Commonwealth Bank Australia

Accenture – Due Diligence Activities

3.1 Declaration of Change in Circumstances

This declaration forms a part of several checks that make up Due Diligence Screening required to
be conducted for all Accenture resources deployed to any CBA engagement and with which
Accenture have a responsibility to maintain compliance. Due Diligence Screening is necessary
because of the potential to access Client confidential information as a port of your role on the CBA
account and is a requirement under the Master Services Agreement.

Any information disclosed by you in following the requirements of this form will be used to re-assess
your suitability as a fit and proper person to perform your role on CBA. This information may be
disclosed to the financial services human resources representative and appropriate Accenture
management as required. Disclosures made by you in relation to your responsibilities under this
form will not be shared with the Client without your permission.

By signing this form, you agree to promptly bring to the attention of the Accenture Contract Manager
(details below) any change in your circumstances since your last criminal history check was
conducted by Accenture (e.g. being charged with a criminal offence during your employment).

Please note that signing this form is not mandatory. In the event that you decide not to sign this
form, we will endeavor to redeploy you to another client account team. If you have any questions,
please feel free to reach out to your Human Resource representative or Contract Management.

Signature:

Print Name: AKANKSHA AMBADASRAO SURYAVANSHI

Title Application development associate

Company Name: Accenture

Date: 28/09/2022

(Following signature, please scan and email this form to CBA.PMOTeam [email protected])
3.2 Declaration of Conflicts of Interest

This Declaration of Conflicts of Interest form is required for all Accenture staff working on all
Commonwealth Bank engagements for security screening purposes.

By signing this form, you acknowledge that:

  you are aware of and in compliance with Accenture’s Policy 32 Conflicts of Interest: Individual; and

  you will promptly bring to the attention of the Accenture Contract Manager (details below) any matter
or circumstance which results in or may result in your non-compliance with Policy 32 Conflicts of
Interest: Individual.

Accenture Policy 32 says, in part:

 No employee may accept any offer of securities or anything else of material value from those with
whom the Company does, or is considering doing, business unless the same offer is made available
to all employees. Any employee who receives such an offer shall disclose the offer to his/her
managing director.

 If an employee holds a financial interest in an organization in which the Company is considering

investing or in which the Company currently has an investment, that employee is to identify his/her
interest and remove himself/herself from all decisions related to that organization.

 No employee may knowingly cause or direct the Company to purchase goods or services on behalf of
the Company from vendors owned or controlled by relatives of employees.

For the full version of Accenture Policy 32 see following link:

https://publishing.accenture.com/Policies/HR/PersonalResponsibilitiesBehavior/0032.htm

Signature:

Print Name: AKANKSHA AMBADASRAO SURYAVANSHI

Title Application development associate

Company Name: Accenture

Date: 28/09/2022

(Following signature, please scan and email this form to CBA.PMOTeam [email protected])
3.3 Project Confidentiality Agreement

SCHEDULE 11
Project Confidentiality Agreement

This Project Confidentiality Agreement re-affirm our collective commitment to existing Accenture policies—
they do not create new policies. Please read the following carefully, and consult the Accenture policies cited
below if you need additional information.
If you believe that you do not comply with the rules identified below, you need to become compliant. Contact
your supervisor for help and to obtain guidance on how you can bring your data protection practices in line
with Accenture policy.
I understand and will follow these rules for protecting Client Data, including:
 Personally Identifiable Information (PII) or personal data— any information which makes an individual
directly or indirectly identifiable. Different laws have different definitions, but typical examples include
employee names or email addresses, vendor and client contact details.
 Confidential Information (CI)—non-personal business information that is considered confidential by the
client (e.g. financial information, trade secrets, etc.); and
 Intellectual Property (IP)

I. I will read and comply with the following specific Accenture Policies, and will consult my
supervisor if I need help interpreting any of their requirements:
 11—Use of Accenture Delivery Methods;
 51—Use and Distribution of Packaged Knowledge;
 53—Non-Company Access to Company Systems;
 56—System Security;
 57—Security of Information and Acceptable Use of Systems;
 69—Confidentiality;
 90 - Data Privacy;
 91—Intellectual Property;
 123—Archives and Records Management; and
 1253—Internal Distribution of Company Confidential and Material Non-Public Information.

II. I will use care to identify and remain aware of any Client Data that resides on my individual
devices, including:
 Accenture –owned and/or personal electronic equipment (e.g. computers, external hard drives,
personal files on shared servers, etc.);
 portable data storage devices (eg. PDAs, CDs, DVDs, flash drives, mobile phones, etc);
 old and archival data and backups; and
 information stored in hardcopy, (e.g. paper files, day planners, etc.).

I will provide my supervisor accurate information about Client Data under my control as requested.
III. I will not use or retain any Client Data from a prior project. Following the end of each project I will
remove all Client Data associated with that project from the hardware and media under my control. If,
during my current project, I find Client Data that appears to be from a different client, I will notify my
supervisor immediately.

IV. I will access, use, disclose, and retain Client Data only as necessary to provide services for the
client who owns the data. I will not access Client Data that I do not need in order to perform my duties
on the project. I will use good judgment when collecting, using or disclosing Client Data in order to keep
it secure and confidential. I will observe the “rule of least privilege” by not allowing others to access
Client Data under my control unless they are assigned to my project and legitimately need that Client
Data to perform their duties on the project. I will never use or disclose Client Data for personal
purposes, or transfer such information to systems controlled by other clients.
V. I will take all reasonable steps to protect Client Data in my custody. I will follow all client and
Accenture requirements related to information security, and will be responsible for implementing those
requirements with respect to the Client Data under my control (e.g. use and protection of passwords,
use of encryption, etc.). I will escalate threats to Client Data, or concerns about the adequacy of
controls, to my supervisor.

VI. I will delete, destroy or return all Client Data when required or when it is no longer needed for
business purposes. I will not retain unnecessary copies of Client Data for any longer than needed to
perform services for the client who owns the data, and will delete it when it is no longer needed. I will
securely delete and overwrite Client Data from electronic media and will shred or otherwise permanently
destroy hardcopies.

VII. I will observe all rules and restrictions when adding documents to the Knowledge Exchange (KX)
or Accenture Records Management System (ARMS). I will observe Accenture Policy 0123—
Archives and Records Management. When I leave a project, I will provide copies of project materials to
the project records management lead, and delete or destroy all Client Data associated with that project
still in my possession, other than client contact information.

VIII. I will follow the established incident response procedures for identifying and escalating security
breaches affecting Client Data. I will report known or suspected data breaches to the Accenture
Security Operations Center (ASOC) at (+01) 202.728.0645 , and also as directed within the project. A
security breach includes any loss of control of Client Data, whether intentional or accidental, and can
include lost or stolen portable data storage devices, misdirected data, computer hacking, or intentional
misuse of Client Data. I will report suspected intentional misuse of Client Data immediately.

IX. I will consider the privacy of individuals when designing systems that utilize PII. I will seek to
create privacy-protective systems and services consistent with client objectives. I will consider the
privacy impact of my work and will take a conservative approach to the collection, use and disclosure of
PII when developing solutions.

X. I am responsible for my compliance with this Project Confidentiality Agreement and Accenture
policies and procedures. I understand that complying with Accenture policy also means complying
with laws and client instructions. I understand that preserving the confidentiality and privacy of Client
Data is a critical part of my job duties. I will conform to all Accenture policies and procedures with
respect to the management of company or Client Data.

Additional Responsibilities of Accenture Supervisors:

XI. I am responsible to make a reasonable effort to be aware of all Client Data in all systems,
workstations, and electronic media under my authority, including individual user resources (e.g.
laptops and portable media), and archival data and backups.
XII. I am responsible for regular, periodic review of my project’s Client Data inventory. At a
minimum, Client Data will be inventoried when the following major events occur: (a) new
systems or applications coming online, (b) new legal requirements taking effect, (c) after
upgrades, restores or rebuilds resulting from a security incident, or (d) every year, whichever
occurs first.
XIII. I will give proper attention to any information security issues or the misuse of Client Data that are
escalated to me.
XIV. I will implement and document procedures that govern the receipt and removal of hardware and
electronic media containing Client Data, including equipment reassignment, and final disposition
of equipment.
XV. I will be responsible for ensuring and confirming that required procedures are followed with
respect to all security breaches affecting Client Data under my management.

I acknowledge that I have read this document, understand its requirements and confirm that I will make my
best efforts to comply with these rules:
 Signature:

Print Name: AKANKSHA AMBADASRAO SURYAVANSHI

Title Application development associate

Company Name: Accenture

Date: 28/09/2022

(Following signature, please scan and email this form to CBA.PMOTeam [email protected])