Buy Now
$799 + GST

BAS agents are prime targets for credential theft.

Criminals know that one set of compromised bookkeeper credentials can unlock access to dozens—sometimes hundreds—of client businesses. Your ATO portal login isn't just a password; it's a gateway to lodge fraudulent BAS refunds, change bank details, and steal money from every client you service.

BAS fraud losses are in the millions. The scam is simple: steal your credentials, lodge inflated BAS refunds, redirect the money to criminal accounts. By the time the ATO reverses it, the money is gone—and your clients are asking why you let this happen. Some bookkeepers have lost their entire client base overnight.

The TPB and Privacy Act have real consequences.

As a registered BAS agent, you're bound by the Code of Professional Conduct. The TPB has made clear that maintaining appropriate security over client information is part of your professional obligations—and investigations can result in suspension or termination of your registration. The Privacy Act adds another layer: penalties for failing to protect personal information can reach $50 million. "I didn't know" won't save your registration or protect you from fines.

Working from home? Working from client sites? The risks multiply.

Many bookkeepers work across multiple locations—home offices, client premises, shared workspaces. Each location is another opportunity for credentials to be stolen, devices to be compromised, or sensitive data to be exposed. Do you know if your setup is actually secure?

Xero, MYOB, QuickBooks—your accounting software is a target too.

It's not just the ATO portal. Attackers who compromise your accounting software access can see bank feeds, create fraudulent invoices, and manipulate financial records. Multi-factor authentication, strong passwords, and proper access controls aren't optional anymore.

This health check is built specifically for bookkeepers and BAS agents.

Plain-English questions covering ATO portal security, accounting software protection, client data handling, email security, phishing recognition, and the specific risks of working across multiple locations. No technical jargon—designed so any bookkeeper can complete it and understand the results.

What you get:

  • 67 Plain-English Questions: Specific to bookkeepers and BAS agents—no technical knowledge required
  • Clear Security Score: See exactly where you're protected and where you're exposed
  • Prioritised Actions: Gaps ranked by risk with specific steps to fix each one
  • Professional Reports: Comprehensive Word report with scores, recommendations, and improvement plan

What You Receive

Every assessment generates a comprehensive report. Download a sample below.

Summary Report

Plain-English findings with scores, prioritised improvement plan, risk associations, and resources

Download Sample

Complete it in about 60 minutes. No technical knowledge required. Your data never leaves your device.

Who is this for?

Registered BAS agents, contract bookkeepers, and bookkeeping practices. Whether you work solo from home, visit client sites, or run a small team—if you handle client financial data and ATO portal access, this health check is designed for you.

AI-Powered

Your Assessment Includes a Personal AI Security Advisor

Two AI assistants are built into the tool — one to help you during the assessment, one to help you make sense of your results. Like having a security professional on call.

During the assessment

Not sure what a question is asking? Just ask.

Every question in the assessment has an AI helper built in. Tap it and ask anything — "What does this question actually mean?", "Can you give me an example?", "Why does this matter for my business?" — and you'll get a plain-English explanation instantly.

  • Explains technical concepts in everyday language
  • Gives real-world examples relevant to your industry
  • Never suggests how to answer — just helps you understand
  • No technical background required to complete the assessment

After you finish

Your Personal Security Advisor — available the moment you see your results.

Once your results are in, an AI security advisor has your full assessment in front of it and is ready to answer any question about what it means — in plain English, as if you're talking to a security professional.

  • "Explain my highest risk gap in simple terms"
  • "Walk me through how to fix action #3"
  • "Which gaps are easiest to fix myself?"
  • Ask anything — your advisor knows your specific results

No consultants. No jargon. No guesswork.

For the first time, small businesses get the same quality of guidance that used to cost hundreds of dollars an hour — built directly into the assessment.

Get the Bookkeeper Cyber Health Check


Common Questions

Why are bookkeepers and BAS agents targeted by cyber criminals?

Bookkeepers and BAS agents hold direct access to client ATO portals, bank feeds, payroll systems, and financial accounts. Criminals target bookkeeper credentials specifically because one compromised login can provide access to multiple client businesses simultaneously. BAS fraud — where criminals redirect GST refunds to their own accounts — is a growing threat that directly implicates the bookkeeper's systems.

What obligations do BAS agents have around cyber security?

The TPB Code of Professional Conduct requires registered BAS agents to take reasonable steps to protect client information and maintain the integrity of the tax system. The Privacy Act applies to BAS agents who collect personal information. ATO's Online Services for Agents requires practitioners to protect their myGovID credentials and report suspected compromises promptly.

What does the Bookkeeper Health Check cover?

The health check covers myGovID and ATO portal security, cloud accounting software access controls, bank feed and payment system security, client data handling practices, email security against phishing, backup procedures, and incident response planning for BAS agents and bookkeeping practices.

What do I receive after completing the health check?

You receive a professional Word report with an overall score and prioritised action list. Recommendations are specific to bookkeeping practice risks — not generic IT advice. The report is suitable for sharing with your PI insurer or keeping on file as evidence of TPB compliance.


Further Reading


Cyber Security for Bookkeepers and BAS Agents

Why bookkeepers are prime targets for ATO portal fraud, what the TPB requires, and the specific steps that protect your practice and your clients.
