Governance over third-party data
Supplementary guide for large superannuation funds, managed funds and insurance companies on third-party data tax controls
Contents
1. Executive Summary
1.1 Background
1.2 About this Guide
1.3 Benefits of a well-designed third-party data tax governance framework
1.4 Our governance ratings
2. Our approach to reviewing third-party data tax controls
3. Practical guidance to self-review the entity's third-party data tax controls
3.1 Roles and responsibilities of outsourced service providers are clearly understood (MLC 1, Design effectiveness, Stage 2)
3.2 Documented third-party data tax controls framework (MLC 6, Design effectiveness, Stage 2)
3.3 Significant transactions are identified (MLC 3, Design effectiveness, Stage 2)
3.4 The board is appropriately informed (BLC 3, Design effectiveness, Stage 2)
3.5 Periodic controls testing program (BLC 4, Design effectiveness, Stage 2)
4. Independent assurance of the control environment at the outsourced service provider
5. Data analytics and sample testing
Appendix 1: Tax controls for complex foreign investments
1. Executive Summary
Entities that operate within the investment industry make a significant contribution to the tax system. It is important that confidence is obtained over these entities' compliance with their tax and reporting obligations. In this guide, we refer to entities which include large superannuation funds, managed funds and insurance companies.
Such entities rely on third-party data from outsourced service providers as commercial viability in the institutional investment environment generally requires the outsourcing of non-core record keeping activities. Outsourced service providers include custodians and administrators that collate and present third-party data in tax reports from sources such as investment managers, actuaries and employers.
The high volume of transactional data means that tax risk management and mitigation on a transaction-by-transaction basis is difficult and onerous. By outsourcing to outsourced service providers, entities may leverage the expertise, control environment, scale and network benefits of such providers to reduce their tax risk and increase compliance in a cost-effective manner.
Further, these outsourced service providers themselves rely on data, systems, calculation engines and/or software of additional service providers.
Therefore, effective tax risk management, mitigation and assurance may be obtained through the establishment and testing of controls and processes over the third-party information that feeds into the entity's reporting obligations.
Lodgment responsibilities and duties are statutory requirements as set out in the Income Tax Assessment Act 1936 (ITAA 1936), the Income Tax Assessment Act 1997 (ITAA 1997) and the Taxation Administration Act 1953. Lodging entities carry the legal responsibility for ensuring that false and/or misleading statements (for example, in tax returns and the Annual Investment Income Report (AIIR)) are not made to the ATO. Therefore, the use of outsourced service providers does not extinguish the legal responsibility of the lodging entity.
We expect the outsourced service providers to have contractual obligations to correctly capture and present the tax reporting accurately. However, entities relying on outsourced service providers should take steps to obtain a high level of confidence over the accuracy of the information provided.
The quality and integrity of outsourced service providers and third-party data is essential for accurate reporting.
Entities that rely on third-party data from outsourced service providers should document how they assess the integrity of the underlying data that feeds into their reporting obligations. The aim of third-party data tax controls is to provide a framework so that an entity does not need to examine every single transaction but will have comfort that there are controls in place to manage and mitigate tax risk, error and/or misstatement. This means having controls designed to mitigate the risk of inaccuracies in third-party data and to test that these controls are operating effectively.
Entities would be expected to have an understanding of the following:
- knowledge of the different sources of tax data
- where calculation engines are used to calculate amounts required for the tax reporting, knowledge of how the calculations are performed, and
- how this tax data is used to complete the relevant lodgments to the ATO.
For many entities, in relation to investment income and gains, this starts with their custodian and obtaining confidence that the data received from a custodian is accurate. This also extends to the direct receipt of investment information from both domestic and foreign sources.
The trustees or boards (or the relevant sub-committee) of these entities have a responsibility to develop systems and processes in accordance with their tax risk management framework to manage and mitigate the risk of inaccuracies over third-party data that feed into their income tax reporting obligations.
This guide explains how the Justified Trust methodology is applied by the ATO to review the existence, design effectiveness and operational effectiveness of third-party data income tax controls as part of an effective tax control framework.
In July 2015, the ATO published the Tax Risk Management and Governance Review Guide (ATO Guide).
In applying the Justified Trust methodology, the following controls are considered:
- Formalised Tax Control Framework (Board-level Control BLC 1)
- The board is appropriately informed (BLC 3)
- Periodic internal control testing (BLC 4)
- Roles and responsibilities are clearly understood (Managerial-level Control MLC 1)
- Significant transactions are identified (MLC 3)
- Controls in place for data (MLC 4 - GST only)
- Documented control frameworks (MLC 6)
- Procedures to explain significant differences (MLC 7).
The above controls focus on different types of potential tax risks that we consider need to be managed to have an effective tax governance framework. The controls also focus on the entity's internal systems and processes. They do not extend to, and accordingly do not provide appropriate guidance on, circumstances where entities obtain and rely upon third-party data to meet their lodgment and other obligations.
This Guide on third-party data tax controls supplements the ATO Guide, and the two should be reviewed together.
To the extent that it impacts on income tax reporting and distribution statement obligations, some sources of third-party data are:
- custodians
- administrators
- unit registries
- managed investment schemes
- investor directed portfolio service providers
- external tax advisers
- actuaries
- investment managers
- valuers for unlisted assets.
Scope of this Guide
The entities to which this guide applies include:
- trustees of superannuation funds (other than small funds)[1]
- trustees of managed investment trusts (MITs) and attribution managed investment trusts (AMITs) and trustees of unit trusts involved in the managed funds and/or investment industry
- boards of insurance companies.
These entities rely on data from third parties for the preparation and finalisation of their income tax reporting obligations and Attribution Managed Investment Trust Member Annual (AMMA) Statement for AMITs, standard distribution statement (SDS) for MITs and distribution statements for unit trusts.
Where an entity (such as a superannuation fund) invests through a wholly owned special purpose vehicle such as an AMIT, a MIT or a unit trust, the tax controls over third-party data may be part of the superannuation fund's tax governance framework or the AMIT, MIT or unit trust's tax governance framework.
The expectations for tax controls over third-party data in this guide apply to third-party data received by the entity for the following reporting obligations:
- the entity's income tax return and associated schedules
- the AMMA statement, SDS and distribution statement.
These entities, as investors in a MIT, AMIT or unit trust, are able to rely on the SDS, AMMA statement or distribution statement to an extent. However, as sophisticated investors, we consider there need to be some controls in place to sense-check the amounts. The following are examples where the investor should consider if there is an issue with the statement (not exhaustive):
- if there is a significant difference in amounts as compared to previous years
- franking credits significantly exceed gross up amounts
- the final amounts do not seem to align with the interim distribution position.
These entities typically have significant investment and asset holdings and enter into service agreements with the outsourced service provider to manage these holdings. The service agreement governs the relationship between the two parties. These entities rely on several reports produced by the outsourced service providers in respect of their investment and asset holdings to prepare their lodgments (for example, income tax or fund tax returns).
We are also aware that entities typically rely on data from several third-party sources in preparing their lodgments and that this brings its own challenges in consolidating data for final use.
Examples of these reports include:
- custodian tax and supplementary reports (monthly and annual)
- administrator reports
- actuarial certificates.
We also recognise that some entities within the investment industry perform many investment and reporting functions 'in-house'. Although not a traditional outsourced service provider relationship, our expectations for third-party data tax controls apply equally to entities that have these in-house functions.
What is not in scope?
The following are not in scope for the purpose of this Guide:
- superannuation fund obligations to report member account information to the ATO
- PAYG withholding obligations on member superannuation benefits
- GST controls, risks and tax implications which are considered in the GST Governance, Data Testing and Transaction Testing Guide.
While some of the principles in this Guide may be relevant to member reporting, PAYG withholding and GST reporting obligations, they are not covered in this Guide.
Finally, this Guide does not apply to other reporting requirements these entities may have to other regulatory authorities, such as financial reporting and reporting to the Australian Prudential Regulation Authority (APRA).
1.3 Benefits of a well-designed third-party data tax governance framework
Tax risk is the risk that entities may be paying or accounting for an incorrect amount of tax, or that the tax positions that an entity adopts are out of step with the tax risk appetite that the trustee board has authorised or believe is prudent. As tax will ultimately impact members' balances and/or what beneficiaries report in their income tax returns, entities have an obligation to ensure that they manage tax risk through a strong tax governance framework to ensure accurate reporting of information.
Throughout this Guide, a reference to the board also includes a reference to the relevant authorised board level sub-committee, for example, an audit, a risk and compliance and/or an investment committee.
The benefits of documenting and having a well-designed framework that is operating effectively for third-party data tax controls include the following:
- Members or unitholders and the ATO will have trust in the board that it has processes in place to manage tax risks associated with third-party data and tax reporting and ensure member or unitholder outcomes are reported correctly. Trustee boards have statutory and general law obligations to perform their duties and exercise their powers in members' or unitholders' best interests.
- It provides insights into the strength of the third-party data tax governance framework and through ongoing testing may help:
  - to identify potential systems or process gaps to prevent tax control breakdowns in advance
  - to reduce the incidence of misreporting. Where errors are made there is a process in place to ensure they are identified and addressed in a timely and efficient manner. Misreporting results in an administrative burden to correct reporting of member balances (which in turn impacts member reporting to the ATO) and amending income tax returns and distribution statements (which in turn may impact reporting by beneficiaries). A strong tax governance framework reduces reputational risk to the entities from misreporting to members and beneficiaries in addition to reduced compliance costs.
  - with more accurate reporting as it allows entities to quantify returns with greater accuracy, allowing investment decisions to be made optimally and in the best interests of its members or unitholders.
- It assists management with:
  - clarifying accountabilities for managing tax risks to the board (or relevant committee) or senior management - who is responsible for what and why
  - helping the board (or relevant committee) or senior management to manage tax reputational risk
  - appropriately balancing the level of engagement required with its external tax advisers against the role and capabilities of its in-house tax team.
- It provides evidence to support a higher assurance rating in the entity's Tax Assurance Report or Combined Tax Assurance Report. This may in turn:
  - help to reduce the risk of unexpected reviews or audits
  - provide a point of reference for statements the entity makes in its tax transparency reports
  - assist us in reducing the intensity of our enquiries because we can have confidence in the entity's tax disclosures.
1.4 Our governance ratings
Once we've established a tax control framework exists, we then look for objective evidence that the framework is designed effectively and is 'lived', that is, operating effectively. In this regard, we use the following staged rating system:
- Red flag: The entity has not provided sufficient evidence to demonstrate a tax control framework exists or we have significant concerns with its tax risk management and governance.
- Stage 1: The entity has provided evidence to demonstrate that a tax control framework exists.
- Stage 2: The entity has provided evidence to demonstrate that a tax control framework exists and has been designed effectively.
- Stage 3: The entity has provided evidence to demonstrate that a tax control framework exists, has been designed effectively and is operating effectively in practice.
To reach Stage 3, the entity must be able to demonstrate that its tax control framework has not only been designed effectively but is also operating as intended. This stage can be evidenced by a periodic tax controls testing program as well as reports describing the outcomes of that testing. When considering eligibility for a Stage 3 rating, we look for evidence of an independent review that tests tax controls, for example by internal or external auditors that provide an independent level of assurance to the audit (and/or risk) committee and the board. Typically, internal or external audit reviews occur every 2-3 years.
The third-party data tax control framework is made up of the controls described in Sections 3.1 to 3.4, Section 4 and Appendix 1 of this Guide. The testing program will include these third-party data tax controls that meet the criteria for design effectiveness. For operating effectiveness, the periodic testing program will be performed by an independent reviewer. The ATO Guide has further information on Stage 3 and what is required for operational effectiveness.
We may assign a 'red flag' where the entity cannot provide evidence to demonstrate a tax control framework exists or if we have significant concerns with the entity's tax risk management and governance. These concerns may include the entity's approach to tax compliance, for example, where there are significant errors that the entity's tax control framework is not detecting.
2. Our approach to reviewing third-party data tax controls
Our review of third-party data tax controls will adopt a similar approach to the ATO Guide, which sets out our expectations and better practice examples rather than prescriptive checklists.
In future assurance reviews of investment industry entities, it is our intention to include a review of tax controls relating to third-party data adopting this Guide and to apply the existing ratings guide to these controls.
In undertaking our Justified Trust assurance reviews for income tax, we will rate third-party data tax controls separately from the seven controls in the ATO Guide that we focus on for income tax governance ratings. However, the ratings for third-party data tax controls will contribute towards the overall income tax governance rating.
The controls for third-party data are integral to the preparation of the entity's income tax reporting obligations and the information contained in these returns. These controls are important in assessing the entity's overall approach to income tax governance. An overall income tax governance rating, which will consider an assessment of the controls for third-party data, will be provided as part of an assurance review.
We acknowledge that tax risk management and governance over third-party data is a journey for investment industry entities. The establishment of a documented third-party data tax control framework, the implementation of controls, processes and procedures that are both designed effectively and, through independent testing, operating effectively and lived, is a staged process.
Not all entities will be at the same stage at the same time, and our engagements through the assurance programs will assess each entity based on the stage it can achieve at the time of the review and be based on objective evidence provided as part of the review. As part of the review, we will outline areas of focus that will assist an entity in progressing through the incremental stages of third-party data governance at a pace suited to its own facts and circumstances.
Principles-based approach
There are four principles that an entity needs to address to manage and mitigate the risk of inaccuracies in the third-party data that feed into the income tax reporting or distribution statements.
A principles-based approach recognises the differences in business structures, size and investment behaviours of entities within the investment industry.
Entities will apply the principles and determine appropriate controls to their own circumstances so that the approach is fit for purpose to provide them comfort on the data they are relying on.
An entity may employ compensating or alternate controls depending on its circumstances.
Each of the above principles is aligned to one of the Justified Trust controls.
The following table summarises the Justified Trust controls we consider when assessing an entity's tax governance framework against the ATO Guide and this Guide in our reviews:
Principle | Tax Risk Management and Governance Review Guide | ATO Supplementary Guide Governance over third-party data (this Guide) |
1. Roles and responsibilities | Formalised Tax Control Framework (Board-level Control BLC 1); The board is appropriately informed (BLC 3); Roles and responsibilities are clearly understood (Managerial-level Control MLC 1) | The board is appropriately informed (BLC 3); Roles and responsibilities are clearly understood (MLC 1) |
2. Tax policy in accordance with the law | Documented control frameworks (MLC 6) | Documented control frameworks (MLC 6) |
3. Returns and tax outcomes properly reflected in tax reporting | Significant transactions are identified (MLC 3); Controls in place for data (MLC 4 - GST only); Documented control frameworks (MLC 6); Procedures to explain significant differences (MLC 7) | Significant transactions are identified (MLC 3); Documented control frameworks (MLC 6) |
4. Independent assurance | Periodic internal control testing (BLC 4) | Periodic internal control testing (BLC 4) |
Better practice framework
A better practice framework is fit for purpose, adopts a risk-based assessment, and manages the specific tax risks that apply to an entity depending on its investment structure and profile.
This Guide is not intended to become form over substance, nor should users attempt to comply with every element. Tax risk controls should be fit for purpose and we encourage entities to adopt the better practice examples throughout this Guide that are applicable to their circumstances. The better practice examples that are relevant to an entity's circumstances will depend on its investment structure and profile.
This Guide provides the opportunity to contrast an entity's third-party data tax governance framework against our better practice examples. During a third-party data tax governance review, entities are encouraged to describe their compensating controls, to demonstrate how the entity manages tax risks if the framework does not align exactly with better practice examples, and to document why they might not be applicable to their circumstances. An 'if not, why not' approach is suggested.
We suggest an initial gap analysis be performed and then entities should look to leverage existing processes or identify compensating controls where relevant better practice examples are either not present or only partially present.
What is required for Stage 2 (design effectiveness)?
There is no legislative or administrative compulsion to adopt the better practices detailed in this Guide and a fit for purpose approach is acceptable.
Where applicable, the better practice examples outlined in this Guide provide examples of documented evidence of third-party data tax controls that we expect to see to provide a Stage 2 rating (designed effectively). We recognise that the better practice examples provided below may not exactly align with the actual controls in place for all entities, for example, those with a simple investment profile (for example, a passively managed Australian equities index fund). As with all internal controls, tax risk controls should be fit for purpose. We encourage entities to adopt the elements of our recommended better practices that are applicable to their circumstances.
In addition, there may be an appropriate compensating control (that is, an alternative control that still satisfies the ATO principles) for the better practice examples provided.
What is required for Stage 3 (operational effectiveness)?
Once we've established that a third-party data tax control framework exists, we then look for objective evidence that the framework is designed effectively and is 'lived', operating effectively. To reach a Stage 3 rating, entities must be able to demonstrate that their tax control framework has not only been designed effectively but is also operating as intended. See Section 1.4 of this Guide and the ATO Guide for further information on Stage 3 and what is required for operational effectiveness.
This Guide does not provide detailed information on what is required for Stage 3 (operational effectiveness) as this is covered in the ATO Guide. The requirements (for example, independently tested and subject to auditing standards) and methods for testing for operational effectiveness (Stage 3) as outlined in the ATO Guide will also apply to testing third-party data tax controls.
Who should implement the tax controls?
This Guide outlines the better practice examples of third-party data tax controls but it does not prescribe how third-party data tax controls are implemented. That is, the entity may choose to implement third-party data tax controls itself (for example, through its in-house tax function), engage an external tax adviser or request the outsourced service provider to implement these tax controls which are included in the service level agreement with the entity. This is likely to be influenced by the size and investment behaviours of the entity, as well as how the relevant tax reporting of the entity is prepared and reviewed (for example, by the administrator, the in-house tax or finance team or the external tax agent).
Going forward
We recognise that tax governance is a journey and entities will be at various stages of this journey.
Our focus in rating an entity's third-party data tax controls will be on whether the entity is on the journey of improvement. That is, it has demonstrated that it has taken steps in establishing processes to manage and mitigate the risk of inaccuracies in third-party data that feed into the entity's income tax reporting obligations or distribution statements to unitholders.
The community recognises the importance of good governance especially within the investment industry. An entity with a robust tax risk management framework including over third-party data can demonstrate to members, investors and the community at large that it has a high degree of transparency and accountability.
These entities may choose to outline their approach to tax risk management through the adoption of the Voluntary Tax Transparency Code.
3. Practical guidance to self-review the entity's third-party data tax controls
Evidence
Our approach to reviewing governance as part of our Justified Trust methodology is evidence based. We look at the policies, procedures, testing and reports the entity has provided to demonstrate the existence, design and operation of the entity's tax control framework in place for managing tax risk.
This Guide clearly articulates our expectations in terms of the design effectiveness of the five fundamental controls relevant for the third-party data tax controls framework, which are:
- Roles and responsibilities are clearly understood (MLC 1)
- Documented control frameworks (MLC 6)
- Significant transactions are identified (MLC 3)
- The board is appropriately informed (BLC 3)
- Periodic internal control testing (BLC 4)
Note: the types of objective evidence listed below as better practice examples are included as illustrative examples only. We recognise the exact documents will differ between entities.
The better practice examples outlined in this section provide examples of third-party data tax controls that we expect to see, and for which the entity should have documented evidence, to obtain a Stage 2 rating for design effectiveness. However, this Guide adopts a principles-based approach where controls may be designed to suit an entity's circumstances to meet the four principles for third-party data tax controls.
It is recognised that these better practice examples may not exactly align with the actual controls in place for all entities, for example, those with a simple investment profile. Entities should adopt the elements of our recommended better practices that are applicable to their circumstances or investment profile. The entity should identify compensating controls where relevant better practice examples are either not present or only partially present.
Summary of the Guide
Where an entity chooses complex or significant investments or transactions (or transactions that are not straight-through processing), we expect the entity to have in place additional third-party data tax controls due to the increased tax risk.
We also have expectations for entities that rely on outsourced service providers such as custodians and administrators to capture, collate and present tax data that feeds into their tax and reporting obligations. For straight-through processing transactions (that is, vanilla debt and listed equity security transactions processed by a custodian), we consider that a high quality, appropriately scoped and tested independent assurance report such as an ASAE 3402/GS 007 report[2] may provide assurance over the control environment of the outsourced service provider, if the user entity adopts the better practice examples. By understanding and providing evidence of the independent assurance report and the testing of the control environment at the outsourced service provider, this may enable the user entity to have confidence that a robust control environment exists at the outsourced service provider. This will in turn provide confidence in the data integrity of the outsourced service provider's tax reporting to the user entity.
3.1 Roles and responsibilities of outsourced service providers are clearly understood (MLC 1, Design effectiveness, Stage 2)
3.1.1 Intent
Principle 1: The entity needs to understand the roles and responsibilities of outsourced service providers
To satisfy Principle 1 - roles and responsibilities of outsourced service providers are clearly understood - we expect clear accountability to reduce the risks associated with outsourcing. The roles and responsibilities of the entity and the outsourced service providers should be clearly defined and documented within the entity's tax control framework.
3.1.2 Core elements
Management of the entity needs to understand the relationship, the tax role and tax controls of the outsourced service providers (custodian and administrator) to manage and mitigate the risk of inaccuracies in third-party data. This should be documented in the entity's tax control framework policy.
3.1.3 What we look for
Better practice can be demonstrated by formal documents, policies or procedures for all outsourced service provider roles and responsibilities relating to tax compliance and risk management.
Better practice examples:
The entity can demonstrate better practice by:
Example 1 - Attribution managed investment trust (AMIT) and custodian (for illustrative purposes only)
XYZ is an AMIT and holds investments in Australian equities. It has a custodian, ABC, that holds title to all assets held by the AMIT and provides tax reporting services to XYZ for its tax return and AMMA statements to unitholders. XYZ has entered into an SLA with ABC that outlines the services that are offered and service level expectations such as the deliverable dates for tax reporting services.
XYZ has a tax risk management framework (TRMF) policy that includes a section on outsourcing arrangements. In addition, the roles and responsibilities matrix clearly outlines the responsibilities of outsourced service providers including compliance with the SLA. The TRMF also outlines the tax controls that XYZ has in place to review and verify the tax reports it receives from ABC (for example, the realised and unrealised capital gains tax reports). The review and verification process is outsourced to XYZ's external tax adviser with expectations outlined in the letter of engagement.
On an annual basis, XYZ will review the SLA to ensure that ABC has met the benchmarks for providing services as agreed in the SLA. An annual meeting is held with ABC to update XYZ on any systems changes and process improvements that have been made and for XYZ to raise any issues of concern. Any major process improvements that impact the tax reporting are reported immediately. There is also regular communication between ABC and XYZ. Any issues that ABC becomes aware of that may impact tax reporting are communicated to XYZ on a timely basis.
In assessing the third-party data tax controls against the Supplementary ATO Guide for Governance over third-party data, the ATO will accept the following documented evidence to assess whether MLC1 is designed effectively (Stage 2):
3.2 Documented third-party data tax controls framework (MLC 6, Design effectiveness, Stage 2)
3.2.1 Intent
Principle 2: The entity needs to be satisfied that the tax policies of the outsourced service providers are prepared in accordance with the tax law and reflected in the tax reporting relied upon by the entity
Principle 3: The entity needs to be satisfied that the returns and tax outcomes of investments are properly reflected in reporting obligations
A documented third-party data tax controls framework will ensure that Principles 2 and 3 are satisfied. Both these principles will be met where there are processes in place to ensure the third-party data in the entity's tax reporting reflects the correct tax treatment in line with the custodian's or administrator's tax policies.
This control provides the entity with the comfort that the risk of inaccuracies in third-party data that flows through to the reports used to complete the income tax return or distribution statements is managed and mitigated.
This procedure should not result in a review of every transaction, which is impossible due to the high volume of transactions, but rather in a documented process and the application of well-designed controls to manage and mitigate the risk of inaccuracies in the flow of information from the custodian or administrator's records into the reports provided to the entity.
3.2.2 Core elements
There is a documented internal tax control framework that specifically ensures the entity's compliance with tax law. This includes the complete and accurate flow of third-party information from the outsourced service provider to the tax return and distribution statements.
3.2.3 What we look for
The entity has a limited ability to oversee the activities at the outsourced service provider on a transaction-by-transaction basis.
To obtain comfort over the integrity of the third-party data provided in tax reporting from outsourced service providers, the entity requires assurance over the following:
1. Tax policies are prepared in accordance with the tax law and reflected in the custodian or administrator's reporting.
2. Returns and tax outcomes of investments are properly reflected in the tax reporting obligations.
1. Custodian's or administrator's tax policies prepared in accordance with tax law and reflected in the custodian's or administrator's reporting
To ensure accurate flow of information from the outsourced service provider's records into the tax reporting provided, the entity needs to be satisfied that the tax policies of the outsourced service provider are prepared in accordance with the tax law. In addition, the outsourced service provider's tax policy is reflected in the tax outcomes in the tax reports.
It is recognised there may be system limitations and the tax policy will outline where default positions may apply due to these limitations.
Further, it is recognised that proxies may be used by a custodian as a way of applying the tax law. The use of proxies should be outlined in the tax policy.
Better practice examples for custodian's tax policy and reporting
Better practice examples of documented controls to ensure the custodian's tax policy is prepared in accordance with tax law include the following:
Compensating controls could include the entity being provided with evidence (such as through the ASAE 3402 / GS 007 report) that the service provider's tax policy has been reviewed by an external tax adviser on an annual basis and there is confirmation by management that the tax policy is in accordance with Australian tax laws subject to the user entity not providing an override to any default positions in the policy. The third-party data tax controls should be documented in the entity's tax control framework policy.
Better practice examples for administrator's tax policy and reporting
2. Returns and tax outcomes of investments are properly reflected in the tax reporting obligations
The entity needs to be satisfied that the returns and tax outcomes of investments are properly reflected in the reporting obligations. We expect entities to understand the tax consequences of the underlying investment and not just rely on the custodian tax reports.
The custodian tax reports will flow into the income tax reporting and distribution statements. Therefore, the integrity of the third-party data that is received and processed by the custodian and included in the custodian tax reports is critical to managing and mitigating the risk of inaccuracies in the income tax return and distribution statements to unitholders.
An entity will obtain confidence in the custodian's tax reports for straight-through processing transactions where it is satisfied with the design and operating effectiveness of the internal tax control environment at the custodian. This requires the entity to have a good understanding of the scope of the tax controls covered in the testing plan and the testing methods undertaken by an independent party to provide assurance that the controls are operating effectively. This is covered in further detail at Section 4 of this Guide.
Better practice examples of documented controls
Tax controls for complex foreign investments
The proper characterisation and quantification of tax outcomes on foreign investments is one of the key challenges for entities in obtaining assurance over third-party data received. This can be influenced by several factors, including:
- complexity of international structures and uncertainty over their characterisation for Australian tax purposes
- difficulty in accessing information from foreign sources, due to holding a minority interest or differences in accounting periods
- inherent differences between Australian and international tax laws.
We expect that entities that invest offshore should have tax controls for classifying the investment vehicles and establishing the tax treatment for entry, holding and exit of the different structures for foreign investments. This will provide them with a high level of confidence that the tax outcomes reported are consistent with the underlying economic substance of the transactions of their foreign investments. Where an external custodian provides tax reporting on these foreign investments, the entity needs to understand the tax controls that the custodian has in place to review the information provided by the offshore investment manager.
In addition to the tax controls outlined in Section 3.3 of this Guide, better practice examples of documented tax controls for outbound Australian investors are outlined as follows.
Better practice examples for offshore investments
Corporate limited partnerships (CLPs), foreign hybrid limited partnerships, controlled foreign companies and foreign trusts that are significant or complex investments or transactions (see Section 3.3.3 of this Guide)
Example 2 - Ongoing monitoring of CFC status by an AMIT that holds an interest in a foreign limited partnership
(for illustrative purposes only) An AMIT holds a 30% interest in a foreign limited partnership which is characterised as a CLP for Australian tax purposes in prior income years. During the year, one of the other non-resident partners redeemed its interest in the foreign limited partnership. As the AMIT holds at least 10% in the foreign limited partnership, it has in place processes for the ongoing monitoring of CFC status of the CLP for the purpose of the assumed controller test (if a single Australian entity owns or is entitled to acquire, an associate inclusive control interest of at least 40%). The monitoring of the CFC status is required each income year as this will establish whether the foreign limited partnership should be characterised as a foreign hybrid limited partnership (FHLP) or continue to be treated as a CLP. The AMIT has included a requirement in its Side Letter Agreement with the investment manager for reporting and confirmation of its interests in the foreign limited partnership. In addition, each year the AMIT sends a questionnaire to the investment manager to confirm that its interests in the foreign limited partnership have not exceeded the thresholds that would result in the investment being considered a CFC. As a result of the questionnaire the AMIT becomes aware that its interest has increased to 40% due to the redemption of a non-resident partner's interest in the foreign limited partnership. Accordingly, the foreign limited partnership will be characterised as a FHLP in relation to the income year. In assessing the third-party data tax controls against the Supplementary ATO Guide for Governance over third-party data, the ATO will accept the following documented evidence to assess whether MLC6 is designed effectively:
Better practice examples for foreign income tax offsets (FITO)
3.3 Significant transactions are identified (MLC 3, Design effectiveness, Stage 2)
3.3.1 Intent
Principle 3: The entity needs to be satisfied that the returns and tax outcomes of investments are properly reflected in reporting obligations
In the context of third-party data tax controls, the focus of this managerial-level control (MLC3) is on the entity identifying investments or transactions where there is uncertainty that the returns and tax outcomes are properly reflected in the tax reporting obligations. Entities rely on tax information provided directly from investment managers or to the custodian and included in the custodian's tax reports.
From a custodian perspective, investments or transactions that are not subject to straight-through processing are likely to require manual processing, review and controls that may justify additional controls in the entity's third-party data tax control framework to mitigate any uncertainty in the returns and tax outcomes reported in the custodian tax reports.[4] For example, there may be limitations in the systems that result in uncertainty that the returns and tax outcomes are properly reflected in the custodian tax reports (for example, 45-day reporting where shares are not held at risk or process limitations for foreign limited partnerships). The concept of straight-through processing is covered further in Section 4 of this Guide.
Where this applies, we expect the entity to have additional tax controls in place for these transactions not subject to straight-through processing by a custodian due to the complexity in applying the tax law to determine the correct tax outcome.
There are four stages where we expect to see controls for these complex or significant investments or transactions:
- on-boarding of the entity - to ensure the entity level tax settings are established correctly
- on-boarding of the investment
- ongoing monitoring
- dissolution of the investment.
Entities should be mindful of the need for adequate controls required when entering into investments or transactions not subject to straight-through processing. An example of such investments includes investments in foreign limited partnerships. We consider that entities should factor these additional tax controls into their decision-making process when choosing investments not subject to straight-through processing.
See Section 3.3.3 of this Guide for factors that indicate when we would consider an investment or transaction to be 'complex' or 'significant'. Entities have a responsibility to ensure that the correct tax outcome for these investments is reported in their income tax return or distribution statements.
3.3.2 Core elements
Transactions or arrangements with a significant tax impact are systematically identified, categorised and reported on.
Tax due diligence processes and checklists will form the basis of the evidence of controls for new investments pre-transaction.
Post-transaction controls to manage the tax outcomes of existing investments or transactions include evidence of questionnaires, data analytics and sample testing of custodian data on investments and a register of significant and complex investments or transactions.
3.3.3 What we look for
To ensure tax outcomes are properly reflected in the reporting obligations, the entity needs to have documented evidence to demonstrate it has a robust system in place to appropriately identify and manage tax risks of new and existing significant or complex investments or transactions. This includes internal controls for on boarding of new investments (including through a successor fund transfer) and post-transaction controls to manage the tax outcomes of existing investments. These controls will provide comfort to the entity that the tax outcomes of new and existing investments are properly reflected in its reporting obligations.
Factors that indicate an investment or transaction is 'significant' or 'complex'
Tax controls should differ based on the complexity of each investment or transaction. Entities should ensure that their tax risk management framework clearly defines the criteria as to how the complexity of each investment will be assessed, as well as the processes and procedures for investments of varying complexity. In addition, it will outline the criteria for identifying what is a significant transaction. In line with the ATO Guide, an entity's tax risk management framework will outline its enterprise-wide risk thresholds or specific tax thresholds for significant transactions.
Some of the factors that may indicate an investment or transaction is likely to be significant or complex include:
- the size of the investment
- investments or transactions where there are limitations in the custodian's tax reporting (for example, limitations in some custodian software systems for off-market share buybacks or TOFA elections) or where the entity overrides the default positions in the custodian's tax policy
- investments where external advice is required in line with the entity's tax risk management framework (for example, application of the law or facts in areas that are uncertain or lack precedent)
- investments involving complex tax structures, including where there are a number of steps to a transaction making it more complex, whether or not it results in a preferential tax outcome
- new investment requiring a new special purpose vehicle (SPV) to be established
- non-portfolio investments (entity acquires or disposes of a greater than 10% stake in an investment entity)
- other unlisted investments (not captured above) in foreign entities that are treated as fiscally transparent under foreign tax laws
- infrastructure acquisitions and disposals
- investment transactions that adopt various legal structures across a number of jurisdictions
- investments into or dealings with new or low tax jurisdictions or asset classes which the entity is unfamiliar with
- new or significant corporate actions (for example, demergers and share buy-backs) with a large and material after-tax outcome
- successor fund transfers
- changes to third-party service providers that involve a migration of data.
Better practice examples for onboarding of the complex or significant investment
Better practice examples post-transaction (ongoing monitoring of the complex or significant investments or transactions)
Better practice examples on dissolution of the complex or significant investments or transactions
Example 3 - Tax due diligence process and tax checklist for significant new investment
(for illustrative purposes only) In accordance with ABC's Tax Risk Management Framework, all new investments are subject to Head of Tax sign-off before they are finalised. As part of this process, the ABC in-house tax team provides a tax due diligence report which sets out the appropriate tax treatment of investments, including the manner in which investment vehicles should be characterised for tax purposes and the appropriate tax treatment of investment returns (if any). The investment is a new overseas private equity investment. A tax due diligence review is required as the new investment is considered a 'significant investment'. A tax due diligence checklist must be completed in accordance with ABC's tax risk management framework as part of the tax due diligence review of a new overseas private equity fund. The purpose of the checklist is to identify if there are any material tax risks and the nature and characteristics of any income/disposal from an Australian and foreign tax perspective. The in-house tax team applies the analysis of the report as part of its day-to-day operations. Where relevant, these procedures also involve verification procedures against the custodian's tax reporting. In assessing the third-party data tax controls against the Supplementary ATO Guide for Governance over third-party data, the ATO will accept the following documented evidence to assess whether MLC3 is designed effectively
Better practice examples for a migration of data due to a change in outsourced service provider
Better practice examples for a successor fund transfer
3.4 The board is appropriately informed (BLC3, Design effectiveness, Stage 2)
3.4.1 Intent
Principle 1: The entity needs to understand the roles and responsibilities of outsourced service providers
The board (or the relevant sub-committee) or the trustee has been briefed by management on tax risk matters and the effectiveness of its tax control framework in relation to third-party data.
The board or trustee plays a critical role and is ultimately responsible even where activities of the entity are outsourced. In line with Principle 1, it is important that the board understands its role and ensures there are processes in place so that it is appropriately informed of the risks of outsourcing including tax risks.
A reference to the board also includes a reference to the authorised board level sub-committee, for example, an audit committee.
3.4.2 Core elements
The core elements of BLC 3 include:
- who informs the board
- what matters the board is informed on
- how the board is informed, and
- when the board is informed.
3.4.3 What we look for
The entity should have in place a policy, procedure or manual that addresses the above core elements in line with the ATO Guide for BLC3.
In relation to the matters the board is informed on, we would expect tax risk matters and the effectiveness of the control framework in relation to third-party data to also be included.
Better practice examples:
Example 4 - The board is appropriately informed
(for illustrative purposes only) The AMIT's tax risk management framework policy includes a section on significant outsourced providers (custodians and administrators) which notes that management is required to monitor and report to the board on the performance of the service providers against its service agreements and contracts on an annual basis. The Outsourcing Framework outlines the responsibilities of the significant outsourced service providers. This process is provided to the outsourced service provider that has a responsibility to notify the AMIT where there has been a breach of the SLA or contract. At the quarterly meeting with the custodian, it is raised that there has been a breach of the SLA or contract as there has been an error in its tax reporting to the fund. Management is required to brief the board outlining how the breach was rectified and what controls have been put in place to ensure it does not happen again. In assessing the third-party data tax controls against the Supplementary ATO Guide Governance over third-party data, the ATO will accept the tax risk management framework policy document that evidences the process for monitoring and reporting to the board on the performance of significant outsourced service providers.
3.5 Periodic controls testing program (BLC4, Design effectiveness, Stage 2)
We recommend that the testing program include the entity's third-party data tax controls that meet the criteria for design effectiveness as part of BLC4. For operating effectiveness, we recommend the periodic testing program be performed by an independent reviewer.
A well-designed testing program which covers third-party data tax controls will help ensure that once the testing is complete, the test results will provide the entity's tax function with evidence that the third-party data tax controls are operating (as designed) in practice and are 'lived' (operationally effective).
These test results will help the entity to identify and address any deficiencies in the operation of the third-party data tax controls which may be the cause of the misapplication of the income tax law and potential reporting errors.
3.5.1 Intent
As part of its oversight role, the board (or audit committee) must obtain assurance that the internal control framework it has endorsed is operating effectively. The design of the testing program helps determine whether the review is robust enough to provide a reasonable level of assurance that the tax control framework, including third-party data tax controls, is operating effectively. The testing program must include testing of third-party data tax controls for operating effectiveness. The design effectiveness of BLC 4 is a pre-requisite for being eligible to reach the highest rating for governance across all controls (that is, Stage 3).
Independent assurance of the third-party data tax control framework
Periodic internal control testing is conducted to assure the board (or audit committee) that the internal third-party data tax control framework is robust enough to effectively manage income tax compliance risk.
The third-party data tax control framework is made up of the controls described in this section and in Section 4 of this Guide. The relevance of the controls to the entity will depend on the investment profile of the entity. Where relevant, these controls are what we expect to see for an entity to achieve a Stage 2 rating unless compensating controls apply. We expect these controls to be included in the scope of the internal tax controls testing plan for the entity (if the third-party data tax controls are owned by entity's tax function) and conducted by an independent party (for example, internal or external audit or an independent third party) in line with the auditing standards. Typically, internal or external audit reviews occur every two to three years.
3.5.2 Core elements
A periodic testing program that covers the following elements.
Scope of controls tested, and taxes covered
For the ATO to rely on testing, the test scope must include the testing of the following income tax controls:
- the board (or audit committee) is appropriately informed (BLC 3)
- roles and responsibilities of outsourced service providers are clearly understood (MLC 1)
- significant transactions are identified (MLC 3)
- documented third-party data tax control framework (MLC 6).
These third-party data tax controls are described in detail in this section and in Section 4 of this Guide.
The test scope should be set out in a plan put together by the independent reviewer which has been signed off describing:
- taxes to be reviewed
- tax controls to be reviewed
- control owners
- frequency.
In terms of frequency of testing, this should be periodic, that is, not once-off testing, but rather, ongoing testing, with the frequency determined by an appropriately skilled person, for example an internal or external auditor.
Who is conducting the testing - independent reviewer
For us to place reliance on the entity's testing program, it needs to be conducted by an independent tester. This means someone with a suitable degree of independence and skill. The most common scenario is the internal audit function conducting independent testing, as they have the skills and the requisite level of independence because they are not tax control owners.
Testing of certain third-party data tax controls by the tax function could qualify as independent testing if the tax function is not the owner of those controls.
Testing methodology
We acknowledge that the testing methodology and frequency of testing will vary depending on the type of controls. We require sufficiently detailed evidence of the testing methodology including any sampling methods applied, to assess the adequacy of the work performed and place reliance on the testing. We note these various testing methodologies in order of preference as follows:
1. re-performance
2. examination or inspection
3. observation.
3.5.3 What we look for
The tax controls adopted will depend on the investment profile of the entity. To meet the requirements for BLC 4 Periodic internal control testing, we expect:
- policies or procedures documenting the tax controls testing program (including third-party data tax controls), that is, operational effectiveness testing.
- an extract from the actual test plan for the next three years or past three years setting out the above information (see Section 3.5.2 of this Guide), plus
  - proposed or actual commencement date for testing within the next three years or past three years
  - controls tested align with the third-party data tax controls forming our areas of focus on a rotation basis
  - evidence that the test plan is finalised and approved
  - agreed dates and deliverables
  - reporting process for test results (that is, that the test results are tabled with the board or their delegated authority).
4. Independent assurance of the control environment at the outsourced service provider
Principle 4: The entity needs to seek assurance from independent parties in relation to the accuracy of the data received and processed by outsourced service providers.
The purpose of Principle 4 is to ensure that the entity understands the scope of the independent assurance reports on the control environment at the outsourced service provider and identifies if there are any gaps in these reports. The key outsourced service providers that receive and process data and provide reports to user entities that flow into their income tax reporting or distribution statements reporting include:
- custodians
- administrators.
As noted in Section 3.2 of this Guide, most of the custodian's business is straight-through processing (that is, vanilla transactions for equity and debt securities).[5] For straight-through processing, there is no manual intervention (other than client instructions for fund or asset set-up) and the user entity does not need to modify or adjust the data. This presents less risk around the integrity of the data. Likewise, with superannuation fund administrators, processing of assessable employer contributions could be considered straight-through processing and assessable personal contributions not straight-through processing.
For the straight-through processing at the custodian or administrator, it is generally expected that a high quality and appropriately tested independent assurance report (such as an ASAE 3402/GS 007) could provide an entity with assurance over the control environment at the custodian or administrator and confidence in the tax reporting it provides.[6] We expect the ASAE 3402/GS 007 report to include the taxation control objectives referred to in Guidance Statement GS 007. A report that does not include taxation control objectives in the scope of the report will not be designed effectively. To be satisfied there is data integrity in the underlying systems, an entity will need to understand these independent assurance reports and have documented evidence that it includes in scope the controls that impact on tax reporting, the nature, timing and extent of the testing process and the outcomes of the testing process undertaken by the independent assurer. This evidence will be required to achieve Stage 3 or operational effectiveness across the straight-through processed third-party data.
The investment profile of the user entity will impact the extent to which the investment transactions of the entity are subject to straight-through processing or not.
For third-party tax data that is not derived from straight-through processing, the entity will need to assess the level of automation used to generate that data, the outsourced service provider controls in place to ensure the completeness and accuracy of that data and the inclusion and effectiveness of those controls in the independent assurance reports. There may be limitations to the custodian's systems which should be clearly outlined in their tax policy. To the extent that there are any weaknesses in the controls at the outsourced service provider identified, we expect entities to have additional third-party data tax controls to manage and mitigate the risk of inaccuracies in the reporting obligations of the entity (income tax returns and distribution statements). These additional third-party data tax controls are covered in Sections 3.2 and 3.3 of this Guide and the process of independent periodic control testing to achieve operational effectiveness of these controls is outlined in Section 3.5 of this Guide.
Example 5 - independent assurance report on control environment at the custodian
(for illustrative purposes only) An AMIT invests 50% in a passively managed Australian equities index fund that tracks the ASX 200 index and 50% in CLPs. The AMIT would need to consider the independent assurance report on the control environment at the custodian (for example, ASAE 3402/GS 007 report) to obtain assurance over the 50% invested in the passively managed Australian equities index fund that tracks the ASX 200 index. The AMIT would require evidence as outlined in this section that the independent assurance report on the control environment at the custodian has been independently verified to be designed and operating effectively. However, additional tax controls as outlined in Sections 3.2, 3.3 and Appendix 1 of this Guide would be required for the 50% invested in CLPs due to the increased tax risk that the characterisation of the income may not reflect the underlying economic substance of the transactions. As the custodian's controls do not include CLP processes, it is expected that additional tax controls would need to be undertaken by the entity as described in Appendix 1. These additional tax controls would need to be designed effectively as outlined in Sections 3.2 and 3.3, and Appendix 1 and independently verified to be operating effectively by internal or external audit of the fund in line with the internal testing plan requirements (see Section 3.5 of this Guide).
Expectations of user entities in understanding independent assurance reports
Where the entity obtains an independent assurance report (for example, ASAE 3402/GS 007 report) that provides independent assurance of the control environment at the outsourced service provider for tax reporting services, the following applies:
- The entity must understand the scope of the controls for tax reporting services included in the testing plan, the testing methodology and review the findings of these reports. The testing methodology should be consistent with the ATO Guide. In particular
  - the testing plan should describe the method of testing, methodologies for sample population selection, sample size selection, frequency of testing, areas and personnel responsible for controls
  - provide the outcomes of testing undertaken including subsequent actions undertaken.
- The entity is required to report the findings and any exceptions to the board (or audit committee). Where any exceptions are identified a rectification strategy to address the deficiencies needs to be developed.
- Where the entity identifies gaps in the independent assurance report for controls for tax reporting services, these gaps should be raised with the outsourced service provider. Alternatively, the entity may implement its own controls to provide comfort over these gaps.
- The entity should review the custodian's or administrator's tax policy on an annual basis to ensure it is appropriate and aligns with the tax law. Where there are default positions built into custodian's or administrator's tax policy or reporting the entity needs to assess these default positions to ensure they are appropriate to their circumstances and the right tax outcome is achieved. See the better practice examples in Section 3.2.3 of this Guide.
Control environment at the custodian for tax reporting
The third-party data tax control framework at the custodian includes a set of controls applicable to the tax attributes of the user entity and its investment profile. For efficiency and integrity purposes, custodians will process transactions in their investment accounting systems once for multiple purposes, including portfolio valuations, financial reporting and tax reporting. Many of the standard processes and controls implemented by the custodian to ensure completeness and accuracy of valuations and financial reports also provide assurance over the integrity of tax reports.
We expect the internal control environment of the custodian that is subject to independent assurance reviews to include the following:
- Controls for the exchange of data - controls should be in place across the data transport process to ensure that in any exchange of data between participants, the signed-off data being sent is identical to the data being received by the various participants.
- Controls over input investment data - the custodian implements effective controls over the underlying investment source data used in tax reports provided to the tax reporting entity to ensure accuracy and completeness in processing such data. Documented controls include:
  - simple data validation rules - exception checks and review processes over reasonableness of source data (for example, percentages of foreign withholding tax payments or franking credits relative to source income is within tolerance limits)
  - processes in place to ensure that any changes to tax reporting systems are subject to change management controls and are reflected in updates to the custodian's tax policy
  - processes in place to ensure that client instructions (including for overrides or exceptions) are processed consistently and correctly on an ongoing basis. A key control over the client instructions processes for fund set-up, asset set-up and any annual updates is the maker and checker controls (or four eyes controls) and client sign-off[7]
  - processes to ensure the correct tax attributes are applied on fund set-up or asset on-boarding, asset purchase, asset sale, income entitlements and corporate actions
  - regular monitoring of tax regulatory changes to assess if system or tax policy changes are required
  - change management processes or controls over any changes to systems or tax policy to ensure correct tax attributes of any relevant change. Where system changes are required, there should be processes to build and test (including user acceptance testing sign-off) before live client data is uploaded to the system. The IT controls in the independent assurance reports are critical to these processes
  - controls in place to mitigate risks associated with any other manual interventions that are part of the entire investment lifecycle and reporting
  - controls in place around issue identification, escalation and remediation. There needs to be prompt communication to user entities when issues are identified together with actions taken to rectify the issues and prevent recurrence.
Better practice examples of documented controls at the user entity
To obtain confidence in the control environment at the outsourced service provider, we recommend the user entity implement the following documented third-party data tax controls:
Evidence of these third-party data tax controls should be documented in the entity's tax risk management framework policy documents or included as part of the contract or service level agreement with the outsourced service provider.
5. Data analytics and sample testing
The way in which third-party data is captured, collated and reported in the entity's income tax return or distribution statements to unitholders is fundamental to the correct reporting of the entity's reporting obligations. The calculation engines applied to the data and aggregation of the data will also impact on correct reporting.
We consider this to be a significant focus area for an income tax assurance review because systemic errors in reported transactions from third-party data can often lead to significant income tax revenue effects over time. For example, an undetected error could extrapolate to significant income tax shortfalls when replicated throughout large volumes of transactions.
In assessing the correct reporting of third-party data that feeds into the entity's income tax reporting obligations, we expect the entity (or an external tax adviser on behalf of the entity) should undertake assurance and verification procedures that align with its business and are tailored to its operating environment. Data analytics and sample testing are considered critical to this process.
Better practice examples for data analytics
This involves running pre-determined tests against a defined data set to identify reporting errors and exceptions for further investigation and/or correction. Simple data validation testing could be applied across the entire data set to ensure:
Data analytics which could be applied across the entire population of relevant transactions within the custodian tax reports include:
The data analytics could be applied to the custodian's quarterly tax reports or the year-end tax reports. The data analytics review should detail the description, outcome, and further actions where exceptions (or outliers) are identified. These data analytics assurance and verification tests could be applied by the custodian or administrator, conducted by the in-house tax team or outsourced to an independent third party.
Better practice examples for sample testing
This involves a review of a particular transaction from the source to the custodian tax reporting to ensure the tax treatment applied is correct. Where data analytics testing has identified exceptions, these transactions could be investigated further using sample testing. In addition, a sample approach could be applied to review various unlisted Australian unit trusts to ensure the tax components are accurately recorded in the custodian's tax reporting. Where an investment or transaction is significant or complex, an entity should undertake sample testing using a risk-based assessment to manage and mitigate the risk of inaccuracies in the custodian tax reports. Examples of investments or transactions where sample testing is appropriate include:
Data analytics and sample testing may be conducted in-house, by the custodian or outsourced to an independent third party, or a combination of all three approaches.
Where third-party data tax controls are undertaken by the outsourced service provider (on behalf of their client or user entity) we would expect the service level agreement to clearly outline this additional service.
Appendix 1: Tax controls for complex foreign investments
Due to the challenges of characterising the investment vehicle and income, entities should conduct a review of third-party data on foreign investments (either conducted internally or outsourced to an external tax adviser) that are considered 'significant/complex investments or transactions' (see Section 3.3.3 of this Guide). This will allow them to obtain a high level of confidence that the tax outcomes reported are consistent with the underlying economic activity of their foreign investments.
Where outsourced to an external tax adviser, the letter of engagement should clearly outline the scope of the engagement, that is, the review process. The entity should understand the review process undertaken by the custodian and be confident that they have the capability to perform the service. The independent assurance report provided by the custodian as described in Section 4 of this Guide should include the CLP review processes in place at the custodian to ensure that they are operating effectively.
Corporate Limited Partnerships
The following better practice examples apply to investments in foreign limited partnerships that are taxed as CLPs for Australian income tax purposes under Division 5A of Part III of the Income Tax Assessment Act 1936.
Investments in CLPs may be held directly in investment entities that are generally Limited Partnerships (LPs) or Limited Liability Partnerships (LLPs). Typically, the LPs own 99% and the general partner owns 1% of the investment entity. The investment entity invests the capital received from investors on a collective basis, and each investor generally shares in the profits and losses in direct proportion to its interest in the investment entity.
Entities may also invest indirectly into these offshore LPs or LLPs through an Australian-domiciled trust (flow through vehicle). Where an entity invests through an externally managed and administered Australian MIT/AMIT/unit trust that, in turn, invests in CLPs we expect the external manager (of the MIT/AMIT/unit trust) to apply the better practice processes outlined below. This will provide the entity with a high level of confidence that the distributions are correctly characterised by the external manager (of the MIT/AMIT/unit trust).
Where the entity invests indirectly into these offshore LPs or LLPs through an Australian-domiciled trust and the entity is the only unitholder and/or the investment is material to the asset class, the entity may apply better practice processes in place of the interposed trust.
As the source information is from offshore entities, entities are expected not to rely solely on the custodian reporting but also to have - and apply - an understanding of the Australian tax treatment of the underlying investment.
An entity's approach will ultimately depend on the size and complexity of its CLP holdings and subject to the entity's risk appetite and materiality threshold. Where an entity does not consider the controls appropriate for their circumstances (for example, due to materiality thresholds), we expect the entity to document the reasons why they consider the controls are not appropriate. However, where an entity has elected to invest in offshore CLPs, we expect processes to be put in place to ensure that the tax outcomes reported are consistent with the underlying economic transaction. Where an entity chooses to invest in these complex offshore investments, they need to factor these additional third-party data tax controls into their investment decision making.
To obtain a high level of confidence that the characterisation of CLP distributions received is correct, better practice includes:
- when a new investment is entered into (or a successor fund transfer occurs), a tax checklist is completed that ensures all relevant tax risks for significant investments have been considered, and correct classification of the investment vehicle and investment returns (see Section 3.3 of this Guide)
- implementing a Side Letter Request Process to ensure the necessary information is provided by the general partner
- maintaining a policy which documents in detail the entity's approach to reviewing CLP distributions. This policy should document the annual review process and the risk-based criteria to identify distributions which will require a more detailed examination (see Better practice examples below)
- a proportion of the CLP distributions not identified for detailed examination using a risk-based assessment should be subject to random sample testing over a rolling cycle.
Better practice examples: Side Letter Process / information requests
The entity (the Australian Limited Partner) should seek to include provisions in the Side Letters of Limited Partnership Agreements (LPAs) which require the general partner to provide detailed distribution breakdowns. However, in respect of minority investments, it may not be possible to successfully negotiate with the general partner to provide detailed reports. Nevertheless, the entity or its representative should use best endeavours to seek to obtain relevant information in respect of each capital call/distribution notice. Entities investing into CLPs would typically receive the following information from the fund:
As a matter of better practice, entities should ensure they are able to obtain such information from the CLP in a timely manner, including any additional information that may be required to comply with their Australian tax compliance obligations.
The entity may also provide the general partner with a copy of its Tax Code of Conduct (where available) which outlines its expectations of investment managers.
Better practice example: Where information not available
We expect entities to request the above necessary underlying information at the CLP level from the general partner even if they have nominal holdings in investments. If entities are unable to obtain underlying information from the general partner (for example, due to a minority interest), an entity exhibiting better practice will have in place a number of additional controls, including:
Better practice example: Annual review of CLPs
Cash flows from CLP investments may not be correctly characterised in the custodian's systems without client instruction. The purpose of the annual review of CLPs by the entity (or taxpayer) is to have oversight of the flows going through the custodian's system and consider whether those flows are treated correctly for tax purposes. Where the flows are not treated correctly, this may require an update to the custodian's reporting through a client instruction, for example, updating the cost base. However, the obligation is on the entity to ensure the correct income flows are reported in the fund income tax return so that the correct amount of tax is paid. It is noted that, in some cases, CLPs may be held via an internally managed special purpose vehicle or by foreign hybrid entities without a custodian. However, the following annual review process is largely the same whether a custodian is involved or not.
Step 1 - Gather the following information:
Step 2 - Determine amount paid or credited to the entity during the income year:
Step 3 - For each capital call / distribution notice for the CLP, determine the tax components of the notice, namely:
As the components on the notice may not match the underlying economic substance of the transactions, capital call and distribution notices from the general partner of the CLP are examined in detail. To identify which CLP distributions to examine in detail, the entity should apply the criteria outlined below in the Better practice - risk-based assessment to identify distributions for annual review. These risk-based identified distributions should be subject to the following sub-steps:
3.2 Further information is requested to confirm or determine the component split, including
Based on the above steps, determine the components of the distributions having regard to the underlying economic substance of the investment. This step includes a reasonableness check that the tax treatment is appropriate having regard to the entity's understanding of the investment. To assist in identifying risk-based distributions the entity could apply data analytics based on some of the criteria (outlined below) over the data set of CLP distributions. A deep dive examination through testing of a small sample of the remaining non-risk based identified distributions, as described in this step, including the use of additional sources of information, could be used to confirm that distributions have been characterised correctly. See Better practice - random sample testing over a rolling period and Example 3 in this Guide.
Step 4 - Translate to Australian currency (A$) the different components, being gross assessable income, foreign income tax offsets (if any), and net assessable income.
Step 5 - For each CLP:
Step 6 - Advise the custodian to update their records of errors or tax adjustments required in the Cash Flow Report or the Income Report and request confirmation from the custodian.
Step 7 - Review tax treatment of any disposals or partial disposals of the CLP.
Example 1 - Step 2 - is the amount paid or credited?
(for illustrative purposes only) ABC Super Fund is a limited partner in XYZ foreign LP that is taxed as a CLP for Australian tax purposes. The additional information attached to the distribution notice mentions undistributed proceeds. In line with its process for annual review of CLPs, ABC Super Fund examines the notice in detail to confirm the tax treatment by taking the following steps:
The manager advises that the undistributed proceeds (from capital gains) represents ABC Super Fund's share of cash withheld for working capital needs. In effect, there is a netting of the gross cash payment in exchange for a capital call. The additional investment of capital is recorded in the partnership's statutory record. Accordingly, in line with TR 2017/D4, the cash withheld is treated as having been credited and included as an assessable foreign sourced dividend under section 94M of the ITAA 1997. The undistributed proceeds are treated as a capital call into the CLP and would increase ABC Super Fund's cost base for its interest in the CLP investment.
Better practice - a risk-based assessment to identify distributions for annual review
As the components on the notice may not match the underlying economic substance of the transactions, capital call and distribution notices from the general partner of the CLP are examined in detail. To determine the character of the distributions received from CLPs, we would expect the entity to conduct an annual review of, at a minimum, distributions from CLP investments using a risk-based assessment. Specifically, if any of the following criteria are met, an entity should examine the distribution by applying Step 3 in the Better practice - annual review of CLPs:
Example 2 - Step 3 - components on the notice don't match the underlying economic substance of the transactions
(for illustrative purposes only) XYZ Super Fund is a limited partner in the ABC foreign LP. The notice provided that the distribution of A$2 million was 100% return of capital and no explanatory comments were provided. XYZ Super Fund applies the processes it has in place for CLPs and accordingly the distribution notice from ABC foreign LP is identified using a risk-based assessment. In line with its process for annual review of CLPs, XYZ Super Fund examines the notice in detail to confirm the tax treatment by taking the following steps:
Given the nature of the investment, it would be expected to provide regular interest income distributions. However, all four distribution notices received during the income year were characterised as 100% return of capital. As a result, XYZ Super Fund was not satisfied that a 100% return of capital tax treatment matched the underlying economic substance of the transactions. XYZ Super Fund contacted the manager to ascertain what percentage or dollar amount of each distribution was sourced from gains/income. The manager advised that this distribution comprised interest income on loans and is 100% interest income. XYZ Super Fund then considered whether 100% income treatment was consistent with its understanding of the investment and other reporting provided by the manager. As indicated in the Private Placement Memorandum of the fund, the underlying investment is senior secured debt and current income received on the investment portfolio net of expenses will generally be distributed quarterly. The principal repayments are not expected to commence until two income years following the current year. Accordingly, the process followed by XYZ Super Fund which examined the nature of the distribution to understand the economic substance driving the distribution, resulted in A$2 million being re-characterised from a return of capital to being treated as a distribution of profits and therefore an assessable foreign sourced dividend for the income year. In line with Step 6, the custodian was advised to update its records for the tax adjustment (subject to timing restrictions) to ensure the accuracy of its Income Report. However, the obligation is on the entity to ensure the correct income flows are reported in the fund income tax return so that the correct amount of tax is paid. 
To satisfy the ATO as part of a Justified Trust assurance review that its third-party data tax governance processes for its CLP investments are designed effectively (Stage 2), XYZ Super Fund provides its policy which documents its approach to reviewing CLP distributions. This policy should document the criteria by which the entity will review CLP distribution data in detail. In order to satisfy operational effectiveness, the third-party data tax controls including the processes for CLP investments would need to be included in the scope of the testing and tested by an independent party to determine if they are operating effectively (Stage 3).
Better practice - random sample testing over a rolling period
A proportion of the remaining CLP distributions, not identified as distributions using the risk-based assessment criteria above, should also be subject to random sample testing on a rotational basis. See Example 3 in this Guide. However, where an entity has received a low assurance rating for CLPs in its last Top 1000 review, we would expect to see testing of a larger sample size of the remaining pool of CLP distributions not identified using the risk-based assessment criteria. Where, following a risk-based assessment, random sample testing identifies incorrect characterisation of distributions, distributions from those CLP investments should be included in the following year as part of the Better practice example: Annual review of CLPs.
Example 3 - Rotational random sample testing over a five-year rolling period of the remaining CLP distributions not identified as distributions
(for illustrative purposes only) DEF, the limited partner in ABC foreign LP from the example above, has identified two of the 12 distributions it received from the CLPs it holds using the criteria outlined in the Better practice - a risk-based assessment to identify distributions for annual review. For the remaining 10 distributions, DEF will conduct sample testing on two distributions (20%) on a rotational basis every year over five years for these CLPs. The two CLP distributions will be selected at random each year from the pool (with no duplicates). The sample testing will be conducted in line with Step 3 where DEF will examine the components on the notice to ensure that they match the underlying economic transactions. To satisfy the ATO as part of a Justified Trust assurance review that its third-party data tax governance processes for its CLP investments are designed effectively (Stage 2), DEF provides its policy which documents that a proportion of the remaining CLP distributions not identified using the criteria outlined in the Better practice - a risk-based assessment to identify distributions for annual review, are subject to sample testing on a rotational basis over a rolling period. To satisfy operational effectiveness, the third-party data tax controls including the process described above would need to be included in the scope of the testing plan and tested by an independent party to determine if they are operating effectively (Stage 3).
Estimates or conservative approach due to delay in availability of information
Due to the differences in accounting periods (for example, calendar rather than financial) for foreign investments, there may be delays in the receipt of third-party information required by the superannuation fund to complete the third-party data tax governance processes for complex foreign investments before the date of lodgment of the fund return at 15 January each year.
As a result of this outstanding information, the superannuation fund could adopt an estimates approach (for example, based on previous years, if appropriate) for the income it expects to be included as assessable and lodge an amendment once all unlisted assets information is confirmed.
[1] Includes registrable superannuation entities, pooled superannuation trusts and exempt public sector superannuation schemes. It does not include self-managed superannuation funds or small APRA funds (that is, less than seven members).
[2] Reports on the outsourced service providers' (for example, custodian and administrators) internal controls are generally prepared in accordance with the Australian Standard of Assurance Engagements ASAE 3402 Assurance Reports on Controls at a Service Organization (ASAE 3402) and with reference to Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services (GS 007).
[3] Ibid
[4] In October 2021, the concept of straight-through processing was discussed at a custodian workshop between the ATO and industry. Custodians described an 80/20 rule where about 80% of their business could be described as vanilla equity and debt instruments processing (or straight-through processing). The remaining 20% is not straight-through processing.
[5] In October 2021, the concept of straight-through processing was discussed at a custodian workshop between the ATO and industry. Custodians described an 80/20 rule where about 80% of their business could be described as vanilla equity and debt instruments processing (or straight-through processing). The remaining 20% is not straight-through processing.
[6] Reports on the outsourced service providers' (for example, custodian and administrators) internal controls are generally prepared in accordance with the Australian Standard of Assurance Engagements ASAE 3402 Assurance Reports on Controls at a Service Organization (ASAE 3402) and with reference to Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services (GS 007).
[7] The maker/checker control ensures where there is manual input that there is a "maker" to input those attributes into the system and a "checker" to review that the client instructions have been entered correctly.