Integrated risk management

    Whole-of-government requirements for risk management are set out at section 16 of the PGPA Act – specifying that agencies have a duty to establish and maintain an appropriate system of risk oversight, management and internal control – and in the Commonwealth Risk Management Policy.

    Our risk management approach

    The Commissioner of Taxation is the accountable authority for risk management within the ATO. He and the other members of the ATO Executive team promote a positive and managed approach to risk management and support the continuous improvement of risk practice across the ATO.

    Risk management is built into the ATO's planning at all levels, from the corporate plan through to plans developed at the ATO business line, branch and team levels. Separate plans for large individual projects also consider the risks to delivery.

    The ATO applies the 'Three Lines of Defence' model for risk management and internal control, where:

    1. Senior managers of different business areas own and manage risks and are responsible for operationalising governance controls and implementing corrective actions to address process and control deficiencies.
    2. Corporate functional areas, such as Risk and Assurance, facilitate, monitor and provide assurance on implementation of effective risk management practices by the business areas.
    3. Internal audit, through a risk-based approach, provides independent assurance and advice to the ATO’s Audit and Risk Committees and management, on how effectively the ATO assesses and manages its risks.

    The ATO's Enterprise Risk Management Framework is administered in accordance with the requirements of the Commonwealth Risk Management Policy and is aligned with the AS/NZS ISO 31000:2009 Risk Management Standard. It provides a structured enterprise-wide approach to risk management, including risk methodology and management processes.

    In 2016–17, the ATO maintained an overall risk management maturity level of ‘Advanced’ in the Comcover Risk Management Benchmarking Program’s annual survey.

    Internal audit arrangements

    Our Audit and Risk Committee provides independent assurance and advice on the ATO's risk control and compliance frameworks; reviews the management of strategic risks; and monitors the effectiveness and performance of the risk management framework. The Audit and Risk Committee is, in turn, supported by specialised subcommittees for financial statements and performance statements. The committee complies with Section 45 of the PGPA Act and Section 17 of the PGPA Rule (on audit committees for Commonwealth entities).

    Further support is provided by the Internal Audit Unit. The Chief Internal Auditor directs a comprehensive program of work in the form of risk-based reviews, audits, consultancy advice and assessments of effectiveness of governance and control frameworks. This area works with internal and external scrutineers discussing matters of mutual interest, coordinating assurance activity and reducing duplication of audit effort.

    External fraud and corruption

    The ATO recognises it is not possible, or desirable, to eliminate all the inherent risks in our activities. Accepting some risk is necessary to foster innovation within business practices. As part of our reinvention, we have moved from an approach of identifying errors through audits 'after the fact', to one of working collaboratively with taxpayers through providing advice and having open and transparent discussions before returns are submitted. Our work with various client segments using a preventative approach is outlined in Part 2 of this report.

    Acknowledging there will always be a segment of the community that seeks to evade its obligations, we also manage the risks of tax fraud which may affect revenue collection. We have a responsibility to the community to ensure everyone complies with the laws we administer.

    We sometimes review the accuracy of the information taxpayers provide. In addition, we use sophisticated data-mining techniques for those clients that have limited publicly available information (for example, privately owned companies have limited financial reporting requirements when compared with public companies). We compare the tax and economic performance between similar businesses, the complexity of the group structure, and specific indicators of compliance risk, in order to undertake a risk assessment. After identifying potential non-compliance, our staff review identified risks to establish which ones require further investigation. To support people who are subject to a review or audit, we have specialised information available in our Taxpayers' Charter.

    Along with our own measures, we investigate information volunteered by others. The ATO operates the Tax Evasion Reporting Centre, which receives and assesses reports of tax evasion submitted by members of the community, government agencies and industry bodies or internally from ATO staff.

    Unless the actions of a person or an organisation give reason to think otherwise, we will presume they are trying to meet their obligations. Even if a discrepancy is found, we accept that mistakes can be made. If the law allows us to, we take this into account when we consider penalties.

    Fraud prevention and internal investigations

    Across the year, we continued to prevent, detect, disrupt and investigate potentially fraudulent activity in the ATO, in line with the Commonwealth Fraud Control Framework 2014. Primary responsibility for doing so sits with the Fraud Prevention and Internal Investigations (FPII) branch.

    FPII proactively looks to identify potentially fraudulent behaviour, and receives reports through a variety of channels, both internal and external. All reports are considered and assessed, and actioned appropriately, including collaborating with the Australian Federal Police if necessary. Over the course of this year, we assessed 404 allegations or reports, of which:

    • 122 were substantiated
    • 134 were unsubstantiated
    • 35 were not able to be determined
    • 113 remain open at the end of the year.

    Unauthorised access continues to be the largest category of substantiated allegations, and is identified through proactive monitoring and integrity scanning. Unauthorised access predominantly involves access to the employee's own records or those of their family members or other people to whom they are connected. While such access may not result in any fraud, the fact that FPII actively examines it shows the seriousness with which the ATO treats the matter.

    FPII also actively engages with business lines and projects to minimise the risk of internal fraud and corruption, and invests extensively in fraud prevention activities and support for staff. This includes a continually developing range of self-help material and contemporary communication products.

    Conformance with obligations

    The ATO's ‘Conformance with obligations’ program monitors our level of conformance with legislative, whole-of-government and key internal requirements. The program requires business lines to identify and manage potential risks and instances of regulatory non-compliance. Each quarter, our findings are reported to the Audit and Risk Committee.

    We also monitor corporate integrity as a means of determining our level of conformance to legislative, whole-of-government and key internal requirements in areas of risk, priority and improvement. This is achieved through a suite of reports using enterprise data to measure how well our behaviours are meeting our organisational values and beliefs.

    Last modified: 30 Oct 2017. QC 53646