Stransact Blog

Blog

  • ICFR Is Already Here: Is Assurance Being Executed as Intended?

    ICFR Is Already Here: Is Assurance Being Executed as Intended?

    As assurance becomes more routine, it may be worth pausing to reflect on whether execution, scope, and reported assurance levels remain coherently aligned.
    Sharing a governance reflection below.

    Internal Control over Financial Reporting (ICFR) is now firmly embedded in Nigeria’s financial reporting framework under the oversight of the Financial Reporting Council of Nigeria (FRCN). As ICFR assurance becomes more routine, a natural governance question arises for Boards, CFOs, and Audit Committees: does the way ICFR assurance is being executed reflect the assurance level ultimately reported?

    This is not a technical debate, but rather, it is a governance consideration that goes directly to proportionality, cost discipline and expectation setting between auditors and Boards, and the credibility of what ICFR assurance communicates to the market.

    The Significance of the Limited Assurance Starting Point

    From inception, ICFR assurance in Nigeria was deliberately framed as a limited assurance engagement under ISAE 3000 (Revised). That design reflected regulatory judgement balancing improved governance oversight against market readiness, implementation burden, and cost efficiency.

    A limited assurance model is intended to:

    • provide moderate assurance in negative form, using procedures less extensive than those required for reasonable assurance; and
    • avoid conclusions that imply sustained operating effectiveness comparable to US SOX style regimes.

    This starting logic is important, as it defines both what ICFR assurance is designed to achieve and what it is not.

    What the Independent ICFR Attestation Report Signals

    Independent ICFR attestation reports consistently emphasize three elements:

    • negative form conclusions (“nothing has come to our attention…”).
    • explicit acknowledgment that procedures performed are less extensive than those required for reasonable assurance; and
    • clear differentiation between limited and reasonable assurance.

    These disclosures are not incidental. They establish the boundary conditions of the engagement and shape market expectations about the level of comfort being provided.

    From a governance perspective, this framing naturally prompts a simple question: should the experience of an ICFR review materially exceed what the final report itself can support?

    Where Practical Tensions Arise

    In practice, ICFR engagements often involve procedures that feel more extensive than what stakeholders typically associate with limited assurance. Operating effectiveness activities are frequently embedded within ICFR workstreams.

    Such procedures are well understood and entirely appropriate when used deliberately to support audit reliance strategies under ISA 330. However, they serve a specific audit objective and are not intrinsically required to support a negative assurance of ICFR conclusion.

    This raises a legitimate governance reflection:

    If an ICFR engagement culminates in a limited assurance conclusion regardless of whether operating effectiveness exceptions are identified, how should Audit Committees interpret the role and necessity of those procedures?

    The issue is not whether such work can be performed, but whether it is essential to the assurance outcome being reported.

    Proportionality, Cost, and Clarity

    As ICFR becomes more embedded, Boards and management increasingly bear the cost of ongoing assurance activity. With that comes a fiduciary obligation to ensure proportionality.

    From a governance standpoint:

    • assurance scope should be clearly traceable to stated objectives.
    • methodology choices should be distinguishable from mandatory requirements; and
    • cost should align with the level of assurance ultimately expressed to the market.

    Where these lines blur, there is a risk that ICFR assurance evolves through habit rather than deliberate governance intent.

    A Forward-Looking Question for the Nigerian Market

    The evolution of practice also raises a broader policy question—one that may become unavoidable over time:

    If ICFR execution increasingly resembles reasonable assurance behaviour in substance, should the assurance level remain limited in form?

    Conversely, if limited assurance remains the intended endpoint, what additional discipline is required to ensure that execution remains consistent with that intent?

    These are not questions for auditors alone. They fall squarely within the responsibility of regulators, Audit Committees, and Boards charged with safeguarding reporting integrity and cost efficiency.

    Closing Reflection

    ICFR assurance should mean exactly what it states in the report — no more, no less.

    As ICFR practices mature, the real test of governance will not be how much work is performed, but how deliberately assurance scope, assurance level, and cost are aligned. When execution quietly exceeds what reporting can support, clarity is lost, accountability weakens, and value becomes harder to demonstrate.

    For CFOs and Audit Committees, the task ahead is neither resistance nor automatic acceptance. It is intentional oversight returning to first principles, interrogating scope with precision, and ensuring that ICFR assurance evolves as a disciplined governance tool, not a matter of habit or momentum.

    In that discipline lies both credibility and confidence.

    Written by Akeem Taofik – Director, Governance, Risk and Compliance

  • Stransact and Doftwerks Achieve ISO/IEC 27001:2022 Certification, Setting the Benchmark for Secure NRS E-Invoicing in Nigeria

    Stransact and Doftwerks Achieve ISO/IEC 27001:2022 Certification, Setting the Benchmark for Secure NRS E-Invoicing in Nigeria

    Stransact, a leading professional services firm and RSM correspondent in Nigeria, together with its technology subsidiary, Doftwerks, has achieved ISO/IEC 27001:2022 certification, the globally recognised standard for information security management systems (ISMS).

    This milestone affirms the firms’ adherence to the highest international standards for data protection, confidentiality, integrity, and availability, and positions Stransact and Doftwerks at the forefront of secure, enterprise grade compliance solutions supporting Nigeria’s Nigeria Revenue Service (NRS) e invoicing mandate.

    ISO/IEC 27001:2022 is regarded as the gold standard for information security governance, requiring organisations to implement rigorous controls across people, processes, and technology. Certification confirms that Stransact and Doftwerks have established a comprehensive, independently audited framework to identify, manage, and mitigate information security risks across all operations.

    “ISO/IEC 27001:2022 certification is not a badge; it is an operating discipline,” said Eben Joels, Managing Partner at Stransact. “For our clients—particularly CFOs, CIOs, and compliance leaders—this provides board level assurance that sensitive financial and transactional data is protected in line with the most demanding global standards. It also reinforces our commitment to supporting the NRS e invoicing regime with solutions that are not only compliant, but secure by design.”

    As Nigeria advances the implementation of mandatory electronic invoicing, data security and system resilience have become critical concerns for businesses operating at scale. Through Doftwerks, Stransact delivers technology enabled compliance solutions that integrate seamlessly with enterprise finance systems while meeting regulatory and security expectations.

    “Security is foundational to trust in any digital tax infrastructure,” said Tunde Awopegba, Chief Technology Officer at Doftwerks. “This certification validates the robustness of our platforms and internal controls, and gives clients confidence that their data is handled with the same level of care expected in leading global markets.”

    What the Certification Means for Clients

    The ISO/IEC 27001:2022 certification provides tangible benefits to organisations engaging Stransact and Doftwerks, including:

    • Regulatory confidence in meeting NRS e invoicing and broader data protection expectations
    • Reduced information security risk across financial, tax, and transactional data
    • Enterprise grade governance and controls aligned with international best practices
    • Assurance for boards, investors, and regulators on data integrity and confidentiality
    • A trusted partner for organisations operating in highly regulated or data sensitive environments

    By embedding information security into service delivery and technology architecture, Stransact and Doftwerks continue to differentiate themselves as trusted advisors at the intersection of regulation, technology, and risk management.

    About Stransact

    Stransact is a multidisciplinary professional services firm providing audit, tax, advisory, transaction support, and regulatory compliance services to local and international clients. As an RSM correspondent firm in Nigeria, Stransact combines deep local expertise with global standards to support organisations navigating complex regulatory and business environments.

    About Doftwerks

    Doftwerks is the technology subsidiary of Stransact, delivering secure, scalable digital solutions across tax compliance, finance transformation, and regulatory technology. The firm specialises in building enterprise grade platforms that align with both Nigerian regulatory requirements and international best practices.

  • 5 Must-Reads for Forward-Thinking Leaders

    5 Must-Reads for Forward-Thinking Leaders

    At Stransact, we remain aligned to the ever-evolving landscape of business, regulation, and industry developments. Our weekly insights are designed to equip you with the foresight and clarity to make informed decisions and lead with impact.

    Filing your Personal Income Tax (PIT) is more than a statutory obligation; it’s a fundamental civic duty that supports national development. Learn the essentials of PIT compliance, common pitfalls to avoid, and how to ensure you stay on the right side of the law with ease.
    Read the article

    Nigeria’s e-invoicing rollout marks a decisive shift toward a transparent, efficient, and digitally governed tax system. Explore how this reform is backed by statutory authority and phased implementation that will reshape how businesses document, validate, and report transactions.
    Read the article

    For many insurers, IFRS 17 has long been seen as a complex reporting requirement. However, market leaders are shifting perspective, treating it as a management system rather than just an accounting standard. Discover how forward-thinking organizations are leveraging IFRS 17 to enhance decision-making, improve financial transparency, and gain a competitive edge.
    Read the article

    A tax system that commands respect is one built on predictability, transparency, and the rule of law. Understand the implications of Nigeria’s evolving tax laws and what they reveal about the balance between regulatory authority and taxpayer rights.
    Read the article

    Data protection is no longer optional; it’s a critical business priority. Discover why proactive organizations investing in strong data protection frameworks today are positioning themselves for long-term success in an increasingly digital economy.
    Read the article

    Follow Stransact for weekly insights on the future of business, finance, and regulation in Nigeria.

  • IFRS 17 in Nigeria: The Shift from Compliance Burden to Strategic Advantage

    IFRS 17 in Nigeria: The Shift from Compliance Burden to Strategic Advantage

    As insurers move further into their IFRS 17 journey, one thing is now clear: The conversation has moved beyond compliance. The real question is: “How do we turn IFRS 17 into a competitive advantage?”

    Across Nigeria, insurers have now completed at least one full-year reporting cycle under IFRS 17 (2023 FY) consistent with global adoption timelines and transition activity already reported by Nigerian insurers such as Leadway Assurance and others; the insights emerging from the 2024 and 2025 cycles show a striking pattern: The market leaders are the companies treating IFRS 17 as a management system, not an accounting project.

    Why IFRS17 Matters More in Nigerias 2026 Economy

    With FX volatility, inflationary pressure, higher discount rates, and rising capital costs, the insurance sector needs a clearer economic lens. IFRS 17 provides exactly that by:

    • Replacing premium‑based revenue with service‑based revenue
    • Converting unearned profit into a visible liability: the Contractual Service Margin (CSM)
    • Requiring cohort‑level discipline that exposes pricing strength (or weakness) early
    • Improving comparability and investor confidence through consistent reporting

    This is the level of transparency global investors and rating agencies expect.

    Read more: Your Tax, Your Responsibility: A Practical Guide to Personal Income Tax Filing in Nigeria

    The Biggest Mindset Shift: From Premium Volume → To Earned‑Value Profitability

    Under legacy accounting, profitability could be flattered by cash inflow.
    Under IFRS 17, this disappears.

    Instead, finance leaders now get:

    • CSM as a forward‑earnings reservoir

    It tells the truth about long‑term profitability, not just what happened this quarter.

    • Risk Adjustment as a volatility indicator

    A direct measure of uncertainty and risk appetite.

    • Coverage Units as the engine of profit release

    A methodology that needs strong governance and clear Board oversight.

    Where the Winners Are Emerging: CFOs Who Treat IFRS17 Data as Strategy

    The best‑performing insurers are using IFRS 17 insights to:

    1. Refine product pricing before underpricing becomes a balance‑sheet problem
    2. Redesign reinsurance treaties using CSM, RA and cohort analytics not negotiations alone
    3. Strengthen claims performance through clearer loss‑component identification
    4. Improve capital planning and dividend forecasts with more predictable earnings visibility
    5. Communicate with Boards and investors using business‑ready IFRS 17 dashboards instead of technical jargon

    These are the companies moving from compliance to competitive edge.

    Audit Reality: Integration Is the Make‑or‑Break Factor

    Across the 2025/2026 audit cycles, we’ve seen one constant:

    Where actuarial engines and finance systems are not aligned, IFRS 17 becomes a reconciliation nightmare. But where integration is strong:

    • Month‑end closes improve
    • Audit exceptions reduce
    • Regulatory questions are easier to answer
    • CFOs spend time on strategy, not troubleshooting

    This is where real value is unlocked.

    Read more: NRS Rolls Out Nationwide E-Invoicing Regime What It Means for Nigerian Businesses

    The Leadership Imperative for 2026

    IFRS 17 is not just a technical standard. It is a leadership standard. To lead in today’s market, finance executives must:

    • Treat CSM movement as a strategic KPI
    • Build a unified Actuarial–Finance “single source of truth”
    • Define Board‑friendly dashboards for CSM, RA, and cohort profitability
    • Link IFRS 17 insights into pricing, capital, claims, and reinsurance
    • Strengthening governance around coverage units and assumption changes

    This is how insurers differentiate themselves as the market consolidates and competition intensifies.

     Call to Action for CFOs & Finance Directors

    As we head into the 2026 reporting cycle, ask yourself:

    • Are you leveraging IFRS 17 to reshape your profit story or only to comply?
    • Is your CSM movement aligned with strategic decisions?
    • Are actuarial and finance speaking the same language?
    • Do your Board and investors understand your IFRS 17 narrative?
    • Are you using IFRS 17 data to drive pricing, capital allocation, and reinsurance strategy?

    If you see breakthroughs or friction points, we did love to hear them.

    Drop your insights in the comments or send us a mail at [email protected]. Let’s turn IFRS 17 from a requirement into a strategic weapon for the Nigerian insurance industry.

  • Your Tax, Your Responsibility: A Practical Guide to Personal Income Tax Filing in Nigeria

    Your Tax, Your Responsibility: A Practical Guide to Personal Income Tax Filing in Nigeria

    Filing your Personal Income Tax (PIT) in Nigeria is more than a statutory obligation, it is a fundamental civic duty. It ensures that individuals contribute equitably to national development while protecting themselves from the legal and financial consequences of non‑compliance. Whether you are a salaried employee, a business owner, or earn income from multiple sources, understanding your personal tax obligation is essential.

    With the annual PIT filing deadline set for 31 March, this guide provides a clear and practical overview of:

    • Who is required to file a return
    • How and where to file
    • Key documentation required
    • The consequences of non‑compliance under the Nigeria Tax Administration Act, 2025

    Read more: How to File Your Personal Income Tax in Nigeria: A Step-by-Step Compliance Guide

    Who Is Required to File Personal Income Tax?

    In Nigeria, every taxable person is required to file an annual Personal Income Tax return, regardless of whether tax has already been deducted at source.

    1. Employees under the PAYE System

    If you are in paid employment, your employer deducts tax monthly under the Pay‑As‑You‑Earn (PAYE) system and remits it to the relevant State Internal Revenue Service (IRS). However, PAYE deductions do not eliminate your obligation to file an annual return.

    An annual filing is required to formally declare your income and confirm your tax position. Additional tax may become payable where:

    • You earned income outside your employment (e.g. rental income, consulting fees, investments), or
    • Your employer under‑deducted tax during the year.

    1. Self‑Employed Individuals and Business Owners

    If you are self‑employed such as a freelancer, consultant, contractor, or business owner, no taxes are deducted on your behalf. You are therefore personally responsible for:

    • Computing your tax liability
    • Paying the tax due
    • Filing your annual Personal Income Tax return

    Failure to do so exposes you to penalties and limits your access to important business and financial opportunities.

    Read more: Avoid These Payroll Penalties: What Every Nigerian Employer Should Know

    Step‑by‑Step Guide to Filing Personal Income Tax

    Step 1: Determine Your Tax Residency

    Your tax residency determines where you are required to file and pay tax.

    • Resident Individuals

      If you live or work in a Nigerian state for 183 days or more in a year, you are deemed resident in that state and must file with its State IRS. An individual is also deemed to be resident in Nigeria if any of the following is met:

    • They serve as a Nigerian diplomat, diplomatic agent, or government employee posted abroad, OR
    • They have a permanent home available in Nigeria for domestic use, OR
    • They have a habitual place of abode in Nigeria, OR
    • They are a Nigerian who earns income from employment or business exercised wholly or partly in Nigeria, OR
    • They have substantial economic and immediate family ties in Nigeria.

    • Non‑Residents

      These are individuals who do not meet any of the above criteria for determining residency. However, Individuals living outside Nigeria but earning income sourced from Nigeria may still have Nigerian tax obligations, subject to applicable tax rules.

    Step 2: Compute Your Taxable Income

    Your taxable income includes all income earned during the year, such as:

    • Salaries, wages, bonuses, allowances, and commissions
    • Business or professional income
    • Rental income
    • Investment income (dividends, interest, etc.)
    • Any other taxable income earned within the year

    Nigeria operates a progressive tax system, meaning higher income attracts higher tax rates but only on the portion of income that falls within each tax band.

    Step 3: Pay the Tax Due

    Once your tax liability has been determined, payment can be made through any of the following channels:

    • Your State Internal Revenue Service’s online portal
    • Bank deposits using the appropriate state revenue code
    • Remita or other government‑approved payment platforms

    It is critical to retain proof of payment, as this will be required during filing and for future tax verification.

    Step 4: File Your Annual Tax Return (On or Before 31 March)

    By law, individuals must file their Personal Income Tax returns on or before 31 March each year, covering income earned in the preceding year.

    To file, you will typically need:

    • Pay slips or income statements.
    • Financial statements (for business owners).
    • Bank statements (where applicable).
    • Rental agreements (if applicable).
    • Investment documentation.
    • Evidence of tax payments made.

    Returns may be filed through:

    • Your State IRS e-filing portal.
    • Physical submission at the State IRS office.
    • Completion and submission of the Taxpayer Self‑Assessment Form (Form A) available on your State IRS website.

    Read more: NRS Rolls Out Nationwide E-Invoicing Regime What It Means for Nigerian Businesses

    Tax Clearance Certificate (TCC): Why It Matters

    Upon filing and settling your taxes, you may apply for a Tax Clearance Certificate (TCC). A TCC is official evidence that your tax affairs are in order and is commonly required for:

    • Government contracts and tenders
    • Business registration and regulatory approvals
    • Visa and immigration applications
    • Loan and credit facilities
    • Property and high‑value transactions

    Without proper tax filing, obtaining a TCC can be delayed or denied.

    Penalties for Late or Non‑Filing

    Section 101 of the Nigeria Tax Administration Act, 2025 provides that a taxable person who fails to file returns, or knowingly files incomplete or inaccurate returns, is liable to administrative penalties as follows:

    • ₦100,000 for the first month of default, and
    • ₦50,000 for each subsequent month the failure continues

    These penalties apply irrespective of whether tax is eventually paid.

    Conclusion

    Personal Income Tax compliance is not merely a regulatory formality. It safeguards you from penalties, strengthens your financial credibility, and unlocks access to critical personal and business opportunities. Proactive compliance today prevents costly consequences tomorrow.

    Your tax. Your responsibility. Your compliance.

  • NRS Rolls Out Nationwide E-Invoicing Regime What It Means for Nigerian Businesses

    NRS Rolls Out Nationwide E-Invoicing Regime What It Means for Nigerian Businesses

    Nigeria has entered a decisive new phase in tax administration. The Nigeria Revenue Service NRS has issued a public notice outlining the phased implementation of its E-Invoicing and Electronic Fiscal System (EFS), with the programme already underway for large taxpayers and scheduled to expand to medium and emerging taxpayers over the coming years.

    Also known as the Merchant Buyer Solution (MBS), the initiative fundamentally changes how businesses generate, transmit, authenticate, and store invoice data. With large taxpayers already onboarded and enforcement timelines now clearly mapped out, Nigerian enterprises must begin preparing for a fully digital fiscal environment

    A New Era of Digital Tax Compliance

    Electronic invoicing replaces paper-based billing with structured digital exchange of invoices, credit notes, and debit notes between buyers and sellers through integrated systems. By digitizing invoicing and enabling secure transmission through accredited platforms, the reform is expected to reduce tax leakages and underreporting, improve audit efficiency and revenue assurance, strengthen transparency across supply chains and simplify compliance through automation and interoperability.

    For businesses, this marks a clear shift toward technology driven compliance, where invoicing, reconciliation, reporting, and authentication become part of a unified digital workflow.

    How Nigeria’s E Invoicing Rollout Evolved

    Nigeria’s move toward electronic fiscalisation has unfolded gradually as part of a broader digital tax transformation agenda:

    • 2021- Authorities signaled plans to connect automated tax systems to taxpayers’ electronic records, laying early groundwork for digital monitoring.
    • 2024- Mandatory e invoicing policy direction emerged through the Merchant Buyer Solution framework.
    • January 2025- Pilot deployment began with selected large taxpayers to validate integrations and data transmission.
    • August 2025- Official go live for large taxpayers marked the transition from preparation to live fiscal reporting.
    • 2026 to 2028- Phased nationwide expansion covering go-live and enforcement for medium (2027) and emerging (2028) taxpayers.

    This consultation pilot, which aims to stabilise and enforce pathways, reflects international best practices for national fiscalisation programs.

    Read more: Navigating the Future of Tax Compliance: FIRS to Roll Out E-Invoicing in Nigeria

    The Legality: What Gives NRS the Authority

    A major question business often ask is what makes this mandatory.

    According to the NRS public notice on the EFS rollout, the programme is anchored in Nigeria’s tax administration legal framework. Section 23 of the Nigeria Tax Administration Act (NTAA) empowers the Service to deploy technology for efficient tax administration and collection, while Section 158 of the Nigeria Tax Act (NTA) mandates taxpayers to implement the fiscalisation system deployed by the Service.

    Taken together, these provisions establish the basis for NRS to introduce and enforce a digital fiscal regime across taxpayer categories, particularly where compliance depends on structured invoice data and electronic reporting.

    Separately, Nigeria’s technical and ecosystem governance is supported by the National Regulatory Guideline for Electronic Invoicing in Nigeria 2025 issued by NITDA, which

    • Applies to regulators, accredited service providers, and all entities generating or processing electronic invoices.
    • Defines the operational roles of Access Point Providers and System Integrators.
    • Establishes compliance, licensing, monitoring, and enforcement structures within the e-invoicing ecosystem.

    These elements collectively confirm that E Invoicing under EFS is a statutory compliance requirement and not optional modernization.

    Phased Rollout Timeline

    To ensure operational readiness, NRS is implementing EFS in structured phases aligned with turnover thresholds.

    Large Taxpayers Above ₦5 Billion

    • Go live: August 2025.
    • Post goes live review: January to March 2026.
    • Compliance enforcement: April to June 2026.

    Large enterprises are already transmitting invoice data and setting the pace for national adoption.

    Medium Taxpayers ₦1 Billion to ₦5 Billion

    • Stakeholder engagement: January to March 2026.
    • Pilot rollout: April to June 2026.
    • Go live: 1 July 2026.
    • Compliance enforcement: January to March 2027.

    Preparation timelines for this segment are now time critical.

    Emerging Taxpayers Below ₦1 Billion

    • Stakeholder engagement: January to March 2027.
    • Pilot rollout: April to June 2027.
    • Go live: 1 July 2027.
    • Compliance enforcement: January to March 2028.

    Although timelines are longer, early readiness significantly reduces disruption risk.

    What This Means for Businesses

    The nationwide mandate represents more than regulation. It is a structural digital transformation of commercial operations. Businesses must prepare to generate invoices in standardised compliant digital formats, transmit data securely via accredited e invoicing access platforms, maintain audit-ready electronic transaction records, and meet ongoing monitoring, reporting, and compliance obligations.

    Failure to prepare before enforcement windows may expose organisations to penalties, service disruption, or regulatory action, while early readiness enables faster reporting, reduced errors, improved visibility, and stronger credibility.

    The Critical Role of Technology Integration

    Compliance is now deeply technology dependent; successful adoption relies on qualified system integrators and secure digital infrastructure operating within Nigeria’s regulated E-invoicing framework.

    To support businesses through this transition, Stransact’s technology arm, Doftwerks, has been approved to assist organisations with integration, compliance-ready invoicing workflows, and secure connectivity to the national e invoicing ecosystem.

    Through Doftwerks, businesses can:

    • Integrate ERP, POS, and accounting systems with compliant e invoicing infrastructure.
    • Implement secure authentication, transmission, and audit trail capabilities.
    • Accelerate readiness ahead of enforcement timelines.
    • Minimise operational disruption during migration to electronic fiscal reporting.

    This capability complements Stransact’s broader mission of enabling seamless, compliant, and future-ready financial operations for Nigerian enterprises.

    Read more: FIRS E-Invoice Service

    Preparing for the Future Now

    One conclusion is unavoidable: Electronic invoicing is becoming the default framework for doing business in Nigeria. Organisations that digitise workflows, align with compliant infrastructure, and begin integration early will transition confidently. Those that delay risk last minute disruption as enforcement deadlines approach.

    Conclusion

    Nigeria’s E-Invoicing rollout marks a decisive step toward a transparent, efficient, and digitally governed tax system. Backed by statutory authority, national technical standards, and phased enforcement, the reform signals a permanent shift in how businesses document and report transactions.

    For forward thinking organisations, this is more than compliance. It is an opportunity to modernise finance operations, strengthen governance, and compete in a digital economy.

    Through Stransact and its approved technology arm, Doftwerks, Nigerian businesses can navigate this transition with confidence, securely, compliantly, and efficiently.

  • Nigeria’s New Tax Laws and the Limits of Administrative Power

    Nigeria’s New Tax Laws and the Limits of Administrative Power

    Introduction: Reform Raises Old Legal Questions

    The Nigeria Revenue Service (NRS) has issued formal notices to taxpayers announcing the commencement of the Nigeria Tax Act, 2025 (NTA) and the Nigeria Tax Administration Act, 2025 (NTAA), with effect from 1 January 2026. The notice, intended to provide “clarifications for ease of compliance and transition”, instead raises fundamental legal questions about the temporal application of tax laws, the scope of administrative authority, and the continued relevance of settled judicial principles.

    At the heart of the controversy is whether the NRS can, through administrative guidance, apply a new tax regime to income and transactions that arose before the commencement of the legislation.

    Year of Assessment Versus Year of Income

    The notice states unequivocally that “income tax returns due for filing in the 2026 Year of Assessment shall be prepared, filed, and assessed in accordance with the provisions of the NTA and NTAA.” On its face, this appears administratively tidy. In law, however, it is far from straightforward.

    For upstream petroleum companies, the year of assessment coincides with the year of income (i.e. actual year basis of assessment). For all other companies, Nigeria operates a preceding-year basis of assessment. Consequently, income reported in the 2026 Year of Assessment for non-upstream companies relates to profits earned in the 2025 financial year, at a time when the NTA and NTAA were not in force.

    Requiring taxpayers to compute 2025 income under a legal regime that only commenced on 1 January 2026 amounts, in substance, to retroactive taxation.

    The Presumption Against Retroactivity in Tax Law

    Nigerian courts have long held that statutes are presumed to operate prospectively unless the legislature clearly provides otherwise. This presumption is particularly strong in tax law, where statutes impose compulsory financial burdens. In Uwaifo v. Attorney-General, Bendel State and Attorney-General of the Federation v. Abubakar, the Supreme Court cautioned against interpretations that retrospectively alter substantive rights or liabilities.

    Nothing in the NTA or NTAA expressly authorizes the retrospective application of income tax provisions to profits earned before their commencement. In the absence of such language, administrative notices cannot lawfully supply what the legislature has withheld.

    The Accugas Case: A Direct Judicial Answer

    This issue is not novel. In Accugas Limited v. Federal Inland Revenue Service, the Tax Appeal Tribunal was confronted with an argument strikingly similar to the one now implicit in the NRS notice. The tax authority contended that because an amended tax law (Finance Act, 2019) was in force in the relevant Year of Assessment, it should apply to income earned in an earlier accounting period.

    The Tribunal rejected that argument in clear terms. It held that for companies assessed on a preceding-year basis, tax liability is governed by the law in force during the year the income was earned, not the year in which the assessment is made. The Year of Assessment, the Tribunal explained, is an administrative construct; it cannot be used as a legal mechanism to impose new tax rules on prior-year income.

    On appeal, the Federal High Court affirmed this reasoning, giving it binding judicial weight. The lesson from the Accugas case is unmistakable: the timing of assessment cannot override the timing of income.

    Against this backdrop, the directive that 2026 YOA returns must be assessed under the NTA and NTAA “irrespective of the actual filing date” sits on legally fragile ground for non-upstream taxpayers.

    Read more: The Limits of Regulatory Authority and the Imperative of Legislative Clarity

    Transactional Taxes: A Selective Temporal Approach

    The NRS notice adopts a different approach for transactional taxes. It states that the provisions of the NTA and NTAA shall apply to VAT, Stamp Duties and Withholding Tax “in respect of transactions occurring on or after 1 January 2026”. This is orthodox and uncontroversial. Transactional taxes attach to discrete events, and the applicable law is the law in force at the time the transaction occurs.

    The notice further preserves the validity of all VAT actions lawfully undertaken before 31 December 2025, including filings, assessments, payments and credits. This saving provision implicitly recognizes that the new law cannot disturb completed transactions.

    The difficulty arises when this logic is not consistently applied across the tax system.

    Capital Gains: An Important but Telling Concession

    The notice expressly provides that chargeable gains arising from disposals between 1 January 2025 and 31 December 2025 “shall be assessed and filed in accordance with the provisions of the repealed Capital Gains Tax Act”. Only disposals occurring on or after 1 January 2026 are brought under the new regime.

    This concession is significant. It acknowledges that capital gains crystallize at the point of disposal and must be governed by the law in force at that time. It also acknowledges, implicitly, that applying the new law to 2025 disposals would be impermissibly retrospective.

    Yet this creates an immediate tension with the broader directive on income tax for the 2026 Year of Assessment.

    Read more: One Law, Two Scripts: Navigating the Material Discrepancies in the Nigeria Tax Act 2025 – Eben Joels

    Capital Gains as Income: A Structural Conflict

    One of the most far-reaching reforms introduced by the NTA is the integration of capital gains into income tax computations. Under the new regime, chargeable gains from 1 January 2026 form part of total profits for income tax purposes. This reform makes the NRS’s transitional position even more delicate.

    The notice states that “income tax returns due for filing in the 2026 Year of Assessment shall be prepared, filed, and assessed in accordance with the provisions of the NTA and NTAA”. For non-upstream companies, the 2026 YOA relates to 2025 income. This would, in effect, require taxpayers to apply the new law to 2025 profits (except for capital gains, which are preserved under the old law).

    The result is a selective temporal application: one part of a company’s income (capital gains) is governed by the old statute, while the rest (ordinary profits, other transaction taxes) falls under the new law, all within the same assessment year. Nigerian courts, including in Accugas Ltd v. FIRS, have consistently rejected such selective retroactive application, holding that tax liability is determined by the law in force at the time income is earned, not by the year of assessment.

    In short, the NRS notice recognizes the impossibility of retroactively reclassifying capital gains yet attempts to do so implicitly for all other income in the same period, creating a legal and administrative contradiction that cannot be ignored. Tax law does not support such selective temporal logic. A single transaction carried out in 2025 cannot, as a matter of principle, be partly governed by repealed legislation and partly by new legislation absent explicit statutory direction.

    The Limits of Administrative Guidance

    Courts have consistently held that administrative circulars and notices cannot impose tax obligations beyond what the statute authorizes. In Attorney-General of the Federation v. Nigeria LNG Limited and FBIR v. Halliburton (WA) Ltd, the courts emphasized that tax liability arises strictly by operation of law, not by administrative convenience.

    The NRS notice, however well-intentioned, cannot override the statutory presumption against retroactivity or displace binding judicial authority, including the Accugas decision”.

    A Safer Path Forward

    A legally coherent transition would be to apply the NTA and NTAA prospectively to income and gains arising from financial years beginning on or after 1 January 2026. For non-upstream companies, this would mean that the 2026 Year of Assessment, which relates to 2025 income, remains governed by the repealed laws, with the new regime fully taking effect from the 2027 Year of Assessment. Such an approach would align administrative practice with judicial precedent, preserve taxpayer certainty, and protect the credibility of Nigeria’s ambitious tax reform agenda.

    A tax system that commands respect and compliance is one that is predictable, transparent and anchored in the rule of law. Nigeria’s tax reform agenda will be best served by ensuring that these principles are not sacrificed in the rush to implementation.

  • Why Your Business Must Comply with the Nigeria Data Protection Act in 2026

    Why Your Business Must Comply with the Nigeria Data Protection Act in 2026

    Data is no longer just an operational asset; it is the lifeblood of modern business. From banks processing millions of transactions to hospitals safeguarding patient records, retailers analyzing customer behavior, and manufacturers managing employee information, every organization touches personal data daily. With this power comes profound responsibility: safeguarding data is no longer optional; it is a strategic imperative.

    In Nigeria’s evolving data protection landscape, organizations that treat data security as a core governance priority will not only mitigate legal risk but also build trust, resilience, and lasting competitive advantage. Yet, despite the growing awareness of cyber threats, many organizations still approach data protection as a compliance checkbox rather than a strategic business function. This mindset is increasingly dangerous.

    As regulatory scrutiny intensifies and cybercriminals target sensitive business and customer data, the cost of inaction extends far beyond fines, it threatens reputation, customer confidence, and ultimately, market relevance. Forward-thinking leaders recognize that robust data governance is more than IT security; it is an essential component of corporate strategy, risk management, and stakeholder trust.

    By embedding data protection into every operational layer, organizations can transform a legal obligation into a strategic differentiator that drives long-term value.

    Nigeria’s Data Protection Framework: What Changed

    The Nigeria Data Protection Act (NDPA) 2023 marked a turning point in how Nigeria regulates personal data. Signed into law in June 2023, the NDPA established the Nigeria Data Protection Commission (NDPC) as an independent regulatory authority with significant enforcement powers.

    The real transformation came with the General Application and Implementation Directive (GAID) 2025, which took effect on September 19, 2025. GAID 2025 replaced the old NDPR 2019 framework with detailed, actionable requirements that leave no room for interpretation. For the first time, Nigerian organizations have clear compliance obligations for data protection rather than broad principles.

    Non-compliance carries serious consequences which could be fines of up to 2% of annual gross revenue or ₦10 million (whichever is greater), public listing on the NDPC’s non-compliance register, reputational damage, and potential loss of business opportunities. Beyond penalties, strong data protection practices create competitive advantages, enhance operational efficiency, and build customer trust.

    Read more: Why NDPA Compliance is Essential for Your Company’s Survival

    Understanding the GAID Classification System

    GAID 2025 introduced a tiered classification that determines your compliance obligations for Data Processors/Controllers:

    • Ultra-High Level (UHL): includes strategic sectors like banking, telecommunications, insurance, oil and gas, fintech, and payment gateways. These entities handle massive volumes of sensitive data of over 5000 data subjects with significant economic impact.
    • Extra-High Level (EHL): covers large-scale processors that process over 1000 data subjects including major government bodies and significant commercial enterprises processing substantial personal data.
    • Ordinary-High Level (OHL): encompasses smaller operations like educational institutions, community banks, and other entities processing personal data of over 200 data subjects.

    Your classification determines registration requirements, audit obligations, and reporting frequencies. UHL and EHL entities must register once with NDPC and file annual Compliance Audit Returns (CAR) through licensed Data Protection Compliance Organizations (DPCOs). OHL entities renew registration annually but are exempt from annual CAR filing.

    Read more: The Road to Trust: How GAID 2025 Will Shape Nigeria’s Digital Economy

    The Seven Principles Governing Personal Data

    The NDPA 2023 establishes seven foundational principles for all personal data processing:

    • Lawfulness, Fairness, and Transparency – Process data with valid legal basis (consent, contract, legal obligation, or legitimate interests) and communicate practices clearly through accessible privacy policies.
    • Purpose Limitation – Collect data for specific, explicit purposes and avoid using it for incompatible secondary purposes without fresh consent.
    • Data Minimization – Collect only data necessary for stated purposes, implementing role-based access controls and regularly reviewing holdings to eliminate redundancies.
    • Accuracy – Maintain current, accurate information with validation mechanisms, update processes, and conduct regular quality audits.
    • Storage Limitation – Retain data only as long as necessary, with defined retention schedules and automated deletion processes.
    • Integrity and Confidentiality – Implement robust technical security (encryption, access controls, network security) and organizational measures (policies, training, incident response plans).
    • Accountability – Demonstrate compliance through comprehensive documentation, audits, and governance structures including compliance schedules and audit returns.

    Key Compliance Requirements

    • Data Protection Officer (DPO) – Organizations that are Data Controllers/ Processors must appoint qualified DPOs who report to senior management, serve as contact points for data subjects, and actively participate in data processing decisions. Organizations can engage external DPO services to fulfill this requirement cost effectively.
    • Data Protection Impact Assessments (DPIAs) – Mandatory before implementing high-risk processing activities like systematic profiling, large-scale sensitive data processing, systematic monitoring, or deploying new technologies. GAID provides standardized templates and may require NDPC review.
    • Technical Security Measures – Organizations must implement encryption (AES-256 for data at rest, TLS 1.2+ for transit), multi-factor authentication, role-based access controls, network segmentation, regular vulnerability assessments, and comprehensive backup and recovery capabilities.
    • Privacy by Design – Data protection must be integrated into systems from inception, with maximum privacy settings applied by default and privacy reviews conducted during design phases.
    • Data Subject Rights – Organizations must establish processes to handle individual rights including access requests (respond within one month), rectification of inaccurate data, erasure when data is no longer necessary, data portability in machine-readable formats, and objection to processing.
    • Breach Management – Organizations must notify the NDPC within 72 hours when breaches pose risk to data subjects, provide detailed information about the incident, and notify affected individuals directly when breaches pose high risks.
    • Cross-Border Transfers – Transferring data outside Nigeria requires appropriate safeguards including adequacy decisions, standard contractual clauses, binding corporate rules, or informed consent. All transfers must be documented.

    Read more: Compliance as a Tool for Risk Management: Safeguarding Your Business in an Evolving Landscape

    Why Data Protection Applies to Every Sector

    Data protection is not just for technology companies or digital businesses. It applies to all organizations handling personal data:

    • Financial services organizations face enhanced requirements for BVN and financial data security, strong customer authentication, extended retention obligations, and anti-money laundering compliance.
    • Healthcare companies must provide heightened protection for health information, secure electronic medical records, obtain proper consent for research, and address telemedicine privacy.
    • Manufacturing and Retail companies handle employee data, customer loyalty programs, supplier information, and CCTV records which require data protection compliance.
    • Educational Institutions must process student records, employee information, and parent contact details under strict privacy requirements.
    • Professional Services Firms manage confidential information requiring robust protection and clear data processing agreements.

    Whether your operations are digital, traditional, or hybrid, if you collect, store, or process personal data about identifiable individuals, data protection compliance is mandatory.

    The Critical Role of Licensed DPCOs

    Here’s What Many Organizations Do Not Realize:

    UHL and EHL entities cannot file their mandatory annual Compliance Audit Returns directly with the NDPC. The law requires these submissions to go through licensed Data Protection Compliance Organizations. This requirement recognizes that effective data protection compliance demands specialized expertise which most organizations lack internally. Licensed DPCOs provide independent compliance audits (meeting NDPC standards), gap analysis (identifying specific deficiencies), CAR preparation and filing (ensuring proper submission), expert guidance (navigating complex regulations), ongoing compliance monitoring (adapting to regulatory changes), DPO services (fulfilling appointment requirements), DPIA support for high-risk activities, and staff training (building organizational capacity).

    Licensed DPCOs are compliance partners who help organizations build sustainable frameworks rather than check boxes. They bring practical knowledge of NDPC expectations, industry best practices, and proven implementation methodologies.

    The Business Value of Strong Data Protection

    Beyond regulatory compliance, robust data protection practices create tangible business advantages:

    • Market Differentiation – Privacy conscious customers increasingly choose vendors demonstrating compliance. In competitive markets, certified compliance becomes a deciding factor.
    • Partnership Opportunities – Multinational corporations and government agencies require verified compliance before awarding contracts. Strong data protection opens doors to lucrative opportunities.
    • Risk Reduction – Comprehensive security measures reduce breach likelihood and impact, avoiding incidental costs, legal liabilities, and reputational damage.
    • Operational Efficiency – Disciplined data management often reveals redundancies and inefficiencies, streamlining operations and reducing costs.
    • Innovation Enablement – Clear governance frameworks allow responsible innovation, providing confidence to explore new technologies and business models.

    Organizations viewing data protection as strategic investment rather than a compliance burden position themselves for sustainable competitive advantage.

    Critical Compliance Deadlines

    The NDPC requires that UHL and EHL entities file their annual Compliance Audit Returns before the 31st day of March 2026 through licensed DPCOs. The compliance audit and CAR preparation process typically requires 4- 8 weeks for most organizations. Organizations starting late can face compressed timelines, rushed implementations, and increased non-compliance risk. Those missing deadlines face financial penalties, public listing on non-compliance registers, and intensified regulatory scrutiny.

    Beyond March 2026, data protection compliance remains an ongoing process. Regulations evolve, threats change, and business operations develop. Sustainable compliance requires continuous monitoring, regular audits, staff training updates, and adaptation to new requirements.

    Taking Action: Your Path to Compliance

    If you are just starting your compliance journey or seeking to strengthen existing frameworks, partnering with a licensed DPCO makes the difference between compliance as a burden and compliance as a competitive advantage.

    As a licensed Data Protection Compliance Organization, Stransact Chartered Accountants assists organizations across all industries to achieve and maintain compliance with Nigeria’s data protection requirements. Our certified professionals bring deep regulatory knowledge, practical implementation experience, and tailored solutions addressing your specific business context.

    Our comprehensive services include:

    • Compliance assessments identifying current gaps
    • Annual Compliance Audit Returns preparation and filing
    • Data Protection Officer services
    • Policy development and staff training
    • Data Protection Impact Assessments
    • Breach response planning and support
    • Ongoing compliance monitoring and advisory

    Conclusion

    Every organization’s data protection journey is unique. We begin by understanding your specific challenges, then develop solutions meeting regulatory requirements while aligning with operational realities and business objectives. Proactive organizations that invest in strong data protection frameworks today position themselves for success while those delaying face mounting risks and compressed timelines.

    Reach out to us today to discuss your data protection compliance needs. Let us help you build a sustainable framework that protects your organization, respects individual rights, and positions you for success in Nigeria’s evolving regulatory landscape.

  • PAYE Deductions Are Not Enough: Key Compliance Gaps Organizations Must Address in Nigeria

    PAYE Deductions Are Not Enough: Key Compliance Gaps Organizations Must Address in Nigeria

    As organizations commence a new financial year, it is imperative to take a strategic look at statutory compliance obligations particularly those related to employee taxation. While many employers consistently deduct and remit monthly Pay-As-You-Earn (PAYE) taxes, a key compliance requirement is often overlooked: the Annual PAYE Returns Filing. 

    Annual filing is not merely an administrative formality; it is the statutory confirmation of an employer’s year-round PAYE compliance. A clear understanding of filing requirements, deadlines, and the risks associated with non-compliance ensures that organizations maintain robust governance practices and avoid unnecessary penalties. 

    What Exactly Is the Employer Annual PAYE Returns Filing? 

    Annual PAYE returns provide the State Internal Revenue Service (SIRS) with a consolidated record of an organization’s payroll-related tax activities for the entire fiscal year. These returns typically include: 

    • A comprehensive list of all employees on the payroll 
    • Total emoluments paid to each employee 
    • Pension and other statutory deductions 
    • Monthly PAYE deductions and remittances 

    Why Does It Matter? 

    • For Relevant Tax Authorities:

      It is a key tool for reconciling monthly PAYE remittances, validating employer compliance, and maintaining accurate taxpayer records. 

    • For Employees:

      Accurate annual filings ensure that their tax contributions are correctly documented—supporting applications for Tax Clearance Certificates (TCCs), banking transactions, employment verification, contract bidding, and visa processing. 

    Monthly deductions alone do not constitute full compliance. The annual filing is the formal legal confirmation of PAYE deducted and remitted through the year.

    Statutory Deadline: 31 January 

    The Nigeria Tax Administration Act (NTAA) 2025 retains the long-standing statutory deadline of 31 January following the assessment year for filing annual PAYE returns. This deadline is fixed and not subject to extension. 

    Timely filing: 

    • Confirms compliance with the law. 
    • Prevents administrative escalations by tax authorities.
    • Facilitates the prompt issuance of TCCs to employees.

    Missing the deadline, even by a short period, exposes organizations to penalties under Section 101 of the NTAA 2025. 

    Penalties for Late, Incorrect, or Incomplete Filing 

    Under Section 101 of the NTAA 2025: 

    • ₦100,000 penalty for the first month of default 
    • ₦50,000 for every subsequent month until compliance is achieved 

    These penalties are administrative and not punitive; but they can accumulate quickly, resulting in unnecessary financial burdens. Early preparation and filing remain the most cost-effective strategy.

    The Compliance Challenges Many Organizations Overlook

     Even organizations with strong compliance cultures may encounter challenges such as: 

    • Incomplete employee records (e.g., missing TINs or biodata) 
    • Delayed year-end payroll processing, especially in December 
    • Third-party payroll errors arising from outsourced service arrangements 
    • Lack of awareness, many companies assume monthly PAYE remittance alone is sufficient 

    Most of these issues are preventable through early planning and enhanced data governance. 

    Practical Steps to Strengthen Compliance 

    Employers can improve the filing process by taking the following actions: 

    • Audit payroll records early to confirm accuracy and completeness. 
    • Verify employee Tax Identification Numbers (TINs) to avoid submission delays. 
    • Reconcile monthly PAYE filings with year-end totals to ensure consistency. 
    • Engage payroll teams and service providers ahead of time, reinforcing expectations. 
    • Submit returns well before 31 January to avoid the rush and mitigate risks. 

    These steps help eliminate errors, reduce pressure, and ensure seamless compliance. 

    Beyond Compliance: Why Timely Filing Truly Matters 

    Annual PAYE filing offers benefits that extend beyond legal requirements: 

    • Employees: Accurate tax records ensure the facilitation of certain key personal and professional transactions. 
    • Employers: Enhance their corporate governance profile and reinforce stakeholder confidence. 
    • State tax authorities:  Improve revenue planning and maintain reliable taxpayer databases. 

    Timeliness reflects organizational professionalism and strengthens trust among employees, regulators, and business partners. 

    Conclusion 

    Annual PAYE returns filing remains a vital obligation under Nigerian tax law. Whilst monthly PAYE deductions are fundamental, they are not a substitute for the statutory annual filing that confirms compliance for the entire year. The 31st of January deadline and the penalties outlined in the NTAA 2025 underline the importance of proactive planning, not to intimidate organizations, but to encourage best-practice governance. 

    With early preparation, accurate data management, and a proactive compliance strategy, organizations can meet their obligations seamlessly supporting their workforce, enhancing their reputation, and maintaining regulatory peace of mind. 

    Start the financial year on a compliant foundation. It is smarter, safer, and ultimately more professional. 

  • Cybersecurity Risks in Tax Technology and How Nigerian Firms Can Stay Protected

    Cybersecurity Risks in Tax Technology and How Nigerian Firms Can Stay Protected

    The digital transformation of the accounting industry has brought unprecedented efficiency, especially in tax preparation and filing. However, this reliance on tax technology from cloud-based software to secure client portals also introduces a critical set of cybersecurity challenges.

    For organizations handling highly sensitive financial and personal data, protecting these digital assets is no longer optional; it’s the foundation of client trust and regulatory compliance.

    Tax season, in particular, has become peak hunting season for cybercriminals, with attacks on accounting firms surging as workloads increase and vigilance drops.

    The Top Cybersecurity Risks in Tax Technology

    Cybercriminals are sophisticated, targeting both large and small firms with a variety of attack vectors. Here are the most prominent risks your firm must actively defend against:

    1. Phishing and Social Engineering

    This is overwhelmingly the initial entry point for most breaches. Threat actors send deceptive emails (phishing) or use voice calls (vishing) that mimic trusted entities like the IRS, QuickBooks, or a firm executive. Their goal is to trick employees into:

    • Clicking on malicious links that download malware or ransomware.
    • Revealing login credentials or two-factor authentication codes.

    1. Ransomware and Malware

    Once an attacker gains access, often via a phishing link or an unpatched vulnerability, they can deploy ransomware. This malicious software encrypts your files and systems, holding critical client data hostage until a ransom is paid. The disruption, downtime, and cost of recovery can be catastrophic. Malware can also be installed to steal usernames, passwords, and other confidential data over time.

    1. Third-Party and Cloud Vulnerabilities

    Modern tax practices rely on a network of external services: cloud-based tax software, e-signature platforms, and managed IT services. If one of your vendors a third-party partner suffers a breach due to an unpatched system or weak security, your firm’s data can be exposed. Furthermore, misconfigurations in cloud environments remain a significant security gap.

    1. Insider Threats

    Not all threats come from outside. Insider threats stem from employees, contractors, or other personnel. This can be malicious (intentionally leaking data) or, more commonly, accidental (negligently clicking a link, using an unsafe mobile connection, or mishandling sensitive files). Given that 95% of cybersecurity breaches are reportedly due to human error, staff training is paramount.

    1. Outdated Software and Weak Access Controls

    Failing to regularly update tax software, operating systems, and network hardware leaves systems vulnerable to known exploits. Equally dangerous is a lack of strict access controls and reliance on weak passwords, which are easily guessed or compromised, giving attackers an effortless entry into your sensitive systems.

    Read more: Cybersecurity as a Boardroom Priority: Moving from IT to Strategic Risk

    How Firms Can Stay Protected: Best Practices

    Protecting client data requires a multi-layered, proactive security strategy. A single firewall or antivirus won’t cut it.

    1. Establish an Unbreakable Digital Foundation

    • Mandatory Multi-Factor Authentication (MFA): This is the single most effective defense against unauthorized access. Make MFA mandatory for all systems email, tax software, client portals, and VPNs. It requires users to verify their identity using a second factor (like a mobile code or authenticator app) in addition to a password.
    • Encrypt Everything: Ensure all sensitive data is encrypted at rest (on your servers or cloud storage) and in transit (when being sent to a client or vendor).
    • Strong Password Protocols: Enforce the use of complex, unique passwords (at least 12 characters with a mix of types) and require the use of a secure password manager for all staff.

    1. Prioritize Data and System Resilience

    The 3-2-1 Backup Rule: To mitigate the damage of a ransomware attack, you must be able to restore your data.

    • Keep 3 copies of your data (the primary and two backups).
    • Store them on 2 different types of media (e.g., local server and cloud).
    • Ensure 1 copy is kept off-site or offline (air-gapped).

    Keep Software Patched and Updated: Implement a policy for automatic, timely patching of all operating systems, antivirus software, and tax-specific applications to close known security gaps.

    Implement Role-Based Access Control (RBAC): Limit employee access to only the specific data and systems absolutely necessary for their job function. This minimizes the scope of a breach if an account is compromised.

    1. Invest in People and Processes

    • Continuous Cybersecurity Training: Since human error is the top vulnerability, frequent, mandatory training is essential. Teach employees to spot phishing, recognize social engineering tactics, and report suspicious activity immediately.
    • Due Diligence on Vendors: All third-party software and IT providers must adhere to your firm’s security standards. Conduct regular security assessments of your vendors to manage supply chain risks.
    • Develop an Incident Response Plan: No system is impenetrable. Have a comprehensive, documented plan detailing the immediate steps to take in the event of a breach, including roles, communication protocols, data recovery steps, and client notification procedures. Test this plan regularly.

    1. Maintain Compliance and Oversight

    • Security Audits and Penetration Testing: Hire third-party experts to conduct annual security audits, vulnerability scans, and simulated attacks (penetration tests) to identify and address weaknesses before criminals exploit them.
    • Formal Written Information Security Plan (WISP): Create a formal document outlining all security policies and procedures, as this is often required for compliance with industry regulations and standards.
    • By treating cybersecurity as a year-round, top-tier priority, not just a tax-season concern, your firm can build the resilience needed to protect client data, maintain trust, and safeguard your reputation in the digital age.
    • Read more: One Law, Two Scripts: Navigating the Material Discrepancies in the Nigeria Tax Act 2025 – Eben Joels
    • Conclusion
    • The stakes are too high to leave your firm’s security to chance. At Stransact Chartered Accountants, we provide specialized cybersecurity and tax technology services designed to protect your most sensitive assets. From implementing Multi-Factor Authentication and robust encryption to developing Written Information Security Plans (WISP) and conducting staff training, we ensure your firm is defended against the latest threats.
    • Do not wait for a breach to take action. Contact us today at [email protected] to schedule a security assessment and let us help you build a secure, resilient digital environment for your tax operations.