• Tax risk management and governance review guide

    We have embraced the increasingly global view that tax risk management must be a part of good corporate governance. The presence and testing of a tax internal control framework are an integral part of the risk-assessment protocols used by tax authorities.

    This guide was developed primarily for large and complex corporations, tax consolidated groups and foreign multi-national corporations conducting business in Australia. The principles outlined can have application to a corporation of any size if tailored appropriately.

    When appropriate, we do assess the tax governance processes of large business taxpayers that we have under review. However, the aim of this guide is to help you understand what we believe better tax corporate governance practices look like, so you can:

    • develop your own tax governance and internal control framework
    • test the robustness of the design of your framework against our benchmarks
    • understand how to demonstrate the operating effectiveness of your key internal controls to your stakeholders.

    Our guide is focussed at two levels:

    • Board-level responsibilities – Here we outline how a board can ensure they are both independent and effective. Note this includes, where applicable, their delegated representatives, such as an audit committee.
    • Managerial-level responsibilities – Here we provide examples of the controls that can be implemented to help mitigate tax risks and how management can test and provide assurance for the operational effectiveness of their controls.

    Corporate governance and key controls

    If you have good corporate governance processes in place, many of the key controls we identify will already exist within your organisation. We expect you will be using existing corporate governance practices and internal control frameworks as much as possible, such as your existing financial reporting internal control framework. For this reason, and to ensure consistency and synergy in our approach, we have considered information:

    • published by the Australian Stock Exchange (ASX)
    • contained in the Corporations Act
    • distributed by other global tax regulators.

    If we do need to assess your tax governance processes, having a strong tax control framework within the company gives us confidence that tax risks are well managed. This means it may take less time to assess whether your controls align with the principles outlined in this guide. Alternatively, the absence of a strong tax control framework may signal to us that more resources are necessary to fully assess tax risks.

    Board-level responsibilities

    Establish a framework to identify and manage tax risk

    The board of directors (or authorised sub-committee) establishes an internal control framework to identify and manage all major tax risks. For a business headquartered overseas, we would expect the Australian-based board to perform the oversight role in respect of Australian tax risks.

    Board level control 1: Formalised tax control framework

    The board endorses a formalised tax control framework that is understood across the organisation.

    Better practice can be demonstrated by:

    • A formal tax strategy document, such as a board tax policy that provides details of how the organisation identifies and manages tax risk.
    • Policies endorsed by your board of directors that  
      • outline the organisation's tax risk appetite
      • detail an acceptable level of tax risk for day-to-day operations and what requires escalation
      • are published internally and in your annual report.

    Board level control 2: Roles and responsibilities are clearly understood

    The board understands and formalises company director roles and responsibilities for tax risk management.

    Better practice can be demonstrated by:

    • Documented role and responsibility descriptions for company directors
    • Programs for inducting new directors with appropriate accounting skills and knowledge so they can perform their oversight of tax risk management strategies
    • Ongoing support and briefings for directors regarding tax risk management strategies
    • An established tax risk committee or allocating tax risk to an appropriate and independent board sub-committee – for example, an audit committee
    • Clear communication of expectations for managing tax risks from the board or sub-committee to management
    • A board of directors 'skills matrix', as suggested in the ASX corporate governance principles, to help identify gaps in the collective skills of the board. Gaps should be addressed as part of a listed entity’s professional development initiatives for directors and successors.

    Board level control 3: The board is appropriately informed

    The board (or sub-committee) is familiar with tax risk matters and the effectiveness of their tax control framework.

    Better practice can be demonstrated by:

    • Board or sub-committee charters include review of tax risks
    • Regular summarised progress updates to the board or sub-committee on how tax issues and risks are trending (ie high, medium or low risk) at board meetings.
    • Board (or sub-committee) minutes or documentation that demonstrate members have been briefed on the effective tax rate of the business, including whether the amount of tax paid aligns with business results and, where relevant, reasons for significant misalignment.
    • Board (or sub-committee) endorsement for positions taken that fall outside published ATO safe harbours – for example, debt-to-equity ratios.
    • Tax-risk registers and escalation of issues where appropriate – you should note if you have sought external advice on the relevant risk or issue.
    • An annual report that includes a statement from the board attesting that they have effective policies and processes in place to manage tax risk.

    Policies and controls are regularly assessed

    The board ensures adequate tax risk management policies are in place and adhered to, as well as systemically assessing internal controls and procedures on a regular basis.

    Board level control 4: Periodic internal control testing

    Periodic internal control testing is conducted to assure the board that the internal control framework is robust enough to effectively manage tax compliance risk.

    Better practice can be demonstrated by:

    • A testing plan to determine the effectiveness of the control framework. Note: this may include a gap analysis to identify which key controls are not tested via existing assurance processes – for example internal or external audits.
    • Reports from independent assurance providers (internal or external) that present findings on the effectiveness of the tax control framework, whether conducted primarily for tax controls or other interdependent controls.
    • Evidence that the board (or sub-committee) has reviewed the results of control framework testing and any proposed remediation plans for tax control failures.
    • Documented assurance (such as an attestation) from senior management concerning the capability and capacity of the tax control framework.

    Managerial-level responsibilities

    Management should have the capacity to enforce policies and implement strategies approved by the board. They should develop and implement systems that identify, assess, manage and monitor tax risks. Management also play a vital role in monitoring the appropriateness, adequacy, and effectiveness of risk management systems.

    Ensure sufficient capacity and capability

    Management should ensure there is sufficient capacity and capability to enable effective management of tax risk.

    Managerial control 1: Roles and responsibilities are clearly understood

    Staff, management and board roles and responsibilities are clearly defined and documented within the control framework to ensure tax obligations are well managed and satisfied.

    Better practice can be demonstrated by:

    • Formal documents, policies or procedures for all roles and responsibilities relating to tax compliance and risk management. These generally detail  
      • role descriptions for tax compliance, administration and risk management
      • roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel
      • formal delegations (or authorisation levels)
      • segregation of duties – for example, dual sign-off
      • policies or committee charters that specify methods and frequencies for reviewing and escalating risks in the tax risk register, including follow-up of identified tax risks.

    Managerial control 2: Senior management confident of capacity and capability

    Senior management, such as the CFO/CEO or Head of Tax, are confident in the capacity and capability of tax governance processes and personnel.

    Better practice can be demonstrated by:

    • A control framework approved by senior management that includes both preventative and detective controls.
    • Clearly identified key controls, including how often they are tested. Staff with appropriate experience are designated as control owners.
    • Senior management approval of the design and operating effectiveness of the internal controls governing tax compliance.
    • Internal or external assurance reviews of tax corporate governance or control framework procedures.
    • Staff training on tax corporate governance procedures.
    • Staff reviews, KPIs and performance agreements that incorporate tax corporate governance and risk management elements.
    • Key personnel with professional qualifications and standards to ensure capability.
    • Impacts of tax compliance risks are considered by an appropriate management or board sub-committee; for example, a mergers and acquisitions sub-committee considers the tax risks of acquiring an entity.
    • Existing channels for personnel outside of the tax function to identify and escalate tax risks.
    • Tax-related reports generated and presented to senior management.

    Managerial control 3: Significant transactions are identified

    Transactions or arrangements with a significant tax impact are systemically identified, categorised and reported on – for example, into strategic, operational, reputational, compliance and financial matters.

    Better practice can be demonstrated by:

    • A policy for significant tax transactions that  
      • specifies the value of what would constitute a significant transaction requiring authorisation from the tax area
      • details the types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (and, by default, tax matters not requiring escalation)
      • outlines the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction.
    • A risk-identification process that accounts for qualitative and quantitative risk factors. Examples of typical risk factors include  
      • volume of transactions affecting disclosures in the tax return
      • financial accounting and tax reporting complexities and inconsistencies
      • volume of manual adjustments made by management
      • related-party transactions
      • dealings involving low-tax jurisdictions
      • year-end arrangements resulting in tax benefits
      • revaluations resulting in tax benefits
      • transactions or arrangements where  
        • there is a legal versus substance disconnect
        • there are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome.
      • the use of new and complex financial instruments or arrangements.
    • Tax risks have been rated, for example high/medium/low, with the appropriateness of the rating evaluated on a yearly or half yearly basis.
    • Reporting templates that are adhered to.

    Consider our tax risk information at our building confidence website when carrying out your risk-identification processes.

    Ensure Information Technology controls are in place

    The internal control framework includes the implementation of appropriate Information Technology General Controls (ITGCs) to ensure information systems that process and store financial data accurately calculate, allocate, record and report tax data correctly.

    Managerial control 4: Controls in place for data

    Data integrity as a result of data transfer between various accounting/subsidiary systems should be subject to internal control processes.

    It is generally understood that the Information Technology (IT) function will provide assurance that appropriate ITGCs are in place to support the various operations of the business including tax.

    General IT controls

    ITGCs are policies and procedures that relate to many applications and support the effective functioning of application controls. ITGCs that maintain the integrity of information and security of data commonly include controls over:

    • data centre and network operations
    • system software acquisition, change and maintenance
    • program change
    • access security
    • application and system acquisition, development and maintenance.

    These controls are generally implemented to address the following specific risks that IT poses to an entity's general control environment:

    • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
    • Unauthorised access to data – particular risks may arise where multiple users access a common database or IT personnel gain access inappropriately.
    • Unauthorised changes to systems, programs or data in master files.
    • Failure to make necessary changes to systems or programs.
    • Inappropriate manual intervention.
    • Potential loss of data or inability to access data as required.

    Evidence of data integrity controls can include:

    • Effective IT system and application controls that maintain the integrity and security of data.
    • For entities with organisational-level ITGCs, a tax function should identify the relevant IT controls that are key to the tax function in their tax internal control framework. These relevant IT controls should be designed and operating effectively and instances of IT control breakdowns should be remedied. Breakdown instances should be communicated to the tax function to assess and remediate any impact on the tax return.
    • An effective process that allows the tax function to provide input on IT controls/functions, where the preparation of the tax return is dependent on IT – for example, extracts of data from sub-ledgers, interfaces between systems, and similar.
    • Consideration of the relevant automated controls key to the tax function. This may include  
      • the extent to which automated calculations or data-processing routines programmed into the applications are used
      • the volume of transactions processed by a control, as an indication of whether management should consider the application of ITGCs
      • the extent to which your organisation makes use of complex spreadsheets, where the risk of formula error, unauthorised changes or access, and complex calculation, could increase the risk of error
      • whether identified information system-control risks have been investigated via an internal or external review by an assurance provider (per audit plan)
      • whether reporting mechanisms exist between the tax unit and owners of ITGCs (and the rest of the organisation) regarding IT and system-related control weaknesses.

    When developing your internal controls for tax, you may leverage existing control frameworks by documenting all tax-related key controls. You should also document how these controls are tested, by whom, communication protocols and testing frequencies (for example via internal audit on a rotational basis), to ensure tax function involvement in the event of any control breakdowns or changes.

    Managerial control 5: Record-keeping policies

    The organisation employs procedures to support record keeping for tax requirements as prescribed by law and our guidelines.

    Better practice can be demonstrated by:

    • A formally documented record-keeping policy for tax, including appropriate timeframes for the retention of records.
    • Staff access to guidance notes via an intranet, or a set of procedures that are readily accessible explaining record-keeping requirements.
    • Internal or external audits that verify compliance.
    • Evidence that staff have been trained on record-keeping requirements for tax purposes.

    Assure the flow of information from accounting records

    Ensuring there is a complete and accurate flow of information from accounting records to the tax return or relevant activity statement.

    Managerial control 6: Documented control frameworks

    There is a documented internal control framework that specifically ensures the group’s compliance with tax law. This includes the complete and accurate flow of information from accounting records to the tax return and activity statements.

    Better practice can be demonstrated by:

    • Documented procedures for reviewing the tax return, including reconciliation back to the audited financial statements.
    • Retention of working papers detailing the calculation of the tax return.
    • Working papers reviewed and approved by management, indicating that they have checked the correct application of tax law to accounting transactions and accurate calculation of the tax return.

    Managerial control 7: Procedures to explain significant differences

    There are procedures in place requiring explanations for significant differences between accounting disclosures, financial statements and the tax return.

    Better practice can be demonstrated by:

    Documented procedures detailing:

    • methods for reconciling the tax calculation prepared for the financial statements and the completed tax return
    • methods for preparing deferred tax assets and deferred tax liabilities calculations for the financial statements
    • methods for preparing tax calculations based on accounting transactions
    • methods for reconciling completed tax return to accounting transactions as retained by the taxpayer’s accounting records
    • management have a mechanism in place to appropriately explain the tax performance of the entity when compared to the accounting result
    • narratives to explain variances between tax calculations for the financial statements and the completed tax return.

    Managerial control 8: Complete and accurate tax disclosures

    Management are confident that tax disclosures have been accounted for properly and disclosed correctly in the relevant tax return.

    Note: some of these matters may be outside of the responsibility of the tax area.

    Better practice can be demonstrated by:

    • Assurance that a tax return or statement review has occurred prior to lodgment. This reduces the likelihood of incorrect allocation and classification of line items, and helps ensure that the relevant law, administrative guidelines and record-retention requirements have been taken into account in relation to issues such as  
      • income tax
      • capital gains tax
      • transfer pricing
      • GST
      • research and development
      • reportable tax positions.
    • Appropriate controls to review compliance risk for other types of taxes managed elsewhere, such as  
      • fringe benefits tax
      • the super guarantee charge
      • pay as you go (PAYG) (instalments and withholding)
      • employee mobility (who bears and claims the labour costs)
      • customs and excise duty
      • state-based payroll taxes
      • stamp duty.

    Dealing with law and administrative updates

    Processes are in place to deal with law and administrative updates, including legislative amendments, ATO guidance updates and budget announcements, while ensuring these are operating effectively.

    Managerial control 9: Legal and administrative changes

    Tax corporate governance policies and procedures are required to be regularly reviewed and updated for law and administration changes.

    Better practice can be demonstrated by:

    • Walkthroughs of process changes to assess whether changes to the law require updates to the internal control framework and development of new controls.
    • Change requests have been submitted to senior management and changes to systems or control mechanisms have been implemented.
    • Policy that states you will inform us of any law update implementation difficulties.
    • Correspondence sent to us advising of difficulties.

    Appendix A: How to test controls

    We have included the following guidance to assist you to understand the type and frequency of control testing that can be applied to assess a tax governance framework. When we conduct a review of tax governance processes we generally adopt the walkthrough approach to determine if your existing controls and assurance processes are adequate.

    Given the unique and specialised nature of the tax reporting function, tax-related controls may not always be independently tested under existing internal or external audit schedules. Consideration should be given to an independent review of key tax controls to evaluate their effectiveness, even if they are only tested on a rotational basis.

    You may rely on existing processes to test your overall control framework and tax function (preparing tax returns and other tax matters). However, you should be able to demonstrate that such assurance processes are sufficient to evaluate the effectiveness of tax related key controls. For example, there may be testing of tax-related controls for entities that have an existing financial reporting control framework which is tested as part of the annual external audit of the financial reports.

    Ultimately we consider a large complex organisation should be able to demonstrate that:

    • all key controls related to the tax function have been clearly identified, including but not limited to tax sign-off of major transactions, system changes and the management of the tax issues register
    • testing frequencies of these controls are known by the tax function
    • testing results are reported to the tax function
    • any control breakdowns and remediation actions are communicated to the tax function.

    Methods used to test controls

    The requirements and methods we outline below can be used to test and evaluate your tax control framework. This information, although consistent with the external audit approach to evaluate internal control frameworks, should be considered general guidance only, serving a range of people conducting controls testing, including:

    • internal auditors
    • in-house operational staff
    • management staff.

    Your tax control framework is made up of individual control activities designed to prevent or detect the tax risks that your organisation has identified.

    There are two components to testing controls; they are design effectiveness and operational effectiveness.

    1. Testing control design effectiveness

    To determine the control design effectiveness (if a control is adequately designed to address a specific risk) the most common method is to perform a walkthrough of the control processes.

    How to perform a walkthrough of controls

    A walkthrough includes the following actions:

    • making inquiries of appropriate personnel
    • observing the company’s operations
    • inspecting relevant documentation and addressing the following objectives:  
      • objective 1: understanding the flow of transactions related to the relevant tax return line item, including how these transactions are initiated, authorised, processed, recorded and treated for tax purposes
      • objective 2: identifying the points within the process at which a potential error is likely to occur
      • objective 3: identifying the controls that you have implemented to address these potential errors.

    Upon completing a walkthrough, the end-to-end flow of transactions or sub-processes should be mapped out or narrated from beginning to end, with clear markers indicating the points of potential errors (objective 2) and controls (objective 3).

    In some cases, particularly in lower risk or less complex manual or automated controls, a walkthrough would provide sufficient evidence of operating effectiveness. The specific procedures performed as part of the walkthrough and the results of those procedures should be clearly documented and justified.

    Example of a walkthrough scenario

    In the table below we outline an example of how you may document a tax function process to provide a clear view of your key control points. The walkthrough example below documents typical processes and controls for preparing a corporate tax return.

    For taxpayers with consolidated tax groups, we acknowledge that your tax return preparation processes and controls may be slightly different.

    | Tax return process narration | Key control? | Manual or automated controls? | Frequency of control? | How is the operation of the control evidenced? |
    |---|---|---|---|---|
    | Review closing balance and carry forward items from previous year's tax return | Control A | | | Sign-off of year end checklist by tax team member and review by tax team manager. |
    | Review various factors that would impact the current year tax return (including new tax laws, changes in accounting standards, internal accounting system upgrades, etc.) | Control B | | | Sign-off of year end checklist by tax team member and review by tax team manager. |
    | Extract general ledgers from finance system for the relevant period (eg, 12 months ending 30 June 2014) by team member | Not a key control | | | |
    | Check that the extractions of general ledgers include all relevant legal entities under Parent Co at month end (eg, reconcile to Parent Co group structure) | Control C | | | Sign-off of month end checklist by team member and review by team manager. |
    | Upload general ledgers to tax calculation software | Not a key control | | | |
    | Tax calculation software is proprietary software that has been programmed to map general ledger to pre-defined tax classification categories | Not a key control | | | |
    | Working papers are prepared for all manual adjustments | Not a key control | | | |
    | Manual adjustments are inputted into the tax calculation software by tax staff | Not a key control | | | |
    | Individual entity tax returns are reviewed by a second tax staff member via tax calculation software | Control D | | Yearly (Income tax) | Sign-off of year end checklist by tax team member and review by tax team manager. |
    | Third-level review (such as a senior manager) on the tax return and completes a tax calculation checklist | Control E | | Yearly (income tax return) | Sign-off of year end checklist by tax team member and review by tax team senior manager. |
    | Finalised individual entity tax returns are aggregated within tax calculation software | Not a key control | | | |
    | Reconciliation of accounting profit/loss to taxable income/loss to ensure completeness and incorporate explanatory notes for all differences | Control F | | | Sign-off of year end checklist by tax team member and review by tax team manager. |
    | Review of consolidation and elimination entries to ensure completeness and accuracy | Control G | | | Sign-off of year end checklist by team member and review by team manager. |
    | Working papers are prepared for supporting schedules | Not a key control | | | |
    | Group tax return and schedules are reviewed and signed off by tax review team | Control H | | | Sign-off of year end checklist by tax team member and review by tax team senior manager. |
    | Executive memorandum is prepared and tabled to a governing committee summarising the analysis on Parent Co’s tax position as per tax return | Control I | | | Tax manager submission to relevant board committee. |
    | Final review and lodgment of tax return by company's head of tax | Control J | | | Head of tax sign off of tax return. |
    | Copy of the tax return, schedules and associated paperwork is stored and filed centrally | Control K | | | Copies of tax return, schedules and associated paperwork are retrieved |

    The process can also be represented diagrammatically with the controls highlighted in the green circles as per the example in the below diagram:

    [Figure: Example of a walkthrough scenario flowchart]


    Having narrated and mapped out the relevant processes related to your tax functions, an assessment of the control design effectiveness can be undertaken.

    The assessment of control design effectiveness should include:

    • whether the control, as designed, achieves the control objective (a control objective should clearly describe the specific risks or potential errors that the control aims to reduce or eliminate)
    • the timeliness of the control procedures
    • the rigour and precision at which the control is designed to operate
    • the appropriateness of assigned roles and responsibilities.

    Conclusions on both effective and ineffective control designs should be clearly documented. Effective designs should be further tested to assess the operational effectiveness of controls through the period under review. Ineffective designs should be reported and replaced with better practice recommendations as part of a remediation plan.

    If the design effectiveness of a control is determined to be inadequate, no further testing is required and a new control should be designed. Where this is the case, consideration should be given to conducting a review to assess the impact on current and previously lodged returns.

    2. Testing the operational effectiveness of a control

    If the design effectiveness of a control is adequate and is expected to reduce the identified tax risk, the control should then be tested for operational effectiveness. This determines whether controls have operated effectively throughout the period under review. To determine control operational effectiveness, a combination of methods can be used, including:

    • Re-performance – provides the most evidence in determining operational effectiveness of a control.
    • Examination/inspection – these tests provide the second-most amount of evidence.
    • Observation – provides the third-most amount of evidence.
    • Inquiry – provides the least amount of evidence.
      Note: Inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control.

    Testing plan

    Auditors and other assurance providers are guided by auditing standards to exercise their professional judgment in assessing the operational effectiveness of key controls. We advocate a similar approach be taken. The objective of a control testing plan is to identify the key controls that have a significant impact on tax risk and assess the existing level of assurance you have that they are operating effectively.

    Many key tax controls will be subject to existing internal or external audit review schedules or a second level review within the tax or finance function. If a key tax control is reviewed independently and the review is considered robust enough to provide a reasonable level of assurance, the control may in effect be considered tested for operational effectiveness. Additionally, you may have evidence from previous control testing that may support a notion that your tax controls are effective and would continue to be so.

    If no testing has taken place in relation to a key tax control you should map out the frequency and assumed population of control occurrences. To obtain a reasonable level of assurance, independent testing should then take place. Auditing standards do not specify set sample sizes to test within a population of control occurrences. The level and frequency of any control testing necessary for a reasonable level of assurance is determined by an appropriately skilled person, for example an internal auditor.

    Example: Sample sizes for controls testing

    An example of minimum sample sizes for controls testing is provided below:

    | Frequency of control | Assumed population of control occurrences | Number of items to test for a reasonable level of assurance |
    | --- | --- | --- |
    | Ad hoc | Ad hoc | As appropriate |

    Example: Testing of control operational effectiveness

    Key control: Reconciliation of document A to document B is completed and independently reviewed

    Frequency: Monthly

    Method of testing: Inquiry and inspection

    Sample size: 5

    Test: Randomly select a sample of 5 reconciliations performed between 1 July and 30 June and verify that they have been completed and reviewed independently. Note the control in the example below would not have been considered to be operating effectively (since samples 2 and 3 failed) – all 5 instances should have passed for it to be deemed to operate effectively.



    |  | Test (Pass/Fail) |  |
    | --- | --- | --- |
    | Sample #1 | Pass | Sample was completed by Staff A and reviewed by Staff B. |
    | Sample #2 | Fail | Reconciliation was not completed for this week. |
    | Sample #3 | Fail | Sample was not independently reviewed. Preparer sign off only. |
    | Sample #4 | Pass | Sample was completed by Staff A and reviewed by Staff B. |
    | Sample #5 | Pass | Sample was completed by Staff A and reviewed by Staff B. |



    End of example

    Assessing the effectiveness of the control framework

    The extent to which an assessment of effectiveness can rely on the work of others will vary, depending on the level of competency of those performing the work.

    The following list – in order of reliance from high at 1, to low at 4 – shows the typical relationship between the role of the person performing the procedures and the amount of evidence we may obtain from that work:

    1. external auditor testing
    2. internal audit/third party on behalf of management
    3. management testing
    4. management self-assessment.

    When relying on the work of others, the competency of those undertaking controls testing should be assessed by obtaining and evaluating the following items:

    • educational level and professional experience
    • professional certification and continuing education
    • supervision and review of work performed
    • quality of working-paper documentation, reports, and recommendations.

    When evaluating whether a control is effective, you should consider the definitions in Auditing Standard ASA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (we have replaced 'financial report' with 'tax return').

    A deficiency in internal control means either a control:

    • designed, implemented or operated in such a way that it is unable to prevent, or detect, and correct, misstatements in the tax return on a timely basis
    • necessary to prevent, or detect, and correct misstatements in the tax return on a timely basis is missing.

    A significant deficiency in internal control means: a deficiency or combination of deficiencies in internal control that in the judgment of the external/internal* auditors or the judgment of management* is of sufficient importance to merit the attention of those charged with governance.

    *Modified from original standard to reflect that controls attestation might be done by internal or external auditors or management (self-attestation).

    • Upon completing these tests, evidence collected for testing should be adequately retained and testing results should be clearly documented.
    • Exceptions and findings regarding both control design and operational effectiveness should be reported and tabled to a governing committee, such as a board or risk committee. Following up on recommendations or remediation should be carried out annually and evidence of board of directors/committee oversight should be recorded in the respective minutes.

    Outsourced tax functions

    Taxpayers with outsourced tax functions should demonstrate in their controls framework the methods that enable directors to rely on information, or professional expert advice in accordance with Section 189 of the Corporations Act – specifically, directors should understand the information or advice before making an independent assessment. The testing of controls for a taxpayer should include the following that are linked to the preparation and submission of the tax return:

    • the directors' independent assessment processes
    • internal controls
    • checklists
    • source documentation
    • communication protocols.

    Management should consider the content of this document when meeting with service providers.

    Appendix B: Directorship responsibilities

    In addition to the corporate governance guidelines for publicly listed entities as published by the ASX, there are a number of legislative and regulatory requirements on the directors of a company.

    Australian Prudential Regulation Authority

    APRA states that the board of directors is responsible for providing stewardship and broad oversight of the regulated entity and determining its risk appetite.

    ASX Corporate Governance Principles

    The ASX states that a listed entity should establish and disclose the respective roles and responsibilities of its board and management, and how their performance is monitored and evaluated.

    Recommendation 2.6 states that a listed entity should have a program for inducting new directors and provide appropriate professional development opportunities and where necessary resources to help directors develop and maintain the skills and knowledge needed to perform their roles effectively. This includes, in the case of a director who does not have specialist accounting skills or knowledge, ensuring that he or she has a sufficient understanding of accounting matters to fulfil his or her responsibilities in relation to the entity’s financial statements. It also includes, for all directors, ensuring that they receive ongoing briefings on developments in accounting standards.

    ASX Corporate Governance Principle 7.1 states boards of listed entities should have a committee to oversee risk. The committee should be independently chaired with at least three members, the majority of whom are independent. If they don’t have such a function in place, they should disclose why they haven’t and what alternative processes are used for overseeing the risk management framework.

    Australian Securities & Investments Commission

    ASIC states that as a director you have a core, irreducible requirement of involvement in the management of the company. You must take reasonable steps to place yourself in a position to guide and monitor the management of the company.

    Your responsibilities are not limited by your particular background knowledge and experience. You must become familiar with the business of your company and how it is run, and ensure that your company is being properly run by management.

    If you take on a role with special responsibilities, such as the chair of an audit committee or the role of an executive director, you must discharge the increased responsibilities expected of directors in such positions with appropriate care and diligence.

    You must take reasonable steps to comply with, or secure compliance with, the financial reporting and audit requirements of the Corporations Act, including the requirement to keep proper books and records.

    ATO – Director penalty regime

    Directors can become personally liable for unpaid PAYG withholding and/or Super Guarantee Charge (SGC) amounts.

    The director penalty regime applies to:

    • unpaid PAYG withholding amounts
    • unpaid SGC obligations applicable from and including 30 June 2012 (that is, the June 2012 or later quarters).

    The director penalty regime will not affect directors if they ensure their company complies with its PAYG withholding and/or superannuation guarantee requirements.

    ATO – Public officer responsibilities

    Australian tax legislation requires that every company carrying on business in Australia must have an appointed public officer to represent the entity. Public officers are answerable for the doing of all such things required to be done by the company under the relevant Act or associated regulations and shall be liable to the same penalties.

    Tax control frameworks for medium and small corporations

    We recognise that different entities may legitimately adopt different governance practices based on a range of factors, including their size, complexity, history and corporate culture. For that reason, the principles outlined in this document are not mandatory, but are an indication of our expectations in relation to corporate tax governance.

    The concepts underlying control activities in medium and small entities are likely to be similar to those in larger entities, but the formality with which they operate may vary:

    • Medium and small entities may find that certain types of control activities are not relevant because of controls already applied by management, such as  
      • management’s sole authority for granting credit to customers and approving significant purchases can provide strong control over important account balances and transactions, lessening or removing the need for more detailed control activities
      • control activities relevant to the audit of a medium or small entity are likely to relate to the main transaction cycles such as revenues, purchases and employment expenses.
    • The control environment within medium or small entities is likely to differ from larger entities, in that  
      • those charged with governance in medium or small entities may not include an independent or outside member
      • the role of governance may be undertaken directly by the owner-manager where there are no other owners.
    • The nature of the control environment may also influence the significance of other controls, or their absence, such as  
      • while the active involvement of an owner-manager may mitigate certain risks arising from a lack of segregation of duties in a medium or small business, it may, however, increase other risks; for example, the risk of override of controls
      • audit evidence for elements of the control environment in medium or small entities may not be available in documentary form, in particular where communication between management and other personnel may be informal, yet effective; for example  
        • medium or small entities might not have a written code of conduct, but instead develop a culture that emphasises the importance of integrity and ethical behaviour through oral communication and by management example.

    We recommend that medium and small businesses consider adopting our better practice examples appropriate to their circumstances and the relevant requirements of the Corporations Act when assessing the robustness of their tax control and governance framework.

    If you are a privately owned group we encourage you to refer to the Tax Governance guide for privately owned groups where the ATO have provided practical principle-based tax governance advice tailored to the circumstances facing privately owned groups.

    Last modified: 12 Aug 2016 (QC 46292)