APP 1.7 Scorecard · {{firm_name}}
{{days_until_app17}} days to APP 1.7
Stage 1 of 4 · Welcome
Setup → 3 Questions → Findings → Full Report
{{practitioner_initials}}
A note from {{practitioner_first_name}}
Before you start the assessment
Welcome to your Attesta scorecard, {{firm_name}}. Two things before you start.

The bar has shifted. Until now, a privacy lawyer could write your policy alone. From December, you have to show how AI tools handle client information — and a lawyer alone can't answer that. Nor can your IT lead. That's the work {{partner_practitioner_first_name}} and I do.

We've already done the consultant part. We've read {{firm_name}}'s privacy policy and mapped the AI and automated tools in your stack. What's left is yours — confirm or correct what we found.

{{practitioner_full_name}}
APP 1.7 Practitioner · Attesta
Before you start
Firm
{{firm_name}}
Your name
{{primary_contact_full_name}}
Email
{{primary_contact_email}}
Your scorecard journey
~8 minutes of your time
1
1 min · Now
Welcome briefing
2
3 min
Three questions
3
2 min
Your findings
4
48 hours
Signed report
First question loads next · We'll email a resume link to {{primary_contact_email}}
Resume link sent to your email. You can pick up where you left off anytime.
AI tool inventory
Question 1 of 10

Which AI or automated tools are currently in use at {{firm_name}}?

For each tool below, tell us whether it's currently in use. Tools we don't ask about — add them at the bottom.

APP 1.7 applies to every computer program your organisation has arranged to use that makes or contributes to decisions affecting clients — including programs provided by external vendors. The disclosure obligation is tool-by-tool. The count and identity of in-scope tools determines the scope of every other obligation under APP 1.7.
Source: Privacy and Other Legislation Amendment Act 2024 (Cth), Schedule 1, clause 1.7(a) and section 89(a).
Back-office accounting stack
AI assistants
Tools your firm uses
Detected in your firm's public technology footprint
Most firms run on more than this.
Firms in your space typically use a dozen or more tools regularly — Otter, Notion AI, Fireflies, Asana, Practice Ignition, Karbon, and many others — that handle real client data every day. Under APP 1.7, every one of them needs to be accounted for. Add what your team uses below.
0 in use · 0 not in use · 0 unsure · 0/0 reviewed
How confident are you that this list is complete?
Required to continue
Most accounting firms underestimate their AI tool footprint by a factor of two or three. Embedded AI features in tools already in use rarely make the official software list. Your confidence here shapes how we frame the gap in your report.
Question 1 of 10 · Next: Personal information
Personal information
Question 2 of 10

Do any of your AI or automated tools process personal information about {{firm_name}}'s clients?

Personal information means any information that identifies an individual — names, contact details, Tax File Numbers, financial circumstances, identity documents. If any of these passes through a tool, even briefly, the tool is in scope.

APP 1.7 only applies where personal information about the individual is used in the operation of the computer program. If no personal information passes through a tool, the law does not apply to that tool. But if personal data passes through it at any point — even occasionally — the full disclosure obligation applies.
Source: Privacy and Other Legislation Amendment Act 2024 (Cth), Schedule 1, clause 1.7(c); Privacy Act 1988 (Cth), section 6(1) — definition of personal information.
After reviewing {{firm_name}}'s privacy policy
{{q2_finding_text}}
Select the option that best describes {{firm_name}}
Question 2 of 10 · Next: Privacy policy AI disclosure
Privacy policy — AI disclosure
Question 3 of 10

Does {{firm_name}}'s privacy policy name each AI or automated tool you use?

The standard is naming each tool individually — not mentioning AI generally. A statement like "we use AI and automated systems" does not satisfy the obligation.

APP 1.7 and 1.8 require each in-scope tool to be individually disclosed in your privacy policy — with specific information about what it does, what personal data it uses, and how clients can seek review. Generic statements do not satisfy the obligation. The OAIC has made this the primary standard it checks.
Source: Privacy and Other Legislation Amendment Act 2024 (Cth), Schedule 1, clauses 1.7 and 1.8(a)-(c); OAIC ADM Report, January 2026 — zero of 23 agencies reviewed achieved better practice.
After reviewing {{firm_name}}'s privacy policy
{{q3_finding_text}}
Select the option that best describes {{firm_name}}
Question 3 of 10 · Next: See your findings

You're four minutes in. Here's what happens next.

You clicked into the AI Governance Scorecard from our analysis of {{firm_name}}. Three questions in, we now have your side of the story.

The next page is a preview of your full assessment: your answers set against our policy review and technology footprint analysis. You'll see the gap that closes on 10 December 2026, and you'll see exactly what's in the full report before you pay for it.

Assessment paused — 3 of 10

What you know about {{firm_name}} — and what you don't.

Q1 · Tools in use
Your AI footprint
You said
8 tools reported.
We found
{{q1_paywall_we_found_text}}
Almost certainly
Personal ChatGPT accounts processing client files.
We'd fix it
Get an underwriter-approved tool register.
Cross-check & survey. Done in 7 days.
Costs you
Your next PI renewal. A 'no' from the underwriter wipes out partner drawings.
Q2 · Personal information
Where client data flows
You said
"Haven't mapped it."
We found
{{q2_paywall_we_found_text}}
Almost certainly
Client data on vendor servers under terms no one's read.
We'd fix it
Build a Quality Review evidence pack.
Tool-to-data map & template DPAs.
Costs you
A CA ANZ Quality Review. Reviews examine all partners, not just one.
Q3 · Policy disclosure
Your public position
You said
"Policy doesn't mention AI."
We found
Policy pre-dates the APP 1.7 draft.
Almost certainly
Three partners giving three different answers.
We'd fix it
Give every partner the exact same answer to give.
Policy module & 1-page client FAQ.
Costs you
An OAIC determination. Permanent & searchable by future clients.
Stop here? Take a free 3-page PDF — full sources, citations, roadmap.
If you walk away today
The free PDF, plus updates as APP 1.7 approaches
A 3-page summary PDF with the three findings above — full sources, regulatory citations, remediation paths
The other 7 findings stay locked in the PDF — yours to unlock anytime by completing the assessment
Keep me updated on APP 1.7 and Australian privacy law changes. Practitioner notes from Attesta — OAIC guidance, enforcement actions, and policy updates as commencement approaches. Untick to opt out.
What's still ahead
7 questions · 9 findings locked
Q4
Of your 8 tools, 3 contribute substantially to client decisions. The most material is
Q5
Substantive update path before 10 December 2026: 4 of 6 mandatory disclosure modules required. Most urgent is
Q6
No human-review path for automated decisions — your current contact directs clients to a generic inbox. The fix is
Q7
4 of your 8 tools store client data outside Australia. Countries include United States, Ireland, and
Q8
No documented governance for adopting new AI tools — policy falls out of compliance each time a tool is added
Q9
Your policy names a generic Privacy Enquiries inbox — APP 1.4(d)(e) requires
Q10
Regulatory history scan complete. Your penalty exposure under s.13G calculated at $X based on revenue band
PDF
Plus a 12-page practitioner-signed report — executive summary, priority action register, delivered in 48 hours.
What you get for $497
A signed compliance position, in 48 hours
The remaining 7 questions, each with a practitioner-written finding
12-page report covering executive summary, domain analysis, priority action register, and gap to defensible position
Signed by Rae & Sam — practitioner accountability for the findings
Delivered to your inbox within 48 hours — no calls, no chasing