Guide to independent data testing by third-party advisers
GST
Top 100 and Top 1000 GST Assurance Programs
19 December 2024
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connection to land, waters and community. We pay our respects to them, their cultures, and Elders past and present.
Contents
What this Guide is about
The importance of robust business systems
When independent data testing is appropriate
When the conditions for independent data testing cannot be met
Process for independent data testing
Report of factual findings
Independence of the third-party adviser
Scenario 1: Third-party adviser is engaged to assist the taxpayer to prepare for the justified trust review
Scenario 2: Taxpayer uses the third-party adviser's proprietary software to prepare the BAS
Scenario 3: Taxpayer has outsourced the tax function or has a co-sourcing arrangement with the third-party adviser
Scenario 4: Third-party adviser was involved in the design and set up of the taxpayer's business systems
Scenario 5: Taxpayer embeds into its own system, and runs, data testing based on testing developed by an adviser
Scenario 6: Third-party adviser receives fees, in full or part, for data testing based on a contingent fee arrangement
Role of the ATO, including e-auditors
Appendix 1 Data testing scope
Selecting the entity
Top 100
Top 1000
Selecting the data test period
Selecting the test data
Developing the testing plan and data tests
Our commitment to you
If you rely on this document, you have the protections that apply to Guidance (see How our advice and guidance protects you). To the extent that this document outlines a compliance approach, and you apply that approach in good faith to your own circumstances, the Commissioner will act in accordance with that approach.
What this Guide is about
The purpose of this Guide is to assist taxpayers that may be contemplating engaging the services of a third-party adviser to undertake independent data testing with respect to a notified ATO Top 100 or Top 1000 GST assurance review.
We have previously published separate guidance to assist Top 100 and Top 1000 taxpayers with self-reviewing GST governance and correct reporting through data and transaction testing.[1]
This Guide provides practical guidance on our expectations and the conditions that must be met for a taxpayer's third-party adviser to undertake the independent data testing that can be relied upon in a GST assurance review. There is no requirement for taxpayers to undertake independent data testing. A reference to third-party adviser includes both the individual adviser and the advisory firm.
Taxpayers will need to agree the scope of the independent data testing with us in order for us to rely on the results in an assurance review. Where taxpayers are undertaking preparation work prior to the notification of a GST assurance review, including data testing, there is no guarantee that the scope, methodology and data testing plan undertaken as part of the preparation work will be accepted by us in the assurance review. However, we will leverage, where possible, the data testing undertaken prior to the commencement of the review where the scope, methodology and tests performed align with the review.
This Guide provides the framework for a uniform, consistent and transparent approach to independent data testing conducted by a third-party adviser.
The importance of robust business systems
The way in which a taxpayer's business systems create, capture, collate and report GST impacted transactions is fundamental to the correct reporting of GST obligations. To ensure the correct reporting of GST obligations, we expect that taxpayers will undertake data and transaction testing regularly as part of their assurance and verification procedures.
As part of our GST assurance (Justified Trust) reviews in the Top 100 and Top 1000 markets, we will test the taxpayer's data and transactions to assess whether its business systems are capable of correctly calculating and reporting its GST liabilities. This may involve either us undertaking the data and transaction testing, or us reviewing and verifying the independent data testing that a third-party adviser undertakes for a taxpayer.
Where the taxpayer chooses to engage a third-party adviser to undertake independent data testing, prior agreement is required to be sought from us in respect to the scope, methodology and the testing plan, including the full details of each test. This ensures that we are able to rely on the results as part of the assurance review. During the review, it is likely that we will further analyse transactions (and request source data) for identified errors, anomalies, outliers or other exceptions from the data testing.
Further information on our GST justified trust assurance reviews, and the Top 100 and Top 1000 programs, should be reviewed in conjunction with this Guide at Large business justified trust.
When independent data testing is appropriate
The approach detailed in this Guide in relation to independent data testing may be appropriate where all of the following conditions are met:
- The taxpayer requests that data testing be undertaken by a third-party adviser.
- The third-party adviser has the requisite system capability and GST expertise to undertake the data testing.
- The third-party adviser is independent (see Independence of the third-party adviser).
- The third-party adviser is able to undertake and complete the data testing within the agreed timeframes (including by reference to the taxpayer's circumstances in relation to accessing the data and any other relevant considerations).
- The scope, methodology and the data testing plan, including the full details of the procedures for each test, will be agreed to with us before the commencement of any data testing.
- The taxpayer considers that it is preferable as part of its justified trust review to adopt this process, and any additional cost of compliance incurred by the taxpayer is considered by the taxpayer to be appropriate and manageable.
- The taxpayer and the third-party adviser collaboratively engage with us as part of this process, including to resolve any issues or concerns identified by us with the data and transaction testing process.
When the conditions for independent data testing cannot be met
Where the conditions for independent data testing cannot be met, we will conduct the data testing.
Process for independent data testing
The process for independent data testing will be tailored for the individual circumstances of each business, and it is anticipated that in a justified trust review for a Top 100 or Top 1000 taxpayer that the third-party adviser's scope of engagement will reflect the requirements articulated in this Guide (including Appendix 1).
As noted as one of the conditions, the scope should be discussed and agreed with the ATO in advance.
- For a Top 100 taxpayer, we will confirm the scope, methodology and tests to be performed after the walkthrough of the taxpayer's business systems. This enables all parties to have a clear understanding of the way in which the business systems and processes operate to better inform the scope and methodology of the data testing.[2]
- For Top 1000 taxpayers, we will seek to engage with the taxpayer during the notification period[3] before the commencement of the assurance review to discuss its data testing requirements.
- The taxpayer must ensure that the data testing is adhered to and includes the scope, methodology and data tests determined by us.
- We will request full details of the third-party adviser's testing and procedures for each test to ensure the data testing meets the ATO's requirements.
- The taxpayer will retain the full data and provide it to us if requested. We will work with the taxpayer in relation to the data and information requirements throughout the assurance review process including in respect of errors and exceptions referenced below, as well as in applying the other elements of the justified trust methodology.[4]
- The taxpayer will provide to us the third-party adviser's full report of factual findings. The factual findings report will contain sufficient detail for each test performed including procedures performed and errors or exceptions identified (see Report of factual findings).
- The report of factual findings will not be binding on us or preclude us from undertaking further verification and validation of the findings or conducting our own testing.
- We will analyse the errors and exceptions noted and where the errors or exceptions are unable to be validated or reconciled by the taxpayer, we may request the taxpayer to provide the full data set or request secondary testing to re-run the tests. We may select a sample of transactions from any identified errors or exceptions for transaction testing.
- We will assess whether or not the taxpayer's GST systems are capable of recording and reporting the right amount of GST as part of the justified trust review. The assessment will be based on all of the objective evidence provided by the taxpayer including underlying source documentation (for example, invoices, journal entries, et cetera), the results of the data and transaction testing undertaken and the factual findings report.
Report of factual findings
The report of factual findings must contain:
- the scope of engagement and data tests performed
- a statement attesting to the independence of the third-party adviser
- a statement that the procedures performed were those agreed with us
- a statement of full and true disclosure of all matters
- a statement detailing the bespoke data testing undertaken and the reasons why
- a statement as to the GST expertise of the third-party adviser
- a listing of the specific procedures performed, detailing the nature, timing and extent of each procedure
- a description of factual findings in relation to each test or procedure performed, including
  a. the step-by-step details of the actions completed to format, manipulate or add to the raw data
  b. the control checks (reconciliation) of the raw data uploaded to the third-party adviser's data analysis platform that clearly shows the process confirming the data integrity and reliability of the test outputs
  c. the full criteria of each test or procedure and the transaction (line-by-line) results for each test[5]
  d. full details of all errors and exceptions found including
    - total number of transactions in the data set
    - total number of transactions covered by each test
    - total number of errors and exceptions for each test
    - transaction listing of exceptions and errors (including false positives) identified and the aggregated monetary value (GST-inclusive) and the GST amounts for each test
    - full details of transaction testing undertaken in relation to any errors or exceptions found
  e. a reconciliation of the raw data to the general ledger (GL) and the business activity statements (BAS) for the data testing period
- the identification of any of the procedures agreed in the terms of the engagement which could not be performed and the reasons why
- the third-party adviser's name, address, signature and the date of its report.
Independence of the third-party adviser
We will require the third-party adviser to attest that it is independent from the day-to-day operations of the taxpayer's business and has not been involved in any aspect of the underlying data to be tested and that its independence is not otherwise compromised as a result of a contingent fee (see Scenario 6) or other arrangement. This should be set out in the report of factual findings.
This requirement must be met by a third-party adviser (and should also be continuously considered throughout the engagement) before we can rely on the testing undertaken by a third-party adviser.
The adviser must not be involved in the data input or BAS preparation exception reporting process or be responsible or accountable for controls in place for data and BAS preparation.
The following scenarios provide practical guidance on the application of the independence requirement to third-party advisers undertaking data testing. The examples illustrate and highlight some of the factors that may impact on the independence of the third-party adviser, but it is not feasible to cover every possible scenario. Where there is uncertainty as to the independence of the third-party adviser, this should be raised with us at the earliest opportunity.
Scenario 1: Third-party adviser is engaged to assist the taxpayer to prepare for the justified trust review
The adviser's engagement to assist the taxpayer to prepare for the justified trust review will not prima facie preclude the adviser from undertaking the data testing provided that the adviser was not involved in any aspect of the underlying data to be tested.
There is low perceived risk to objectivity and independence, and the engagement will meet the independence requirement.
Scenario 2: Taxpayer uses the third-party adviser's proprietary software to prepare the BAS
The taxpayer may be using the third-party adviser's proprietary software or aspects of the software to prepare its monthly BAS. However, the mere use of the software will not undermine the adviser's independence provided that the adviser has not been involved in the taxpayer's business or any aspect of the underlying data to be tested or controls related to data or involved in testing the errors and exceptions.
Each case will be assessed and considered on its facts and circumstances to determine whether the functionality of the product and the software licence agreement in terms of the additional service offerings that are provided to support the software will impact on the adviser's independence.
Scenario 3: Taxpayer has outsourced the tax function or has a co-sourcing arrangement with the third-party adviser
Where the taxpayer's tax function is outsourced or co-sourced with the adviser, this will impact on the independence of that adviser and we will revert to normal procedures in that the data testing will be undertaken by us.
There is significant perceived risk to objectivity and independence such that the engagement will not meet the independence requirement.
Scenario 4: Third-party adviser was involved in the design and set up of the taxpayer's business systems
If the third-party adviser was involved in designing or implementing IT systems of the taxpayer which represent a significant part of internal controls over GST reporting or the business systems which generate information significant to accounting records or financial statements, the adviser will be precluded from undertaking the data testing.
There is significant perceived risk to objectivity and independence such that the engagement will not meet the independence requirement.
Scenario 5: Taxpayer embeds into its own system, and runs, data testing based on testing developed by an adviser
A taxpayer choosing to undertake its own data testing, where the tests are developed by an adviser who has not been involved in the day-to-day operations of the taxpayer's business and any aspect of the underlying data to be tested, will not of itself be fatal to meeting the independence requirement.
Each case will be assessed and considered on its facts and circumstances to determine how the requirements for independent data testing can be met in these circumstances. We would highly encourage taxpayers to discuss and confirm the scope and expectations with us in advance.
Scenario 6: Third-party adviser receives fees, in full or part, for data testing based on a contingent fee arrangement
Where a third-party adviser has been engaged to conduct data testing and receives any form of commission, on a contingent or 'success' fee basis, this creates a threat to the independence of the third-party adviser and will not constitute independent testing.
In considering whether the third-party adviser is independent, we will take a holistic view of the arrangement or arrangements between the taxpayer and the adviser and consider whether any component of the fee structure includes a contingent fee arrangement, such as where there has been a bifurcation of the engagement.
Role of the ATO, including e-auditors
The ATO team undertaking the justified trust review will support and assist the taxpayer with the data and transaction testing requirements.
As part of the ATO case team, an e-auditor will be engaged from the commencement of the case to assist the ATO case team with planning and undertaking the walkthrough and the data and transactional testing processes. Additional information on the walkthroughs and data and transactional testing processes can be found in the GST governance, data testing and transaction testing guide. For Top 1000 taxpayers, the ATO will seek to engage with the taxpayer during the notification period before the commencement of the assurance review to discuss its data testing requirements.
The ATO e-auditor will work closely with the case team in a justified trust review to determine the appropriate scope, methodology and data tests to be undertaken as part of the review and will also assist with reviewing the details of the proposed data testing to be undertaken by a third-party adviser.
For more information
If you have any queries in relation to this Guide, please email us at Top100@ato.gov.au or Top1000GSTProgram@ato.gov.au
Amendment history
Independence of third-party adviser | Updated Scenario 6. |
Throughout | Updated in line with current ATO style and accessibility requirements. |
Independence of third-party adviser | Inserted Scenario 6. |
Appendix 1 Data testing scope
The scope of the data testing depends on whether the taxpayer is a Top 100 or Top 1000 taxpayer.
To draw a reasonable conclusion that a taxpayer's business systems are capable of correctly capturing, recording and reporting its GST obligations, it is important that sufficient coverage over the whole economic group is obtained.
The process for determining the scope is set out in this Appendix. This is also replicated, in part, in the GST Governance, Data Testing and Transaction Testing Guide (and that guide should be referenced in designing the data testing process).
We consider that a BAS relating to the largest GST reporter that provides at least 75% coverage of the GST throughput of the economic group represents sufficient coverage. You should use the following criteria:
- where the economic group is comprised solely of one GST reporting entity, select that entity
- where the sole GST reporter's BAS is comprised of a number of GST divisions, identify the division that provides at least 75% coverage
- where the economic group is comprised of a number of GST reporting entities, identify the reporting entity that provides at least 75% coverage
- where the entity or division that contributes to the economic group provides less than 75% coverage, your scope should include the
  - largest contributor based on GST throughput, and
  - next largest contributor until the required 75% coverage is achieved
- entities or business divisions including branches with unique or complex transactions including input taxed supplies, GST-free supplies and property transactions such as 'built-to-rent' that may present a GST risk
- entities or business divisions including branches that have recently undergone major business system upgrades or introduced new IT systems, changed business operations models, have a high turnover of staff, where business reporting functions have been outsourced or business operations have introduced special purpose vehicles such as joint venture structures.
Generally, we review the largest GST reporter in the economic group. We may include additional entities that we consider may present potential GST risks, that is entities which undertake complex transactions or have recently undergone major business system changes.
Selecting the data test period
We consider that it is better practice to test data that relates to the 12-month period that aligns to the most recent income tax return lodged. This will ensure that any improvements to the business system and data controls that a taxpayer has implemented will be included in the testing scope.
We consider a data set of at least 3 consecutive months (approximately 25% of all transactions, the 'testing period') used as a representative sample of a full 12-month period as appropriate for business operations that involve a stable supply and acquisitions base.
The testing period data allows for month-end processes to be tested, trend and variance analysis to be performed and timing adjustments identified. It is also possible to test for the most common types of GST reporting errors made by large businesses from this data sample size.
Some of the factors that should be considered when selecting the data testing period include:
- rapid growth in the business
- changes in existing accounting systems, accounts receivable, accounts payable and BAS preparation processes and controls
- changes in key accounting staff or GST tax managers
- changes in business model, that is outsourcing or co-sourcing of finance or tax functions
- restructuring of the group
- merger and acquisition activity, that is recent merger, demerger and acquisitions (via assets or shares)
- significant increase or decrease in the volume of transactions
- the presence of any transactions involving GST risks flagged by us
- the presence of any identified significant or new transactions.
Where any of the factors listed above exist or are identified during the review from discussions with the taxpayer, consideration will be given to extending or amending the data testing to mitigate sampling risk and to achieve the intended outcomes. The third-party adviser needs to ensure that it has considered these factors in nominating the proposed data test period.
For Top 1000 taxpayers, the test period should, subject to the above, be agreed during the early notification period.
The data set should contain sufficient detail to ensure the correctness and completeness of the data to be tested. Often this includes data from accounting systems and source systems such as point of sale, billing systems or staff expense reimbursement systems, et cetera.
The data set should include reports with the following minimum fields.
- GL transactions:
  - entity or business unit
  - journal source
  - account number
  - account name or description
  - reference number
  - transaction date
  - posting date
  - description
  - debit amount
  - credit amount
  - tax code
- general journal transactions:
  - account number
  - account name
  - reference number
  - transaction date
  - posting date
  - description
  - debit amount
  - credit amount
  - tax code
- purchase transactions:
  - entity or business unit
  - invoice date
  - posting date (to GL)
  - invoice number
  - purchase order number
  - transaction description
  - cost centre
  - supplier code, name, address and Australian business number (ABN)
  - GL account number
  - GL account name
  - tax code
  - gross amount
  - net amount
  - GST amount
- sales transactions:
  - entity or business unit
  - journal source
  - invoice number
  - invoice date
  - store or register number (for point-of-sale data)
  - transaction description
  - customer name and code
  - GL account number
  - GL account name
  - tax code
  - amount including GST
  - amount excluding GST
  - GST amount
- GST codes:
  - GST code
  - GST code description
  - GST rates (%)
- supplier master file:
  - supplier code, name and ABN
  - supplier address
  - GST status of supplier (registered for GST, reverse charge, recipient created tax invoices, et cetera)
  - tax code
- chart of accounts:
  - entity code
  - entity code description
  - account number
  - account name
  - account description
  - GST code or codes
  - GST code description
  - chart of account structure (asset, liability, income, expense account, et cetera).
Developing the testing plan and data tests
Key elements to consider when developing the data testing plan include:
- the availability of data analytics software to undertake the data testing
- the capability and capacity of staff to undertake the testing
- ensuring that the scope and methodology of the data tests and procedures to be performed are documented
- ensuring the data request or data extraction contain the required fields to conduct the testing
- consideration of secondary systems such as staff expense (for example, Concur) for batched and totals posted to the general ledger. Note that for Top 1000 taxpayers, we would focus on the primary accounting or enterprise resource planning system and only review secondary or subsystems where these systems contribute to the majority of transactions for either accounts payable or accounts receivable and are batch interfaced to the GL, point-of-sale system for a retailer
- ensuring the tests include those specific to the industry, bespoke to the business and a description of each test including data scripts and fields required to run the tests
- documenting data transformation steps including data export, data cleansing for import, reconciliations and uploading to analytics tool
- identifying potential errors and exceptions, including anomalous transactions
- capturing and reporting of identified errors and exceptions.
Tests, as appropriate, should be included from the list of ATO e-audit tests. This is important to ensure that we can assess the results and minimise the need to undertake further testing.
E-audit tests include:
- BAS reconciliation
- reversals (with or without GST)
- monthly trends
- delays in entering transactions into the accounting system
- correct calculation of GST for taxable sales and purchases
- tax code anomalies
- vendor, supplier or GL tax coding anomalies
- gaps in sales invoice or sequence numbers
- correct tax code and amount sales
- reconciliation of major sub-systems to main accounting system data, for example point-of-sale, commission systems, leasing systems, et cetera
- reconciliation of stock data or stock purchases to sales
- duplicate purchases
- supplier summary with ABN validity check
- correct tax code and amount purchases
- manual GL entries or adjustments
- supplier, vendor or product master file anomalies.
It is expected that the third-party adviser will work with the taxpayer to assess the GST risks associated with the business in relation to routine, non-routine, significant and new transactions. Additionally, the third-party adviser will ensure that additional specific tests are included in the data testing and the outcome is documented in the report of factual findings.
For the Top 100, a more bespoke in-depth approach will need to be used to determine what additional specific tests will be required based on the unique attributes of the taxpayer's business and risks identified in ATO public or private rulings and guidance documents.
For both Top 100 and Top 1000 taxpayers, testing will need to address industry specific risks, for example, the property, insurance and financial services industries, et cetera.
[1] Refer to the ATO GST Governance, Data Testing and Transaction Testing Guide.
[2] As part of this, we note that a materiality threshold should not be used in setting the scope of the data testing. This is because it is important for all of the data and transactions to be tested for correct reporting.
[3] This will generally be a period of 2 months.
[4] Refer to Large business justified trust.
[5] The actual test results in a spreadsheet containing sufficient details such as the invoice number, invoice date, posting date, GL accounts, journal entry reference, etc., should be provided to enable us to select samples for transaction testing.