eBooks and iRecords – Director’s Duties in the Cloud
Cloud storage, cloud accounting packages and similar applications for communication and recording of information have changed the face of business forever. Before you run off to your lawyers in a panic, please read some of the following information.
While these advances have been beneficial to company directors who can discharge their duties at greater speed and from almost any location, we should pause for thought about whether or not these advances can potentially place directors in breach of their duties to the company.
Good commercial lawyers can explain and advise on Section 286 Corporations Act 2001 (Cth) (“Corporations Act”) requires the company to maintain records of financial information that accurately reflect the financial position of the company. The records can be kept electronically on the proviso that the electronic records can be converted into paper records within a reasonable time after a request is made (s288).
Pursuant to s289 the company can decide where to keep its financial records, however if they are kept outside of Australia the company is required to keep sufficient information to allow preparation of accurate financial information inside Australia; and notify ASIC of the place where the records are kept.
The cloud implications of this are clearly the location of the records. More often than not, the cloud server on which your data is stored will be located in a low-cost jurisdiction, generally not inside Australia. Financial information, pursuant as defined in s9 Corporations Act includes all source documents, statements, entries and adjustments in books of account.
If there are still physical archives here in Australia then the conditions of these provisions have been met. However, if the company has gone ‘paperless’ or completely digital it may be required to notify ASIC of the location where the electronic records are being kept.
Of course, in the pragmatic sense if the records can be accessed and printed out when requested it is unlikely to be an issue. However, s289 does not contain the same carve out for electronic records that s286 does.
Access and the Duty of Care and Skill
One of the most significant benefits of cloud-based applications is the ability to access it from anywhere and also to grant access to collaborators without having to reproduce physical records. However, the ease with which these services can be established can result in either too little access, or too much access.
Consider the situation where a new company has 3 directors and one of them has been charged with the responsibility of recording financial information. That director establishes a cloud accounting system in approximately 30 minutes and the next day the company bank is transferring live transaction information straight to the cloud software.
Physical documents like invoices and the like are kept on premises, but the cloud software is the only system that records and classifies the transactions so that the company’s financial position can be established. After the 3 directors have a falling out, they decide that they will remove the first director and hire an accountant. It is at this point they realise that only that first director has access to the cloud accounting software.
Additionally, because of the private agreement nature of the terms and conditions of the cloud service provider, they will not release any information to any person other than the nominated account holder.
Section 180 Corporations Act requires directors to execute their obligations with the required amount of care and skill. In Macdonald certain directors were found wanting of such care and skill in circumstances where they were told all directors were in agreement, but failed to actually confirm that state of affairs.
In our example above, it is likely that the directors have failed in their duty because the situation could have been avoided by implementing some internal controls. The result of failing to do so is likely a very expensive reconstruction of accounts from the source documents.
On the other side of the spectrum, a lack of policies and internal controls could result in access to the company’s information being inadvertently, or intentionally granted to a competitor or another party that should not be in possession of it.
Consequently, it is incumbent upon directors utilising cloud service to ensure that their storage and access systems are compliant with the Corporations Act. Further, they should devote time to designing and implementing proper systems and controls that will avoid access to the company information being compromised.