We remain very concerned about the ATO's current approach to allowing technical service providers (in some contexts described as “Sending Service Providers”) to be a part of the submission of taxpayer data to the ATO. The future authentication and authorization framework must be enhanced and the ATO must take a far more active and authorisation-based approach to accreditation of technology providers.
If technology providers are to be permitted to have a greater role in the interaction of taxpayer data to the ATO, in theory by reducing the role of the TP, then the technology providers must raise their level of accountability and competence in provision of those services.
We are not yet convinced about the appropriateness of the ATO's “risk” assessment applied in its current form, opening the ATO to submission of data from new technology. There appears to be a theory that the ATO can open itself up to receive any data and its internal analytics will detect any threats. We believe there is a requirement for the ATO to conduct an assurance process upon every technical channel that is permitted to provide data to the ATO. As regulator of the tax system, they must enable digital interaction but, they must be responsible for certainty about the source of data, and responsible as to whom and how they provide ATO data.
The ATO must conduct assurance processes on the technical channels of data in and out of the ATO.
The ATO must also respect the existing principles (in law) of the “Approved Form” and respect the relationships of who can provide information to the ATO on behalf of a taxpayer; the taxpayer themselves or a TP. Provision of electronic data is the same as submission of that same information in paper form. The ATO cannot allow software to prepare data in a form that the ATO then accepts without accountability to the preparer or the method of preparation of the data. Software can be considered a calculation tool and a form (or data) preparation tool, but software must also provide a capacity to obtain the taxpayer or TP declaration on the accuracy and accountability for the data being submitted. Alternatively, the software provider must become a TP in their own right and meet all the obligations of the TASA code of conduct.
Business expects the TP or the tools they use to produce the right result. They rely on government to ensure the appropriate environment and regulation of the TP.
Updated: 30th August, 2017