Overview
Onestop QMS is the operational Quality Management System for Australian regulated practices. It's not a folder of templates — it's a live system of registers, documents, sign-offs and audit trails that proves your practice runs to a defined standard.
Why this product exists: TPB Code & ICB Standards
From 1 July 2025 the TPB Code of Professional Conduct requires every registered tax practitioner to operate a documented QMS. ICB members have had a similar QMS expectation in place for some years. Both standards expect the same things:
- Documented policies and procedures — current, owned, reviewed.
- Registers — risk, complaints, breaches, conflicts of interest, incidents.
- Staff competency — training, supervision, mandatory sign-offs.
- Operational evidence — not just templates on a shared drive, but proof that the system is in use.
- Audit trail — who changed what, when.
Org setup
The first sign-in walks you through the org. The data you enter here flows into every other part of the system — the auto-generated manual, the registers, the dashboards.
Org details
- Trading name and ABN/ACN.
- Business structure (sole trader, partnership, company, trust).
- Primary contact and registered office address.
TPB registration
- BAS Agent, Tax Agent or Tax (Financial) Adviser.
- Registration date and registration number.
- Registered services (declared on TPB).
Professional memberships
- ICB, IPA, CPA Australia, CA ANZ — whichever apply.
- Membership number and renewal date for each.
Professional indemnity insurance
- Insurer, policy number, cover amount.
- Renewal date — the system flags before expiry.
You can come back to any of these any time; the audit log captures every change.
The QMS Manual
The QMS Manual is the document the regulator (TPB or ICB) wants to see. Onestop QMS auto-generates it from the live system — org details, services, memberships, insurance, registers, current procedures — and lets you fill in or override the policy sections.
How it's built
- Auto sections are pulled from live data. Updating the org once updates the manual everywhere.
- Policy sections start with a sensible default and you adapt them to your practice.
- Generation produces a versioned PDF, audit-stamped, with a contents page and section numbering the regulator expects.
Versioning
Every export is versioned with a sequence number, the user who triggered it, and a timestamp. Old versions don't disappear — they're archived so the audit can see the manual as it stood on any given date.
Documents
Beyond the auto-generated manual, your practice has a library of documents — code of conduct, cyber policy, WHS, terms of engagement, privacy policy, client-specific procedures. Each one in Onestop QMS gets:
- Version control — old versions archived when superseded.
- Owner — one person responsible.
- Approval workflow — new versions go through review before publication.
- Review cadence — annual, biannual, quarterly. The system surfaces overdue reviews on the dashboard before docs go stale.
Upload PDF, Word or plain text. Documents export with their version metadata.
Registers
Five operational registers, all live, all audit-logged. Each one runs on the same model: an entry, a status, an owner, a review cadence. The differences are what each tracks and how the system scores it.
Risk register
The 5×5 likelihood-impact matrix is built in. Add a risk; pick its likelihood and impact; the system auto-calculates the rating. Track:
- Existing controls and their effectiveness.
- Treatment plan (mitigate, transfer, accept, avoid).
- Residual risk after controls.
- Review cadence and next review date.
Incident log
Workplace injuries, near misses, IT and security incidents, environmental events. Each entry has:
- Severity scoring.
- Investigation notes.
- Follow-up actions and preventative measures.
- Closure status with audit log.
Complaints register
Client complaints with automatic SLA deadlines:
- Urgent: 1 business day
- High: 3 business days
- Medium: 5 business days
- Low: 10 business days
SLAs are calculated on Australian business days — weekends and public holidays are skipped automatically. The dashboard surfaces breaching SLAs before they become audit findings.
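A way to cross-check the deadlines described above, as an added example that is not Onestop QMS code. It assumes the day of receipt counts as day 0 and uses a small constructed holiday set; `sla_deadline` and `is_breached` are hypothetical names.

```python
from datetime import date, timedelta

# SLA targets in business days, as listed in the complaints register section.
SLA_BUSINESS_DAYS = {"Urgent": 1, "High": 3, "Medium": 5, "Low": 10}

# Constructed sample holiday set (assumption): public holidays around Easter
# and Anzac Day 2025. A real check would load the practice's own state calendar.
SAMPLE_HOLIDAYS = {
    date(2025, 4, 18),  # Good Friday
    date(2025, 4, 21),  # Easter Monday
    date(2025, 4, 25),  # Anzac Day
}


def is_business_day(day, holidays):
    """Monday to Friday, and not a listed public holiday."""
    return day.weekday() < 5 and day not in holidays


def sla_deadline(received, priority, holidays=SAMPLE_HOLIDAYS):
    """Return the date the SLA falls due.

    Assumption: the day of receipt is day 0, so counting starts on the
    next calendar day and only business days reduce the remaining count.
    """
    remaining = SLA_BUSINESS_DAYS[priority]
    day = received
    while remaining > 0:
        day += timedelta(days=1)
        if is_business_day(day, holidays):
            remaining -= 1
    return day


def is_breached(received, priority, today, holidays=SAMPLE_HOLIDAYS):
    """True once today is past the SLA deadline."""
    return today > sla_deadline(received, priority, holidays)


if __name__ == "__main__":
    received = date(2025, 4, 17)  # constructed: Thursday before Easter
    for priority in SLA_BUSINESS_DAYS:
        print(priority, sla_deadline(received, priority).isoformat())
```

A complaint received on the Thursday before Easter shows why the calendar matters: the one-business-day Urgent deadline lands five calendar days later.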
Breach register
Data breaches, privacy breaches, security incidents, compliance breaches. Each entry has severity scoring, an investigation timeline, notification tracking (relevant for notifiable data breaches), and a closure record.
Conflict of interest register
Declarations and ongoing management. Staff members can declare a conflict (existing client, family relationship, prior engagement) which gets reviewed by an Admin or Compliance Officer. Active conflicts have a status; closed ones stay in the audit record.
Operate
The QMS is only as good as the next entry into it. Day-to-day operation looks like this:
Mandatory sign-offs
Configure the sign-offs your practice requires — code of conduct, cyber policy, WHS, conflict-of-interest declaration. Set the cadence (annual, quarterly). The system asks each staff member to acknowledge each item and records the date of the sign-off.
- The dashboard shows who's outstanding.
- Auto-reminders before sign-offs lapse.
- Audit shows the trail of every acknowledgement.
Training records
Track training, qualifications and competency assessments per staff member. Each record carries an expiry date where applicable. The dashboard surfaces lapsing certifications.
For CPE / CPD tracking specifically, use our sister product Onestop CPE — it integrates the role-specific cycles (TPB, ICB, ASIC, professional bodies). The two products complement each other.
Insurance and memberships
Professional indemnity insurance, ICB membership, IPA / CPA / CA ANZ memberships — each tracked with renewal date. The system flags before they expire, not after.
Review cadence
Every register and document has a review schedule. Overdue items surface on the dashboard. Risks come up for re-rating; documents come up for re-approval.
Roles & access
Four roles. Each one sees what they need.
- Admin: Full read-write across the org. Org settings, member invites, role assignment, billing.
- Compliance Officer: Operate the QMS. Manage registers, schedule reviews, approve documents, investigate incidents and breaches. Same data access as Admin minus org-config.
- Staff: Live the QMS. Log incidents, complete training, sign off mandatory items, declare conflicts. See what's required and what's outstanding.
- Auditor: Read-only access across the org. Full audit trail, every register, every document version. Can't edit anything.
Audit & export
The TPB and ICB don't ask you to have a QMS — they ask you to operate one. The audit trail proves the second part.
The audit log
Every create, update, status change and approval is logged with:
- The user who performed it.
- The timestamp.
- The entity affected.
- The values that changed (old vs new).
The log is read-only and append-only. It can't be edited; it can only have new entries added.
Exports
| Format | What you get |
|---|---|
| QMS Manual PDF | Versioned, audit-stamped, full table of contents, all live data inlined. |
| Register PDFs | Each register exports with filters by date, status, owner, severity. Cover page shows totals and SLA status. |
| Register CSVs | Same data, machine-readable. For spreadsheet analysis or onward reporting. |
| Audit log CSV | Full who-when-what-changed trail for any date range. |
| Document archive | Every document with its version metadata, exported as a zip. |
Retention
Audit data is kept for the life of the org — which means as far back as you've been a customer. Old document versions stay archived. Old register entries stay accessible. If the TPB or ICB asks about a record from three years ago, you have an answer.
In a nutshell
| Concept | What it means |
|---|---|
| QMS Manual | The auto-generated document the TPB / ICB wants to see. |
| Documents | Your policies and procedures, version-controlled. |
| Registers | Risk, incident, complaint, breach, conflict — all live. |
| Sign-offs | Mandatory acknowledgements per staff member. |
| Training | What each staff member has done; when it expires. |
| Roles | Admin, Compliance Officer, Staff, Auditor. |
| Audit log | Every change, who, when, what. |
| Export | One-click PDF for the regulator. |