Income tax risk management and governance

Guidance for Top 1000 taxpayers preparing for a combined assurance review

The purpose of this document is to assist Top 1000 taxpayers review their income tax risk management and governance frameworks and prepare for a Top 1000 combined assurance review. It supplements existing guidance and should be read in conjunction with that guidance.

We recognise that the Top 1000 population is diverse and different entities may adopt different governance practices based on a range of factors, including their size, complexity, history, and corporate culture. For that reason, we are providing examples of our view of better practices in relation to income tax governance for different types of Top 1000 corporate entities. The broad approaches illustrated in this document can be extrapolated for other Top 1000 entity types.

Additional governance controls over outsourced tax data should be considered for investment industry entities, including APRA regulated superannuation funds, managed investment trusts, attribution managed investment trusts and others, where given the nature of the institutional investment environment these entities use outsourced data or third-party data service providers, and this tax data feeds into the tax returns of these entities. Supplementary guidance for tax controls to manage and mitigate tax risk over outsourced data will be issued separately, along with best practice examples and should be considered in addition to those outlined in this document for impacted entities.

Existing guidance

This document builds on guidance published on ato.gov.au to assist large public and multinational businesses to review their income tax governance frameworks:

Why tax governance is important

Tax governance is a key focus area under the justified trust methodology for large public and multinational businesses. Demonstrating how good income tax governance is embedded in positions taken, disclosures in returns and tax calculations provides us with evidence we can rely upon which can reduce the intensity of enquiries.

Good tax governance can reduce the risk of inadvertent errors and support tax positions being in step with the direction of the Board. Properly documented tax controls that are designed effectively and subject to periodic independent controls testing provides evidence that those controls will continue to operate effectively and are not dependent on the expertise of specific individuals.

A Stage 2 rating for governance is required to achieve an overall high assurance rating. When a Top 1000 taxpayer attains an overall high assurance rating under our justified trust assurance program, this means that we have confidence that they have complied with Australian income tax laws and have paid the right amount of income tax. In recognition of the level of trust we have in the reported tax outcomes of these taxpayers, we will tailor our engagement approach to focus on maintaining our high level of confidence. In the absence of significant business changes or tax treatment, this will result in shorter and lighter intensity reviews in the future.

How we assess income tax governance

This document sets out the approach we use in a Top 1000 combined assurance review for assessing income tax governance for Top 1000 taxpayers.

We look for evidence that a tax control framework exists (such as a board-endorsed tax policy and/or documented procedures for preparing tax returns) that is commensurate to the organisation's size, complexity, and tax profile. We then look for objective evidence that the framework is designed effectively and is operating effectively or "lived".

We focus on the key controls set out in the director's summary within the the Guide. While we encourage taxpayers to consider all the controls in the Guide our initial areas of focus are aligned with the following 'justified trust' objectives:

How we rate income tax governance

We take a holistic approach in assessing the stage rating for tax governance and do not assign a stage rating for each individual key control. We consider whether each key control is in existence and is designed effectively having regard to the size, complexity, and tax profile of the organisation. We also encourage organisations to describe any compensating controls, if their framework does not align with our better practices and to document why they might not be applicable to their circumstances.

We use the following staged rating system:

Stage 1: You provided evidence to demonstrate that a tax control framework exists.

We look for evidence in the form of policies, processes and procedures demonstrating the existence of a tax control framework. This includes one or more of the following:

  • Board endorsed tax policy documentation describing how the organisation identifies and manages tax risk
  • Documented end-to-end procedures for preparing income tax returns

Stage 2: You provided evidence to demonstrate that a tax control framework exists and has been designed effectively.

When we have established a tax control framework exists, we then look for objective evidence that the framework is designed effectively having regard to the size, complexity, and tax profile of the organisation. A gap analysis that assesses the design of the organisation's tax control framework against the Guide will assist in assessing whether the tax control framework is designed effectively. If a gap exists, we look for compensating controls and an explanation why aspects of the Guide are not applicable. There must also be a formal organisation level commitment to ongoing periodic internal control testing of key justified trust controls (e.g., endorsed by the Board or its delegate).

Stage 3: You provided evidence to demonstrate that a tax control framework exists, has been designed effectively and is operating effectively in practice.

This is the highest rating for tax governance. To achieve this stage, you must be able to demonstrate that your tax control framework is designed effectively and is operating as intended. It can be evidenced by a periodic tax controls testing program and reports describing the outcomes of that testing. The testing should cover the key justified trust controls as set out in the director's summary. We look for the independent review and testing of tax controls. Refer to our practical guidance for more information.

Red flag: You have not provided sufficient evidence to demonstrate a tax control framework exists or we have significant concerns with your tax risk management and governance.

A red flag may be assigned where there is no objective evidence to demonstrate a tax control framework exists or if we have significant concerns with your tax risk management and governance, for example, where there are significant errors your tax control framework is not detecting.

You can refer to the governance observations in our Top 1000 Findings report for our latest insights into common causes of lower governance ratings.

Where inadvertent errors arise, we encourage businesses to make voluntary disclosures. Where those errors are identified, promptly reported and control gaps/deficiencies addressed, this should not adversely impact the entity's rating for tax governance.

How existence of key controls may be evidenced

Our focus is on whether the organisation has processes and policies (collectively the "tax control framework") in place which effectively manages the organisation's tax risks and issues which are relevant to the organisation. For this reason, there is a not a prescribed set of documents/policies which must be in place for a taxpayer to achieve a particular stage rating. We focus on whether the organisation has in place a 'fit for purpose' set of processes and policies to manage its income tax risks.

The Top 1000 population is diverse, and each organisation is unique. In this document we outline the purpose and intent of each control and provide examples for different types of organisations. We have included case studies and examples of the types of evidence we consider may demonstrate the existence of each key control. The cases studies are intended to reflect a broad cross section of the Top 1000 population. We may add to these examples from time to time.

The case studies are illustrative only and should not be considered a 'checklist' as each organisation needs to assess their governance processes considering the size, complexity, and tax profile of their own business.

Each case study example is necessarily simplistic. As each business in unique, we do not expect any organisation to fit neatly into a specific case study example. The case studies have been provided to illustrate our broad approaches. It is also important to recognise that a 'fit for purpose' tax governance framework is expected to evolve over time to reflect changes in the organisation.

Approach to Board level controls

A company's Board of Directors has the oversight and monitoring role with respect to tax governance. For some Top 1000 taxpayers it may be appropriate for the board to delegate their tax governance responsibilities to a Board sub-committee, executive leadership team or other senior representative or delegate.

In the context of overseas headquartered groups, where the group's main Board is located offshore, the main Board may have the ultimate oversight and monitoring role for the global group. This oversight and monitoring role may be facilitated by management and reporting from the local Australian Board and/or Australian or regional executive leadership team. In these cases, for the Board Level Controls (or BLCs) as set out in the Guide it may be appropriate to take into account the governance structure of the organisation in practice (e.g. to reflect the role of the Board's delegate).

Summary table

As set out in the Guide, there are 4 Board Level Controls and 9 Managerial Level Controls. We acknowledge that, in the first instance, some businesses may choose to prioritise their resources and focus on the justified trust controls listed in the director's summary. The following table sets out the justified trust controls required for each stage rating with links to explanations and examples for each control.

For each key control, we look for objective evidence that the control exists, is designed effectively and is operating effectively in practice. We have regard to the size, complexity, and tax profile of the organisation. Refer to our practical guidance for more information.

Key control

Control

Stage 1

Stage 2

Stage 3

Link to examples

A formalised tax control framework setting out how the organisation's tax risks are managed, which is endorsed by the board or its authorised delegate.

BLC1

Check or MLC6

Check

Check

link

A document that sets out how the board is appropriately informed on tax risk management.

BLC3

 

Check

Check

link

A document that demonstrates how key roles and responsibilities are clearly understood.

MLC1

 

Check

Check

link

A document or matrix that demonstrates how significant transactions are identified.

MLC3

 

Check

Check

link

A documented control framework setting out the end-to-end procedure for completing the income tax return.

MLC6

Check or BLC1

Check

Check

link

Documented procedures to explain significant differences reconciling tax calculations to the financial statements.

MLC7

 

Check

Check

link

Organisation level commitment to on-going periodic internal control testing of key justified trust controls (e.g., endorsed by the Board or its delegate).

BLC4

 

Check

Check

link

Periodic internal control testing of the above controls has been carried out and all gaps have been appropriately addressed.

BLC4

 

 

Check

link

 

Example tax profiles to illustrate 'fit for purpose' approach

To illustrate the 'fit for purpose' approach, we have included below the tax profiles of four taxpayers which reflect the diversity of the Top 1000 population. In the following sections we provide examples of policies or procedures which may demonstrate the existence and design effectiveness of those policies or procedures in addressing the justified trust controls having regard to the size, complexity, and tax profile of the four case study taxpayers.

The cases studies are intended to reflect a broad cross section of the Top 1000 population. We may add to these examples from time to time.

The examples are illustrative only and should not be considered a 'checklist' as each organisation needs to assess their governance processes considering the size, complexity, and tax profile of their own business.

Company 1

Company 2

Company 3

Company 4

  • A company listed on the Australian Stock Exchange (ASX)
  • Australian headquarters
  • Local corporate governance requirements
  • Operates multiple business segments
  • Changes in group structures and systems
  • New and significant transactions
  • Complex tax issues
  • Tax group/s do not align with financial reporting group
  • Generally, but not necessarily, a larger group
  • Tax function is managed by a sophisticated tax team in Australia
  • A private company ultimately majority foreign owned by private foreign interests / consortium.
  • Predominantly Australian business
  • Operates multiple business segments
  • Complex tax issues
  • Tax function is managed by dedicated tax manager
  • Company has a board of directors, but key business decisions are generally the responsibility of the executive leadership team. The Board has delegated authority for tax matters to executive leadership team
  • Provisional head company of a multiple entry consolidated group.
  • Ultimately wholly owned by an offshore listed multinational group
  • Operates multiple business segments
  • Complex tax issues
  • Has a dedicated tax team in Australia
  • Tax function is managed by a dedicated tax manager who reports to local CFO with dotted line reporting to the offshore Global Head of Tax
  • Regular reporting to the ultimate parent on tax and financial matters
  • The Board of Directors in Australia meets infrequently and key decisions on the business is delegated to Executive leadership team in Australia
  • Standalone subsidiary of a listed multinational group
  • Operates a single business segment in Australia
  • Generally, a smaller entity
  • Consistency in transactions and tax positions
  • Minimal change in group structures and systems
  • Limited significant or new or transactions
  • No tax risks flagged to market present
  • Regular reporting to the ultimate parent
  • All significant or strategic matters require offshore approval process.
  • Australian tax function is managed by local finance manager, with reporting to global tax team located offshore

 

Examples of how key controls may be evidenced

Existence of formalised tax control framework (BLC1)

The purpose of this control is to ensure that the organisation has clearly set out its parameters for how tax risks are to be managed and that these parameters are clearly understood by the organisation as a whole.

We look for a board (or sub-committee) endorsed tax policy that details how the organisation identifies and manages tax risk that is understood across the organisation. If tax is included in the organisation's board endorsed overarching risk management framework, the tax policy document may be owned by management.

For an Australian subsidiary of a foreign multinational group that has simple tax affairs (Company 4), the existence of a formalised tax control framework may be demonstrated through the adoption of a global tax policy which appropriately covers the Australian operations and details how Australian tax risks are managed as outlined above. However, there will be instances where the global tax policy does not adequately address the Australian tax risks of the Australian entity. Where that is the case, the global tax policy needs to supplemented by another document which appropriately addresses the tax risks and obligations which are specific to the Australian operations.

For an additional description of this control, refer to BLC1 and self-assessment procedures.

The existence of a tax control framework, or a documented control framework for the income tax compliance process (MLC6) is required to be in existence to achieve a stage 1 rating for governance.

Company 1

Company 2

Company 3

Company 4

Company 1 has in place a detailed Tax Policy document which has been endorsed by Board or by the Audit and Risk Committee, a subcommittee of the Board of Directors).

The policy includes:

  • Organisation's tax risk appetite
  • Details on acceptable level of tax risk for day-to-day operations and when tax matters need to be escalated

The policy has been published internally, for example on the organisation's intranet and can be accessed by all relevant personnel so it is understood by the organisation as a whole.

Company 2 has in place a detailed Tax Policy document which has been approved by the executive leadership team and is also endorsed by the Board of Directors.

The policy includes:

  • Organisation's tax risk appetite
  • Details on acceptable level of tax risk for day-to-day operations and when tax matters need to be escalated

The policy has been published internally, for example on the organisation's intranet and can be accessed by all relevant personnel so it is understood by the organisation as a whole

The Global Tax Policy has been endorsed by the Board of Directors of the offshore ultimate parent entity.

The Global Tax Policy is available on the organisation's intranet and can be accessed by all relevant personnel of the global organisation.

The global policy covers all global operations but does not expressly cover Australian income taxes. Nor does it address the tax profile and complexity of the Australian MEC structure.

The Executive leadership team in Australia confirms that the Global Tax Policy applies to Australia, with more specific detail included in the Australian tax operations manual detailing the tax policies and procedures for the Australian group, including:

  • the organisation's tax risk appetite and
  • Details on acceptable level of tax risk for day-to-day operations and when tax matters need to be escalated.

It is available on the organisation's intranet and can be accessed by all relevant personnel, so it is understood by the Australian organisation

The Global Tax Policy has been endorsed by the Board of Directors of the offshore ultimate parent entity.

The Global Tax Policy is available on the organisation's intranet and can be accessed by all relevant personnel of the global organisation.

The global policy expressly covers the Australian operations and how Australian income tax risks are managed. It includes:

  • The global organisation's tax risk appetite
  • Details on acceptable level of tax risk for day-to-day operations and when tax matters need to be escalated

There is a program of annual training that is completed by all finance personnel including those involved in the Australian tax function of the group to ensure the Australian personnel are familiar with group policies including the Global Tax Policy and how they apply in Australia

The board is appropriately informed (BLC3)

The board has the leading role in overseeing risk management structures and policies. To do this, the board (or sub-committee) must be appropriately informed of the tax risks in the organisation and the effectiveness of their tax control framework.

The minimum matters ("minimum board reporting matters") which are to be included for consideration by the Board, sub-committee or its delegate are:

  • Effectiveness of their tax control framework
  • Effective tax rate
  • Potential and actual significant tax risks arising from significant transactions or events
  • Transactions which require approval of the board or its delegate

For companies that do not have an active board in Australia, the offshore Board or sub-committee may be the focus of this control or may have delegated the role of oversight to the Australian Executive Leadership Team.

In communications with a board, taxpayers should have regard to the concession that applies to advice provided to a corporate board on tax compliance risk as contained in Practice Statement Law Administration 2004/14.

For an additional description of this control, refer to refer to BLC3 and self-assessment procedure.

Company 1

Company 2

Company 3

Company 4

The Tax Policy document that Company 1 has in place includes the following requirements:

  • The Head of Tax reports to the Audit and Risk Committee (ARC) on a six-monthly basis (half year and full year)
  • The reporting to the ARC includes the preparation of a board paper (which covers the minimum board reporting matters) and attendance by the Head of Tax at the ARC meetings to answer any questions the committee may have on tax matters

The company has in place a board reporting template.

The Tax Policy document that Company 2 has in place includes the following requirements:

  • The tax manager prepares a report (which covers the minimum board reporting matters) to the Executive Leadership Team on a six-monthly basis (half year and full year).
  • Upon review of the report, the Executive Leadership Team prepare a Board report which includes extracts from the tax report where there are tax matters considered significant.

The Australian tax operations manual that Company 3 has in place includes the following requirements:

  • The tax manager prepares a report (which covers the minimum board reporting matters) to the Executive Leadership Team on a six-monthly basis (half year and full year).

The tax manager is separately required to provide the global tax team a quarterly tax report using a template. Matters which are considered significant (generally based on a dollar threshold or that may be a risk to reputation) are included a report provided to the offshore Board of Directors.

The Global Tax Policy that Company 4 has in place includes the following requirements:

  • The finance manager provides the global tax team a quarterly tax report using a template (which covers the minimum board reporting matter plus details of transactions that require approval of the global tax team).
  • The finance manager reports matters considered significant (generally based on a dollar threshold or that may be a risk to reputation) for inclusion in a report provided to the offshore Board of Directors.
  • A copy of this report is also shared with the Australian Board or their delegate.

Roles and responsibilities are clearly understood (MLC1)

The purpose of this control is to ensure that there is clear accountability between departments or individuals, reducing the risk of conflict or ambiguity in responsibilities that could lead to inefficiencies, delayed work, or mismanagement of key tax risks.

We look for documentation outlining the roles and responsibilities relating to tax compliance and risk management, demonstrating that the roles and responsibilities are formalised and understood by management with appropriate authorisation levels and segregation of duties in place.

For an additional description of this control, refer to MLC1 and self-assessment procedure.

Company 1

Company 2

Company 3

Company 4

Company 1 has in place a detailed Tax Operations manual which clearly demonstrates segregation of duties and sets out who prepares, reviews, and signs off:

  • income and withholding tax compliance obligations (including returns)
  • tax effect accounting calculations
  • income tax advice for the organisation
  • income tax advice on significant transactions

The manual also sets out:

  • the reporting chain for income tax matters including timing and format of reporting.

Who is responsible for the maintenance of the tax control framework (see MLC6)

Company 2 has prepared a RACI1 matrix which clearly demonstrates segregation of duties and sets out who prepares, reviews, and signs off:

  • income and withholding tax compliance obligations (including returns)
  • tax effect accounting calculations
  • income tax advice for the organisation
  • income tax advice on significant transactions

The Tax Policy document includes details on:

  • The reporting chain for tax matters (including timing and format of reporting)

Who is responsible for review and maintenance of the tax control framework (see MLC6)

The Australian tax operations manual clearly demonstrates segregation of duties and sets out who prepares, reviews, and signs off:

  • income and withholding tax compliance obligations (including returns)
  • tax effect accounting calculations
  • income tax advice for the organisation
  • income tax advice on significant transactions

The Australian tax operations manual specifies that the tax manager will review the tax compliance process on an annual basis to ensure it remains relevant and up to date.

The Global Tax Policy specifies when tax matters are to be escalated to the global tax team and the Australian tax operations manual specifies when tax matters are to be escalated to the Executive Leadership Team.

The Global Tax Policy requires that for each key compliance process (including income tax returns and tax effect accounting) a checklist must be completed evidencing a sign-off by the preparer, reviewer, and approver.

The Global Tax Policy specifies when tax matters are to be escalated to the global tax team including income tax advice for the Australian organisation.

Significant transactions are identified (MLC3)

The purpose of this control is to manage tax risks relating to significant transactions and events, which may have a significant impact on a company's tax position. This control focuses on the end-to-end process from identification of the significant tax risk or event through to risk mitigation strategies.

We look for documentation such as a policy specifying the criteria for identification and referral of significant tax risks, transactions, or events to the tax area, escalated to senior management or the board and /or require independent external tax advice.

For an additional description of this control, refer to refer to MLC3 and self-assessment procedures.

Company 1

Company 2

Company 3

Company 4

Company 1 has in place a detailed Tax Operations manual which clearly sets out:

  • Definition of a significant transaction/matter (by value) which requires authorisation from tax team
  • How business units notify the tax team (contact person etc..)
  • A risk matrix for assessing and classifying tax risks (high, medium or low risk) based on quantitative and qualitative factors and the steps to be taken based on the risk rating
  • When external advisors should be engaged and the level of opinion that should be obtained
  • What matters require approval from senior management and the board and the process by which this is undertaken
  • Maintenance of a tax risk register.

The Tax Policy document that Company 2 has in place includes:

  • Definition of a significant transaction/matter (by value) which requires authorisation by the tax manager
  • The requirement for the tax manager to report to the Executive Leadership Team on significant tax matters (see related BLC3)
  • A risk matrix for assessing and classifying tax risks (high, medium or low risk) based on quantitative and qualitative factors and the steps to be taken based on the risk rating
  • When external advisors should be engaged and the level of opinion that should be obtained
  • What matters require approval by the Executive Leadership Team.
  • Maintenance of a tax risk register.

The Australian tax operation manual that Company 3 has in place includes:

  • Definition of a significant transaction/matter (by value) which requires review by the tax manager
  • The requirement for the tax manager to report to the Executive Leadership Team on significant tax matters (see related BLC3)
  • A risk matrix for assessing and classifying tax risks (high, medium or low risk) based on quantitative and qualitative factors and the steps to be taken based on the risk rating
  • When external advisors should be engaged and the level of opinion that should be obtained
  • What matters require approval by the Executive Leadership Team
  • Maintenance of a tax risk register.

The Global Tax Policy that covers Company 4 includes definition of:

  • when tax matters are to be escalated to the global tax team based on dollar threshold and level of opinion.
  • when a matter is material and uncertain and will be entered into the global tax risk register maintained by head office.
  • the materiality threshold for matters to be recorded in the global tax risk register is appropriate having regard to the size of Company 4.

All contracts over a specified dollar threshold or non-routine in nature needs to be reviewed and signed-off by the global or regional tax team. This sign-off is evidenced on the contract cover page.

Due to the limited size and complexity of Company 4's operations in Australia, the commercial teams are aware and comfortable in approaching the finance manager for any tax related matters. If the matter cannot be resolved locally, then the finance manager (as required in the Global Tax Policy) escalates the matter to the global tax team.

Documented control framework (MLC6)

The purpose of this control is to ensure that there is a documented income tax return process in place. As the compliance process involves repetitive tasks, documenting the process ensures consistency in tax positions and adjustments and mitigates key person risk. It also focuses on ensuring there is a complete and accurate flow of information from accounting records to the tax return.

For many organisations the tax return process leverages off work completed in the tax provision process (e.g., material tax adjustments may be calculated during the tax provision). As such the documented tax return process may include steps performed at tax provision time as well as during the income tax return process.

We look for documented procedures for preparing and reviewing the tax return including reconciliation back to the audited financial statements and working papers reviewed and approved by management.

This control may be demonstrated in several ways, including (but not limited to):

  • Detailed income tax compliance flowchart with narratives which set out step by step instructions
  • Narrative description of the income tax preparation process

For an additional description of this control, refer to MLC6 and self-assessment procedures.

Company 1

Company 2

Company 3

Company 4

Company 1 has prepared a detailed income tax compliance flow chart with narratives which set out step by step instructions covering:

  • How to prepare the income tax return
  • Where and how data is sourced (including trial balance, GL reconciliations, fixed asset information, etc...)
  • How to determine whether an account requires a book to tax adjustment
  • Who prepares, reviews and signs-off the income tax return
  • Parameters for when to seek additional information or advice (including external assistance)
  • Lodgement responsibility and document retention

Company 2 has prepared a detailed income tax compliance flow chart with narratives which set out step by step instructions covering:

  • How to prepare the income tax return
  • Where and how data is sourced (including trial balance, GL reconciliations, fixed asset information, etc...)
  • How to determine whether an account requires a book to tax adjustment
  • Who prepares, reviews and signs-off the income tax return
  • Parameters for when to seek additional information or advice (including external assistance)
  • Lodgement responsibility and document retention

Company 3 has prepared a detailed narrative description of the income tax preparation process which set out step by step instructions and includes:

  • Where and how data is sourced (including trial balance, GL reconciliations, fixed asset information, etc...)
  • How to determine whether an account requires a book to tax adjustment
  • Lodgement responsibility and document retention

For each key compliance process (including ITR and TEA) a checklist is also completed evidencing a sign-off by the preparer, reviewer, and approver.

The Australian operations manual provides guidance on when tax matters (including those identified in the tax compliance process) are to be escalated to the Executive Leadership team and / or the global tax team.

Company 4 has prepared a detailed narrative description of the income tax preparation process which set out step by step instructions and includes:

  • Where and how data is sourced (including trial balance, GL reconciliations, fixed asset information, etc...)
  • How to determine whether an account requires a book to tax adjustment
  • Review of transfer pricing adjustments/intercompany charges and the need to obtain an updated transfer pricing analysis on an annual basis
  • Lodgement responsibility and document retention

For each key compliance process (including ITR and TEA) a checklist is also completed evidencing a sign-off by the preparer, reviewer and approver.

The Global Tax Policy provides guidance on when tax matters (including those identified in the tax compliance process) are to be escalated to the global tax team.

Procedures to explain significant differences (MLC7)

The purpose of this control is to ensure that there is a process to explain differences between accounting disclosures (tax note), the financial statements and the income tax return. As the process involves repetitive tasks, documenting the process ensures consistency, reducing fluctuations (such as large unders/overs) year-on-year and mitigates key person risk.

We look for documented procedures that detail the process for reconciling the tax calculation prepared for financial statements and the completed tax return and explain the tax performance of the entity compared to the accounting outcome.

For an additional description of this control, refer to MLC7 and self-assessment procedures.

Company 1

Company 2

Company 3

Company 4

Company 1's detailed income tax compliance flowchart includes steps related to the tax accounting process which involves provision to return true-up steps.

Under the provision-to-return true-up steps:

  • Each difference is identified and classified as permanent or temporary
  • Where the difference is material, an explanation is required to be provided
  • True-up journals are prepared (by the tax manager), reviewed (by finance lead) and uploaded (by GL accountant)

Company 2's detailed income tax compliance flowchart includes steps related to the tax accounting process which involves provision to return true-up steps.

Under the provision-to-return true-up steps:

  • Each difference is identified and classified as permanent or temporary
  • Where the difference is material, an explanation is required to be provided
  • True-up journals are prepared (by the tax manager), reviewed (by finance lead) and uploaded (by GL accountant)

Company 3 is required to complete a Provision-to-Return template as part of the global accounting process.

As part of this template:

  • Each difference is identified and classified as permanent or temporary
  • Where the difference is material, an explanation is required to be provided
  • The template automatically proposes true-up journals
  • The template requires a sign-off by the preparer (tax manager), reviewer (regional head of tax) and final approver (finance lead)

Company 4 is required to complete a Provision-to-Return template as part of the global accounting process.

As part of this template:

  • Each difference is identified and classified as permanent or temporary
  • Where the difference is material, an explanation is required to be provided
  • The template automatically proposes true-up journals
  • The template requires a sign-off by the preparer (tax manager), reviewer (regional head of tax) and final approver (finance lead)

Commitment to periodic internal control testing (BLC4)

The purpose of internal control testing is to obtain assurance that the internal control framework is operating effectively. An organisation level commitment by the company to periodic internal control testing is therefore required to evidence that the tax control framework is designed effectively. To achieve a stage 2 rating for tax governance, the company must evidence a commitment to undertake periodic internal control testing but need not have commenced the testing (this is required for a stage 3 rating).

Examples of the commitment to this control can be in the form of:

  • A statement as part of the Board endorsed tax control framework that all key tax controls will be tested by an appropriately qualified independent reviewer. This testing may take place annually or periodically e.g., every three years. This must specify which controls are being tested and must specifically include:
    • The board is appropriately informed (BLC3)
    • Roles and responsibilities are clearly understood (MLC1)
    • Significant transactions are identified (MCL3)
    • Documented control framework (MLC6)
    • Procedures to explain significant differences (MLC7)
  • Where the Tax Policy is not clear or specific about the requirements in relation to the testing of the key tax controls, the company should provide a testing plan which specifies which controls are being tested and over what period. Where there is a clear commitment in the board endorsed Tax Policy, and the company has provided a timeframe for commencement of testing, a detailed testing plan is not required to achieve a stage 2 tax governance rating. However, we may seek to verify whether this work has occurred in later reviews.
  • Written confirmation from the Board, a Board sub-committee, executive leadership team or other senior representative or delegate of the Board (for example the Australian CFO) that all key tax controls will be tested by an appropriately qualified independent reviewer and this testing will take place annually or periodically e.g., every three years.

In assessing a stage 2 tax governance rating, we will look for an indicative timeframe of when testing will commence and will follow-up on that commitment in subsequent assurance reviews.

We require tax control testing to be undertaken by an appropriately qualified independent reviewer such as internal audit. The reviewer must be independent of the tax control owner. For tax controls owned by the tax function this means that someone outside of the tax function should review the tax controls such as internal (or external) audit, internal risk, or a third party.

If a company has made a definite commitment to undertake periodic internal control testing, the next time we undertake a review, we expect that a program of testing has been completed or is well progressed. Accordingly, we expect this organisation level commitment to be documented.

For an additional description of this control, refer to BLC4 and self-assessment procedures.

Company 1

Company 2

Company 3

Company 4

Company 1 has specified in its Board endorsed Tax Policy that the internal audit function will undertake periodic testing of the Justified Trust controls (i.e., BLC3, MLC1, MLC3, MLC6 and MLC7). The controls will be tested on a rotational basis such that all controls will be tested over a 3-year period. Given the size, complexity and tax profile of the Company 1, management has determined that rotational testing over a 3-year period is appropriate.

Company 2 has specified in its Board endorsed Tax Policy that it will engage an independent third party to undertake periodic internal control testing of its tax controls but has not specified which controls will be tested.

A testing plan has been prepared which specifies which controls will be tested and particulars of the testing (including method, frequency, etc...) and covers the justified trust controls. The testing plan has been endorsed by the executive leadership team.

As part of the global internal audit program for the group, internal controls in respect of the tax effect accounting and tax return processes (which covers MLC6 and MLC7) are tested every three years with the findings presented to both the Australian executive leadership team and (on an aggregate/summarised basis) the offshore Board.

To supplement the procedures performed under the global internal audit program, the Australian risk manager has developed a testing plan to test the remaining Justified Trust controls (i.e., BLC3, MLC1 and MLC3). This testing plan has been endorsed by the executive leadership team.

As part of the global internal audit program for the group, internal controls in respect of the tax effect accounting and tax return processes (which covers MLC6 and MLC7) are tested every three years with the findings presented to both the global head of tax and (on an aggregate/ summarised basis) the offshore Board.

To supplement the procedures performed under the global internal audit program, an independent third party has been engaged to undertake periodic internal control testing of the remaining justified trust controls (i.e., BLC3, MLC1 and MLC3). This testing plan has been endorsed by the global head of tax or global head of internal audit.

Stage 3 - Periodic internal control testing has been carried out (BLC4)

To achieve a stage 3 rating for tax governance, we need to be provided the outcomes of the testing including:

  • Testing methodology
  • Sample sizes selected
  • Types of source documents relied upon by tester
  • Final test results
  • If issues are identified in the testing, the report should also outline what steps have been undertaken to address those issues
  • Board (or Board delegate) acknowledgement of the test results and actions to be taken to address any adverse findings or issues identified

This may be in the form of a report which has been tabled with the Board (or Board delegate), together with workpaper(s) which include additional detail on the testing procedures undertaken and the outcome of those testing procedures. A report which only sets out the exceptions noted in the testing will not be sufficient.

Test scope should be set out in a document put together by an appropriately qualified independent reviewer which has been signed off by control owners (i.e., tax function) describing:

  • Taxes to be reviewed
  • Tax controls to be reviewed
  • Control owners
  • Purpose of the review
  • Frequency of testing
  • Who will conduct testing
  • Method of testing (i.e., re-performance, validation of process, calculation), noting that inquiry only is not acceptable

Once periodic internal control testing has been completed and it has been established that the framework is designed and operating effectively, we expect that all controls would be retested within a rolling three- to-five-year period. The frequency of the retesting may vary according to the characteristics of the organisation and the outcomes of prior tax control testing.

In limited circumstances, the retesting period may extend beyond five years, up to a maximum of seven years. For example, this may occur where initial testing results are satisfactory, there are no changes in the organisation's processes and technology during the intervening period, and the extended period aligns with the organisation's internal review cycle.

Where prior testing has resulted in satisfactory outcomes, subsequent retesting may build on those prior outcomes as appropriate.

For an additional description of this control, refer to BLC4 and self-assessment procedures.

Set out below is an example of a control that may be tested and particulars we would expect to see in a detailed testing plan in relation to each control tested:

Example

Control description

Provision to return reconciliation and narratives for material differences

Control owner

Tax manager

Control objective

To identify variances between income tax provision and income tax return calculations

ATO control reference

MLC6 and MLC7

Control frequency

Annual

Preventative or Detective control

Detective

Evidence

Completed provision-to-return template and narrative for material differences

Testing method

Inspection

Expected test procedure

1. Obtain provision to return workpaper

2. Inspect whether there are material variances

3. If there are material variances, obtain evidence of narratives and note whether reasons provided are sufficient and have been reported to management

Timing of testing

Review in year 1 and then every alternate financial year

Control tester

Internal audit team

1    Responsible, Accountable, and Consulted and Informed

Amendment History

Date of amendment Part Comment
5 May 2023 How we rate income tax governance Removed last dot point from Stage 1.

© AUSTRALIAN TAXATION OFFICE FOR THE COMMONWEALTH OF AUSTRALIA

You are free to copy, adapt, modify, transmit and distribute this material as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).