Guide to Independent Data Testing by Third Party Advisors

Top 100 and Top 1000 GST assurance programs

Contents

What is this Guide about?

The purpose of this Guide is to assist taxpayers that may be contemplating engaging the services of a third-party advisor to undertake independent data testing with respect to a notified ATO Top 100 or Top 1000 GST assurance review.

We have previously published separate guidance to assist Top 100 and Top 1000 taxpayers with self-reviewing GST governance and correct reporting through data and transaction testing.¹

This Guide provides practical guidance on the ATO's expectations and the conditions that must be met for a taxpayer's third-party advisor to undertake the independent data testing that can be relied upon in a GST assurance review. There is no requirement for taxpayers to undertake independent data testing. A reference to third-party advisor includes both the individual advisor and the advisory firm.

Taxpayers will need to agree the scope of the independent data testing with the ATO in order for us to rely on the results in an assurance review. Where taxpayers are undertaking preparation work prior to the notification of a GST assurance review, including data testing, there is no guarantee that the scope, methodology and data testing plan undertaken as part of the preparation work will be accepted by the ATO in the assurance review. However, the ATO will leverage, where possible, the data testing undertaken prior to the commencement of the review where the scope, methodology and tests performed align with the review.

This Guide provides the framework for a uniform, consistent and transparent approach to independent data testing conducted by a third-party advisor.

The importance of robust business systems

The way in which a taxpayer's business systems create, capture, collate and report GST impacted transactions is fundamental to the correct reporting of GST obligations. To ensure the correct reporting of GST obligations, the ATO expects that taxpayers will undertake data and transaction testing regularly as part of their assurance and verification procedures.

As part of the ATO's GST assurance (Justified Trust) reviews in the Top 100 and Top 1000 markets, we will test the taxpayer's data and transactions to assess whether their business systems are capable of correctly calculating and reporting its GST liabilities. This may involve either the ATO undertaking the data and transaction testing, or the ATO reviewing and verifying the independent data testing that a third-party advisor undertakes for a taxpayer.

Where the taxpayer chooses to engage a third-party advisor to undertake independent data testing, prior agreement is required to be sought with the ATO in respect to the scope, methodology and the testing plan, including the full details of each test. This ensures that we are able to rely on the results as part of the assurance review. During the review, it is likely that the ATO will further analyse transactions (and request source data) for identified errors, anomalies, outliers or other exceptions from the data testing.

Further information on the ATO's GST Justified Trust assurance reviews, and the Top 100 and Top 1000 programs, should be reviewed in conjunction with this Guide: www.ato.gov.au/Business/Large-business/Justified-trust/.

When is it appropriate?

This approach may be appropriate where all of the following conditions are met:

• The taxpayer requests that data testing be undertaken by a third-party advisor.
• The third-party advisor has the requisite system capability and GST expertise to undertake the data testing.
• The third-party advisor is independent (see the 'Independence of third-party advisor' section below).
• The third-party advisor is able to undertake and complete the data testing within the agreed timeframes (including by reference to the taxpayer's circumstances in relation to accessing the data and any other relevant considerations).
• The scope, methodology and the data testing plan, including the full details of the procedures for each test, will be agreed to with the ATO before the commencement of any data testing.
• The taxpayer considers that it is preferable as part of its Justified Trust review to adopt this process, and any additional cost of compliance incurred by the taxpayer is considered by the taxpayer to be appropriate and manageable.
• The taxpayer and the third-party advisor collaboratively engage with the ATO as part of this process, including to resolve any issues or concerns identified by the ATO with the data and transaction testing process.

What if the conditions cannot be met?

Where the conditions cannot be met, the ATO will conduct the data testing.

What is the process?

The process will be tailored for the individual circumstances of each business and it is anticipated that in a GST assurance (Justified Trust) review for a Top 100 or Top 1000 taxpayer that the third-party advisor's scope of engagement will reflect the requirements articulated in this Guide (including Appendix 1). As noted above, the scope should be discussed and agreed with the ATO in advance. In this regard:

• For a Top 100 taxpayer, the ATO will confirm the scope, methodology and tests to be performed after the walkthrough of the taxpayer's business systems. This enables all parties to have a clear understanding of the way in which the business systems and processes operate to better inform the scope and methodology of the data testing.²
• For Top 1000 taxpayers, the ATO will seek to engage with the taxpayer during the notification period³ before the commencement of the assurance review to discuss its data testing requirements.
• The taxpayer must ensure that the data testing is adhered to and includes the scope, methodology and data tests determined by the ATO.
• The ATO will request full details of the third-party advisor's testing and procedures for each test to ensure the data testing meets the ATO's requirements.
• The taxpayer will retain the full data and provide it to the ATO if requested. The ATO will work with the taxpayer in relation to the data and information requirements throughout the assurance review process including in respect of errors and exceptions referenced below, as well as in applying the other elements of the Justified Trust methodology.⁴
• The taxpayer will provide to the ATO the third-party advisor's full report of factual findings. The factual findings report will contain sufficient detail for each test performed including procedures performed and errors or exceptions identified (see the 'Report of factual findings' section below).
• The report of factual findings will not be binding on the ATO or preclude the ATO from undertaking further verification and validation of the findings or conducting its own testing.
• The ATO will analyse the errors and exceptions noted and where the errors or exceptions are unable to be validated or reconciled by the taxpayer, the ATO may request the taxpayer to provide the full data set or request secondary testing to re-run the tests. The ATO may select a sample of transactions from any identified errors or exceptions for transaction testing.
• The ATO will make an assessment of whether or not the taxpayer's GST systems are capable of recording and reporting the right amount of GST as part of the GST assurance (Justified Trust) review. The assessment will be based on all of the objective evidence provided by the taxpayer including underlying source documentation (e.g. invoices, journals entries, etc.), the results of the data and transaction testings undertaken and the factual findings report.

Report of factual findings

The report of factual findings must contain:

• The scope of engagement and data tests performed.
• A statement attesting to the independence of the third-party advisor.
• A statement that the procedures performed were those agreed with the ATO.
• A statement of full and true disclosure of all matters.
• A statement detailing the bespoke data testing undertaken and the reasons why.
• A statement as to the GST expertise of the third-party advisor.
• A listing of the specific procedures performed, detailing the nature, timing and extent of each procedure.
• A description of factual findings in relation to each test/procedure performed, including:
1. the step-by-step details of the actions completed to format/manipulate and/or add to the raw data
2. the control checks (reconciliation) of the raw data uploaded to the third-party advisor's data analysis platform that clearly shows the process confirming the data integrity and reliability of the test outputs
3. the full criteria of each test/procedure and the transaction (line-by-line) results for each test⁵
4. full details of all errors and exceptions found including:
• total number of transactions in the data set
• the total number of transactions covered by each test
• total number of errors and exceptions for each test
• transaction listing of exceptions and errors (including false positives) identified and the aggregated monetary value GST inclusive and the GST amounts for each test
• full details of transaction testing undertaken in relation to any errors or exceptions found
5. a reconciliation of the raw data to the general ledger (GL) and the Business Activity Statements (BAS) for the data testing period.
• The identification of any of the procedures agreed in the terms of the engagement which could not be performed and the reasons why.
• The third-party advisor's name, address, signature and the date of their report.

Independence of third-party advisor

The ATO will require the third-party advisor to attest that it is independent from the day to day operations of the taxpayer's business and has not been involved in any aspect of the underlying data to be tested. This should be set out in the report of factual findings.

This requirement must be met by a third-party advisor (and should also be continuously considered throughout the engagement) before the ATO can rely on the testing undertaken by a third-party advisor.

The advisor must not be involved in the data input/BAS preparation exception reporting process or be responsible and/or accountable for controls in place for data and BAS preparation.

The following scenarios provide practical guidance on the application of the independence in respect to third-party advisors undertaking data testing. The examples illustrate and highlight some of the factors that may impact on the independence of the third-party advisor, but it is not feasible to cover every possible scenario. Where there is uncertainty as to the independence of the third-party advisor this should be raised with the ATO at the earliest opportunity.

The role of the ATO including e-Auditors

The ATO team undertaking the GST assurance (Justified Trust) review will support and assist the taxpayer with the data and transaction testing requirements.

As part of the ATO case team, an e-Auditor will be engaged from the commencement of the case to assist the ATO case team with planning and undertaking the walkthrough and the data and transactional testing processes. Additional information on the ATO's walkthroughs, and data and transactional testing processes can be found in the GST governance, data testing and transaction testing guide.⁶ For Top 1000 taxpayers, the ATO will seek to engage with the taxpayer during the notification period before the commencement of the assurance review to discuss its data testing requirements.

The ATO e-Auditor will work closely with the case team in a GST assurance (Justified Trust) review to determine the appropriate scope, methodology and data tests to be undertaken as part of the review and will also assist with reviewing the details of the proposed data testing to be undertaken by a third-party advisor.

For more information

If you have any queries in relation to this Guide, please email us at

Top100@ato.gov.au or Top1000GSTProgram@ato.gov.au

Amendment history

Appendix 1 - Data testing scope

The scope of the data testing depends on whether the taxpayer is a Top 100 or Top 1000 taxpayer.

To draw a reasonable conclusion that a taxpayer's business systems are capable of correctly capturing, recording and reporting your GST obligations, it is important that sufficient coverage over the whole economic group is obtained.

The process for determining the scope is as follows. This is also replicated, in part, in the GST governance, data testing and transaction testing guide (and that guide should be referenced in designing the data testing process).

Selecting the Entity

Top 100

We consider that a BAS relating to the largest GST reporter that provides at least 75% coverage of the GST throughput of the economic group represents sufficient coverage. You should use the following criteria:

• Greater than 75% coverage
• > Where the economic group is comprised solely of one GST reporting entity, select that entity.
• > Where the sole GST reporter's BAS is comprised of a number of GST divisions, identify the division that provides at least 75% coverage.
• > Where the economic group is comprised of a number of GST reporting entities, identify the reporting entity that provides at least 75% coverage.
• > Where the entity or division that contributes to the economic group provides less than 75% coverage, your scope should include:
• The largest contributor based on GST throughput, and
• The next largest contributor until the required 75% coverage is achieved.
• > Entities or business divisions including branches with unique or complex transactions including input taxed supplies, GST-free supplies and property transactions such as 'built-to-rent' that may present a GST risk.
• > Entities or business divisions including branches that have recently undergone major business system upgrades or introduced new IT systems, changed business operations models, have a high turnover of staff, where business reporting functions have been outsourced or business operations have introduced special purpose vehicles such as joint venture structures.

Top 1000

Generally, we review the largest GST reporter in the economic group. We may include additional entities that we consider may present potential GST risks, i.e. entities which undertake complex transactions or have recently undergone major business system changes.

Selecting the Data Test Period

The ATO considers that it is better practice to test data that relates to the 12-month period that aligns to the most recent income tax return lodged. This will ensure that any improvements to the business system and data controls that a taxpayer has implemented will be included in the testing scope.

The ATO considers a data set of at least three consecutive months (approximately 25% of all transactions - the 'testing period') used as a representative sample of a full 12 month period as appropriate for business operations that involve a stable supply and acquisitions base.

The testing period data allows for month-end processes to be tested, trend and variance analysis to be performed and timing adjustments identified. It is also possible to test for the most common types of GST reporting errors made by large businesses from this data sample size.

Some of the factors that should be considered when selecting the data testing period include:

• Rapid growth in the business
• Changes in existing accounting systems, Accounts Receivable (AR), Accounts Payable (AP), and BAS preparation processes and controls
• Changes in key accounting staff and/or GST tax managers
• Changes in business model, i.e. outsourcing or co-sourcing of finance/tax functions
• Restructuring of the group
• Merger and acquisition activity, i.e. recent merger, demerger and acquisitions (via assets or shares)
• Significant increase/decrease in the volume of transactions
• The presence of any transactions involving GST risks flagged by the ATO
• The presence of any identified significant or new transactions

Where any of the factors listed above exist or are identified during the review from discussions with the taxpayer consideration will be given to extending/amending the data testing to mitigate sampling risk and to achieve the intended outcomes. The third-party advisor needs to ensure that it has considered these factors in nominating the proposed data test period.

For Top 1000 taxpayers, the test period should, subject to the above, be agreed during the early notification period.

Selecting the Test Data

The data set should contain sufficient detail to ensure the correctness and completeness of the data to be tested. Often this includes data from accounting systems and source systems such as Point of Sale, billing systems or staff expense reimbursement systems, etc.

The data set should include reports with the following minimum fields:

General Ledger (GL) transactions

• Entity or business unit
• Journal Source
• Account Number
• Account Name/Description
• Reference Number
• Transaction Date
• Posting Date
• Description
• Debit Amount
• Credit Amount
• Tax Code

General journal transactions

• Account Number
• Account Name
• Reference Number
• Transaction Date
• Posting Date
• Description
• Debit Amount
• Credit Amount
• Tax Code

Purchase transactions

• Entity or business unit
• Invoice Date
• Posting Date (to GL)
• Invoice Number
• Purchase Order Number
• Transaction Description
• Cost Centre
• Supplier Code, Name, Address & ABN
• GL Account Number
• GL Account Name
• Tax Code
• Gross Amount
• Net Amount
• GST Amount

Sales transactions

• Entity or business unit
• Journal Source
• Invoice Number
• Invoice Date
• Store/Register number (for POS data)
• Transaction Description
• Customer Name & Code
• GL Account Number
• GL Account Name
• Tax Code
• Amount including GST
• Amount exclusive GST
• GST Amount

GST codes

• GST Code
• GST Code Description
• GST Rates (%)

Supplier master file

• Supplier Code, Name & ABN
• Supplier Address
• GST Status of Supplier (registered for GST, reverse charge, recipient created tax invoices, etc.)
• Tax Code

Chart of accounts

• Entity Code
• Entity Code Description
• Account Number
• Account Name
• Account Description
• GST Code(s)
• GST Code Descriptions
• Chart of Account Structure (asset, liability, income, expense account, etc.)

Developing the testing plan and data tests

Key elements to consider when developing the data testing plan include:

• the availability of data analytics software to undertake the data testing
• the capability and capacity of staff to undertake the testing
• ensuring that the scope and methodology of the data tests and procedures to be performed are documented
• ensuring the data request/data extraction contain the required fields to conduct the testing
• consideration of secondary systems such as staff expense (e.g. Concur) for batched and totals posted to the general ledger. Note that for Top 1000 taxpayers, we would focus on the primary accounting/ERP system and only review secondary/sub systems where these systems contribute to the majority of transactions for either AP or AR and are batch interfaced to the GL, e.g. Point of Sale system for a retailer
• ensuring the tests include those specific to the industry, bespoke to the business and a description of each test including data scripts and fields required to run the tests
• document data transformation steps including data export, data cleansing for import, reconciliations and uploading to analytics tool
• identifying potential errors and exceptions, including anomalous transactions
• capturing and reporting of identified errors and exceptions.

Tests, as appropriate, should be included from the list of ATO e-Audit tests. This is important to ensure that the ATO can assess the results and minimise the need to undertake further testing.

E-Audit tests include:

• BAS reconciliation
• Reversals (with/without GST)
• Monthly trends
• Delays in entering transactions into the accounting system
• Correct calculation of GST for taxable sales and purchases
• Tax code anomalies
• Vendor/supplier/GL tax coding anomalies
• Gaps in sales invoice or sequence numbers
• Correct tax code and amount - Sales
• Reconciliation of major sub-systems to main accounting system data, e.g. Point of Sale, commission systems, leasing systems, etc.
• Reconciliation of stock data or stock purchases to sales
• Duplicate purchases
• Supplier summary with ABN validity check
• Correct tax code and amount - Purchases
• Manual GL entries/adjustments
• Supplier/vendor/product master file anomalies

It is expected that the third-party advisor will work with the taxpayer to assess the GST risks associated with the business in relation to routine, non-routine, significant and new transactions. Additionally, the third-party advisor will ensure that additional specific tests are included in the data testing and the outcome is documented in the report of factual findings.

For the Top 100, a more bespoke in-depth approach will need to be used to determine what additional specific tests will be required based on the unique attributes of the taxpayer's business and risks identified in ATO public or private rulings and guidance documents.

For both Top 100 and Top 1000 taxpayers, testing will need to address industry specific risks, for example the property, insurance and financial services industries, etc.

¹    Refer to the ATO GST Governance, Data Testing and Transaction Testing Guide

²    As part of this, the ATO notes that a materiality threshold should not be used in setting the scope of the data testing. This is because it is important for all of the data and transactions to be tested for correct reporting.

³    This will generally be a period of 2 months.

⁴    Refer to www.ato.gov.au/Business/Large-business/Justified-trust/

⁵    The actual test results in a spreadsheet containing sufficient details such as the invoice number, invoice date, posting date, GL accounts, Journal entry reference, etc. should be provided to enable the ATO to select samples for transaction testing

⁶    Refer to the ATO GST Governance, Data Testing and Transaction Testing Guide