Better practice steps
There are four key steps to establishing a better practice risk management framework for FBT administration:
- Establish context.
- Determine FBT objectives.
- Identify FBT risks.
- Evaluate risks and design controls.
Step 1: establish context
Entities should consider FBT risk management as part of their overall risk management plan, recognising that FBT risks will, in many cases, not be significant in the context of an entity's strategic risk.
The first stage in the risk management process is to review the extent and nature of an entity's FBT obligations. The evaluation of relevant contextual information is likely to include:
- Determining the relevant entity for FBT purposes (this may differ from the relevant entity for pay as you go (PAYG) or goods and services tax (GST) purposes).
- Determining the FBT status of the entity (for example, whether it is an income tax-exempt government body, a public hospital, a public ambulance service or an entity subject to income tax). Australian Government entities (for example, an Australian Government department, executive agency, statutory agency or an authority of the Commonwealth) are not charitable institutions or public benevolent institutions and are not eligible for a rebate under section 65J of the Fringe Benefits Tax Assessment Act 1986 (FBTAA).
- Reviewing the entity's structure to identify work area locations, disbursement of employees and any structural changes that have occurred during the FBT year.
- Developing a good understanding of the size, complexity, sophistication and resourcing of the FBT function, including whether processes are centralised or decentralised.
- Gaining an understanding of the number of common versus disparate systems and processes to provide an indication of the possible impacts on FBT data accuracy and the efficiency of processing.
- Gaining an understanding of the benefits that are likely to be provided to employees (or their associates) of both the entity and associated entities, so as to determine the likely FBT obligations that may arise.
Where an entity has a centralised FBT function (where on the job training is often easier and communications straightforward) and has a low number transactions that attract FBT, it is likely that the risks relating to FBT administration will be assessed as low.
In a large decentralised entity that provides a significant number of fringe benefits and requires coordination of FBT data from a number of work areas, FBT risks could be expected to be assessed as moderate or higher.
End of attention
Step 2: determine FBT objectives
Generally, entities will try to:
- comply with the FBT legislation in the most cost effective manner
- maintain effective communication with stakeholders
- maintain effective systems and processes.
Step 3: identify FBT risks
In this step (sometimes referred to as a risk assessment), the entity needs to identify and analyse its FBT risks.
Better practice entities undertake an FBT risk assessment annually or when a restructure occurs that increases or decreases the functions undertaken by the entity. Generally, the most appropriate time for performing a detailed annual risk assessment is within a short time after lodging the FBT return, with a less detailed review being undertaken prior to lodging the FBT return.
Undertaking an annual FBT risk assessment helps to keep information current and demonstrates that the entity is striving for continual improvement in managing its FBT obligations.
Responsibility for undertaking an FBT risk assessment should be assigned to someone with a good knowledge and understanding of FBT requirements. This could be the FBT Manager or other relevant staff such as the work area responsible for risk management. Where there is no specialist knowledge of FBT within the entity, consideration should be given to engaging external specialist advice to assist with the risk assessment.
When undertaking an FBT risk assessment, entities are encouraged to use this information to identify and apply better practice principles and processes tailored to their own particular circumstances.
Entities should document the results of the FBT risk assessment. Better practice entities maintain an FBT risk register in a form that is consistent with the entity's overall risk assessment framework. Such a register can help ensure that risks are regularly reviewed and managed effectively.
Step 4: evaluate risks and design controls
Evaluating FBT risk involves identifying a range of options for treating risk, assessing those options, and deciding the controls appropriate to the identified risks.
In the context of FBT administration, entities should consider a combination of preventative and detective controls for managing FBT risks. The level and complexity of these controls should be directly proportional to the assessment of the extent of the risk relating to FBT compliance.
As noted under step 3, risk registers can be an effective means of documenting the assessment of FBT risks and associated risk treatments. Such a register can provide entities with a formal framework for the ongoing management of risks and, thus, a level of assurance that risks have been identified and are being managed appropriately.