Director's summary

Corporate governance and risk management

If you have good corporate governance processes in place, many of the key controls we identify will already exist within your organisation. A good corporate governance model will include a robust risk management framework and procedures to identify, implement and report on the design and operational effectiveness of internal controls in place to mitigate the identified risks.

Tax risk management will normally be one of these risks and some entities may wish to leverage their existing corporate governance practices as much as possible, such as the company’s existing financial reporting internal control framework. For this reason, and to ensure consistency and synergy in our approach, we have considered information released by the Australian Securities Exchange (ASX) and global tax regulators, and provisions in the Corporations Act 2001.

If we need to assess your tax governance processes, having a strong tax control framework within the company gives us confidence that tax risks are well managed. This means it may take less time to assess whether your controls align with the principles outlined in this guide. Alternatively, the absence of a strong tax control framework may signal to us that more resources are necessary to fully assess tax risks.

Justified trust and key controls

The existence, application and testing of a risk management and governance framework (with tax as an element) is one of the key focus areas for the ATO achieving justified trust and having objective evidence that a particular taxpayer is complying with their tax obligations.

Although we tailor our approach to suit each client, our areas of focus in relation to tax risk management and governance will be aligned with the following 'justified trust' objectives:

• understanding an entity's tax governance framework        
  • Board-level control 1: Formalised tax control framework
  • Board-level control 4: Periodic internal control testing
  • Managerial control 1: Roles and responsibilities are clearly understood
  • Managerial control 6: Documented control frameworks
   
• identifying risks flagged to the market        
  • Board-level control 3: The board is appropriately informed
   
• understanding significant and new transactions        
  • Managerial control 3: Significant transactions are identified
   
• understanding why the accounting and tax results vary        
  • Managerial control 7: Procedures to explain significant differences
   

In addition to the above areas of focus, in line with the updates made to this guide in January 2018, ATO will also consider the following focus area in order to achieve 'justified trust' with respect to excise and indirect taxes:

• Understanding an entity's tax governance framework    
  • Managerial control 4: Controls in place for data
   

See also

• Justified trust
• GST Governance, Data Testing and Transaction Testing Guide

Three lines of defence

Many businesses adopt a 'three lines of defence' approach to risk management:

• risk owners or management
• risk management or compliance function, which reviews and challenges activities and decisions
• board committees and independent assurance functions.

This guide is designed to assist each line of defence by describing what the ATO considers to be better practices for tax risk management and governance.

Board-level controls

The board's role is oversight and monitoring, including ensuring effective governance processes and appropriate risk management frameworks are in place to ensure compliance with applicable laws and regulators’ policies.

Managing day-to-day controls and processes to ensure compliance with tax obligations is not a matter for the board, but a responsibility of management.

The board of directors (or authorised board level sub-committee) should oversee an internal control framework that provides guidance on how all risks, including tax risks, are identified and managed within the business.

In addition to having in place effective controls to manage your entity’s identified tax risks (which could be evidenced by formalised policies and procedures), you should be able to demonstrate that those controls have been operating effectively over the relevant period. This could be part of the same procedure that is used to demonstrate the effectiveness of all key controls.

See also:

• Board-level responsibilities

Internal controls testing

The ATO intends to apply an evidence-based approach to assessing tax governance, covering income tax, excise and indirect taxes. At the board level, we anticipate directors will possess a general understanding of internal controls, the board’s oversight functions and the various points of communication where controls testing results are reported to the board.

Where the ATO compliance product requires the consideration of tax risk management and governance the company should, in the usual course of its dealings with the ATO, provide access to the right individual or internal audit team that can evidence the results of controls testing (eg internal audit reports or management self-assessments).

Managerial-level controls

Underpinning the operational effectiveness of the key controls that form your entity’s overall internal control framework with regard to tax, the managerial-level responsibilities would also be assessed. As part of your oversight role, you should get comfort from your management team that managerial-level responsibilities have been met and demonstrated based on evidence. This may be done in the form of assurance reporting from management to the board.

See also

• Managerial-level responsibilities

Directorship responsibilities and liability

Responsibilities

The role of company director is to govern a company on behalf of the shareholders or members of the company. The Corporations Act 2001 specifies the main duties of directors, including their responsibility for ensuring that their company complies with the Act's financial records and financial reporting requirements.

There are a number of legislative and regulatory requirements or guidance for the directors of a company, including:

• ASX Corporate Governance Principles and Recommendations 4th editionThis link will download a file – Principle 1 and Recommendation 4.2
• APRA – Probability and Impact Rating SystemThis link will download a file
• ASIC information sheet 183 – Directors and financial reportingExternal Link
• Corporations Act section 189External Link
• Case law: ASIC v Healey & Ors [2011] FCA 717External Link

Liability

There are federal, state and territory laws that make directors liable for the actions of their companies. Where a corporation commits a taxation offence, a person who takes part in the management of the corporation (such as a director) may be considered to have committed the taxation offence and may be punishable accordingly.

Under the director penalty regime, directors can become personally liable for:

• unpaid PAYG withholding amounts
• unpaid super guarantee charge (SGC) obligations applicable from and including 30 June 2012 (that is, the June 2012 or later quarters).

The director penalty regime will not affect directors if they ensure their company complies with its PAYG withholding and super guarantee obligations.

Public officers

A public officer is the company's representative to the ATO and has specific responsibilities under tax law. In some cases the public officer might also be a director.

See also

• Public officer