet new compliance requirements

For new legislation or regulatory requirements, you will need to analyse and determine the steps needed to bring your organization into compliance. Here are a few steps to follow:

1. Perform a risk assessment and gap analysis, if not already done
2. Get business management involvement
3. Identify business and IT processes affected
4. Define business requirements
5. Create/update policies that support new or changed compliance needs
6. Define technical and system requirements
7. Implement changes

III. Integrate with change control processes

Make use of your change control process to help ensure controls and compliance are maintained over time. Modify your change management practices to include a check and verification for controls and compliance requirements. Any changes to applications and systems should include a review and update to the control processes before being allowed into production. Controls processes, like other system functions, should be tested. The Information Security Officer or appropriate IT compliance manager should sign off on all changes to ensure controls were properly addressed and updated and meet regulatory requirements. Also, for tax-related applications, changes should be scheduled and timed so as not to cause issues during a quarter or year-end audit controls testing. If new controls are implemented too close to the end of a year, then auditors may not be able to test the effectiveness of the control, creating issues in their audit findings.

IV. Integrate with the project management process

Modify your project management methodology to include meeting regulatory requirements as a deliverable success factor for each project. This will help ensure all new systems and applications meet regulatory requirements. When defining business and technical requirements for a new system, including identifying and defining the regulatory and controls requirements. These should be considered upfront and integrated into the system requirements and functions. The controls should be tested along with the other functional and system testing. The final approval to move a system into production should include a review and approval of the control processes. If you can, get your Internal Auditor to review the controls design for new systems during design and before implementation. If there are issues, then you can resolve them at less cost than having to redo something after the system goes into production and creates an out of compliance issue.

The following document explains the process for writing policies and procedures.

The term compliance describes the ability to act according to an order, set of rules or request. In the context of financial services, businesses compliance operates at two levels.

1. Compliance with the external rules that are imposed upon an organisation as a whole
2. Compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules.

The most effective way to assist in ensuring compliance is to create and maintain policies and procedures that encourage the desired practice.

Writing instructions and procedures

Procedures should be designed to communicate the information that a reader needs to know. In your procedure, you may also like to add a description of why they should do this or specific times when they should use this procedure. Within the procedure should be areas on what to do if things go wrong and where to go for help on the subject.

Some questions to consider when writing a procedure to ensure it has the correct amount of detail:

• Do users have enough information to complete the action?
• Is there enough information to guide users in using good professional judgment?
• Is the level of detail appropriate for the subject?
• Is the level of detail appropriate for readers?
• How comfortable are readers with the subject?

Gather Information

Before you start writing, you will first need to gather detailed information on the process or policy you want to make into a procedure.

When gathering information, you should talk with content experts as well as others who hold key information, such as:

• Long-time staff members
• Stakeholders
• Legal professionals
• Industry professionals
• People who will use the procedure

When gathering information from experts, ensure that you take notes. Once you have gathered the information you need, you will then need to analyse it in order to gain a clear understanding of the content you have gathered.

The next step from there will be to trim the information you have and organise the information into what the user needs to know when using the procedure.

Start Writing

The main purpose of your first draft is to include the information you need and to get it all on paper. From there, you can edit and organise the information into a useable format. Some helpful steps to follow when writing a procedure are as follows:

• Write actions out in the order, from the first step to last
• Be specific enough to communicate clearly but do not go overboard on words
• Make your procedures as if you were instructing the person next to you how to do them. Make the procedure step by step
• Use lists and bullets
• Do not assume knowledge when writing instructions
• Use terms that all staff can understand, avoid jargon
• Write at an appropriate reading level

Design Elements

In many cases, a set of instructions, especially for complex tasks, are not enough to explain a procedure. You may find that a flow chart, Q&A or script may be necessary. An example of each of these can be found below:

Flowchart – This shows a process as a diagram. Using a series of symbols and arrows to indicate flow and action, you can outline a process and make it easy to follow.

Playscript – a play script, when talking about writing a procedure, will be a list of the staff within the procedure and the responsibilities each will hold. If multiple people are involved in the procedure, then a script could help the procedure.

Person responsible	Action
Writer	Gather information. Write procedure. Show draft to stakeholders.
Stakeholders	Review draft. Submit corrections and comments.
Writer	Create a final draft.
Department manager	Approve the final version.

Question and answer – FAQs on the procedure and answers to them are often a good way to ensure understanding when writing a procedure. It also helps address "what if" issues.⁴⁰

Effective Procedures

Well-written procedures can help your organisation to improve its quality of work. It can help your organisation to reduce the number of errors and omissions and ensure that new and old staff will be able to perform complex tasks quickly and effectively.

To ensure that you are as effective as possible, make sure that they are necessary and that they are written in a way that is easily understood – using simple and clear instructions to communicate as effectively as possible.

External Stakeholders and Networks

A major tool in the process of keeping updated about changes to industry regulations is professional networking. Professional networks can assist if a Financial Services Industry professional encounters tasks outside their defined role and responsibilities or beyond their skill set.

The network of professionals that members of the Financial Services Industry can build relationships with may include, but is not limited to:

Network Type	Can assist with
Fellow bookkeepers	Processes, industry updates, software assistance
Colleagues / staff	Company policies, procedures, and information
Accountants	Legislation and tax information
Lawyers	Laws and legislation
Registered tax agents	Legislation and tax information
Auditors	Adherence to company policies, legislation, and tax information
Banks, building societies, credit unions	Banking and financial tools
Suppliers	Software upgrades and advances
Mentors	Processes, industry updates, software assistance, ethical behaviours, professional development
Software consultants	Software upgrades and advances
Information technology (IT) team	Software upgrades and advances
Australian Taxation Office (ATO)	Legislation and tax information
Professional associations	Processes, industry updates, software assistance, ethical behaviours, professional development
Business or financial advisor	Processes, industry updates, software assistance, ethical behaviours, professional development
Debt collection agencies	Adherence to company policies, legislation and tax information adherence

What are statutory reporting requirements?

Statutory reporting is a core regulatory requirement, often with significant attention from investors, auditors and management. Therefore the accuracy and timely completion of reporting are imperative.⁴¹

Deadlines

In order to comply with all requirements and statutory deadlines, you will need to create a timetable. This timetable should list the times at which certain events and deadlines occur. A timetable should hold the deadlines of requirements such as:

• Financial reporting – all entities must lodge a financial statement and report within three months of the end of the financial year as described by the Corporations Act
• Income tax lodgment – the lodgment program each year focuses on providing details of when documents need to be lodged with the tax office
• ATO and GST compliance – there are three returns and lodgments that are required when complying with the ATO. These are as follows:
  • BAS – will be reported on a monthly, quarterly or yearly basis depending on the organisational preferences
  • IAS – will be reported on a monthly, quarterly or yearly basis depending on the organisational preferences
  • PAYG – generally paid quarterly. In some cases, it may be two times per year or even annually
• Annual statements – every company listed with ASIC will have an annual review and must lodge a statement annually
• Managed investment schemes – must lodge a financial statement and report within three months of the end of the financial year.

You should ensure that you create a timetable of when each of your compliance requirements is due. This will help ensure that your organisation remains compliant and will help your organisation avoid any fines or punishments involved in non-compliance.

Real-life example- ASIC

Each year, ASIC will send your company an annual statement shortly after the annual review date (which in most cases is the date you registered the company).

Your annual statement will contain:

• a statement of your company's current details,
• an invoice for your company annual review fee, and
• your company's corporate key

Example of Statement

To keep your company registered, you must complete the following steps.⁴²

• Step 1: Pay your annual company review fee
• Step 2: Check and update your company details
• Step 3: Pass a solvency resolution

ASIC Company’s annual statement

It is now time to test your understanding of the module using the Burleigh Financial Services Case Study below.