Managerial-level responsibilities

Management's responsibility for capacity and capability, IT controls, accounting, law and administrative updates.

Last updated 24 August 2022

Management should have the capacity to enforce policies and implement strategies approved by the board. They should develop and implement systems that identify, assess, manage and monitor tax risks. Management also play a vital role in monitoring the appropriateness, adequacy and effectiveness of risk management systems.

The ATO recognises that the better practice examples provided below may not exactly align with the actual controls in place for all entities, particularly those with simple tax affairs. As with all internal controls, tax risk controls should be fit for purpose. We encourage you to adopt the elements of the ATO's recommended better practices that are applicable to your circumstances.

Ensuring sufficient capacity and capability

Management should ensure there is sufficient capacity and capability to enable effective management of tax risk.

Managerial control 1: Roles and responsibilities are clearly understood

Staff, management and board roles and responsibilities are clearly defined and documented within the control framework to ensure tax obligations are well managed and satisfied.

Better practice example: roles and responsibilities

Better practice can be demonstrated by formal documents, policies or procedures for all roles and responsibilities relating to tax compliance and risk management.

These generally detail:

  • role descriptions for tax compliance, administration and risk management
  • roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel
  • formal delegations (or authorisation levels)
  • segregation of duties – for example, dual sign-off, Business Activity Statement (BAS)/excise return preparation is segregated from review and authorisation prior to lodgment
  • policies or committee charters that specify methods and frequencies for reviewing and escalating risks in the tax risk register, including follow-up of identified tax risks.
End of example

Managerial control 2: Senior management confident of capacity and capability

Senior management, such as the CFO/CEO or head of tax, are confident in the capacity and capability of tax governance processes and personnel for income tax, excise and GST and other indirect taxes.

Better practice can be demonstrated by:

  • a control framework approved by senior management that includes both preventative and detective controls
  • clearly identified key controls, including how often they are tested by staff with appropriate experience designated as control owners
  • senior management approval of the design and operating effectiveness of the internal controls governing tax compliance
  • internal or external assurance reviews of tax corporate governance or control framework procedures
  • staff training on tax-related topics including excise, GST and other relevant indirect taxes
  • staff reviews, KPIs and performance agreements that incorporate tax corporate governance and risk management elements
  • key personnel with professional qualifications and standards to ensure capability
  • impacts of tax compliance risks considered by an appropriate management or board sub-committee; for example, a mergers and acquisitions sub-committee considers the tax risks of acquiring an entity
  • existing channels for personnel outside of the tax function to identify and escalate tax risks
  • tax-related reports generated and presented to senior management.
End of example

Managerial control 3: Significant transactions are identified

Transactions or arrangements with a significant tax impact are systemically identified, categorised and reported on – for example, into strategic, operational, reputational, compliance and financial matters.

Better practice examples: identifying significant transactions

Better practice can be demonstrated by a policy for significant tax transactions that:

  • specifies the value of what would constitute a significant transaction requiring authorisation from the tax area
  • details the types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (and, by default, tax matters not requiring escalation)
  • outlines the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction.

A risk-identification process that accounts for qualitative and quantitative risk factors. Examples of typical risk factors include:

  • volume of transactions affecting disclosures in the tax return, excise return or BAS
  • financial accounting and tax reporting complexities and inconsistencies
  • volume of manual adjustments made by management
  • related-party transactions
  • dealings involving low-tax jurisdictions
  • year-end arrangements resulting in tax benefits
  • revaluations resulting in tax benefits
  • transactions or arrangements where there
    • is a legal versus substance disconnect
    • are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome
  • the use of new and complex financial instruments or arrangements
  • manual coding and classification of transactions for GST and excise where systems were overridden
  • intra-group transactions with GST groups
  • reversals or corrections to lodged BAS
  • tax risks have been rated, for example high/medium/low, with the appropriateness of the rating evaluated on a yearly or half-yearly basis
  • reporting templates that are adhered to.


Consider our tax risk information when carrying out your risk-identification processes.

End of example

Ensuring information technology controls are in place

The internal control framework includes the implementation of appropriate Information Technology General Controls (ITGCs) to ensure information systems that process and store financial data accurately calculate, allocate, record and report tax data correctly.

Managerial control 4: Controls in place for data

Data integrity as a result of data transfer between various accounting/subsidiary systems should be subject to internal control processes.

It is generally understood that the information technology (IT) function will provide assurance that appropriate ITGCs are in place to support the various operations of the business including tax.

General IT controls

ITGCs are policies and procedures that relate to applications that support the effective functioning of those controls. ITGCs that maintain the integrity of information and security of data commonly include controls over:

  • data centre and network operations
  • system software acquisition (change and maintenance)
  • program change
  • access security
  • application and system acquisition (development and maintenance).

Where IT poses risk to the entity's general control environment, these controls are generally implemented to address:

  • reliance on systems or programs that are inaccurately processing data or processing inaccurate data
  • unauthorised access to data – particular risks may arise where multiple users access a common database or IT personnel gain access inappropriately
  • unauthorised changes to systems, programs or data in master files
  • failure to make necessary changes to systems or programs
  • inappropriate manual intervention
  • potential loss of data or inability to access data as required.

Better practice examples: Controls in place for data

Evidence of data integrity controls can include effective IT system and application controls that maintain the integrity and security of data.

For entities with organisational-level ITGCs, a tax function should identify the relevant IT controls that are key to the tax function in their tax internal control framework. These relevant IT controls should be designed and operating effectively to allow instances of IT control breakdowns to be remedied. Breakdown instances should be communicated to the tax function to assess and remediate any impact on the tax return/excise return/BAS.

This includes effective processes that allow the tax function to provide input on IT controls and functions, where the preparation of the tax return/BAS/excise return is dependent – for example, extracts of data from sub-ledgers, interfaces between systems, ensuring the system is calculating tax as intended.

Consideration of the relevant automated controls key to the tax function may include:

  • the extent to which automated calculations, coding of transactions or data-processing routines programmed into the applications are used
  • application of master tax codes and setting up of master files to classify GST transactions
  • application of master product and customer codes to calculate the excise liability. Key master tables related to excise include products, plants, permissions, customers, tax rates, vendors, tariff items and storage tanks
  • the settings, rules and conditions within the master files affecting the payment of excise
  • IT systems used at the terminal/site level for receipting products, product delivery and stock controls and their impact on calculating the excise liability
  • the volume of transactions processed by a control is an indication of whether management should consider the application of ITGCs
  • the extent to which your organisation makes use of complex spreadsheets, where the risk of formula error, unauthorised changes or access, and complex calculation, could increase the risk of error
  • whether identified information system-control risks have been investigated via an internal or external review by an assurance provider (per audit plan)
  • reporting mechanisms exist between the tax unit and owners of ITGCs (and the rest of the organisation) regarding IT and system-related control weaknesses.
End of example

When developing your internal controls for tax, you may leverage existing control frameworks by documenting all tax-related key controls. You should also document how these controls are tested and by whom, including communication protocols and testing frequencies (for example, via internal audit on a rotational basis). This is to ensure tax function involvement in the event of any control breakdowns or changes.

Managerial control 5: Record-keeping policies

The organisation employs procedures to support record keeping for tax requirements as prescribed by law and our guidelines.

Better practice examples: record keeping policies

Better practice can be demonstrated by:

  • a formally documented record-keeping policy for tax, including appropriate timeframes for the retention of records
  • staff access to guidance notes via an intranet, or a set of procedures that are readily accessible explaining record-keeping requirements
  • internal or external audits that verify compliance
  • evidence that staff have been trained on record-keeping requirements for tax purposes (covering all taxes).
End of example

Assuring the flow of information from accounting records

Ensure there is a complete and accurate flow of information from accounting records to the tax return, or relevant excise return or the BAS.

Managerial control 6: Documented control frameworks

There is a documented internal control framework that specifically ensures the group’s compliance with tax law. This includes the complete and accurate flow of information from accounting records to the tax return, excise return and BAS.

Better practice examples: documented control frameworks

Better practice can be demonstrated by:

  • documented procedures for reviewing the tax return, including reconciliation back to the audited financial statements with retention of working papers detailing the calculation of the tax, excise and BAS return
  • working papers reviewed and approved by management, indicating that they have checked the correct application of tax law to accounting transactions and accurate calculation of the tax, excise and BAS return
  • documented procedures and process manual/s for preparing the excise return and the BAS, including the supporting reconciliations
  • retention of working papers and reports supporting the excise return and the BAS
  • documented processes and procedures for terminal/site level inventory controls and stock reconciliations affecting the calculation of the excise liability
  • working papers and reports reviewed and approved by management, indicating they have checked the correct application of tax law to transactions and accurate reporting for excise returns and the BAS
  • documented 'system map' showing the general process flow of how transactions are captured and flowed through to the GST/excise returns.
End of example

Managerial control 7: Procedures to explain significant differences

There are procedures in place requiring explanations for significant differences between accounting disclosures, financial statements, the tax, excise and the BAS return.

Better practice examples: explaining significant differences

Better practice can be demonstrated by documented procedures detailing:

  • methods for reconciling the tax calculation prepared for the financial statements and the completed tax return
  • methods for preparing deferred tax assets and deferred tax liabilities calculations for the financial statements
  • methods for preparing tax calculations based on accounting transactions
  • a mechanism for management to appropriately explain the tax performance of the entity when compared to the accounting result
  • narratives to explain variances between tax expense for the financial statements and the tax paid/payable as per the completed tax return
  • methods for reconciling the BAS and the excise return to the source systems data and the general ledger
  • procedures in place requiring explanations for significant movements or deviations in the amounts reported in the BAS and the excise return compared to prior comparable periods or to the business operations of the entity.
End of example

Managerial control 8: Complete and accurate tax disclosures

Management are confident that tax disclosures have been accounted for properly and disclosed correctly in the relevant tax return with other relevant disclosures such as the excise return and the BAS. (However, some of these matters may be outside of the responsibility of the tax area).

Better practice examples: complete and accurate tax disclosures

Better practice can be demonstrated by assurance that a tax, excise or BAS return review has occurred prior to lodgment. This reduces the likelihood of incorrect allocation and classification of line items, and ensures that the relevant law, administrative guidelines and record-retention requirements have been taken into account in relation to issues such as:

  • income tax
  • capital gains tax
  • transfer pricing
  • GST
  • excise
  • research and development
  • reportable tax positions
  • appropriate controls to review compliance risk for other types of taxes managed elsewhere, such as
    • fringe benefits tax
    • the super guarantee charge
    • pay as you go (PAYG) (instalments and withholding)
    • employee mobility (who bears and claims the labour costs)
    • customs and excise duty
    • fuel tax credits (FTC)
    • luxury car tax (LCT)
    • state-based payroll taxes
    • stamp duty.
End of example

See also

Self-assessment procedures – MLC8

Dealing with law and administrative updates

Processes are in place to deal with law and administrative updates, including legislative amendments, ATO guidance updates and budget announcements, ensuring these are operating effectively.

Managerial control 9: Legal and administrative changes

Tax corporate governance policies and procedures are required to be regularly reviewed and updated for law and administration changes.

Better practice examples: dealing with law and administrative changes

Better practice can be demonstrated by:

  • walkthroughs of process changes to assess whether changes to the law require updates to the internal control framework and development of new controls
  • change requests submitted to senior management and changes to systems or control mechanisms implemented
  • documented procedures to deal with difficulties implementing change due to law updates
  • correspondence sent to us advising of difficulties (if applicable).
End of example
