SMSF engagement letters overhaul
The Accounting Professional and Ethical Standards Board Limited (APESB) has recently updated APES 305 Terms of Engagement, requiring SMSF professionals to include the details of all outsourced services and cloud computing in their SMSF engagement letters.
The revised standard has practical implications for SMSF firms, especially those using outsourced services.
The reason is that some engagement letters hide outsourced services as “third parties” to avoid specifying the offshore processing of their client’s personal and confidential financial information.
An example of this type of arrangement is a company in India performing the accounting work for an Australian firm, but the requirement also covers onshore processing.
Undoubtedly, some firms may find this new requirement challenging as their SMSF clients may not be aware of who is doing the work and where.
Revised engagement letters
SMSF practitioners should be mindful that the new rules provide updated definitions for outsourced services and cloud computing.
An outsourced service means a service involved in outsourcing a material business activity to an outsourced service provider, who may not be located in the same country or may not even be a member of a professional body.
On the other hand, cloud computing refers to computing resources provided over the internet, including on-demand access to networks, servers, data storage, databases, software and applications. Cloud computing entrusts the remote third party with data and information of the SMSF firm’s clients.
Where either of these new requirements is met, SMSF practitioners must document and communicate with their SMSF trustee clients by updating all engagement letters to include:
- The details of the provider
- The geographic location of where the services will be performed
- The nature and extent of the services to be utilised
The new standard is effective for engagements commencing on or after 1 July 2021, with earlier adoption permitted.
Compliance and privacy issues
Paragraph 3.5 of APES 305 states that using outsourced services or cloud computing may impact the amount of risk associated with delivering professional services and managing a client’s confidential information.
The revised standard also references APES GN 30 Outsourced Services (APES GN 30) to help firms identify whether a service is an outsourced service. It can also provide guidance on the professional and ethical obligations regarding these services.
Additional risks of non-compliance with applicable laws and regulations, such as the Privacy Act 1988 (Cth) (Privacy Act), may also occur.
The Privacy Act outlines 13 principles for the secure handling of personal information and minimising the risk of a data breach.
With the average cost of a reported data breach in Australia valued at $3.35 million, and finance listed as one of the top three industries impacted, there is much at stake.
It also provides a timely reminder that the SMSF practitioner retains the primary responsibility to deliver the service in line with their engagement letter and must comply with the ethical requirements of APES 110 and all other professional standards.
The best practice is to obtain written consent from the SMSF trustee acknowledging the acceptance before implementing the outsourced service.
Risk management
APES GN 30 also recommends that firms develop and document an outsourcing policy framework containing policies and procedures to manage business, operational and other risks.
The framework will assist with setting the performance of the agreement and enable the SMSF firm to conduct appropriate due diligence before working with the outsourced service provider.
Fact-finding is an integral aspect of outsourcing but can be sadly lacking within the SMSF industry.
Matters which should be considered and assessed include, but are not limited to, the following aspects of the service provider’s business:
- Policies and procedures that meet professional obligations
- Sufficient staff with the necessary professional competencies and skills
- Communication skills of the provider and their personnel
- Adequacy of contingency and business continuity plans
- Ability to conduct the services on an ongoing basis
The reality is that the SMSF firm retains the obligation to monitor and review their work to ensure it complies with professional standards applicable to the engagement.
To this end, developing an outsourcing agreement will manage the risks of transition and implementation.
It will also ensure that SMSF firms check whether their professional indemnity insurance policy contains adequate coverage for these services.
Material business activity
One of the critical issues is whether the professional services being outsourced constitute a firm’s material business activity.
It would be a mistake to underestimate the concept of material business activity as it does not just refer to fees.
Material business activity refers to an entity or firm whose business activities have the potential, if disrupted, to significantly impact the quality, timeliness or scale of services.
A fundamental aspect is to ensure a material business activity assessment is performed from both the firm’s and the SMSF trustees’ perspectives: it is essential to judge each case based on the particular facts and circumstances.
An outsourcing arrangement covering less than 5 per cent of the firm’s clients may not be a material business activity from the firm’s perspective. However, it may be a material business activity due to unique circumstances from the client’s perspective.
The consideration here is whether the client is materially impacted, in which case clarification should be obtained from APES GN 30.
Conversely, where outsourcing activity impacts 10 per cent of the firm’s revenue base, it may be considered a material business activity from both the firm’s and client’s perspectives. The firm should once again refer to APES GN 30.
Conclusion
There is much to consider with the revised standard, such as challenging firms to establish policies and procedures designed to manage risk, putting appropriate quality control requirements in place and overhauling SMSF engagement letters.
Documenting and communicating the terms of engagement will also ensure a clear understanding between SMSF trustees and advisers, which is in both parties’ best interests.
There’s no doubt that the benefits of implementing the new requirements far outweigh the costs once SMSF practitioners remind themselves they are ultimately responsible for delivering outsourced services and cloud computing.
Shelley Banton, head of education, ASF Audits