
Offshore outsourcing considerations in client engagement letters

Tobias Fellas


June 30, 2024


Information about outsourcing you may need in your client engagement letters

This post is primarily for Accountants utilising Felcorp Support staff

1. Disclosure of Outsourcing Services in Engagement Letter

Under APES 305 (Terms of Engagement), members in public practice utilising outsourced services must comply with the following disclosure provisions in their client engagement letters, as set out in the APES GN 30 Outsourced Services guideline.


Section 3.9 of APES GN 30 Outsourced Services

"Where a Member in Public Practice will utilise Outsourced Services in the provision of Professional Services to a Client, the Member is required to comply with the disclosure obligations in APES 305 Terms of Engagement (APES 305), including to document and communicate the details of the Outsourced Service Provider, the geographical location of where the Outsourced Services will be performed and the nature and extent of the Outsourced Services to be utilised. These factors impact the amount of risk associated with the Outsourced Service being delivered and the management of the Client’s confidential information."



Wording to consider in your Engagement Letter:

We utilise outsourced HR and contractor staffing support through Felcorp Support, who assist us in bookkeeping, administration, and the preparation of BAS, tax returns and financial statements. Our contractors are full-time employees and adhere to all our internal practice security, privacy and confidentiality protections. Staff are based both in Sydney, Australia and in Chandigarh, India.



  • Here is the link to the PDF version of APES 305 (Terms of Engagement):  APES305 (PDF)


  • Here is the link to the PDF version of APES GN 30 (Outsourced Services):  APESGN30 (PDF)



2. Summary of Key Terms (Data & Privacy Protection Policy 1 July 2024)

For our full and in-depth Data and Privacy Protection Policy, please see our PDF document here:  Data & Privacy Protection Policy (1 July 2024)


Below is a summary of key terms:


(Updated 1 July 2024)


1. POLICY OVERVIEW AND PURPOSE

This Data & Privacy Protection Policy outlines Felcorp Support's commitment to safeguarding data by adhering to the Australian Privacy Principles Act 1988 and GDPR compliance measures. Applicable to all employees and suppliers handling data, the policy ensures that data processing is lawful, fair, and transparent, with data collected only for specified, legitimate purposes. It mandates data minimization, accuracy, and appropriate storage and security measures to protect against unauthorized access, loss, or damage. In cases of discrepancies between GDPR and the Act, the latter prevails. The policy is reviewed annually to remain current with legislative, business, and technological changes.


2. COLLECTING OR RECEIVING DATA

The methods by which Felcorp Support collects or receives data primarily involve authorised channels such as email, file transfers, software environments, and approved communication portals, where permission from the Client is expressly given. Additionally, data can be collected through phone or video calls with industry suppliers under strict conditions, including a properly lodged Third Party Authority form and Client's explicit permission. All data collection practices by Felcorp must adhere to lawful purposes directly related to the Client’s activities, ensuring that the information collected is relevant, accurate, complete, and up-to-date. It is also crucial that the Client is informed about the reasons for data collection and its primary uses, maintaining transparency and compliance.


3. ORGANISING, STORING & HANDLING DATA

Effective data management involves the secure collection, organisation, storage, and access control of client data. Felcorp must store data solely within its approved file storage software (Felcorp App) or the client's designated cloud system, maintaining clear and transparent organisation. Access to data is restricted to authorised personnel and monitored to ensure compliance with access rules, maintaining minimum user privileges necessary for service delivery, and ensuring regular review of access rights. Confidential data handling mandates protection during transmission, restriction from unauthorized access, and secure storage practices, prohibiting print or unattended exposure unless expressly permitted by the client.


4. DISPOSING AND ARCHIVING DATA

Felcorp mandates archiving confidential data within 3 months of non-use; data must be transferred to the Client's system and deleted from Felcorp App promptly. Upon termination, Felcorp will securely transfer all data back to the Client within 60 days, ensuring encryption and secure transmission. Post-transfer, data will be permanently erased from Felcorp systems.


5. DATA BREACH DISCLOSURE AND PROCEDURES

Felcorp Support defines a data breach as unauthorized access, disclosure, modification, or loss of personal information or intellectual property. In the event of a suspected data breach, personnel must immediately notify Felcorp Management and the IT team, who will assess and manage the breach according to the Data Breach Management Plan. This plan includes containing the breach, assessing risks, notifying stakeholders, and complying with the Notifiable Data Breach Scheme as required by the Privacy Act 1988 (Cth). Affected users will be informed through appropriate channels such as email, direct communication, or notifications on the website or app.


6. EMAIL SECURITY

Felcorp employs stringent email security measures to enhance deliverability and reduce phishing and spam. All felcorp.com.au emails adhere to a strict DMARC policy, ensuring DKIM and SPF domains match the Header From address to prevent impersonation and spoofing. Our SPF policy verifies that only authorized Felcorp Support personnel send emails, while the DKIM policy protects against email interception during transit. TLS encryption ensures secure email transmissions by mandating encrypted connections for both outgoing and incoming messages. Additionally, felcorp.com.au is not listed on any threat intelligence databases, ensuring a high reputation and minimal risk of being flagged as spam or phishing. 
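The alignment rule described above (SPF and DKIM domains must match the Header From domain before a DMARC policy passes) is what a receiving mail server evaluates for every message. The following is an added example, not Felcorp's code or configuration, showing how a strict policy (adkim=s, aspf=s) differs from the relaxed default; felcorp.com.au is taken from the post, all other domains and the DMARC records are constructed for illustration.

```python
# Added example: DMARC identifier alignment as evaluated by a receiver (RFC 7489).
# Toy subset of the Public Suffix List used to derive the organisational domain
# in relaxed mode; a real receiver uses the full list.
SUFFIXES = ("com.au", "net.au", "org.au", "com", "net", "org")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=s'."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # Alignment defaults to relaxed ('r') when adkim/aspf are omitted.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: mail.felcorp.com.au -> felcorp.com.au."""
    labels = domain.lower().split(".")
    for n in (2, 1):
        if ".".join(labels[-n:]) in SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record: str, from_domain: str, spf_domain: str, spf_pass: bool,
                 dkim_domain: str, dkim_pass: bool) -> str:
    """Return 'pass' if either authenticated identifier passes AND aligns with the
    Header From domain; otherwise the disposition requested by the p= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
```

A message that carries a valid DKIM signature for an unrelated domain still fails DMARC, because the signing domain does not align with the Header From; under strict alignment even a signature from a subdomain such as mail.felcorp.com.au fails, which is the trade-off a strict policy makes against impersonation.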


7. ANTI-VIRUS ENDPOINT SECURITY

Felcorp utilizes Bitdefender policies for all computer devices, including secure VPN internet access, comprehensive audit logs for monitoring suspicious activity, end-to-end encryption and protection of information ports, and remote enforcement of specific IT policies to ensure compliance with approved internet connections, website blacklisting, and USB port disabling.


8. PASSWORD STORAGE SYSTEMS

Felcorp utilizes LastPass for password management, ensuring protection against unauthorized password sharing, concealment of password characters, and providing management with comprehensive audit controls and user access oversight. 


9. DOCUMENT AND FILE STORAGE SYSTEMS

Felcorp manages internal information on Dropbox, while all client information is transparently stored on the Felcorp App, ensuring no other storage systems, including desktops, hold client data.


10. DEVICE SECURITY AND PERSONAL DEVICES

Accessing work accounts on personal devices (e.g., mobile phones, tablets, laptops) is permitted only within the office during work hours and under certain circumstances approved by senior management on a case-by-case basis. Employees must use secure electronic device passwords, use verified Felcorp networks for login, update antivirus software promptly, and shut down computers/screens when away from their desks.


