  • How the ISRA tool works

    The Information System Risk Assessment (ISRA) tool is set up with a series of questions that you answer across five key auditable units which are:

    1. Systems inventory – to assess the size and complexity of the inventory of IT systems
    2. Interface inventory – to understand the extent of the data manipulation and the complexity of data mapping
    3. Customisation inventory – to assess the level to which systems have been customised to determine the risk level
    4. IT projects and methodologies – to establish the maturity level of the IT systems and the business processes they support
    5. IT governance – to gauge the adequacy of internal policies, procedures and methodologies for effective and productive management of the IT function within the business.

    Once you answer these questions, the tool provides you with a report that shows your risk rating against each question. You will be given a risk rating of:

    • green – low risk
    • orange – medium risk
    • red – high risk.

    If you have a medium-high risk rating for a particular question, the report will give you a link to relevant information on our website with recommendations on how you can reduce the risk.

    You may also engage with your tax agent or us for support on how to reduce the risk. To start the engagement with us, talk to the ATO case officer you have been dealing with.

    It is important to record the evidence that supports your answers after each question, so you have it available should we request it. For instance, where a risk is mitigated it is important that you record the reason why and how the risk has been mitigated.

    What medium or high risk ratings mean

    Medium or high risk ratings mean your systems may not have the right internal controls to support the accuracy and completeness of your tax and super reporting and lodgment activities.

    High risk ratings do not automatically mean we will audit you. It is an indication of potential risks that you may wish to explore further with your advisors or us to determine if stronger controls are required to mitigate the risk.

    You may choose to:

    • look into the processes and controls to see if you can improve them or mitigate the risks by introducing additional controls
    • talk with your management team or board of directors and explore options to manage or address the risk
    • consult your tax advisor to determine next steps
    • do some research into processes or programs that can remove the risk. For example, manual data reconciliation is a high risk; however, this can be removed if the reconciliation process is automated.

    Helping you self-assess your systems

    The ISRA tool will help you to:

    • self-assess the overall integrity of your IT systems for effectiveness of internal controls to manage capturing and storing financial information and reporting
    • put recommended actions in place to reduce any determined risks and comply with tax and reporting obligations
    • prepare for a review or client engagement meeting you may have with us where you have a current ATO engagement case
    • re-assess your IT governance after new controls have been put in place
    • improve your tax governance to make sure you are paying the right amount of tax and work towards establishing justified trust.

    Preparing for an engagement with us

    Once you have self-assessed your IT systems using the ISRA tool you will receive a report. You can send the report to us to help us tailor any future engagements with you and reduce the time we spend reviewing your tax and super reporting for tax governance.

    We will work with you to help you put any planned actions in place to improve your tax governance and mitigate risks in areas where you may have a medium-high risk rating.

    To start the engagement with us, talk to the ATO case officer you have been dealing with.

    Last modified: 18 Jun 2019 (QC 59349)