We have published a GST Governance, Data Testing and Transaction Testing Guide on how the justified trust methodology is applied to help conduct a self-review of your tax control framework for GST purposes.
You should document your assessment of your tax risk management and governance framework, identifying any gaps. We will ask if you have undertaken a gap analysis against our published guidance or have applied the self-assessment procedures in our guidance and request evidence where you have.
GST fundamental controls
We will ask specifically about the 3 following controls, which are fundamental for GST.
BLC 4: Periodic internal control testing
We will request a copy of your documented tax control testing plan including:
- if the testing plan has been finalised and approved by the Board or delegate
- if any controls testing has been undertaken in the review period – if so, provide evidence of the controls tested, date, testing undertaken, results and any action taken to address any deficiencies.
MLC 4: Controls in place for data.
We will request the following in relation to your data controls:
- details of whether GST codes in the Accounts Payable (AP) / Accounts Receivable (AR) systems are automated via the use of a tax engine
- your documented AP / AR process which incorporates the application of GST codes, including a list of GST codes/rates
- your documented procedures in relation to GST tax codes including set-up, maintenance, changes, and review
- a systems architecture diagram identifying the systems / platforms used to capture transactions for GST reporting (if available)
- the documented procedures for the creation and maintenance of vendor and customer master data.
- details of any IT, internal audit or third party testing of controls that has taken place to ensure the accuracy and integrity of data input and processing
- procedures for processing manual transactions (entries) that occur outside the AR & AP systems – examples include journal entries for transactions that have not been invoiced; HR transactions (e.g., post-tax employee contributions)
- details of how your IT team interacts with your tax team to remedy any IT control breakdowns that may have an impact on GST reporting.
MLC 6: Documented control frameworks
We will request:
- a copy of your documented end to end BAS preparation procedures (this may include documents used by staff such as manuals, instructions, guides and flowcharts)
- details of any software package you use to prepare your BAS including circumstances where a third-party provider is involved in the BAS preparation.
Common controls for GST and Income Tax
In addition to these fundamental controls, we will request evidence for the following controls which are also requested in the income tax section of our information request:
- Board level control 1
- Board level control 3
- Management level control 1
- Management level control 3
- Management level control 7.
Where a common control extends to GST, we will be largely relying on the evidence provided as part of the income tax component of the review where the results are equally applicable across income tax and GST. Additional evidence will need to be provided if the documentation submitted for these governance controls does not extend to GST. You can also refer to appendix 2 of the GST Governance, Data Testing and Transaction Testing Guide
The following are examples of the documents and evidence we will request.
BLC 1: Formalised tax control framework
Documents:
- that set out the formal tax strategy and details of how the organisation identified and manages income tax and GST risk
- that evidence that these tax strategy documents were approved by the Board or its delegated authority.
BLC 3: The board is appropriately informed
- The policy, procedure, and process that management follows to brief the board on tax matters.
- Where reporting templates are used when briefing the Board, copies of these templates. The minimum matters ('minimum board reporting matters') which are to be included for consideration by the Board, sub-committee or its delegate are
- Effective tax rate, whether GST paid/refunds claimed aligns with business results, reasons for misalignment
- Potential and actual GST risks arising from significant transactions or events
- Transactions which require approval of the board or its delegate.
MLC 1: Roles and responsibilities are clearly understood
Evidence that the roles and responsibilities relating to tax compliance, tax advice and tax risk management are documented, including:
- role descriptions for tax compliance, administration, and tax risk management
- segregation of duties – for example, dual sign off
- roles and responsibilities for reporting of tax matters and escalation of tax risks.
MLC 3: Significant transactions are identified
Documentation evidencing the policy for managing risk relating to significant transactions such as a policy specifying the criteria for identification and referral of significant tax risks, transactions, or events to the tax area, escalated to senior management or the board and require independent external tax advice.
MLC 7: Procedures to explain significant differences
Your documented process to reconcile your BAS reported figures to the general ledger and financial statements – for example, using the GST Analytical Tool (GAT).