
Ensure information technology controls are in place

Last updated 24 August 2022

Managerial-level control (MLC) 4: Controls in place for data

Refer to MLC-6a for the procedures relating to the entity's overall tax, excise and BAS return preparation process. Refer to MLC-6a for the list of systems and applications where data is sourced and processed. MLC-4 specifically addresses system and application controls.

MLC4a: Effective IT system and application controls that maintain the integrity and security of data.

For MLC-4, the ATO notes that the level of sophistication of IT controls in relation to tax data might vary. Some entities might use off-the-shelf software while others might have in-house software or rely on detailed data extracts from sub-systems to complete elements of the tax return, income tax, excise, GST calculation and the excise return and the BAS.

The focus of this procedure should be on systems or sub-systems that are used in the tax, excise and BAS return preparation process with their related IT controls.

We note that application controls relating to tax might be covered by enterprise-wide controls and suggest these are leveraged for this procedure provided tax systems are included in their scope.

Procedure

Enquire of the entity if they have identified the IT system and application controls that are related to the tax function or preparation of the tax, excise and BAS return. If so:

  • List the IT system and application controls that relate to the tax function or preparation of the tax, excise return and BAS preparation process (including data extracts or feeds from sub-systems). Where tax-related IT controls are documented, obtain a copy and attach to the report.
  • List the maintenance of IT system and application controls that ensure adequate tax data integrity and security. For example, data integrity is the accuracy and consistency of data stored in a database. Data security is protecting data from unauthorised access and other destructive forces. Note that application controls relating to tax can also be maintained or tested as part of a wider IT general control environment.

If the entity indicates that there are reviews of system and application controls related to the tax function or preparation of the tax, excise and BAS return, enquire:

  • Is the review undertaken in-house or outsourced?
  • When was the last review performed?
  • When is the next scheduled review?

A review of system and application controls relating to tax might also be performed as part of a wider IT general control review.

Obtain the report for the most recent review/audit and enquire of the entity which part of the review scope relates to tax applications or data. Report their response and page reference the report.

Inspect the review/audit report and note any findings raised and remediation plans that are related to systems and data used by the tax function.

If the entity has not identified systems and application controls that are related to the tax function or preparation of the tax, excise or BAS return then:

  • enquire of the entity’s reasons
  • enquire how management ensures the completeness and accuracy of the tax function and preparation of the tax, excise or BAS return
  • report their response.

If the entity has identified tax-related systems and application controls but has no mechanisms in place to maintain the control design and operating effectiveness of those systems and applications, enquire of the entity’s reasons, report their response and raise an observation.

Better practice report inclusions

  • Review/audit of IT system and application controls report

MLC4b: For entities with organisational-level IT General Controls (ITGCs), a tax function should identify the relevant IT controls that are key to the tax function in their tax internal control framework. These relevant IT controls should be designed and operating effectively and instances of IT control breakdowns should be remedied. Breakdown instances should be communicated to the tax function to assess and remediate any impact on the tax, excise and BAS return.

Procedure

Enquire of the entity if they have organisational-level (or enterprise-wide) ITGCs in place where the tax function can be identified and is documented. Document their response. If so, obtain the document and highlight tax key controls, noting how often these controls are tested.

In the most recent ITGC review, enquire if any IT control breakdowns were noted that related to the tax function. If so, obtain a copy of the ITGC report and note the remedial plans, due dates and action owners.

Enquire if the breakdown of tax-related controls was communicated to the tax function. If so, how was it communicated? Obtain copies of any written evidence (for example, emails). Report their response.

If the tax function is informed of IT control breakdowns that are associated with the tax function, enquire of the entity how the tax function assesses and remediates any impact on the tax, excise or BAS return. Report their response.

Note that IT general controls relating to tax might be reviewed as part of a wider IT general control review for all systems.

MLC4c: An effective process that allows the tax function to provide input on IT controls/functions, where the preparation of the tax, excise and BAS return is dependent on IT (for example, extracts of data from sub-ledgers, interfaces between systems, set-up/maintenance of master files for customers, vendors, products, tax codes/rates, plants, permissions and similar).

Procedure for the income tax return preparation

Enquire of the entity in relation to preparing the tax return what software applications (for example, tax integrator) are used to perform tax return calculations (refer to MLC-4d) and note:

  • the name of the application
  • whether in-house or purchased (if purchased, details of provider/vendor and whether it is bespoke or off-the-shelf software)
  • the frequency of the software update
  • how the entity ensures that the programming of the application is updated to reflect law changes as they arise
  • the relevant automated key controls built into the software with a brief description of the control
  • when these controls were last tested for design and operating effectiveness and whether the results have been included in MLC-4a (if not, repeat MLC-4a).

If the entity uses spreadsheets for calculating their tax return (refer to MLC-4d) enquire:

  • What controls are in place to ensure that formulas are correct?
  • What controls are in place to ensure that the spreadsheets are only accessed and used by authorised personnel?
  • When were spreadsheet controls last tested for design and operating effectiveness and have the results been included in MLC-4a (if not, repeat MLC-4a)?
  • What datasets (for example, general ledger, and tax asset register) are required to perform the tax calculation?
  • Which systems are data extracted from?
  • How does data from sub-systems integrate with the software used to perform the tax calculation?
  • How does the tax team ensure that the required data extracted from sub-systems is accurate and complete?

Where the tax team has previously identified issues (including changes required because of change of tax laws) with the IT controls or functions then identify:

  • the nature of the issue
  • how it was reported
  • who it was reported to
  • how it was rectified.

If issues are documented, obtain the document and page reference. Report their response.

Procedure for the BAS/excise return preparation

Enquire of the entity what accounting systems are used to capture transactional data to prepare the BAS/excise return (refer to MLC-4d) and document:

  • the name of the application/system
  • whether in-house or purchased - if purchased, details of provider/vendor and whether it is bespoke or off-the-shelf software
  • the frequency and nature of the system updates/change
  • whether all members of the GST group use a common accounting system or how their systems are integrated
  • whether all excise transactions are captured within one system or multiple systems, and how the inventory management systems interact with systems recording and calculating the excise liability on transactions
  • how the entity ensures that the systems are updated to reflect law changes as they arise
  • what controls and authorisation processes are there to ensure the accuracy of master file data including creation, amendments and changes
  • what the settings, rules and conditions within the master files are that affect the payment of excise liability and related categories including delivery location, unbonded/bonded status, excisable/duty paid goods, customer status (Lifter pays) and sales type
  • what the procedures are for changing the classification of products in the accounting system including the authorisation process
  • the relevant automated key controls built into the system with a brief description of the control
  • the controls in place to ensure the accuracy of data input and processing
  • the ability to track changes to the adjustments made including changes to GST/excise classification of transactions
  • any process to ensure staff responsible for entering data into the accounting systems understand the correct GST/excise treatment of a transaction
  • how the accounts payable and accounts receivable process is recorded
  • whether any or all the accounting functions and billing activities are outsourced
  • when these controls were last tested for design and operating effectiveness and whether the results were included in MLC-4a (if not, repeat MLC-4a).

Enquire of the entity the following in relation to the BAS/excise return preparation process and note:

  • which source system reports are used to extract data for the BAS/excise return preparation
  • whether all systems are integrated or are there any legacy/unintegrated systems requiring manual intervention to collect the BAS/excise return preparation data
  • whether there are manual adjustments/journals required to correct/update system extracted data
  • the process for ascertaining and correcting errors via the Out of Period Adjustment (OOPA) in excise reporting
  • the controls in place to ensure the extracted data is accurate, complete, classified, reconciled and reported correctly
  • the controls in place to ensure the manual/automated journals are reviewed and validated for accuracy.

If the entity uses spreadsheets for preparing the BAS/excise return (refer to MLC-4d) enquire:

  • the controls in place to ensure that formulas are correct
  • the controls in place to ensure spreadsheets are only accessed and used by authorised personnel
  • when the spreadsheet controls were last tested for design and operating effectiveness and whether the results were included in MLC-4a (if not, repeat MLC-4a).

Where the indirect tax team previously identified issues (including changes required as a result of change of tax laws) with the IT controls or functions then note:

  • the nature of the issue
  • how it was reported
  • who it was reported to
  • how it was rectified.

If issues are documented, obtain the document and page reference, reporting their response.

Better practice report inclusions:

  • Accounting system architecture overview or a diagram(s) that outlines how sales, acquisitions transactions and inventory movements flow through the system(s) to the BAS and sales reported for excise and/or WET
  • BAS/excise return preparation instructions
  • GST and excise manuals

MLC4d: Consideration of the automated controls key to the tax function may include:

  • the extent to which automated calculations/coding or data-processing routines programmed into the applications are used
  • the extent to which manual interventions are allowed in systems, for example, transaction tax code overrides, changes to tax rates and product classifications
  • the volume of transactions processed by a control as an indication of whether management should consider the application of ITGCs
  • the extent to which your organisation makes use of complex spreadsheets, where the risk of formula error, with unauthorised changes or access to complex calculations, could increase
  • whether identified information system-control risks have been investigated via an internal or external review by an assurance provider (per audit plan)
  • whether reporting mechanisms exist between the tax unit and owners of ITGCs (and the rest of the organisation) regarding IT and system-related control weaknesses.

Procedure

We note that application controls relating to tax might be covered by enterprise-wide controls and suggest these are leveraged for this procedure provided tax systems are included in the scope of these controls:

  • MLC-4d-1. Refer to MLC-4c for details of software applications used to automate tax return calculations/BAS/excise return preparation or data-processing.
  • MLC-4d-2. Refer to MLC-3b for details on the consideration of automating manual controls used for large volume transaction processes.
  • MLC-4d-3. Refer to MLC-4c relating to spreadsheets used to automate tax return calculations/BAS/excise return preparation or data-processing.
  • MLC-4d-4. Enquire of the entity if the tax team has considered all information system control risks. If so, enquire of the following and report the entity's response:
    • What risks were identified and which IT systems are the risks related to? List risk and IT systems.
    • Has internal/external audit identified these risks? If so, obtain the risks documented by internal/external audit. Ensure these risks are related to the tax function and information systems.
    • Is internal/external audit planning to review these risks and the associated controls? If so, obtain internal/external audit plan and note the following:
      • scheduled reviews to assess information system risks that are related to the tax function
      • synopsis of review scope
      • timing of scheduled review.
  • MLC-4d-5. Refer to MLC-4c for details of reporting mechanisms from the tax team to the IT function.
    • Enquire of the entity if there is a reporting mechanism in place from other areas of the business to the tax team regarding IT and system-related control weaknesses. Report their response.

Better practice report inclusions

  • ITGCs scoping document or engagement letter
  • Spreadsheet templates for calculating tax return and preparing excise return, BAS/WET calculations
  • Internal (or external) audit plan
  • Documented processes for reporting and remediating IT control breakdowns

Managerial-level control (MLC) 5: Record-keeping policies

MLC5a: A formally documented record-keeping policy for tax, including appropriate timeframes for the retention of records.

Procedure

Obtain the entity’s record-keeping policy for tax and note:

  • the name of the document
  • the date of approval
  • the document approver (name and title).

Identify if this policy is specific to tax and covering all tax types (if not, page reference the sections of the policy pertaining to tax).

Identify if the document specifies appropriate timeframes for the retention of records and requirements for retaining work papers that detail tax calculations, including where work papers should be stored (password-protected share drive).

If a tax-specific record-keeping policy does not exist or is not formalised, enquire of the entity's reasons, report their response and raise an observation.

Better practice report inclusions

  • Formally documented record-keeping policy for tax

MLC5b: Staff access to guidance notes via an intranet, or a set of procedures that are readily accessible explaining record-keeping requirements.

Procedure

Enquire of the entity how staff get access to policies and procedures regarding record-keeping requirements for tax. Report their response.

If access is provided via intranet, obtain a screen print and check that the intranet link is accessible and leads to the correct policy document.

MLC5c: Internal or external audits that verify compliance.

Procedure

Enquire of the entity if record-keeping policy compliance reviews have been undertaken as part of its internal or external audit program. Report their response.

If so, obtain a copy of the audit report and note:

  • the name of the report
  • the date of report
  • the internal or external auditor
  • the findings related to tax (if so, page reference and list findings raised and remediation plans).

Better practice report inclusions

  • Report on the review of record keeping

MLC5d: Evidence of staff training on record-keeping requirements for tax purposes.

Procedure

Obtain the entity’s training materials and note if the material provides guidance on record-keeping requirements for tax purposes and note:

  • the date of last training session
  • the training content
  • the name of provider
  • the list of staff attendance.

If training materials or attendance registers on record keeping for tax do not exist, enquire of the entity's reason and report their response.

Better practice report inclusions

  • Training materials on record-keeping requirements
