Information system risk assessment tool
The Information system risk assessment (ISRA) tool is available for privately owned business clients. It helps you to self-assess the integrity of your Information Technology (IT) systems.
What the tool does
The tool establishes if the IT systems have appropriate controls to help businesses meet tax and super reporting obligations.
The ISRA tool will help you to:
- self-assess the potential risks and integrity of your IT systems for effectiveness of internal controls to manage financial information and reporting
- put recommended actions in place to reduce any determined IT system risks
- reassess your IT governance after new controls have been developed.
The ISRA tool is based on the guidelines and assurance frameworks set out by the Information Systems Control Association and the IT Governance Institute published at the time that the ISRA tool was developed.
Using the tool
Under the Top 500 private groups tax performance program, the ISRA tool has been used in some engagements that commenced prior to 1 July 2020 to support the assessment of a private group's tax governance framework. For any new engagements under this program commencing from 1 July 2020, this tool is not used. For the approach used in this market, refer to:
The ISRA tool is not used as part of tax governance reviews for public and multinational businesses. For the approach used in this market, refer to:
Tool set up
The ISRA tool is set up with a series of questions that you answer across five key auditable units, which are:
- Systems inventory to assess the size and complexity of the inventory of IT systems
- Interface inventory to understand the extent of the data manipulation and the complexity of data mapping
- Customisation inventory to assess the level to which systems have been customised to determine the risk level
- IT projects and methodologies to establish the maturity level of the IT systems and the business processes they support
- IT governance to gauge the adequacy of internal policies, procedures and methodologies for effective and productive management of the IT function in the business.
Report results
Once you answer these questions, the tool provides you with a report that shows your risk rating against each question. You will receive a risk rating of:
- green, which is a low-risk rating
- orange, which is a medium-risk rating
- red, which is a high-risk rating.
It is important to record the evidence that supports your answers after each question. For instance, where a risk is mitigated, record the reason and how the risk has been mitigated.
What a medium or high risk rating means
Medium or high-risk ratings mean your systems may not have the right internal controls to support the accuracy and completeness of your tax and super reporting and lodgment activities.
If you have a medium or a high-risk rating for a particular question, the report will give you a link to relevant information on our website with recommendations on how you can reduce the risk.
High-risk ratings are an indication of potential risks that you may wish to explore further to determine if stronger controls are required to mitigate the risk.
You may choose to:
- look into the processes and controls to see if you can improve them or mitigate the risks by introducing additional controls
- talk with your management team or board of directors to explore options to manage or address the risk
- consult your tax adviser to decide next steps
- do some research into processes or programs that can mitigate the risk. For example, manual data reconciliation would be a high risk; however, this can be mitigated where the reconciliation process is automated.
Self-assess your systems
The ISRA tool will help you to:
- self-assess the overall integrity of your IT systems for effectiveness of internal controls. This will assist you in managing financial information and reporting
- put recommended actions in place to reduce any determined risks to comply with taxation and reporting obligations
- reassess your IT governance after new controls have been developed.
Download the ISRA tool
The ISRA tool runs on a Microsoft Access database.
To use the tool you must have Microsoft Access and Microsoft Word available on the computer or device you are downloading the file to.
Follow the steps below to download the ISRA tool database:
- Download a copy of the ISRA tool Microsoft Access database (ACCDB 2.9MB).
- Select save to save the tool.
- A macro single step box will pop up – select X in the corner.
- Select Enable content from the bar.
- At the 'Make this a trusted document' pop-up, select Yes.
The ISRA database is now ready for you to use.
We have created detailed instructions in the ISRA tool manual to help you use the ISRA tool.
You can download the ISRA tool manual (PDF 668KB).
See also Tax governance for privately owned groups.