Third-party data governance – investment industry entities
Large superannuation funds, managed funds and insurance companies have a responsibility to develop systems and processes according to their tax risk management framework.
- ensures accurate reporting of third-party data
- mitigates the risks of errors in income tax reporting and distribution statements.
To understand your third-party data governance obligations, read the supplementary guide Governance over third-party data guide together with the Tax risk management and governance review guide.
On this page
Who this guide applies to
The Governance over third party data guide applies to:
- trustees of large superannuation funds including
- registrable superannuation entities
- pooled superannuation trusts
- exempt public sector superannuation schemes
- trustees of managed investment trusts (MITs)
- trustees of attribution managed investment trusts (AMITs)
- trustees of unit trusts involved in the managed funds and/or investment industry
- boards of insurance companies.
It doesn't apply to self-managed superannuation funds or small APRA-regulated superannuation funds (with less than seven members).
Obligations this guide applies to
The expectations for tax controls over third-party data in this guide apply to third-party data received by the investment industry entity for the following reporting obligations:
- the entity's income tax return and associated schedules
- the Attribution Managed Investment Trust Member Annual (AMMA) Statement for AMITs, standard distribution statement (SDS) for MITs and distribution statements for unit trusts.
Third-party data tax controls for indirect taxes (such as GST) are not in scope for the guide which is limited to income tax.
In addition, the following are not in scope for this guide:
- superannuation fund obligations to report member account information to the ATO
- PAYG withholding obligations on member superannuation benefits.
Better practice tax control frameworks
A third-party data tax control framework is part of an overall tax risk management approach. This approach manages and mitigates the risk of inaccuracies over third-party data that feed into an entity’s income tax reporting obligations and distribution statements.
A 'better practice' tax control framework should:
- be fit for purpose
- adopt a risk-based assessment
- manage the specific tax risks that apply to an entity depending on its investment profile.
How to use the guide
The Governance over third party data guide will help you understand what better practice third party data tax controls look like so you can:
- develop or improve your own third-party data tax controls using the principles-based examples in the guide
- test the robustness of the design of your third-party data tax controls.
What to do if the examples don't apply
If the better practice examples in the guide don't exactly line up with your entity's circumstances, you should document:
- why the better practice examples in the guide aren't applicable to your entity's circumstances
- how you're adopting compensating controls to demonstrate that the principles of the examples provided are being applied to manage tax risks.
Our approach to reviews
Our approach to reviewing third-party data tax controls is to:
- Encourage entities to adopt the better practice examples throughout the Governance over third party data guide that are applicable to their circumstances, or appropriate compensating controls.
- Assess and rate an entity’s third-party data tax controls based on whether the entity has demonstrated it has taken steps in establishing processes to manage and mitigate the risk of inaccuracies in third party data.
- Continue to update this guide to help you prepare for your review, understand how to improve your ratings and obtain higher assurance outcomes.
- Include a review of tax controls relating to third-party data, including how entities are adopting this guide and applying the existing ratings guide to these controls, in future income tax assurance reviews for large superannuation funds, managed funds and insurance companies.
To prepare for your review you can also refer to the Tax risk management and governance – a practical guide to prepare for a combined assurance review.
When we assess third-party data tax controls
Until 1 July 2024, a transition or implementation phase is in place to allow entities time to develop processes and procedures and implement tax controls for governance over third-party data. We expect entities to have implemented controls to address the BLCs and MLCs outlined in this guide and they are designed effectively by 1 July 2024.
During the transition phase, for assurance reviews starting before 1 July 2024, we will not be rating your third-party data tax controls in your report. However, we encourage you to provide documented evidence of third-party data controls you may have in place or implementation plans for how you intend to adopt this guide.
We will consider this evidence and provide guidance on your third-party data tax controls or implementation plans in your report to support you during the transition phase of the guide.
How we assess third-party data tax controls
We acknowledge that tax governance over third-party data is a journey and entities will be at various stages of this journey.
We look for evidence that a third-party data tax control framework exists using the following staged rating system:
The level of complexity of investments or investment vehicles will determine what an entity must do in relation to tax risk management over third-party data.
We will work with entities during our assurance engagement programs to determine what are appropriate controls in the context of the entity’s circumstances. For example, their investment and tax risk profile.
Justified Trust assurance engagement programs
In undertaking our Justified Trust assurance engagement programs for income tax, we will rate third-party data tax controls separately from the seven controls in the Tax risk management and governance review guide that we focus on for income tax governance ratings. However, the ratings for third-party data tax controls will contribute towards the overall income tax governance rating.
We have tied the third-party data tax governance principles in the Governance over third-party data guide to the following Board and Managerial Level Controls in the Tax risk management and governance review guide:
- The Board is appropriately informed (BLC3)
- Periodic Controls Testing (BLC4)
- Roles & Responsibilities are clearly understood (MLC1)
- Significant transactions are identified (MLC3)
- Documented Control Frameworks (MLC6)
Where we observe the better practice examples or appropriate compensating controls, we will provide a Stage 2 rating (designed effectively).
Once we’ve established that a third-party data tax control framework exists, we then look for objective evidence that the framework is designed and operating effectively (a Stage 3 rating).
The Governance over third-party data guide doesn't provide detailed information on what is required for Stage 3 as this is covered in the Tax risk management and governance review guide.
The requirements (for example, independently tested and subject to auditing standards) and methods for testing for operational effectiveness (Stage 3) as outlined in the Tax risk management and governance review guide will also apply to testing third-party data tax controls.
Tax risk management is a key part of good corporate governance. This information will help you develop and test your tax governance and tax control frameworks.