Managerial-level control (MLC) 1: Roles and responsibilities are clearly understood
MLC1: Formal documents, policies or procedures for all roles and responsibilities relating to tax compliance and risk management including excise and applicable indirect taxes. These generally detail:
- role descriptions for tax compliance, administration and risk management
- roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel (formal delegations or authorisation levels)
- segregation of duties (for example, dual sign-off), BAS/excise return preparation is segregated from review and authorisation prior to lodgment
- policies or committee charters that specify methods and frequencies for reviewing and escalating risks in the tax risk register, including follow-up of identified tax risks.
Procedure
Enquire if the entity has documented roles and responsibilities relating to tax compliance and risk management for their tax function and noting:
- name of document
- date of document
- document approver (name and title)
- if the document is formally endorsed by senior management and, if not, report an observation
Inspect the document, extract and page reference the sections of the document that describe the following:
- role descriptions for tax compliance, administration and risk management
- roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel (or authorisation levels)
- formal responsibility or process for excise and indirect tax staff members to partner with accounting/finance/operations and systems staff to consider the appropriate excise and indirect tax consequences of transactions
- formal responsibility for liaising with the ATO excise and GST relationship managers
- segregation of duties (for example, dual sign-off).
If documented roles and responsibilities do not exist, enquire of the entity's reasons for its absence, report their response and raise an observation.
Enquire about the entity's processes for reviewing, escalating and following up risks in the tax risk register and noting:
- name of document (if documented)
- date of document
- document approver (name and title)
If the document is not formally endorsed by senior management report as an observation.
Where available page reference the sections where methods and frequencies for reviewing, escalating and following up tax risks are described.
When escalation is required, identify any dollar threshold set for matters like errors and law changes.
If documented methods do not exist, enquire of the entity's reasons, report their responses and raise an observation.
Better practice report inclusions
- Documented roles and responsibilities relating to tax compliance and risk management
- Documented methods and frequencies for reviewing, escalating and following up tax risks
Managerial-level control (MLC) 2: Senior management confident of capacity and capability
MLC2a: A control framework approved by senior management that includes both preventative and detective controls. Note that an organisation might have a separate income tax, excise and indirect tax control framework or tax will be an element of an overarching risk management/internal control framework.
Procedure
Obtain the entity's tax control framework (or overarching risk management/internal control framework of which tax is an element) and note the following:
- name of the document
- date of document
- document approver (name and title)
- list of preventative and detective controls related to tax and page reference
- frequencies at which controls operate and sample size guide
- whether the tax control framework includes policies/procedures to ensure sufficient capacity of tax function - for example, management might consider the capacity of the tax function is not compromised by cost saving measures by
- the benchmarking of team headcount numbers versus industry peers
- the comparison of tax obligation deliverables versus staff resources.
If documented control framework is absent, or is in draft, or is not approved, enquire of the entity's reason, report their response and raise an observation.
Better practice report inclusions
- Approved tax control framework (including both preventative and detective controls)
- Approved overarching risk management/internal control framework of which tax is included as an element
MLC2b: Clearly identified key controls, including how often they are tested. Staff with appropriate experience are designated as control owners. Note that an organisation might have a separate tax control framework covering income tax as well as excise and applicable indirect taxes or tax will be an element of an overarching risk management/internal control framework.
Procedure
Obtain the entity's documented key controls related to tax, testing frequencies and assigned control owners and note:
- name of document
- date of document
- identified key controls related to tax
- how often controls are tested and sample sizes
- transaction cycles for which walkthroughs have been completed
- details of owners for each tax key control (name and title).
If the above items are not documented, enquire of the entity’s reason for its absence, report their response and raise an observation.
Some of the information required for this procedure will be obtained in MLC-2a.
Better practice report inclusions
- Documented key controls related to tax, testing frequencies and assigned control owners
MLC2c: Senior management approval of the design and operating effectiveness of the internal controls governing tax compliance covering all tax types
Procedure
Enquire of the entity if management have undertaken an assessment of their design and operating effectiveness of the internal controls governing tax compliance. Report their response.
Enquire if assessment results have been documented and approved by senior management. If so, obtain a copy and note findings raised from the assessment.
If documented assessment is not approved or in draft, raise an observation. Note that an organisation might review design and operating effectiveness of tax controls in conjunction with other controls in the risk management framework.
Better practice report inclusions
- Documented assessment of their design and operating effectiveness of the internal controls governing tax compliance, approved by Senior Management.
MLC2d: Internal or external assurance reviews of tax corporate governance or control framework procedures covering income tax, excise and indirect taxes
Procedure
Refer to BLC-4b for reviews of the tax control framework carried out by independent assurance providers.
Refer to MLC-6b where the review of tax provisions or tax positions as part of the year end external audit fieldwork can be leveraged.
Enquire of the entity if they have internal audits or management self-assessment reviews to examine their tax corporate governance or control framework as it relates to tax.
For example, organisations may adopt their own three lines of defence risk management framework for testing the design and operational effectiveness of their tax function.
Report their response.
If the testing of tax corporate governance or control framework has been undertaken by management, obtain a copy of their report, extract and page reference:
- the name of report
- the details of staff who performed the review (name, title, division)
- the synopsis of review scope
- the list of tax key controls
- the transaction cycles for which walkthroughs have been completed
- the sample size
- the findings or testing results
- the recommendations.
Better practice report inclusions
- Documented internal or external assurance audit plan (includes the examination of tax corporate governance or control framework procedures)
- Elements of the risk management framework relating to tax that might be tested as part of external or internal audits (reflected in the audit plan), for example, annual GST apportionment reviews
MLC2e: Staff training on tax-related topics. The training should also include excise, GST and other indirect tax topics as applicable to the entity
Procedure
Obtain the entity's training materials and training attendance registers for staff training on tax-related topics and note:
- training to date
- training type (in-house, external workshop, course, briefing or presentation by external advisors or professional bodies (for example, Tax Institute).
- training topics
- staff who attended.
Also note any personnel who have not attended training in the last twelve months and who work in the tax function. Enquire of the entity's the reasons for their absence, report their response and raise an observation.
If the tax training materials and attendance registers are absent, enquire of the entity's reasons, report their response and raise an observation.
Better practice report inclusions
- Tax-related training packs
- Tax-related training attendance register
MLC2f: Staff reviews, KPIs and performance agreements that incorporate tax corporate governance and risk management elements.
Procedure
Enquire of the entity if tax corporate governance and tax risk management metrics have been incorporated into tax personnel staff reviews, KPIs and performance agreements. Report their response. An example would be the requirement to attend tax technical update training periodically.
Better practice report inclusions
- Documented KPIs or performance agreements (includes tax corporate governance and tax risk management)
MLC2g: Key personnel with professional qualifications and standards to ensure capability.
Procedure
Enquire of the entity how they ensure adequate capabilities of key personnel within their tax team. Report their response.
If the entity's response relates to on-going training, obtain documented training documents or training attendance registers to tax-related training sessions held in the last 12 months.
The work performed in MLC-2e can be leveraged here.
Better practice report inclusions
- Role description for key personnel used in the hiring process
- Documented training documents or training attendance registers to tax-related training sessions
MLC2h: Impacts of tax compliance risks are considered by an appropriate management or board sub-committee; for example, a mergers and acquisitions sub-committee considers the tax risks of acquiring an entity.
Procedure
Refer to MLC-3a and MLC-3d for consideration of how tax compliance risks are managed in significant transactions.
Refer to BLC-3b for consideration of how management ensure the board (or sub-committee) is appropriately informed.
Better practice report inclusions
- Documented policy or procedure describe the responsibility of considering tax compliance risks
MLC2i: Existing channels for personnel outside of the tax function to identify and escalate tax risks.
Procedure
Refer to MLC-3a for documented processes for business areas to identify and communicate significant transactions to the tax team.
Better practice report inclusions
- Documented procedure describing how personnel from areas outside the tax function identify and escalate tax risks
MLC2j: Tax-related reports generated and presented to senior management.
While the guide contemplates all taxes ATO officers considering tax risk management and governance as part of PCR, ACA or similar products should focus on income tax elements. ATO officers should consider work of other business lines such as an annual compliance arrangement for GST to ensure credit is given where the requirement has been tested in a related process or product.
Procedure
Enquire of the entity what tax-related reports are produced for senior management and who have these reports been circulated to. Include reports for all tax types and entity's response.
Of the reports that are presented to senior management, enquire of the entity to identify reports that include tax information or calculations, obtain a copy and note:
- name of report
- date of report
- distribution list
- type of tax (for example, Capital gains tax, GST, FBT, stamp duty).
Better practice report inclusions
- Tax-related reports presented to senior management
ATO officers: refer to Interacting with PS LA 2004/14.
End of exampleManagerial-level control (MLC) 3: Significant transactions are identified
MLC3a: A policy for significant income tax, excise and indirect tax transactions that:
- specifies the value of what would constitute a significant transaction requiring authorisation from the tax area
- details the types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (and, by default, tax matters not requiring escalation)
- outline the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction.
Procedure
Obtain the entity's documented definition of significant transactions for tax purposes and note:
- where value would constitute a significant transaction requiring authorisation from the tax function types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (or sub-committee)
- whether the escalation process is automatic or manual (automatic escalation process is a system enabled approval process via workflows that are programmed in accordance with the entity's delegation of authority)
- the process other business areas use to identify and communicate significant transactions to the tax team (also refer to MLC-3d in relation to reporting templates)
- the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction
- the requirement to perform a Financial Acquisitions Threshold (FAT) test to ensure costs associated such significant transactions incorporate appropriately denied GST credits.
If documented definition of significant transactions for tax purposes does not exist, enquire of the entity's reasons for its absence, report their response and raise an observation.
Better practice report inclusions
- Documented processes for identifying, managing and escalating significant tax transactions
- New product or transaction approval documents
- Documented processes that capture information relating to:
- the identification of potential supplies made under significant transactions ( e.g. share sale/purchase is input taxed or asset sale/purchase is taxable/GST-free)
- timing of proposed transactions, including any changes regarding the structure or type of transactions to be undertaken
MLC3b: A risk-identification process that accounts for qualitative and quantitative risk factors. Examples of typical risk factors include:
- volume of transactions affecting disclosures in the tax return, excise return or BAS financial accounting and tax reporting complexities and inconsistencies
- volume of manual adjustments made by management
- related-party transactions, including offshore related parties (like branches) dealings involving low-tax jurisdictions
- year-end arrangements resulting in tax benefits
- revaluations resulting in tax benefits
- transactions or arrangements where
- there is a legal versus substantial disconnect
- there are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome
- the use of new and complex financial instruments or arrangements
- ongoing monitoring and assessment procedures relating to determination of whether GST recovery apportionment models are fair and reasonable
- transactions within GST groups
- GST treatment of international cross border transactions including dealings via a digital medium
- classification or treatment of uncommon, new or unusual GST transactions (for example, a sale of property involving margin scheme, and sales or acquisition of shares)
- excise classification and treatment for new product releases.
Procedure
Enquire of the entity the following and report responses:
- How does management identify risks (such as a change in business, change in law) that would potentially warrant a change in the internal controls relating to tax?
- What are the triggers that would lead management to assess its risk and controls pertaining to the tax function?
- Does management have a process in place to automate controls for large volume transaction processes to improve efficiency?
Enquire of the entity whether the following examples of risk factors are part of their risk identification or risk assessment process:
- volume of transactions affecting disclosures in the tax return or excise return or BAS financial accounting and tax reporting complexities and inconsistencies
- volume of manual adjustments made by management
- related-party transactions
- transactions within GST groups dealings involving low-tax jurisdictions
- year-end arrangements resulting in tax benefits
- revaluations resulting in tax benefits
- GST recovery apportionment methodology assessment and monitoring (if applicable)
- transactions or arrangements where there is a legal versus substance disconnect
- there are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome
- the use of new and complex financial instruments or arrangements.
- Classification or treatment of uncommon, new or unusual GST transactions. (for example a sale of property involving margin scheme, sale or acquisition of shares)
- GST treatment and classification of transactions involving overseas suppliers and customers, including transactions with offshore related parties
- excise treatment of new 'developed' products.
In reporting their response:
- Enquire of the entity if there are any other tax risk factors considered by the management. If risk factors are documented by the entity, obtain and attach a copy to the report.
- Enquire of the entity if there have been any changes to the control framework in the past 12 months, as a result of errors or exceptions found in its tax control framework. If so, list them and the corresponding new controls or remediation plans in the report. Report entity's response.
Better practice report inclusions
- Tax risk identification document
- Internal control framework change request or IT control change request form
MLC3c: Tax risks for all tax types have been rated, for example high/medium/low, with the appropriateness of the rating evaluated on a yearly or half yearly basis.
Procedure
Enquire of the entity what risk rating scales are being used and how often tax risks are assessed to ensure its ratings are appropriate. Report their response. If documented, obtain a copy and note the sections that correspond to risk rating scales and review frequencies.
Inspect the entity’s risk register and note:
- the number of risks in the risk register
- if each risk been assigned a risk rating
- the date when the risk register was last reviewed.
In addition, non-ATO personnel should note the nature of risks considered, who reviews these risks, who approves revised risk ratings, when was the risk register last presented to the senior management or the board or (sub-committee).
Better practice report inclusions
- Documented processed for ranking risks and review frequencies
- Risk registers that may include tax risks, or a separate tax risk register if that exists
- Risk registers that incorporate review of matters when ATO advises industry that certain industry issues/risks are under review
MLC3d: Reporting templates that are adhered to.
Procedure
Enquire of the entity if they have processes for reporting tax risks for all relevant taxes and significant transactions staff are required to use when identifying and reporting tax risks. Report their response.
Obtain evidence of how the process was adhered to when reporting tax risks and significant transactions. Note the reporting format, date, issue and tax law references in the report. For example, some industries make use of a New Product Approval template that would include a section for the tax team to complete.
If the reporting templates require the consideration of:
- what taxes apply to a significant transaction
- formal advice or consultation sought to assess the impact of all relevant taxes including excise, GST and other indirect taxes
- strategies or controls to manage any identified tax risk
- post implementation review to consider if the transaction was implemented as originally planned and if not reasons for changes are documented.
If the processes do not exist, enquire of the entity the format used for reporting tax risks and significant transactions (for example, emails). Document their response, obtain an example of the format used and attach to the report.
Better practice report inclusions
- Reporting template for reporting identified risks and/or significant transactions
ATO officers: refer to Interacting with PS LA 2004/14.
End of exampleNext steps