Cybersecurity and IT Compliance for Perth Accounting Firms in 2026

By Greg Markowski / Apr 16, 2026 / Cybersecurity & Compliance

Key facts: IT and cybersecurity compliance for Perth accounting firms

Accounting firms and financial services businesses in Australia operate under a compliance environment that directly shapes their IT requirements. APRA CPS 234 governs financial services organisations regulated by the Australian Prudential Regulation Authority. ASIC has expectations around operational resilience and data integrity for its licensees. The ATO has specific requirements for tax agents handling client financial data. And the Privacy Act — with significantly strengthened penalties since the 2024 amendments — applies to every firm handling client personal information.

This guide explains the specific IT and cybersecurity requirements for Perth accounting firms and financial services businesses in 2026, what the key regulations actually require from an IT perspective, and how to assess whether your current setup meets the standard.

The regulatory landscape for financial services IT in Australia

Key compliance obligations affecting financial services IT

APRA CPS 234 — what it means for IT in practice

CPS 234 is the most demanding IT security standard in the Australian financial services sector. While it applies directly to APRA-regulated entities, its influence extends to their suppliers and service providers — meaning accounting firms and financial advisors that provide services to banks, insurers, or superannuation funds may face CPS 234-aligned requirements from their clients.

The core requirements of CPS 234 from an IT perspective include documented information security policy and framework approved at board level, an information asset register identifying all assets and their criticality, systematic testing of controls including penetration testing and vulnerability scanning, incident response capability with defined escalation paths, and notification to APRA of material information security incidents within 72 hours.

The AML/CTF expansion from July 2026

From 1 July 2026, Australia’s anti-money laundering regime expands significantly. The updated AML/CTF Act brings a broader range of professional services — including accounting, legal, and trust and company services — within the reporting entity framework. For accounting firms newly captured by the expanded AML/CTF regime, this means record-keeping systems that can produce the required reports, customer identification and verification records that meet the prescribed standards, and the ability to produce transaction monitoring data if required by AUSTRAC.

The IT controls financial services firms need

Multi-factor authentication — no exceptions

Every account that accesses client financial data — accounting software, client portals, email, cloud storage — needs MFA enforced. Financial services firms are a prime target for business email compromise, where attackers impersonate firm principals or clients to redirect payments or obtain sensitive data.

Privileged access management and segregation of duties

Role-based access controls should mirror your internal segregation of duties — senior accountants, junior staff, administrative personnel, and contractors should have access scoped to what they genuinely need for their role.

Accounting software security

MYOB, Xero, Reckon, and practice management platforms like GreatSoft and Sage HandiSoft are the systems where your most sensitive client data lives. Your IT provider needs to understand how these platforms handle data, what their backup and recovery options are, and how they integrate with Microsoft 365.

Audit logging and evidence trail

CPS 234 and the Privacy Act both require the ability to demonstrate what happened when a security incident occurs. Audit logging needs to be enabled across your key systems — Microsoft 365, accounting software, client portals — and logs need to be retained for a period that meets your regulatory obligations.
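Added example (not Epic IT's own tooling) covering the two controls above: it lists Microsoft 365 accounts with no MFA method registered, then confirms the unified audit log is switched on and usable as an evidence trail. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the signed-in account holds the reporting and Exchange admin rights those cmdlets require.

```powershell
# Compliance spot-check for a Microsoft 365 tenant: MFA coverage and audit logging.
# Assumes modules Microsoft.Graph (Reports) and ExchangeOnlineManagement are installed.

# 1. Which accounts can reach client data without MFA? ("MFA - no exceptions")
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }

if ($noMfa) {
    Write-Warning ("{0} account(s) have no MFA method registered:" -f @($noMfa).Count)
    $noMfa | Format-Table -AutoSize
    # Privileged accounts without MFA are the highest-risk rows; surface them separately.
    $noMfa | Where-Object IsAdmin |
        ForEach-Object { Write-Warning "PRIVILEGED account without MFA: $($_.UserPrincipalName)" }
} else {
    Write-Host "All reported users have at least one MFA method registered."
}

# 2. Is the evidence trail actually being recorded? (audit logging control)
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF: there is no M365 evidence trail for an incident."
    # Remediation (run once, after Enable-OrganizationCustomization if the tenant needs it):
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "Unified audit logging is enabled."
}

# 3. Prove the log is queryable: failed sign-ins over the last 7 days, grouped per user.
$failed = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations UserLoginFailed -ResultSize 5000
$failed | Group-Object UserIds | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Run it before an SMB1001 or CPS 234-aligned review; the two warnings are the findings an auditor would raise first.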

Data retention and secure disposal

Tax records have specific retention obligations under the Income Tax Assessment Act — generally five years, with some records longer. Your IT systems need to support retention policies that are enforced technically, not just on paper, and secure disposal processes for data at end of retention.

How financial services firms should approach cybersecurity frameworks

| Framework | Best for | Certification available? | Typical timeline |
|---|---|---|---|
| SMB1001 Bronze | Starting point for any firm — basic cyber hygiene | Yes — self-assessed | Weeks |
| SMB1001 Gold | Most Perth accounting firms — governance, policies, training | Yes — external audit | 3–6 months |
| Essential Eight ML1 | Firms supplying to government or APRA-regulated entities | No — self-assessed maturity rating | 3–6 months |
| Essential Eight ML2 | Firms with formal government or enterprise contracts requiring ML2 | No — self-assessed maturity rating | 6–12 months |
| ISO 27001 | Larger firms or those supplying to enterprise / international clients | Yes — JAS-ANZ accredited body | 6–12 months |

Frequently asked questions

Does APRA CPS 234 apply to my accounting firm?
CPS 234 applies directly to APRA-regulated entities — banks, insurers, superannuation funds, and ADIs. If your accounting firm is not itself APRA-regulated, CPS 234 does not apply directly. However, if you provide services to APRA-regulated entities, they may impose CPS 234-aligned requirements on you as a supplier.
What are the new AML/CTF obligations from July 2026?
From 1 July 2026, the expanded AML/CTF Act captures a broader range of professional services firms including accountants providing certain services. Newly captured firms become reporting entities under the AUSTRAC framework, with obligations including customer due diligence, record-keeping, suspicious matter reporting, and annual compliance reporting. Your IT systems need to support these requirements before the July deadline.
What should I do if a client’s financial data is breached?
Under the Notifiable Data Breaches scheme, if the breach is likely to result in serious harm, you must notify the OAIC and affected individuals within 30 days. Contact your IT provider immediately to contain the incident and preserve evidence. Do not delay containment while assessing notification obligations.
How do I securely share financial documents with clients?
Unencrypted email is not appropriate for financial statements, tax returns, or any document containing client financial or personal information. Options include secure client portals built into your practice management software, Microsoft SharePoint with guest access, or encrypted file sharing services. Your IT provider should be able to configure a secure sharing workflow that integrates with your practice management system and Microsoft 365.
How much does managed IT cost for a Perth accounting firm?
For a typical Perth accounting firm, managed IT runs $100–$150 per user per month for fully managed IT with unlimited helpdesk. Adding cybersecurity controls appropriate for financial services brings this to $180–$220 per user per month. See our full IT support pricing guide.

For cybersecurity, we implement the Essential Eight and SMB1001 frameworks, with endpoint detection and security awareness training as standard. Our managed security services are built for regulated industries like accounting.

IT support built for financial services

Epic IT has supported Perth accounting firms and financial services businesses since 2003. We understand APRA, Privacy Act obligations, and the IT controls your clients and regulators expect.


About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
