ato logo
Search Suggestion:

Policies and controls are regularly assessed

Last updated 24 August 2022

Board-level control (BLC) 4: Periodic internal control testing

BLC4a: A testing plan prepared by management to determine the effectiveness of the control framework. This may include a gap analysis to identify which key controls are not tested via existing assurance processes – for example, internal or external audits.

Procedure

Obtain management's testing plan to determine the effectiveness of their internal control/risk management framework.

Entities often have three-year or five-year strategic audit plans that describe rotational audits of key processes and controls and tax-related controls might be tested in conjunction with other processes such as testing of controls in the financial reporting framework.

Inspect the testing plan, page reference and note:

  • the methodology to test the design effectiveness of controls
  • the methodology to test the operational effectiveness of controls

Identify and list of tax key controls covering both income tax, excise and indirect taxes, including:

  • tax key controls that are tested under existing assurance processes
  • tax key controls that are not tested under existing assurance process and alternate plan on how these controls would be tested

Enquire if tax key controls are in scope for SOX (only if the US Sarbanes Oxley legislation applies).

If the listed items above are absent or have not been documented, enquire the reasons for their absence, report their response and raise an observation.

Obtain evidence that the testing plan or results thereof have been tabled to the board (or sub-committee) (BLC-4c) by management. If absent, enquire of the entity's reasons, report their response and raise an observation.

If a testing plan does not exist, enquire of the entity's reasons for its absence, report their response and raise an observation.

Better practice report inclusions

  • Extracts from internal / external audit plan relating to tax elements covered as part of engagement.
  • Listing of tax-related key controls as part of the organisation's internal control framework.
  • Gap analysis that identifies which tax key controls are not tested via existing assurance processes
  • Documented testing plans for tax key controls that are not tested via existing assurance processes
End of example

BLC4b: Reports from independent assurance providers (internal or external) that present findings on the effectiveness of the tax control framework, whether conducted primarily for tax controls or other interdependent controls.

Procedure

When performing this step, we suggest that you leverage information potentially disclosed in Part B of the Tax Transparency Code which includes a description of assurance regimes the organisation is subject to, for example internal audit, external audit and ATO compliance products.

If some or all the entity's tax key controls are tested under their existing or planned internal audit cycle or are considered as part of the external audit program, obtain audit reports and note:

  • the name of audit report or audit plan
  • the date of report
  • the provider
  • the scope of audit/review including the testing of design effectiveness and operational effectiveness?
  • the sample sizes.

If the audit is complete, list the findings/qualifications regarding tax controls and proposed remediation plans then page reference the sections that state the findings on effectiveness of tax controls.

Audits might not be conducted primarily to review tax controls but tax controls may be included with other interdependent controls.

For all the audit reports obtained, obtain board (or sub-committee) agenda and/or minutes to evidence that these reports (or a summary) have been tabled to the board (or sub-committee) by management.

If absent, enquire of the entity's reasons, report their response and raise an observation (BLC-4c).

Better practice report inclusions

  • Extracts from internal or external audit report where tax-related controls might be included in the scope of review
  • Internal and external auditor report – IT controls review (with a sub-section related to the tax function if applicable)
  • Report on compliance by independent assurance provider
  • Information disclosed in the organisation's Tax Transparency Report.
End of example

BLC4c: Evidence that the board (or sub-committee) has reviewed the results presented by management of control framework testing and any proposed remediation plans to be implemented by management for tax control failures.

Procedure

Refer to BLC-4a (testing plan tabled to the board or sub-committee) and BLC-4b (audit reports tabled to the board or sub-committee)

Enquire of the entity how the board (or sub-committee) provides oversight on management’s progress to implement proposed remediation plans. For example, entities may have periodic follow up reviews to report the progress of audit recommendations.

Report the entity's response and obtain copies of follow up reports (if any) and page reference the section(s) that are related to tax controls recommendations.

Better practice report inclusions

  • Board (or sub-committee) agenda/minutes
  • Follow up report presented by management to relevant board or board sub-committee
End of example

BLC4d: Documented assurance (such as an attestation) from senior management concerning the capability and capacity of the tax control framework covering income tax, excise and indirect taxes.

Procedure

Obtain management's documented assurance (such as an attestation) from senior management concerning the design and operational effectiveness of the tax control framework and note:

  • the findings and deficiencies
  • the remediation plans
  • the implementation dates
  • the follow up testing.

If senior management’s attestation or assurance document regarding the design and operational effectiveness of the internal control framework (of which tax should be an element) does not exist, enquire of the entity's reasons, report their response and raise an observation.

Better practice report inclusions

  • Senior management attestation on the capability and capacity of the control framework (of which tax is an element)
End of example

Next step

QC82065