Access to Records, Confidentiality and the Privacy Act — Why Trust Matters in Auditing
Can your organisation legally provide committee minutes, payroll records and other confidential documents to its auditor or independent reviewer without breaching the Privacy Act? The answer is yes—and understanding why is essential for every Australian charity, incorporated association and not-for-profit.
Who Can See Your Records? Privacy, Audits, Reviews and Why Chartered Accountants Take Confidentiality Seriously
“Do you really need to see our committee minutes?”
It is one of the most common questions we receive from new clients.
Many volunteer treasurers are comfortable providing bank statements, invoices and financial reports, but hesitate when asked for committee minutes or other governance documents.
The concern is understandable.
Committee minutes may discuss complaints, staff matters, legal issues, pastoral care, disciplinary matters or sensitive decisions. Volunteers naturally want to protect the privacy of their members.
The good news is this:
Australian law already recognises both obligations.
An auditor or independent reviewer has a legal right to obtain the information necessary to complete their engagement, while at the same time being legally and professionally required to keep that information confidential.
These two obligations work together—not against each other.
What are “books and records”?
Many people assume accounting records simply mean:
bank statements
invoices
receipts
accounting software
payroll records.
In reality, an organisation’s records are much broader.
Depending on the organisation, they may include:
committee minutes
AGM minutes
constitutions
registers of members
contracts
leases
grant agreements
employment records
banking authorities
correspondence supporting significant decisions
policies and procedures
financial reports and working papers.
For incorporated associations, maintaining proper records—including minutes—is one of the management committee’s core responsibilities.
Why do auditors and reviewers ask for committee minutes?
Committee minutes are not requested out of curiosity.
They provide important audit and review evidence.
Minutes help us understand whether there are matters that could affect the financial statements, including:
approval of significant expenditure
new loans or finance arrangements
legal disputes
grant approvals
property purchases or sales
related party transactions
major contracts
commitments entered into after year end
changes in banking authorities
going concern issues
fraud allegations or internal investigations.
Professional auditing and review standards require accountants to obtain sufficient appropriate evidence before expressing a conclusion. Reviews and audits exist to improve the reliability and credibility of financial reporting for members, donors, regulators and other stakeholders.
What does the law say?
For charities registered with the ACNC, the position is very clear.
Section 60-55 of the Australian Charities and Not-for-profits Commission Act 2012 requires a registered entity to ensure that its auditor or reviewer:
has access at all reasonable times to the books of the registered entity; and
receives the information, explanations and assistance reasonably required to complete the engagement.
This is not simply an auditor’s preference.
It is a legal requirement that supports independent assurance.
But what about the Privacy Act?
This is where many committees become understandably concerned.
Questions we regularly hear include:
“Our minutes contain confidential discussions.”
“What if there are complaints about members?”
“Can we legally provide payroll information?”
“Won’t we breach the Privacy Act?”
In almost every case, the answer is no.
Providing information to your independent auditor or reviewer as part of a professional engagement does not mean your information becomes public.
Quite the opposite.
The Privacy Act works alongside professional obligations
The Privacy Act 1988 places obligations on organisations that collect, store and use personal information.
Professional accounting firms take these obligations extremely seriously.
When you appoint a Chartered Accountant to perform an audit or review, your information is protected through multiple layers of confidentiality.
These include:
the Privacy Act
professional standards
ethical requirements
engagement contracts
secure record storage
quality assurance requirements.
For most accounting firms, confidentiality is not simply good practice.
It is a professional obligation.
Chartered Accountants are held to a higher standard
Members of Chartered Accountants Australia and New Zealand (CA ANZ) must comply with strict ethical requirements regarding confidentiality.
Information obtained during an engagement cannot simply be shared because someone asks for it.
Unless required by law or authorised by the client, confidential information must remain confidential.
This obligation continues even after the engagement has finished.
Breaches of confidentiality may result in:
disciplinary action
professional sanctions
legal consequences
significant reputational damage.
Protecting client information is one of the foundations of the Chartered Accounting profession.
What happens to your information?
Many organisations are surprised by how routine confidential information is within an accounting practice.
Every year we securely receive:
payroll records
employee files
bank statements
credit card statements
tax information
grant documentation
committee minutes
contracts
legal correspondence.
These records are handled using secure systems and are only accessed by staff involved in the engagement.
For most accounting firms, confidential information is an everyday responsibility.
Can sensitive information be removed?
Sometimes, yes.
If committee minutes contain:
legally privileged advice
confidential complaints
pastoral matters
sensitive personnel issues
that have no impact on the financial report, it is often appropriate to redact names or other identifying information before providing the minutes.
In many cases we are interested in understanding:
what decision was made;
whether a financial commitment exists; or
whether disclosure is required in the financial statements.
The identity of individuals is frequently irrelevant.
If you are unsure, simply discuss the matter with your auditor or reviewer before providing the documents.
Independence requires complete information
An independent audit or review only works when the accountant receives complete and unrestricted access to the information needed.
If important records are withheld, the accountant may be unable to obtain sufficient evidence.
This can lead to:
delays;
additional enquiries;
modifications to the report; or
in some circumstances, an inability to complete the engagement.
Providing complete records helps everyone.
Trust is the foundation of the profession
Every successful audit or review depends on trust.
Your committee trusts your accountant with sensitive information.
Your members trust the committee to protect that information.
The public trusts Chartered Accountants to maintain confidentiality while performing independent work.
These responsibilities are taken extremely seriously.
For most Chartered Accountants, confidentiality is not simply a legal requirement—it is part of our professional identity.
If your auditor or reviewer requests committee minutes, payroll records or other confidential documents, it should not be viewed as an invasion of privacy.
It is part of obtaining the evidence necessary to perform an independent engagement in accordance with Australian law and professional standards.
At the same time, those records are protected by strict confidentiality obligations, professional ethics and, where applicable, the Privacy Act 1988.
Independent assurance depends on both access and trust—and the accounting profession is built on protecting both.
Technical Note for Auditing Students
APES 110 – Confidentiality and Professional Behaviour
Why Confidentiality is Fundamental to the Audit Profession
One of the defining characteristics of the accounting profession is that clients entrust accountants and auditors with highly sensitive information. Payroll records, committee minutes, legal correspondence, bank account details, tax information, strategic plans and personal employee information are routinely provided during an audit or review engagement. Without confidence that this information will remain confidential, organisations would be reluctant to provide auditors with unrestricted access to their records.
Accordingly, APES 110 Code of Ethics for Professional Accountants identifies Confidentiality as one of the five Fundamental Principles that every professional accountant must observe.
Learning Objectives
After studying this technical note you should be able to:
Explain the principle of confidentiality under APES 110.
Identify when confidential information may be disclosed.
Distinguish confidentiality from privacy.
Understand the continuing duty of confidentiality after an engagement ends.
Explain the principle of professional behaviour.
Apply these principles to common audit situations.
1. The Fundamental Principle of Confidentiality
Section 114 of APES 110 requires professional accountants to respect the confidentiality of information acquired through professional and business relationships.
Confidentiality extends far beyond simply “not telling other people.”
It includes protecting information:
during an engagement;
after the engagement;
after leaving the employer;
after leaving the accounting firm.
The obligation exists regardless of whether the information is written, electronic or verbal.
Paragraph R114.1 – Practical Requirements
Professional accountants must:
✔ Maintain confidentiality of all client information.
✔ Be alert to accidental disclosures.
✔ Maintain confidentiality even during discussions with prospective clients.
✔ Never disclose confidential information unless authorised or legally required.
✔ Never use confidential information for personal advantage.
✔ Never assist another person to profit from confidential information.
✔ Continue protecting information after leaving an employer or firm.
✔ Ensure employees, contractors and experts engaged on the audit also understand their confidentiality obligations.
These requirements form part of the ethical framework expected of every Chartered Accountant.
2. Confidentiality is Broader than Privacy
Although the terms are often used interchangeably, confidentiality and privacy are not the same concept.
Confidentiality
Confidentiality is an ethical obligation imposed on professional accountants by APES 110.
It:
Applies to all client information, not just personal information.
Protects commercial, financial and strategic information.
Requires accountants to keep information confidential during and after an engagement.
Continues even after leaving a firm or employer.
Privacy
Privacy is a legal obligation imposed by the Privacy Act 1988 (Cth).
It:
Primarily applies to personal information about identifiable individuals.
Regulates how organisations collect, use, store and disclose personal information.
Protects individuals from the misuse of their personal information.
The Key Difference
A document can be confidential without containing any personal information.
For example:
An organisation’s strategic business plan.
Audit working papers.
Internal financial forecasts.
Tender pricing.
Proposed acquisition plans.
These documents may not fall within the Privacy Act but must still remain confidential under APES 110.
Conversely, employee payroll records, personnel files and customer databases may be protected by both the Privacy Act and the ethical duty of confidentiality.
Remember: Privacy is a legal concept that protects personal information. Confidentiality is a broader ethical obligation that protects all information obtained through professional relationships.
3. Accidental Disclosure
Paragraph R114.1 of APES 110 specifically requires accountants to be aware of inadvertent disclosure.
Common examples include:
discussing clients in public places;
speaking about engagements in lifts;
leaving audit files open on desks;
sending emails to the wrong recipient;
attaching the wrong document;
losing laptops or USB drives;
discussing clients with family or friends.
Modern confidentiality extends to:
Teams meetings
Zoom meetings
cloud storage
mobile phones
social media
AI tools.
The duty is proactive.
It is not enough to avoid intentional disclosure.
Accountants must actively prevent accidental disclosure.
4. When Can Confidential Information Be Disclosed?
Confidentiality is not absolute.
Paragraph 114.1 A1 of APES 110 recognises that disclosure may sometimes be appropriate.
Examples include:
A. Disclosure Required by Law
Examples include:
Court orders
Search warrants
Legislative reporting obligations
Anti-money laundering reporting
Certain fraud reporting obligations
B. Client Authorisation
Clients may authorise disclosure, for example:
providing information to bankers;
providing information to regulators;
sharing records with another accountant;
responding to funding body requests.
C. Professional Duty
Disclosure may also be necessary when:
CA ANZ performs a quality review;
a professional investigation occurs;
defending yourself in legal proceedings;
complying with auditing standards;
complying with APES standards.
Whenever disclosure is uncertain, APES 110 recommends seeking legal advice before releasing confidential information.
5. Confidentiality Continues Forever
Many students incorrectly assume confidentiality ends when the engagement finishes.
It does not.
The duty continues:
after resignation;
after retirement;
after changing firms;
after the client relationship ends.
Former clients deserve exactly the same confidentiality as current clients.
6. Professional Behaviour (Section 115, APES 110)
Professional behaviour requires accountants to comply with relevant laws and regulations while avoiding conduct that could discredit the profession.
The profession relies heavily upon public confidence.
Even behaviour outside the workplace may damage that confidence.
Professional behaviour includes:
honesty;
courtesy;
respect;
complying with legislation;
maintaining professional competence;
avoiding misleading conduct.
7. Advertising and Marketing
APES 110 specifically prohibits misleading promotion.
Professional accountants should not:
❌ exaggerate experience;
❌ overstate qualifications;
❌ claim expertise they do not possess;
❌ guarantee audit outcomes;
❌ make false comparisons with competitors;
❌ unfairly criticise other accountants.
Examples of inappropriate statements include:
“We are Australia’s best auditors.”
“Other accountants don’t understand charities.”
“Guaranteed clean audit.”
These statements damage public confidence in the profession.
Marketing should be factual, balanced and capable of substantiation.
8. Audit Example
During an audit of a sporting club, an auditor discovers that an employee has received a significant salary increase.
A friend later asks:
“How much does the manager earn these days?”
The auditor must refuse to answer. The information is confidential and cannot be disclosed merely because someone asks.
The answer remains the same even if:
the friend is a committee member of another organisation;
the auditor no longer acts for the club;
the information would not breach the Privacy Act.
The ethical duty of confidentiality still applies.
9. Key Examination Points
Students should remember:
Confidentiality is one of the five Fundamental Principles in APES 110.
Confidentiality protects more than personal information.
Privacy and confidentiality are not the same concept.
Confidentiality continues after employment or engagements end.
Disclosure is only appropriate when authorised, legally required, or permitted by professional duty.
Professional behaviour requires compliance with laws and conduct that enhances the reputation of the accounting profession.
Advertising must be truthful, objective and not bring the profession into disrepute.
Discussion Question
Scenario
During a review engagement, you discover that a committee member has approved unusually large reimbursements to themselves. After the engagement ends, another client asks whether they should appoint that individual as treasurer of their organisation.
Question
Under APES 110, can you disclose what you discovered during the previous engagement? Explain your answer by referring to the principles of confidentiality and professional behaviour, and discuss whether any exceptions permitting disclosure apply.
Further Reading
Chartered Accountants Australia and New Zealand, What Can I Share? Practical Ethics Advice Series.
APESB. APES 110 Code of Ethics for Professional Accountants (including Independence Standards). Sections 114–115.
https://apesb.org.au/standards-guidance/apes-110-code-of-ethics/
Privacy Act 1988 (Cth). Objects of the Act and Australian Privacy Principles.
https://www.legislation.gov.au/C2004A03712/latest/text
Academic References
APA 7th Edition
O’Connor, J. (2026, July 3). Access to records, confidentiality and the Privacy Act — Why trust matters in auditing. J O’Connor Pty Ltd. https://www.joconnorptyltd.com/blog/access-to-records-confidentiality-and-the-privacy-act
Harvard Referencing
O’Connor, J. 2026, Access to records, confidentiality and the Privacy Act — Why trust matters in auditing, J O’Connor Pty Ltd, viewed 3 July 2026, https://www.joconnorptyltd.com/blog/access-to-records-confidentiality-and-the-privacy-act.
AGLC4 (Australian Guide to Legal Citation)
Jason O’Connor, ‘Access to Records, Confidentiality and the Privacy Act — Why Trust Matters in Auditing’ (Blog Post, J O’Connor Pty Ltd, 3 July 2026) https://www.joconnorptyltd.com/blog/access-to-records-confidentiality-and-the-privacy-act.
Chicago Style
O’Connor, Jason. “Access to Records, Confidentiality and the Privacy Act — Why Trust Matters in Auditing.” J O’Connor Pty Ltd. July 3, 2026. https://www.joconnorptyltd.com/blog/access-to-records-confidentiality-and-the-privacy-act.