Information systems risk assessment

Outlines how we assess the integrity of your information systems.

Last updated 20 September 2018

The integrity of information systems you use to support your business affects the accuracy and completeness of your reporting and lodgement activities.

We use an information systems risk assessment (ISRA) to gain a high-level overview of your information systems. Using a standardised questionnaire, we can develop a risk rating for key elements of your business operations. We usually undertake an ISRA as part of a larger review or audit. It contributes to our compliance activities by giving us confidence about the integrity of your business systems, processes and controls by measuring their accuracy and completeness.

We have developed a process that provides a structured approach for assessing your information systems risks. It is based on the guidelines and assurance frameworks set out by the Information Systems Control Association and the IT Governance Institute.

The process is described in the sections below.

Benefits of an ISRA

Using an ISRA in audits and other compliance activities can help you by:

  • providing an efficient way to help you understand your business, its systems and processes
  • highlighting any compliance risks and providing recommendations to mitigate them.

When we do an ISRA

When we consider whether to use an ISRA, we generally start by talking with you and gaining an understanding of your business activities. We look at whether your business:

  • has experienced mergers and acquisitions
  • has had rapid growth
  • has disparate, multiple systems that are loosely integrated
  • has had a high turnover of IT staff or relies heavily on temporary IT contractors for systems development and support
  • uses out-dated or unsupported software
  • uses in-house developed systems
  • has a history of IT project overruns and other difficulties
  • has a history of BAS amendments due to systems issues
  • has a history of voluntary disclosures caused by systems issues.

What you need to do

Preparing for your ISRA

We start with an interview, conducted by a compliance officer and systems specialist from our office.

Make sure the right staff are available to answer questions about your business systems – these may include system accountants, tax managers, system architects and support staff, external IT service providers or IT project managers.

We will be asking questions that focus on the history of your business, including planning, support, change management and other systems management functions.

Before the interview, we will:

  • establish with you who will be involved in the interview
  • negotiate an interview date that suits all participants
  • negotiate with you to obtain systems architecture diagrams and other supporting documents – ideally you will provide this information well ahead of the interview.

ISRA questionnaire

An ISRA questionnaire is a standardised questionnaire focused on those aspects of your information technology (IT) systems that relate to tax and regulatory compliance. The questionnaire has five auditable units, each with a series of questions weighted according to a predetermined risk rating:

  • systems inventory to assess the size and complexity of your IT environment
  • interface inventory to understand the extent of data manipulation and the complexity of data mapping
  • customisation inventory to assess the level of customisation across all systems to determine the risk level
  • IT projects and methodologies to assess the maturity level of your IT systems and the business processes they support
  • IT governance to gauge the adequacy of your internal policies, procedures and methodologies for effective and productive management of the IT function within your business.

ISRA interview

In the interview, we will identify and record responses for each question. By discussing these questions and your business systems and processes, we can understand your business systems, processes and controls.

We record your ISRA responses in the taxpayer version of the questionnaire and seek your agreement that the responses are correct. When the questionnaire is complete, we use the questionnaire responses to generate a risk rating profile with low, medium or high risk ratings. These ratings will be included in the report.

ISRA report

We prepare a final report that:

  • incorporates your feedback
  • details our findings including recommendations to address the issues we identified that may impact on the accuracy and completeness of your reporting.

Final interview

We have a final meeting with you to discuss the final report, where you will have the opportunity to work through the findings and offer any comment.

Computer systems and security

The ISRA process means you supply information about your information systems and, if required, supporting documents. Our officers will not operate your computer system.

Electronic and paper records you provide are protected by law. This information is kept in accordance with:

  • secrecy provisions of the Taxation Administration Act 1953 and Income Tax Assessment Act 1936
  • (for personal information) information privacy principles of the Privacy Act 1988.

More information

For more information or a copy of any of our publications:

  • visit our website
  • phone us on 13 28 66
  • write to us at

    PO Box 3524
    ALBURY  NSW  2640

If you do not speak English well and need help from the ATO, phone the Translating and Interpreting Service on 13 14 50.

If you are deaf, or have a hearing or speech impairment, phone the ATO through the National Relay Service (NRS) on the numbers listed below:

  • TTY users, phone 13 36 77 and ask for the ATO number you need
  • Speak and Listen (speech-to-speech relay) users, phone 1300 555 727 and ask for the ATO number you need
  • internet relay users, connect to the NRS on Link and ask for the ATO number you need.