Login
iscover
A case study in the TPB's guidance on breach reporting highlights the importance of self-reporting breaches that arise from using third-party software, warns John Jeffreys.
Newsletter
Breach reporting guidance raises concerns with software errors
07 January 2025
•
12 minute read
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
Accountants should pay close attention to some of the practical examples included in recent guidance released by the Tax Practitioners Board on the significant breach reporting obligations, which commenced 1 July 2024, according to tax specialist and education provider John Jeffreys.
The Tax practitioners Board (TPB) released a detailed information sheet on the obligations, Information Sheet TPB(I) 43/2024, on 23 December.
The breach reporting obligations apply to situations where a registered tax agent or BAS agent has reasonable grounds to believe there has been a significant breach of the Code of Professional Conduct.
Once identified, the breach must be reported to the TPB within 30 days of the practitioner having, or reasonably being expected to have, knowledge of the breach, Jeffreys explained.
Jeffreys said while the new guidance, TPB(I) 43/2024, includes numerous case studies, case study 11 is "particularly eye-opening for tax practitioners".
"It highlights an obligation that many practitioners may overlook: the responsibility to self-report breaches arising from the use of third-party software from digital service providers (DSPs)," he said.
==
==
The case study involves a registered BAS agent that acquires new software after seeing it operate at a practice management conference. The software is designed to streamline transaction coding based on GST classifications.
The example notes that after initial testing reveals some bugs, Isaac proceeds to use the software.
"Over time, he notices that the software produces Business Activity Statements (BASs) that overclaim GST input tax credits. Upon further review, he discovers additional errors in other BASs," said Jeffreys.
"Isaac acts promptly: he contacts the DSP to rectify the software error, lodges amended BASs to correct the inaccuracies and implements a process to regularly review software-generated data for accuracy."
Jeffreys said while many tax practitioners would assume this was enough to address the issue, this is not the case, according to TPB(I) 43/2024.
"The TPB asserts that Isaac must self-report a significant breach of the Code of Professional Conduct," he said.
"Specifically, Isaac is deemed to have breached the Code by failing to take reasonable care in ensuring taxation laws were applied correctly and by not providing services competently."
Jeffreys said the case study raises significant concerns given that many tax practitioners rely on ATO-approved software, trusting that such tools have undergone rigorous validation.
"DSPs work closely with the ATO to ensure compliance, and practitioners generally assume they can rely on the outputs of these programs without extensive verification," he said.
"However, the TPB’s stance in this example makes it clear that such reliance is not sufficient under the Code of Professional Conduct. Practitioners must independently verify the accuracy of software calculations and outputs, as ultimate responsibility for competent service delivery rests entirely with the practitioner.
"Even when the error originates from ATO-approved software, the practitioner is held accountable."
Jeffreys said the obligation to self-report under these circumstances is likely to be met with frustration or even disbelief by practitioners.
"In Isaac’s case, despite taking all reasonable steps to resolve the issue—including correcting errors and implementing preventative measures—he is still required to report himself to the TPB," he said.
"This expectation underscores the TPB’s strict interpretation of practitioner responsibilities."
This means practitioners will need to implement robust processes to verify the accuracy of software outputs, said Jeffreys.
They will also need to ensure that all tax laws are applied correctly to each client's circumstances, even where the software has been used in the process, he added.
Practitioners should also be prepared to self-report significant breaches, he said, even if they stem from third-party software or the use of third parties to assist with the delivery of tax services.
"The TPB’s position may feel onerous, but it reflects a broader shift towards heightened accountability and professional standards in the industry," said Jeffreys.
"In a world where technology plays an ever-growing role, this case study underscores a critical truth: even the best tools cannot replace the professional judgment and vigilance of a qualified tax practitioner. The buck stops with them."
You are not authorised to post comments.
Comments will undergo moderation before they get published.