ISRA tool manual

    About this manual

    These instructions will help you use the Information System Risk Assessment (ISRA) tool to self-assess your IT system and determine what you can do to reduce any risks you find. The tool assesses risk against five risk areas, referred to in the tool as auditable units.

    You can download the ISRA tool manual (PDF 668KB).

    The standard questions in the tool were developed internally by us using the following references:

    • Information Systems Audit and Control Association (ISACA), IS Standards, Guidelines and Procedures for Auditing and Control Professionals, as of 1 March 2010.
    • IT Governance Institute (ITGI), COBIT Control Practices, Guidance to achieve Control Objectives for Successful IT Governance, 3rd Edition, 2012.
    • IT Governance Institute (ITGI), IT Control Objectives for Sarbanes-Oxley, The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, September 2006.
    • IT Governance Institute (ITGI), CobiT 5, Framework, Control Objectives, Management Guidelines and Maturity Models, 2007.

    Preparing to use the ISRA tool


    The tool is a Microsoft Access database.

    To use the tool you must have Microsoft Access and Microsoft Word installed on the computer you download the file to.

    Setting up the tool

    Follow the steps below to download and set up the ISRA tool database:

    1. Download a copy of the ISRA tool Access database.
    2. Select 'Save' to save the tool.
    3. A 'Macro Single Step' box will pop up. Close it by clicking the X in the top right corner.
    4. Select 'Enable Content' from the yellow message bar.
    5. When prompted to make this a trusted document, select 'Yes'.

    Note that 'Enable Content' and marking the file as a trusted document allow the macros (VBA code) in the database to run each time you open it, so only do this for a copy of the database you downloaded directly from us.

    The ISRA database is now ready for you to use.

    To start using the tool, follow these steps:

    1. Navigate to the Home tab.
    2. Click the 'Reset database' button on the Home tab.
    3. Enter your Australian business number (ABN) and entity name.
    4. Normally you would tick each of the five auditable units to be completed. If you have decided to conduct a partial ISRA, tick only the units to be assessed.
    5. Save the database.

    The tool is standalone and is not connected to any ATO systems, which means we do not access the data in your ISRA tool database.

    We will not have access to a copy of your ISRA report, your responses or your supporting evidence unless you voluntarily submit them to us.

    Completing an ISRA

    To complete the ISRA you will need to work through each auditable unit. Each unit contains a number of questions, and a question may need to be answered separately for each system, interface, customisation or project.

    As you answer each question, record the evidence that supports your answer in the 'Comments' box.

    Further detailed instructions for each auditable unit are in the guidelines within the tool.

    Depending on the number of systems and the complexity of your IT architecture, the ISRA can take 2–6 hours to complete.

    Who should fill out and use this tool

    A person completing this tool should have a good working knowledge of:

    • tax governance
    • financial controls
    • information systems
    • business processes.

    If this knowledge sits across different positions, it may be advisable to complete the ISRA in a meeting with the people responsible for each area, to ensure a more accurate result.

    An ISRA should generally be completed by an experienced business representative with long-term business and system knowledge, or by an advisor.

    Where the ISRA has been completed by an independent advisor, we will generally accept the outcome of the tool assessment, subject to the supporting evidence being provided to us.

    Where we identify concerns about the integrity of the assessment output, we may conduct an ATO-generated ISRA assessment and request supporting evidence as required.

    Reviewing the ISRA report and results

    Once you have completed the ISRA you can preview the report, which shows the risk rating for each question and each auditable unit.

    What to do if you have medium or high risk ratings

    A medium or high risk rating is only an indicator of a risk. Use it as part of your decision-making process, together with your knowledge of your business and systems, to assess whether you need to address the risks the ISRA has raised.

    Generally the focus should be on the level of control and governance you have put in place to address the risk. For guidance on how to mitigate an identified risk, see Risk mitigation.

    Where risk ratings are medium or high, you may consider engaging with your tax agent, an independent advisor or us to discuss options for the risks identified and establish a plan to mitigate them.

    Record the evidence you based your responses on in the 'Comments' box within the tool, and the document name in the 'Documentary Evidence' box. Recording this evidence is important and will help if we ask you to provide copies of it for an engagement meeting.

    Saving the report

    You can save your answers, comments and the evidence you relied on by navigating to the report function, which collates all responses, evidence and comments and provides an overall rating based on your answers.

    You can save the report in PDF or Word format by selecting the 'Save to PDF' or 'Save to Word' functions from the report tab.

    Voluntarily submitting your ISRA to us

    If you want to submit your ISRA to us, you can send the completed ISRA tool report and supporting evidence to us by contacting the case officer you have been engaging with.


    We are committed to providing you with guidance you can rely on, so we make every effort to ensure the Information Systems Risk Assessment Tool is correct.

    If you act in accordance with your professional standards and follow our guidance, and it turns out to be incorrect or misleading and you fail to comply with the law as a result, we must still apply the law correctly. However, we will take into account the fact that you followed our guidance when deciding what action, if any, we should take.

    If you make an honest mistake in using the Information Systems Risk Assessment Tool and you fail to comply with the law as a result, we will take the reason for the mistake into account in deciding what action to take.

    We regularly revise the Information Systems Risk Assessment Tool to take account of any changes to the law, so make sure that you have the latest version of the Information Systems Risk Assessment Tool.

    The Australian Taxation Office:

    • gives no express or implied warranties (and to the full extent permitted by law excludes all statutory warranties) in relation to the Information Systems Risk Assessment Tool, including as to its performance or fitness for a particular purpose
    • will not be liable in any way for any loss or damage (including special, indirect or consequential) arising from, or in connection with, the Information Systems Risk Assessment Tool or its use or performance.

    Last modified: 18 Jun 2019. QC 59333