Submitting breach reports on the portal
Registered company auditors are now required to report contraventions and suspected contraventions of the Corporations Act 2001 to ASIC via the ASIC Regulatory Portal. Submitting breach reports via the portal features mandatory fields designed to help auditors comply with their obligations to report breaches.
Important note: there are no changes to the ongoing breach reporting obligations for registered company auditors to report breach as a result of this change to the lodgement process.
Navigate to the sections below for more information on specific topics.
- How the transactions work
This section covers restricting access to transactions in the portal, saving and editing draft breach reports, and how you can download a PDF version of a breach report.
- More information captured upfront
This section covers some of the key information you will be asked to provide ASIC as part of the breach report transaction. This includes the details about the nature, extent, remediation and rectification of the breach.
- Invite trusted representatives to transact in the portal on your behalf
This section covers how to invite others to act on your behalf in the portal, including how to set their access level.
The forms in the portal are known as transactions. They feature a common design and functionality. When you answer a question in a transaction, you may be requested to provide information specific to your response. This conditional logic ensures that appropriate questions are tailored to the specific details of the breach you are reporting.
About the transaction
Key information is displayed on a landing page before you begin the transaction including:
- Legislative references
- Lodgement periods
- Documents you may need to attach to the transaction
- Links to regulatory guides and related information
- Privacy information.
Restricting access to transactions
When you launch a breach report transaction (or any other transaction) in the portal you will first be asked if you want to restrict access to it on the transaction settings page.
To restrict access, click Yes – restrict access. This will take you to a set restrictions page, which allows you to select users who can access the transaction.
If you choose not to restrict access, all users connected to the account will have access to the transaction. If you choose to restrict access, only users you select will be able to access the transaction.
Once you have set these restrictions, you can add or remove users later.
For more information on restricting access to transaction see the Forms and transactions section on the FAQ page. For more information on how to invite someone to connect to your account and user access levels, see the Administration section on the FAQ page.
The breach report transaction has up to 10 sections. The total number of sections you need to complete will depend on the circumstances of the suspected breach. You will need to complete the sections of the transaction sequentially.
Save a draft, come back later
If you do not have the information required at hand, you can save the transaction as a draft and return later to complete it.
Multiple people can contribute to the draft, provided they have been given access to edit the transaction.
You can access your drafts from the ‘View all transactions’ page in the portal – where you can then click on an individual transaction. This will take you to a detailed view for that transaction. From here you can continue with the transaction by selecting the ‘Continue transaction’ button.
For more information on providing access to a transaction see the Forms and transactions section on the FAQ page. For more information on how to invite someone to connect to your account, see the Administration section on the FAQ page.
Download a PDF version
Breach reports that have been submitted via the portal can also be viewed or downloaded in PDF format at any time.
Submitting breach reports via the portal will feature mandatory fields and other questions designed to help registered company auditors comply with their obligations to report breaches. Examples of the type of information that is required from the breach report transaction are outlined below.
You will be required to confirm some current details – some of which will be pre-filled.
Based on your knowledge, you will be required to provide details about the date of the breach or suspected breach. Depending on the type of breach and the information you provide, you may be required to specify:
- When the breach or event first occurred.
- The last instance of the breach or event occurring.
- When you first became aware of the issue.
- Whether or not the breach is continuing.
Nature of the breach
There are categories to choose from to help you describe the nature of the breach.
You will be asked to specify, based on your knowledge, the cause/s of the issue/potential breach.
You will need to specify the name of the Rule or Act and relevant section(s) under the Act.
Rectification/remediation of the issue
If the organisation has rectified the issue, you will need to select how they have done so, based on your knowledge.
There are several other questions relating to the rectification/remediation of the issue including:
- Has the entity/licensee undertaken measures to prevent future issues form occurring?
- Are you aware of preventative measures that the auditor/entity/licensee will undertake to prevent similar issues occurring in future?
- Has the entity/licensee completed a remediation process for affected consumers (if applicable)?
- Are you aware of the date (or approximate timeframe) in which the remediation process will be completed?
Reduced need to attach supporting documentation
There will be limited requirement to attach documentation as part of the transaction. Most of the information ASIC requires will be asked for within the transaction.
The lead auditor or the auditor signing the audit report should submit the breach report through their portal user account. The lead auditor can invite a trusted representative to act on their behalf in the portal.
If you would like someone to act on your behalf in the portal, you first need to invite them to connect to your account. Only a user with Senior administrator or Administrator Access level can invite other users to connect.
For more information on how to invite someone to connect to your account, see the Administration section on the FAQ page.
Setting access levels
When inviting someone to connect to your account you can define user access levels that control what others can do on your behalf. For more information on how to invite someone to connect to your account and user access levels, see the Administration section on the FAQ page.
For more information, including on how to invite someone to connect to your account and user access levels, see the Administration section on the FAQ page.