  • Board-level responsibilities

    Establish a framework to identify and manage tax risk

    The board of directors (or authorised board level sub-committee) oversees an internal control framework that provides guidance on how all risks, including tax risks, are identified and managed within the business.

    For a business headquartered overseas, we would expect the Australian-based board to perform the oversight role in respect of Australian tax risks including excise, GST and other applicable indirect taxes.

    A public statement prepared in accordance with the Voluntary Tax Transparency Code (PDF 997KB) developed by the Board of Tax will cover many of these areas. It can be used to demonstrate the design effectiveness of an entity’s tax risk management framework, as will reviewing the results of periodic internal control testing performed by management to demonstrate the operational effectiveness of your tax risk management controls. Note that whilst the Voluntary Tax Transparency Code specifically applies to income tax, the broad principles on tax risk management can extend to other taxes such as GST and excise.

    The Board of Tax in its final report to the Treasurer regarding the Voluntary Tax Transparency Code in February 2016 stated:

    The involvement of the board/senior management will foster a culture within companies to meaningfully and accurately address the public desire for increased corporate tax transparency. As with companies who are currently voluntarily disclosing, the Board of Tax expects disclosures will evolve over time as corporate governance cultures develop and as global transparency initiatives evolve.

    Board-level control 1: Formalised tax control framework

    The board endorses a formalised tax control framework prepared by management that is understood across the organisation.

    Better practice can be demonstrated by a tax strategy document prepared by management, such as a board tax policy that provides details of how the organisation identifies and manages tax risk across all taxes.

    This would include policies prepared by management and endorsed by your board of directors that:

    • outline the organisation's tax risk appetite
    • detail an acceptable level of tax risk for day-to-day operations and what requires escalation
    • are published internally and in your annual report.

    Board-level control 2: Roles and responsibilities are clearly understood

    The board understands and formalises company director roles and responsibilities for tax risk management.

    Better practice can be demonstrated by:

    • documented role and responsibility descriptions for company directors
    • programs for inducting new directors include briefings on key accounting and tax issues so they can perform their oversight of tax risk management strategies
    • ongoing support and briefings by management for directors regarding tax risk management strategies
    • allocating tax risk to an appropriate and independent board sub-committee – for example, an audit committee
    • clear communication of expectations for managing tax risks from the board or sub-committee to management.

    A board of directors 'skills matrix', as suggested in the ASX corporate governance principles, to help identify gaps in the collective skills of the board. Consideration should be given to whether it would be beneficial to include tax in the skills matrix. The ATO notes the board ‘skills matrix’ is generally tailored to each organisation's unique circumstances.


    Board-level control 3: The board is appropriately informed

    The board (or sub-committee) has been briefed by management on tax risk matters and the effectiveness of their tax control framework. Consideration should also be given to the tax risk matters and effectiveness of the control framework relating to excise, GST and other indirect taxes applicable to the organisation.

    Better practice can be demonstrated by:

    • board or sub-committee charters include oversight of tax risks
    • regular summarised progress updates to the board or sub-committee by management on how tax issues and risks are trending (i.e. high, medium or low risk) at board meetings
    • board (or sub-committee) minutes or documentation that demonstrate members have been briefed by management on the effective tax rate of the business, including whether the amount of tax paid aligns with business results and, where relevant, reasons for significant misalignment
    • board (or sub-committee) endorsement for positions taken by management that fall outside published ATO safe harbours or arrangements subject to taxpayer alerts issued by the ATO
    • tax-risk registers tabled by management and escalation of issues by management where appropriate – note if you have sought external advice on the relevant risk or issue
    • an annual report that includes a statement from the board attesting that they have effective policies and processes in place to manage tax risk – for example, a statement prepared in accordance with the principles in the Tax Transparency Code.

    Policies and controls are regularly assessed

    The board provides oversight to ensure that management have adequate tax risk management policies in place and that these are adhered to, as well as overseeing management’s systematic assessment of internal controls and procedures on a periodic basis.

    Board-level control 4: Periodic internal control testing

    Periodic internal control testing is conducted to assure the board that the internal control framework is robust enough to effectively manage income, excise and indirect tax compliance risk.

    Better practice example: Periodic internal control testing

    Better practice can be demonstrated by:

    • a testing plan prepared by management to determine the effectiveness of the control framework (this may include a gap analysis to identify which key controls are not tested via existing assurance processes – for example, internal or external audits)
    • reports from independent assurance providers (internal or external) that present findings on the effectiveness of the tax control framework, whether conducted primarily for tax controls or other interdependent controls
    • evidence that the board (or sub-committee) has reviewed the results presented by management of control framework testing and any proposed remediation plans to be implemented by management for tax control failures
    • documented assurance (such as an attestation) from senior management concerning the capability and capacity of the tax control framework.

    Managerial-level responsibilities

    Management should have the capacity to enforce policies and implement strategies approved by the board. They should develop and implement systems that identify, assess, manage and monitor tax risks. Management also play a vital role in monitoring the appropriateness, adequacy and effectiveness of risk management systems.

    The ATO recognises that the better practice examples provided below may not exactly align with the actual controls in place for all entities, particularly those with simple tax affairs. As with all internal controls, tax risk controls should be fit for purpose. We encourage you to adopt the elements of the ATO's recommended better practices that are applicable to your circumstances.

    Ensuring sufficient capacity and capability

    Management should ensure there is sufficient capacity and capability to enable effective management of tax risk.

    Managerial control 1: Roles and responsibilities are clearly understood

    Staff, management and board roles and responsibilities are clearly defined and documented within the control framework to ensure tax obligations are well managed and satisfied.

    Better practice example: roles and responsibilities

    Better practice can be demonstrated by formal documents, policies or procedures for all roles and responsibilities relating to tax compliance and risk management.

    These generally detail:

    • role descriptions for tax compliance, administration and risk management
    • roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel
    • formal delegations (or authorisation levels)
    • segregation of duties – for example, dual sign-off, Business Activity Statement (BAS)/excise return preparation is segregated from review and authorisation prior to lodgment
    • policies or committee charters that specify methods and frequencies for reviewing and escalating risks in the tax risk register, including follow-up of identified tax risks.

    Managerial control 2: Senior management confident of capacity and capability

    Senior management, such as the CFO/CEO or head of tax, are confident in the capacity and capability of tax governance processes and personnel for income tax, excise and GST and other indirect taxes.

    Better practice can be demonstrated by:

    • a control framework approved by senior management that includes both preventative and detective controls
    • clearly identified key controls, including how often they are tested by staff with appropriate experience designated as control owners
    • senior management approval of the design and operating effectiveness of the internal controls governing tax compliance
    • internal or external assurance reviews of tax corporate governance or control framework procedures
    • staff training on tax-related topics including excise, GST and other relevant indirect taxes
    • staff reviews, KPIs and performance agreements that incorporate tax corporate governance and risk management elements
    • key personnel with professional qualifications and standards to ensure capability
    • impacts of tax compliance risks considered by an appropriate management or board sub-committee; for example, a mergers and acquisitions sub-committee considers the tax risks of acquiring an entity
    • existing channels for personnel outside of the tax function to identify and escalate tax risks
    • tax-related reports generated and presented to senior management.

    Managerial control 3: Significant transactions are identified

    Transactions or arrangements with a significant tax impact are systemically identified, categorised and reported on – for example, into strategic, operational, reputational, compliance and financial matters.

    Better practice examples: identifying significant transactions

    Better practice can be demonstrated by a policy for significant tax transactions that:

    • specifies the value of what would constitute a significant transaction requiring authorisation from the tax area
    • details the types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (and, by default, tax matters not requiring escalation)
    • outlines the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction.

    A risk-identification process that accounts for qualitative and quantitative risk factors. Examples of typical risk factors include:

    • volume of transactions affecting disclosures in the tax return, excise return or BAS
    • financial accounting and tax reporting complexities and inconsistencies
    • volume of manual adjustments made by management
    • related-party transactions
    • dealings involving low-tax jurisdictions
    • year-end arrangements resulting in tax benefits
    • revaluations resulting in tax benefits
    • transactions or arrangements where there
      • is a legal versus substance disconnect
      • are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome
    • the use of new and complex financial instruments or arrangements
    • manual coding and classification of transactions for GST and excise where systems were overridden
    • intra-group transactions with GST groups
    • reversals or corrections to lodged BAS
    • tax risks have been rated, for example high/medium/low, with the appropriateness of the rating evaluated on a yearly or half-yearly basis
    • reporting templates that are adhered to.


    Consider our tax risk information when carrying out your risk-identification processes.


    Ensuring information technology controls are in place

    The internal control framework includes the implementation of appropriate Information Technology General Controls (ITGCs) to ensure information systems that process and store financial data accurately calculate, allocate, record and report tax data correctly.

    Managerial control 4: Controls in place for data

    Data integrity as a result of data transfer between various accounting/subsidiary systems should be subject to internal control processes.

    It is generally understood that the information technology (IT) function will provide assurance that appropriate ITGCs are in place to support the various operations of the business including tax.

    General IT controls

    ITGCs are policies and procedures that relate to applications that support the effective functioning of those controls. ITGCs that maintain the integrity of information and security of data commonly include controls over:

    • data centre and network operations
    • system software acquisition (change and maintenance)
    • program change
    • access security
    • application and system acquisition (development and maintenance).

    Where IT poses risk to the entity's general control environment, these controls are generally implemented to address:

    • reliance on systems or programs that are inaccurately processing data or processing inaccurate data
    • unauthorised access to data – particular risks may arise where multiple users access a common database or IT personnel gain access inappropriately
    • unauthorised changes to systems, programs or data in master files
    • failure to make necessary changes to systems or programs
    • inappropriate manual intervention
    • potential loss of data or inability to access data as required.

    Better practice examples: Controls in place for data

    Evidence of data integrity controls can include effective IT system and application controls that maintain the integrity and security of data.

    For entities with organisational-level ITGCs, a tax function should identify the relevant IT controls that are key to the tax function in their tax internal control framework. These relevant IT controls should be designed and operating effectively to allow instances of IT control breakdowns to be remedied. Breakdown instances should be communicated to the tax function to assess and remediate any impact on the tax return/excise return/BAS.

    This includes effective processes that allow the tax function to provide input on IT controls and functions on which the preparation of the tax return/BAS/excise return is dependent – for example, extracts of data from sub-ledgers, interfaces between systems, ensuring the system is calculating tax as intended.

    Consideration of the relevant automated controls key to the tax function may include:

    • the extent to which automated calculations, coding of transactions or data-processing routines programmed into the applications are used
    • application of master tax codes and setting up of master files to classify GST transactions
    • application of master product and customer codes to calculate the excise liability. Key master tables relating to excise include products, plants, permissions, customers, tax rates, vendors, tariff items and storage tanks
    • the settings, rules and conditions within the master files affecting the payment of excise
    • IT systems used at the terminal/site level for receipting products, product delivery and stock controls and their impact on calculating the excise liability
    • the volume of transactions processed by a control is an indication of whether management should consider the application of ITGCs
    • the extent to which your organisation makes use of complex spreadsheets, where the risk of formula error, unauthorised changes or access, and complex calculation, could increase the risk of error
    • whether identified information system-control risks have been investigated via an internal or external review by an assurance provider (per audit plan)
    • reporting mechanisms exist between the tax unit and owners of ITGCs (and the rest of the organisation) regarding IT and system-related control weaknesses.

    When developing your internal controls for tax, you may leverage existing control frameworks by documenting all tax-related key controls. You should also document how these controls are tested and by whom, including communication protocols and testing frequencies (for example, via internal audit on a rotational basis). This is to ensure tax function involvement in the event of any control breakdowns or changes.

    Managerial control 5: Record-keeping policies

    The organisation employs procedures to support record keeping for tax requirements as prescribed by law and our guidelines.

    Better practice examples: record keeping policies

    Better practice can be demonstrated by:

    • a formally documented record-keeping policy for tax, including appropriate timeframes for the retention of records
    • staff access to guidance notes via an intranet, or a set of procedures that are readily accessible explaining record-keeping requirements
    • internal or external audits that verify compliance
    • evidence that staff have been trained on record-keeping requirements for tax purposes (covering all taxes).

    Assuring the flow of information from accounting records

    Ensure there is a complete and accurate flow of information from accounting records to the tax return, or relevant excise return or the BAS.

    Managerial control 6: Documented control frameworks

    There is a documented internal control framework that specifically ensures the group’s compliance with tax law. This includes the complete and accurate flow of information from accounting records to the tax return, excise return and BAS.

    Better practice examples: documented control frameworks

    Better practice can be demonstrated by:

    • documented procedures for reviewing the tax return, including reconciliation back to the audited financial statements with retention of working papers detailing the calculation of the tax, excise and BAS return
    • working papers reviewed and approved by management, indicating that they have checked the correct application of tax law to accounting transactions and accurate calculation of the tax, excise and BAS return
    • documented procedures and process manual/s for preparing the excise return and the BAS, including the supporting reconciliations
    • retention of working papers and reports supporting the excise return and the BAS
    • documented processes and procedures for terminal/site level inventory controls and stock reconciliations affecting the calculation of the excise liability
    • working papers and reports reviewed and approved by management, indicating they have checked the correct application of tax law to transactions and accurate reporting for excise returns and the BAS
    • documented 'system map' showing the general process flow of how transactions are captured and flowed through to the GST/excise returns.

    Managerial control 7: Procedures to explain significant differences

    There are procedures in place requiring explanations for significant differences between accounting disclosures, financial statements, the tax, excise and the BAS return.

    Better practice examples: explaining significant differences

    Better practice can be demonstrated by documented procedures detailing:

    • methods for reconciling the tax calculation prepared for the financial statements and the completed tax return
    • methods for preparing deferred tax assets and deferred tax liabilities calculations for the financial statements
    • methods for preparing tax calculations based on accounting transactions
    • management have a mechanism in place to appropriately explain the tax performance of the entity when compared to the accounting result
    • narratives to explain variances between tax expense for the financial statements and the tax paid/payable as per the completed tax return
    • methods for reconciling the BAS and the excise return to the source systems data and the general ledger
    • procedures in place requiring explanations for significant movements or deviations in the amounts reported in the BAS and the excise return compared to prior comparable periods or to the business operations of the entity.

    Managerial control 8: Complete and accurate tax disclosures

    Management are confident that tax disclosures have been accounted for properly and disclosed correctly in the relevant tax return with other relevant disclosures such as the excise return and the BAS. (However, some of these matters may be outside of the responsibility of the tax area.)

    Better practice examples: complete and accurate tax disclosures

    Better practice can be demonstrated by assurance that a tax, excise or BAS return review has occurred prior to lodgment. This reduces the likelihood of incorrect allocation and classification of line items, and that the relevant law, administrative guidelines and record-retention requirements have been taken into account in relation to issues such as:

    • income tax
    • capital gains tax
    • transfer pricing
    • GST
    • excise
    • research and development
    • reportable tax positions.

    Appropriate controls to review compliance risk for other types of taxes managed elsewhere, such as:

    • fringe benefits tax
    • the super guarantee charge
    • pay as you go (PAYG) (instalments and withholding)
    • employee mobility (who bears and claims the labour costs)
    • customs and excise duty
    • fuel tax credits (FTC)
    • luxury car tax (LCT)
    • state-based payroll taxes
    • stamp duty.
    See also

    Self-assessment procedures – MLC8

    Dealing with law and administrative updates

    Processes are in place to deal with law and administrative updates, such as legislative amendments, ATO guidance updates and budget announcements, ensuring these are operating effectively.

    Managerial control 9: Legal and administrative changes

    Tax corporate governance policies and procedures are required to be regularly reviewed and updated for law and administration changes.

    Better practice examples: dealing with law and administrative changes

    Better practice can be demonstrated by:

    • walkthroughs of process changes to assess whether changes to the law require updates to the internal control framework and development of new controls
    • change requests submitted to senior management and changes to systems or control mechanisms implemented
    • documented procedures to deal with difficulties implementing change due to law updates
    • correspondence sent to us advising of difficulties (if applicable).

      Last modified: 25 Aug 2022 (QC 46292)