Better practice can be demonstrated by a tax strategy document prepared by management, such as a board tax policy that provides details of how the organisation identifies and manages tax risk across all taxes.

This would include policies prepared by management and endorsed by your board of directors that:

• outline the organisation's tax risk appetite
• detail an acceptable level of tax risk for day-to-day operations and what requires escalation
• are published internally and in your annual report.

Better practice can be demonstrated by:

• documented role and responsibility descriptions for company directors
• programs for inducting new directors include briefings on key accounting and tax issues so they can perform their oversight of tax risk management strategies
• ongoing support and briefings by management for directors regarding tax risk management strategies
• allocating tax risk to an appropriate and independent board sub-committee – for example, an audit committee
• clear communication of expectations for managing tax risks from the board or sub-committee to management.

A board of directors 'skills matrix' as suggested in the ASX corporate governance principlesThis link will download a file to help identify gaps in the collective skills of the board. Consideration should be given to whether it would be beneficial to include tax in the skills matrix. The ATO notes the board ‘skills matrix’ is generally tailored to each organisation's unique circumstances.

Better practice can be demonstrated by:

• board or sub-committee charters include oversight of tax risks
• regular summarised progress updates to the board or sub-committee by management on how tax issues and risks are trending (i.e. high, medium or low risk) at board meetings
• board (or sub-committee) minutes or documentation that demonstrate members have been briefed by management on the effective tax rate of the business, including whether the amount of tax paid aligns with business results and, where relevant, reasons for significant misalignment
• board (or sub-committee) endorsement for positions taken by management that fall outside published ATO safe harbours or arrangements subject to tax-payer alerts issued by the ATO
• tax-risk registers tabled by management and escalation of issues by management where appropriate – note if you have sought external advice on the relevant risk or issue
• an annual report that includes a statement from the board attesting that they have effective policies and processes in place to manage tax risk – for example, a statement prepared in accordance with the principals in the Tax Transparency Code.

Better practice example: Periodic internal control testing

Better practice can be demonstrated by:

• a testing plan prepared by management to determine the effectiveness of the control framework. (this may include a gap analysis to identify which key controls are not tested via existing assurance processes – for example internal or external audits)
• reports from independent assurance providers (internal or external) that present findings on the effectiveness of the tax control framework, whether conducted primarily for tax controls or other interdependent controls
• evidence that the board (or sub-committee) has reviewed the results presented by management of control framework testing and any proposed remediation plans to be implemented by management for tax control failures
• documented assurance (such as an attestation) from senior management concerning the capability and capacity of the tax control framework.

Better practice example: roles and responsibilities

Better practice can be demonstrated by formal documents, policies or procedures for all roles and responsibilities relating to tax compliance and risk management.

These generally detail:

• role descriptions for tax compliance, administration and risk management
• roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel formal delegations (or authorisation levels)
• segregation of duties – for example, dual sign-off, Business Activity Statement (BAS)/ excise return preparation is segregated from review and authorisation prior to lodgment
• policies or committee charters that specify methods and frequencies for reviewing and escalating risks in the tax risk register, including follow-up of identified tax risks.

Better practice can be demonstrated by:

• a control framework approved by senior management that includes both preventative and detective controls
• clearly identified key controls, including how often they are tested by staff with appropriate experience designated as control owners
• senior management approval of the design and operating effectiveness of the internal controls governing tax compliance
• internal or external assurance reviews of tax corporate governance or control framework procedures
• staff training on tax-related topics including excise, GST and other relevant indirect taxes
• staff reviews, KPIs and performance agreements that incorporate tax corporate governance and risk management elements
• key personnel with professional qualifications and standards to ensure capability
• impacts of tax compliance risks considered by an appropriate management or board sub-committee; for example, a mergers and acquisitions sub-committee considers the tax risks of acquiring an entity
• existing channels for personnel outside of the tax function to identify and escalate tax risks
• tax-related reports generated and presented to senior management.

Better practice examples: identifying significant transactions

Better practice can be demonstrated by a policy for significant tax transactions that:

• specifies the value of what would constitute a significant transaction requiring authorisation from the tax area
• details the types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (and, by default, tax matters not requiring escalation)
• outline the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction.

A risk-identification process that accounts for qualitative and quantitative risk factors. Examples of typical risk factors include:

• volume of transactions affecting disclosures in the tax return, excise return or BAS
• financial accounting and tax reporting complexities and inconsistencies
• volume of manual adjustments made by management
• related-party transactions
• dealings involving low-tax jurisdictions
• year-end arrangements resulting in tax benefits
• revaluations resulting in tax benefits
• transactions or arrangements where there      
  • is a legal versus substance disconnect
  • are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome.
   
• the use of new and complex financial instruments or arrangement.
• manual coding and classification of transactions for GST and excise where systems were overridden Intra group transactions with GST groups
• reversals or corrections to lodged BAS
• tax risks have been rated, for example high/medium/low, with the appropriateness of the rating evaluated on a yearly or half yearly basis.
• reporting templates that are adhered to.

Note:

Consider our tax risk information when carrying out your risk-identification processes.

Better practice examples: Controls in place for data

Evidence of data integrity controls can include effective IT system and application controls that maintain the integrity and security of data.

For entities with organisational-level ITGCs, a tax function should identify the relevant IT controls that are key to the tax function in their tax internal control framework. These relevant IT controls should be designed and operating effectively to allow instances of IT control breakdowns to be remedied. Breakdown instances should be communicated to the tax function to assess and remediate any impact on the tax return/excise return/BAS.

This includes effective processes that allow the tax function to provide input on IT controls and functions, where the preparation of the tax return/BAS/excise return is dependent – for example, extracts of data from sub-ledgers, interfaces between systems, ensuring the system is calculating tax as intended.

Consideration of the relevant automated controls key to the tax function may include:

• the extent to which automated calculations, coding of transactions or data-processing routines programmed into the applications are used
• application of master tax codes and setting up of master files to classify GST transactions application of master product and customer codes to calculate the excise liability. Key master tables relate to excise include products, plants, permissions, customers, tax rates, vendors , tariff items and storage tanks
• the settings, rules and conditions within the master files affecting the payment of excise
• IT systems used at the terminal/site level for receipting products, product delivery and stock controls and their impact on calculating the excise liability
• the volume of transactions processed by a control is an indication of whether management should consider the application of ITGCs
• the extent to which your organisation makes use of complex spreadsheets, where the risk of formula error, unauthorised changes or access, and complex calculation, could increase the risk of error
• whether identified information system-control risks have been investigated via an internal or external review by assurance provider (per audit plan)
• reporting mechanisms exist between the tax unit and owners of ITGCs (and the rest of the organisation) regarding IT and system-related control weaknesses.

Better practice examples: record keeping policies

Better practice can be demonstrated by:

• a formally documented record-keeping policy for tax, including appropriate timeframes for the retention of records
• staff access to guidance notes via an intranet, or a set of procedures that are readily accessible explaining record-keeping requirements
• internal or external audits that verify compliance
• evidence that staff have been trained on record-keeping requirements for tax purposes (covering all taxes).

Better practice examples: documented control frameworks

Better practice can be demonstrated by:

• documented procedures for reviewing the tax return, including reconciliation back to the audited financial statements with retention of working papers detailing the calculation of the tax, excise and BAS return
• working papers reviewed and approved by management, indicating that they have checked the correct application of tax law to accounting transactions and accurate calculation of the tax, excise and BAS return.

Documented procedures and process manual/s for preparing the excise return and the BAS including the supporting reconciliations.

• Retention of working papers and reports supporting the excise return and the BAS
• documented processes and procedures for terminal/site level inventory controls and stock reconciliations affecting the calculation of the excise liability
• Working papers and reports reviewed and approved by management, indicating they have checked the correct application of tax law to transactions and accurate reporting for excise returns and the BAS.
• documented 'system map' showing the general process flow of how transactions are captured and flowed through to the GST/excise returns.

Better practice examples: explaining significant differences

Better practice can be demonstrated by documented procedures detailing:

• methods for reconciling the tax calculation prepared for the financial statements and the completed tax return
• methods for preparing deferred tax assets and deferred tax liabilities calculations for the financial statements
• methods for preparing tax calculations based on accounting transactions
• management have a mechanism in place to appropriately explain the tax performance of the entity when compared to the accounting result
• narratives to explain variances between tax expense for the financial statements and the tax paid/payable as per the completed tax return
• methods for reconciling the BAS and the excise return to the source systems data and the general ledger
• procedures in place requiring explanations for significant movements or deviations in the amounts reported in the BAS and the excise return compared to prior comparable periods or to the business operations of the entity.

Better practice examples: complete and accurate tax disclosures'

Better practice can be demonstrated by assurance that a tax, excise or BAS return review has occurred prior to lodgment. This reduces the likelihood of incorrect allocation and classification of line items, and that the relevant law, administrative guidelines and record-retention requirements have been taken into account in relation to issues such as:

• income tax
• capital gains tax
• transfer pricing
• GST
• excise
• research and development
• reportable tax positions
• Appropriate controls to review compliance risk for other types of taxes managed elsewhere, such as
• fringe benefits tax
• the super guarantee charge
• pay as you go (PAYG) (instalments and withholding)
• employee mobility (who bears and claims the labour costs)
• customs and excise duty
• fuel tax credits (FTC)
• luxury car tax (LCT)
• state-based payroll taxes
• stamp duty.

Better practice examples: dealing with law and administrative changes

Better practice can be demonstrated by:

• walkthroughs of process changes to assess whether changes to the law require updates to the internal control framework and development of new controls
• change requests submitted to senior management and changes to systems or control mechanisms implemented
• documented procedures to deal with difficulties implementing change due to law updates
• correspondence sent to us advising of difficulties (if applicable).