Governance over third-party data

Supplementary guide for large superannuation funds, managed funds and insurance companies on third-party data tax controls

Contents

1. Executive Summary 3
1.1 Background 3
1.2 About this Guide 4
1.3 Benefits of a well-designed third-party data tax governance framework 6
1.4 Our governance ratings 7
2. Our approach to reviewing third-party data tax controls 9
3. Practical guidance to self-review the entity's third-party data tax controls 14
3.1 Roles and responsibilities of outsourced service providers are clearly understood (MLC 1, Design effectiveness, Stage 2) 16
3.2 Documented third-party data tax controls framework (MLC 6, Design effectiveness, Stage 2) 19
3.3 Significant transactions are identified (MLC 3, Design effectiveness, Stage 2) 26
3.4 The board is appropriately informed (BLC3, Design effectiveness, Stage 2) 33
3.5 Periodic controls testing program (BLC4, Design effectiveness, Stage 2) 35
4. Independent assurance of the control environment at the outsourced service provider 38
5. Data analytics and sample testing 43
Appendix 1: Tax controls for complex foreign investments 45

1. Executive Summary

1.1 Background

Entities that operate within the investment industry make a significant contribution to the tax system. It is important that confidence is obtained over these entities' compliance with their tax and reporting obligations. In this guide, we refer to entities which include large superannuation funds, managed funds and insurance companies.

Such entities rely on third-party data from outsourced service providers as commercial viability in the institutional investment environment generally requires the outsourcing of non-core record keeping activities. Outsourced service providers include custodians and administrators that collate and present third-party data in tax reports from sources such as investment managers, actuaries and employers.

The high volume of transactional data means that tax risk management and mitigation on a transaction-by-transaction basis is difficult and onerous. By outsourcing to outsourced service providers, entities may leverage the expertise, control environment, scale and network benefits of such providers to reduce their tax risk and increase compliance in a cost-effective manner.

Further, these outsourced service providers themselves rely on data, systems, calculation engines and / or software of additional service providers.

Therefore, effective tax risk management, mitigation and assurance may be obtained through the establishment and testing of controls and processes over the third-party information that feeds into the entity's reporting obligations.

Lodgment responsibilities and duties are statutory requirements as set out in the Income Tax Assessment Act 1936 (ITAA 1936) and Income Tax Assessment Act 1997 (ITAA 1997) and Taxation Administration Act 1953. Lodging entities carry the legal responsibility for ensuring that false and or misleading statements (for example, tax returns and the Annual Investment Income Report (AIIR)) are not made to the ATO. Therefore, the use of outsourced service providers does not extinguish the legal responsibility of the lodging entity.

We expect the outsourced service providers to have contractual obligations to correctly capture and present the tax reporting accurately. However, entities relying on outsourced service providers should take steps to obtain a high level of confidence over the accuracy of the information provided.

The quality and integrity of outsourced service providers and third-party data is essential for accurate reporting.

Entities that rely on third-party data from outsourced service providers should document how they assess the integrity of the underlying data that feeds into their reporting obligations. The aim of third-party data tax controls is to provide a framework so that an entity does not need to examine every single transaction but will have comfort that there are controls in place to manage and mitigate tax risk, error and/or misstatement. This means having controls designed to mitigate the risk of inaccuracies in third-party data and to test that these controls are operating effectively.

Entities would be expected to have an understanding of the following:

knowledge of the different sources of tax data
where calculation engines are used to calculate amounts required for the tax reporting, knowledge of how the calculations are performed, and
how this tax data is used to complete the relevant lodgments to the ATO.

For many entities, in relation to investment income and gains, this starts with their custodian and obtaining confidence that the data received from a custodian is accurate. This also extends to the direct receipt of investment information from both domestic and foreign sources.

The trustees or boards (or the relevant sub-committee) of these entities have a responsibility to develop systems and processes in accordance with their tax risk management framework to manage and mitigate the risk of inaccuracies over third-party data that feed into their income tax reporting obligations.

1.2 About this Guide

This guide explains how the Justified Trust methodology is applied by the ATO to review the existence, design effectiveness and operational effectiveness of third-party data income tax controls as part of an effective tax control framework.

In July 2015, the ATO published the Tax Risk Management and Governance Review Guide (ATO Guide).

In applying the Justified Trust methodology, the following controls are considered:

Formalised Tax Control Framework (Board-level Control BLC 1)
The board is appropriately informed (BLC 3)
Periodic internal control testing (BLC 4)
Roles and responsibilities are clearly understood (Managerial-level Control MLC 1)
Significant transactions are identified (MLC 3)
Controls in place for data (MLC 4 - GST only)
Documented control frameworks (MLC 6)
Procedures to explain significant differences (MLC 7).

The above controls focus on different types of potential tax risks that we consider need to be managed to have an effective tax governance framework. The controls also focus on the entity's internal systems and processes. They do not extend to and accordingly do not appropriately provide guidance on circumstances where entities obtain and rely upon third-party data to meet their lodgment and other obligations.

This Guide on third-party data tax controls supplements the ATO Guide and should be reviewed together.

To the extent that it impacts on income tax reporting and distribution statement obligations, some sources of third-party data are:

custodians
administrators
unit registries
managed investment schemes
investor directed portfolio service providers
external tax advisers
actuaries
investment managers
valuers for unlisted assets.

Scope of this Guide

The entities to which this guide applies include:

trustees of superannuation funds (other than small funds)[1]
trustees of managed investment trusts (MITs) and attribution managed investment trusts (AMITs) and trustees of unit trusts involved in the managed funds and/or investment industry
boards of insurance companies.

These entities rely on data from third parties for the preparation and finalisation of their income tax reporting obligations and Attribution Managed Investment Trust Member Annual (AMMA) Statement for AMITs, standard distribution statement (SDS) for MITs and distribution statements for unit trusts.

Where an entity (such as a superannuation fund) invests through a wholly owned special purpose vehicle such as an AMIT, a MIT or a unit trust, the tax controls over third-party data may be part of the superannuation fund's tax governance framework or the AMIT, MIT or unit trust's tax governance framework.

The expectations for tax controls over third-party data in this guide apply to third-party data received by the entity for the following reporting obligations:

the entity's income tax return and associated schedules
the AMMA statement, SDS and distribution statement.

These entities, as investors in a MIT, AMIT or unit trust, are able to rely on the SDS, AMMA statement or distribution statement to an extent. However, as sophisticated investors we consider there needs to be some controls in place to sense check the amounts. The following are examples where the investor should consider if there is an issue with the statement (not exhaustive):

if there is a significant difference in amounts as compared to previous years
franking credits significantly exceed gross up amounts
the final amounts do not seem to align with the interim distribution position.

These entities typically have significant investment and asset holdings and enter into service agreements with the outsourced service provider to manage these holdings. The service agreement governs the relationship between the two parties. These entities rely on several reports produced by the outsourced service providers in respect of their investment and asset holdings to prepare their lodgments (for example, income tax or fund tax returns).

We are also aware that entities typically rely on data from several third-party sources in preparing their lodgments and that this brings its own challenges in consolidating data for final use.

Examples of these reports include:

custodian tax and supplementary reports (monthly and annual)
administrator reports
actuarial certificates.

We also recognise that some entities within the investment industry perform many investment and reporting functions 'in-house'. Although not a traditional outsourced service provider relationship, our expectations for third-party data tax controls apply equally to entities that have these in-house functions.

What is not in scope?

The following are not in scope for the purpose of this Guide:

superannuation fund obligations to report member account information to the ATO
PAYG withholding obligations on member superannuation benefits
GST controls, risks and tax implications which are considered in the GST Governance, Data Testing and Transaction Testing Guide .

While some of the principles in this Guide may be relevant to member reporting, PAYG withholding and GST reporting obligations, they are not covered in this Guide.

Finally, this Guide does not apply to other reporting requirements these entities may have to other regulatory authorities, such as financial reporting and reporting to the Australian Prudential Regulation Authority (APRA).

1.3 Benefits of a well-designed third-party data tax governance framework

Tax risk is the risk that entities may be paying or accounting for an incorrect amount of tax, or that the tax positions that an entity adopts are out of step with the tax risk appetite that the trustee board has authorised or believe is prudent. As tax will ultimately impact members' balances and/or what beneficiaries report in their income tax returns, entities have an obligation to ensure that they manage tax risk through a strong tax governance framework to ensure accurate reporting of information.

Throughout this Guide, a reference to the board also includes a reference to the relevant authorised board level sub-committee, for example, an audit, a risk and compliance and/or an investment committee.

The benefits of documenting and having a well-designed framework that is operating effectively for third-party data tax controls include the following:

Members or unitholders and the ATO will have trust in the board that it has processes in place to manage tax risks associated with third-party data and tax reporting and ensure member or unitholder outcomes are reported correctly. Trustee boards have statutory and general law obligations to perform their duties and exercise their powers in members' or unitholders' best interests.
It provides insights into the strength of the third-party data tax governance framework and through ongoing testing may help:

-
to identify potential systems or process gaps to prevent tax control breakdowns in advance
-
to reduce the incidence of misreporting. Where errors are made there is a process in place to ensure they are identified and addressed in a timely and efficient manner. Misreporting results in an administrative burden to correct reporting of member balances (which in turn impacts member reporting to the ATO) and amending income tax returns and distribution statements (which in turn may impact reporting by beneficiaries). A strong tax governance framework reduces reputational risk to the entities from misreporting to members and beneficiaries in addition to reduced compliance costs.
-
with more accurate reporting as it allows entities to quantify returns with greater accuracy, allowing investment decisions to be made optimally and in the best interests of its members or unitholders.

It assists management with:

-
clarifying accountabilities for managing tax risks to the board (or relevant committee) or senior management - who is responsible for what and why
-
helps the board (or relevant committee) or senior management to manage tax reputational risk
-
appropriately balancing the level of engagement required with its external tax advisers against the role and capabilities of its in-house tax team.

It provides evidence to support a higher assurance rating in the entity's Tax Assurance Report or Combined Tax Assurance Report. This may in turn:

-
help to reduce the risk of unexpected reviews or audits
-
provide a point of reference for statements the entity makes in its tax transparency reports
-
assist us in reducing the intensity of our enquiries because we can have confidence in the entity's tax disclosures.

1.4 Our governance ratings

Once we've established a tax control framework exists, we then look for objective evidence that the framework is designed effectively and is 'lived', that is, operating effectively. In this regard, we use the following staged rating system:

Red flag: The entity has not provided sufficient evidence to demonstrate a tax control framework exists or we have significant concerns with its tax risk management and governance.
Stage 1: The entity has provided evidence to demonstrate that a tax control framework exists.
Stage 2: The entity has provided evidence to demonstrate that a tax control framework exists and has been designed effectively.
Stage 3: The entity has provided evidence to demonstrate that a tax control framework exists, has been designed effectively and is operating effectively in practice.

To reach Stage 3, the entity must be able to demonstrate that its tax control framework has not only been designed effectively but is also operating as intended. This stage can be evidenced by a periodic tax controls testing program as well as reports describing the outcomes of that testing. When considering eligibility for a Stage 3 rating, we look for evidence of an independent review that tests tax controls, for example by internal or external auditors that provide an independent level of assurance to the audit (and/or risk) committee and the board. Typically, internal or external audit reviews occur every 2-3 years.

The third-party data tax control framework is made up of the controls described in Sections 3.1 to 3.4, Section 4 and Appendix 1 of this Guide. The testing program will include these third-party data tax controls that meets the criteria for design effectiveness. For operating effectiveness, the periodic testing program will be performed by an independent reviewer. The ATO Guide has further information on Stage 3 and what is required for operational effectiveness.

We may assign a 'red flag' where the entity cannot provide evidence to demonstrate a tax control framework exists or if we have significant concerns with the entity's tax risk management and governance. These concerns may include the entity's approach to tax compliance, for example, where there are significant errors that the entity's tax control framework is not detecting.

2. Our approach to reviewing third-party data tax controls

Our approach to reviewing third-party data tax controls will adopt a similar approach to the ATO Guide which sets out our expectations and better practice examples, rather than prescriptive checklists.

In future assurance reviews of investment industry entities, it is our intention to include a review of tax controls relating to third-party data adopting this Guide and apply the existing ratings guide to these controls.

In undertaking our Justified Trust assurance reviews for income tax, we will rate third-party data tax controls separately from the seven controls in the ATO Guide that we focus on for income tax governance ratings. However, the ratings for third-party data tax controls will contribute towards the overall income tax governance rating.

The controls for third-party data are integral to the preparation of the entity's income tax reporting obligations and the information contained in these returns. These controls are important in assessing the entity's overall approach to income tax governance. An overall income tax governance rating which will consider an assessment of the controls for third-party data will be provided as part of an assurance review.

We acknowledge that tax risk management and governance over third-party data is a journey for investment industry entities. The establishment of a documented third-party data tax control framework, the implementation of controls, processes and procedures that are both designed effectively and, through independent testing, operating effectively and lived, is a staged process.

Not all entities will be at the same stage at the same time, and our engagements through the assurance programs will assess each entity based on the stage it can achieve at the time of the review and be based on objective evidence provided as part of the review. As part of the review, we will outline areas of focus that will assist an entity in progressing through the incremental stages of third-party data governance at a pace suited to its own facts and circumstances.

Principles-based approach

There are four principles that an entity needs to address to manage and mitigate the risk of inaccuracies in the third-party data that feed into the income tax reporting or distribution statements.

Principles-based approach

A principles-based approach recognises the differences in business structures, size and investment behaviours of entities within the investment industry.

Entities will apply the principles and determine appropriate controls to their own circumstances so that the approach is fit for purpose to provide them comfort on the data they are relying on.

An entity may employ compensating or alternate controls depending on its circumstances.

Each of the above principles is aligned to one of the Justified Trust controls.

The following table summarises the Justified Trust controls we consider when assessing an entity's tax governance framework against the ATO Guide and this Guide in our reviews:

Principle Tax Risk Management and Governance Review Guide ATO Supplementary Guide Governance over third-party data (this Guide)
1. Roles and responsibilities Formalised Tax Control Framework (Board-level Control BLC 1)
The board is appropriately informed (BLC 3)
Roles and responsibilities are clearly understood (Managerial-level Control MLC 1)
The board is appropriately informed (BLC 3)
Roles and responsibilities are clearly understood (MLC 1)
2. Tax policy in accordance with the law Documented control frameworks (MLC 6) Documented control frameworks (MLC 6)
3. Returns and tax outcomes properly reflected in tax reporting Significant transactions are identified (MLC 3)
Controls in place for data (MLC 4 - GST only)
Documented control frameworks (MLC 6)
Procedures to explain significant differences (MLC 7)
Significant transactions are identified (MLC 3)
Documented control frameworks (MLC 6)
4. Independent assurance Periodic internal control testing (BLC 4) Periodic internal control testing (BLC 4)

Better practice framework

A better practice framework is fit for purpose, adopts a risk-based assessment, and manages the specific tax risks that apply to an entity depending on its investment structure and profile.

This Guide is not intended to become form over substance, nor should users attempt to comply with every element. Tax risk controls should be fit for purpose and we encourage entities to adopt the better practice examples throughout this Guide that are applicable to their circumstances. The better practice examples that are relevant to an entity's circumstances will depend on its investment structure and profile.

This Guide provides the opportunity to contrast an entity's third-party data tax governance framework against our better practice examples. During a third-party data tax governance review, entities are encouraged to describe their compensating controls, to demonstrate how the entity manages tax risks if the framework does not align exactly with better practice examples, and to document why they might not be applicable to their circumstances. An 'if not, why not' approach is suggested.

We suggest an initial gap analysis be performed and then entities should look to leverage existing processes or identify compensating controls where relevant better practice examples are either not present or only partially present.

What is required for Stage 2 (design effectiveness)?

There is no legislative or administrative compulsion to adopt the better practices detailed in this Guide and a fit for purpose approach is acceptable.

Where applicable, the better practice examples outlined in this Guide provide examples of documented evidence of third-party data tax controls that we expect to see to provide a Stage 2 rating (designed effectively). We recognise that the better practice examples provided below may not exactly align with the actual controls in place for all entities, for example, those with a simple investment profile (for example, a passively managed Australian equities index fund). As with all internal controls, tax risk controls should be fit for purpose. We encourage entities to adopt the elements of our recommended better practices that are applicable to their circumstances

In addition, there may be an appropriate compensating control (that is, an alternative control that still satisfies the ATO principles) for the better practice examples provided.

What is required for Stage 3 (operational effectiveness)?

Once we've established that a third-party data tax control framework exists, we then look for objective evidence that the framework is designed effectively and is 'lived', operating effectively. To reach a Stage 3 rating, entities must be able to demonstrate that their tax control framework has not only been designed effectively but is also operating as intended. See Section 1.4 of this Guide and the ATO Guide for further information on Stage 3 and what is required for operational effectiveness.

This Guide does not provide detailed information on what is required for Stage 3 (operational effectiveness) as this is covered in the ATO Guide. The requirements (for example, independently tested and subject to auditing standards) and methods for testing for operational effectiveness (Stage 3) as outlined in the ATO Guide will also apply to testing third-party data tax controls.

Who should implement the tax controls?

This Guide outlines the better practice examples of third-party data tax controls but it does not prescribe how third-party data tax controls are implemented. That is, the entity may choose to implement third-party data tax controls itself (for example, through its in-house tax function), engage an external tax adviser or request the outsourced service provider to implement these tax controls which are included in the service level agreement with the entity. This is likely to be influenced by the size and investment behaviours of the entity, as well as how the relevant tax reporting of the entity is prepared and reviewed (for example, by the administrator, the in-house tax or finance team or the external tax agent).

Going forward

We recognise that tax governance is a journey and entities will be at various stages of this journey.

Our focus in rating an entity's third-party data tax controls will be on whether the entity is on the journey of improvement. That is, it has demonstrated that it has taken steps in establishing processes to manage and mitigate the risk of inaccuracies in third-party data that feed into the entity's income tax reporting obligations or distribution statements to unitholders.

The community recognises the importance of good governance especially within the investment industry. An entity with a robust tax risk management framework including over third-party data can demonstrate to members, investors and the community at large that it has a high degree of transparency and accountability.

These entities may choose to outline their approach to tax risk management through the adoption of the Voluntary Tax Transparency Code .

3. Practical guidance to self-review the entity's third-party data tax controls

Evidence

Our approach to reviewing governance as part of our Justified Trust methodology is evidence based. We look at the policies, procedures, testing and reports the entity has provided to demonstrate the existence, design and operation of the entity's tax control framework in place for managing tax risk.

This Guide clearly articulates our expectations in terms of the design effectiveness of the five fundamental controls relevant for the third-party data tax controls framework, which are:

Roles and responsibilities are clearly understood (MLC 1)
Documented control frameworks (MLC 6)
Significant transactions are identified (MLC 3)
The board is appropriately informed (BLC 3)
Periodic internal control testing (BLC 4)

Note: the types of objective evidence listed below as better practice examples are included as illustrative examples only. We recognise the exact documents will differ between entities.

The better practice examples outlined in this section provide examples of third-party data tax controls that we expect to see, with the entity to have documented evidence to obtain a Stage 2 rating for design effectiveness. However, this Guide adopts a principles-based approach where controls may be designed to suit an entity's circumstances to meet the four principles for third-party data tax controls.

It is recognised that these better practice examples may not exactly align with the actual controls in place for all entities, for example, those with a simple investment profile. Entities should adopt the elements of our recommended better practices that are applicable to their circumstances or investment profile. The entity should identify compensating controls where relevant better practice examples are either not present or only partially present.

Summary of the Guide

Summary of the guide

Where an entity chooses complex or significant investments or transactions (or not straight-through processing transactions) we expect the entity to have in place additional third-party data tax controls due to the increased tax risk.

We also have expectations for entities that rely on outsourced service providers such as custodians and administrators to capture, collate and present tax data that feeds into its tax and reporting obligations. For straight-through processing transactions (that is, vanilla debt and listed equity security transactions processed by a custodian), we consider that a high quality, appropriately scoped and tested independent assurance report such as a ASAE 3402/GS 007 report[2] may provide assurance over the control environment of the outsourced service provider, if the user entity adopts the better practice examples. By understanding and providing evidence of the independent assurance report and the testing of the control environment at the outsourced service provider, this may enable the user entity to have confidence that a robust control environment exists at the outsourced service provider. This will in turn provide confidence in the data integrity of the outsourced service provider's tax reporting to the user entity.

3.1 Roles and responsibilities of outsourced service providers are clearly understood (MLC 1, Design effectiveness, Stage 2)

3.1.1 Intent

Principle 1: The entity needs to understand the roles and responsibilities of outsourced service providers

To satisfy Principle 1 - roles and responsibilities of outsourced service providers are clearly understood - we expect clear accountability to reduce the risks associated with outsourcing. The roles and responsibilities of the entity and the outsourced service providers should be clearly defined and documented within the entity's tax control framework.

3.1.2 Core elements

Management of the entity needs to understand the relationship, the tax role and tax controls of the outsourced service providers (custodian and administrator) to manage and mitigate the risk of inaccuracies in third-party data. This should be documented in the entity's tax control framework policy.

3.1.3 What we look for

Better practice can be demonstrated by formal documents, policies or procedures for all outsourced service provider roles and responsibilities relating to tax compliance and risk management.

Better practice examples:

The entity can demonstrate better practice by:

entering into a service level agreement (SLA) with the outsourced service provider that governs the relationship, roles and responsibilities of each party to the agreement. The SLA should articulate the tax reporting deliverables.
documenting the relationship and the tax role of the outsourced service provider and the entity relating to tax compliance and risk management in the entity's tax risk management framework documents. For example, entities should ensure that this documentation demonstrates that they have processes to understand the outsourced service provider's internal tax controls around data collection and processing, including whether such controls are sufficient. A high quality, appropriately scoped and tested ASAE 3402/GS 007[3] or similar independent assurance report from the outsourced service provider may provide assurance over the control environment. See Section 4 of this Guide for further details.
documenting the entity's own tax controls over third-party data in their tax risk management framework documents.
referencing or linking the roles and responsibility matrix in the tax control framework policy (or RACI - Responsible, Accountable, Consulted, Informed) to the SLA.
using a flow chart or process maps to document how third-party data is obtained, reviewed and utilised by the entity in the preparation of its tax return lodgment or distribution statements.
reviewing the roles and responsibilities between the outsourced service provider and the entity on a regular basis to ensure both parties maintain a clear understanding of their roles as their ongoing relationship continues to evolve. This includes reviewing reports from outsourced service providers confirming compliance with the SLAs.
ensuring there is oversight by the entity of any changes to the IT systems and process improvement activities of the outsourced service provider. The entity's tax function will consider the impact of any changes to the systems or process improvements that provide data for tax reporting or tax calculations and request a review by an external tax adviser, where appropriate.
maintaining appropriate levels of periodic contact between the entity and tax contacts within the outsourced service provider.
reviewing and verifying the tax data received. The entity reviews the custodian tax reports against external information (such as information received from its investment managers). For example, the entity reconciles summary dividends and franking credit amounts included in its custodian tax reporting against information provided directly from investment managers as part of its annual income tax return preparation process. Sampling may be appropriate depending on the volume of tax data. As a compensating control, the entity may outsource its review and verification process of the custodian tax reports received to an external tax adviser. In this case, the external tax adviser will also be an outsourced service provider and some of the above controls would be expected to also apply to them (for example, a service agreement or letter of engagement).

Example 1 - Attribution managed investment trust (AMIT) and custodian

(for illustrative purposes only)

XYZ is an AMIT and holds investments in Australian equities. It has a custodian, ABC, that holds title to all assets held by the AMIT and provides tax reporting services to XYZ for its tax return and AMMA statements to unitholders.

XYZ has entered into an SLA with ABC that outlines the services that are offered and service level expectations such as the deliverable dates for tax reporting services.

XYZ has a tax risk management framework (TRMF) policy that includes a section on outsourcing arrangements. In addition, the roles and responsibilities matrix clearly outline the responsibilities of outsourced service providers including compliance with the SLA.

The TRMF also outlines the tax controls that XYZ has in place to review and verify the tax reports it receives from ABC (for example, the realised and unrealised capital gains tax reports). The review and verification process is outsourced to XYZ's external tax adviser with expectations outlined in the letter of engagement.

On an annual basis, XYZ will review the SLA to ensure that ABC has met the benchmarks for providing services as agreed in the SLA.

An annual meeting is held with ABC to update XYZ on any systems changes and process improvements that have been made and for XYZ to raise any issues of concern. Any major process improvements that impact the tax reporting is reported immediately. There is also regular communication between ABC and XYZ. Any issues that ABC becomes aware of that may impact tax reporting are communicated to XYZ on a timely basis.

In assessing the third-party data tax controls against the Supplementary ATO Guide for Governance over third-party data, the ATO will accept the following documented evidence to assess whether MLC1 is designed effectively (Stage 2):

a copy of the relevant extracts from the SLA (for example, tax services section and the execution page)
a copy of the TRMF which includes an outsourcing section outlining the responsibilities of the outsourced service providers. A Responsible, Accountable, Consulted, Informed (RACI) model for key tax obligations is included in the appendix outlining the material business activity and the responsible outsourced service provider including a cross reference to the SLA
a copy of the outsourcing framework document which outlines

-
the tax controls the entity has in place to verify the data in the ABC tax reporting - for example, it outsources a reconciliation process to its external tax adviser to ensure the summary tax data on capital gains, dividends and franking credits reported from investment managers matches the ABC tax reports
-
the annual review process to ensure service levels are met as set out in the SLA
-
annual meetings to ensure there is oversight of the custodian, and
-
regular communication between the custodian and the user entity.

a copy of the letter of engagement with the external tax adviser outlining the review and verification process.

3.2 Documented third-party data tax controls framework (MLC 6, Design effectiveness, Stage 2)

3.2.1 Intent

Principle 2: The entity needs to be satisfied that the tax policies of the outsourced service providers are prepared in accordance with the tax law and reflected in the tax reporting relied upon by the entity
Principle 3: The entity needs to be satisfied that the returns and tax outcomes of investments are properly reflected in reporting obligations

A documented third-party data tax controls framework will ensure that Principles 2 and 3 are satisfied. Both these principles will be met where there are processes in place to ensure the third-party data in the entity's tax reporting reflects the correct tax treatment in line with the custodian's or administrators tax policies.

This control provides the entity with the comfort that the risk of inaccuracies in third-party data that flows through to the reports used to complete the income tax return or distribution statements is managed and mitigated.

This procedure should not result in a review of every transaction which is impossible due to the high volume of transactions but rather a documented process and application of well-designed controls to manage and mitigate the risk of inaccuracies in the flow of information from the custodian or administrator's records into the reports provided to the entity.

3.2.2 Core elements

There is a documented internal tax control framework that specifically ensures the entity's compliance with tax law. This includes the complete and accurate flow of third-party information from the outsourced service provider to the tax return and distribution statements.

3.2.3 What we look for

The entity has a limited ability to oversee the activities at the outsourced service provider on a transaction-by-transaction basis.

To obtain comfort over the integrity of the third-party data provided in tax reporting from outsourced service providers, the entity requires assurance over the following:

1.
Tax policies are prepared in accordance with the tax law and reflected in the custodian or administrator's reporting.
2.
Returns and tax outcomes of investments are properly reflected in the tax reporting obligations.

1. Custodian's or administrator's tax policies prepared in accordance with tax law and reflected in the custodian's or administrator's reporting

To ensure accurate flow of information from the outsourced service providers records into the tax reporting provided, the entity needs to be satisfied that the tax policies of the outsourced service provider are prepared in accordance with the tax law. In addition, the outsourced service provider's tax policy is reflected in the tax outcomes in the tax reports.

It is recognised there may be system limitations and the tax policy will outline where default positions may apply due to these limitations.

Further, it is recognised that proxies may be used by a custodian as a way of applying the tax law. The use of proxies should be outlined in the tax policy.

Better practice examples for custodian's tax policy and reporting

Better practice examples of documented controls to ensure the custodian's tax policy is prepared in accordance with tax law include the following:

Where a new custodian is engaged there is a substantive review of the tax policy of a new custodian. Any differences with the current custodian's tax policy are identified and a mitigation strategy is developed to address these differences.
Tax Policy Annual Review - evidence that the entity reviews the outsourced service provider's tax policy at least annually and whenever there is an update due to new or changed legislation to ensure it is in accordance with Australian tax law. The entity should also ensure that the tax policy of the custodian is aligned to its own tax policy and there is a process in place where there are differences in views as outlined below.
The entity has processes in place when completing the custodian client questionnaire for fund set-up or asset on-boarding to ensure they understand the custodian's tax policy and its limitations (or default positions). The client questionnaire provides instructions from the user entity to the custodian on how to set up its fund portfolios or accounts, which would include all the attributes required to specify the accounting and tax treatment. These attributes may include items such as taxpayer type/sub-type, CGT v Revenue account, CGT parcel selection and Taxation of Financial Arrangements (TOFA) status.
The entity has a process in place to ensure client instructions accord with the tax law where there is an override (or exception) to a default position in the custodian's tax policy, for example, external advice or a private ruling is sought. In addition, the entity has a process in place to assess the assumptions/default position built into a custodian's tax policy or reporting to ensure they are appropriate to their circumstances and the right tax outcome is achieved. For example, custodians will generally assume that for the purpose of the 45-day rule testing that all shares are held at risk.
The entity understands the controls in place by the custodian to ensure the custodian's tax policy is reflected in the custodian's tax reports which the entity relies on to complete the fund income tax return or distribution statements (see Section 4 of this Guide).

Compensating controls could include the entity being provided with evidence (such as through the ASAE 3402 / GS 007 report) that the service provider's tax policy has been reviewed by an external tax adviser on an annual basis and there is confirmation by management that the tax policy is in accordance with Australian tax laws subject to the user entity not providing an override to any default positions in the policy.

The third-party data tax controls should be documented in the entity's tax control framework policy.

Better practice examples for administrator's tax policy and reporting

Where a new administrator is engaged there is a substantive review of the administrator's tax policy documents to ensure that they are in accordance with tax law.
The administrator should have a tax policy.
An example where the administrator's processes will impact the income tax reporting for a superannuation fund is the process for including deductible personal contributions as assessable contributions.
The process should document how Notices of Intention to Deduct personal contributions are processed, including how deductible personal contributions are identified and the cut-off date for when they are included in the relevant income year's tax return as assessable income.
The administrator's tax policy documents are reviewed by an external tax adviser on an annual basis.
The entity is informed of any changes to the administrator's business rules that impacts reporting that feeds into the entity's tax reporting obligations.

2. Returns and tax outcomes of investments are properly reflected in the tax reporting obligations

The entity needs to be satisfied that the returns and tax outcomes of investments are properly reflected in the reporting obligations. We expect entities to understand the tax consequences of the underlying investment and not just rely on the custodian tax reports.

The custodian tax reports will flow into the income tax reporting and distribution statements. Therefore, the integrity of the third-party data that is received and processed by the custodian and included in the custodian tax reports is critical to managing and mitigating the risk of inaccuracies in the income tax return and distribution statements to unitholders.

An entity will obtain confidence in the custodian's tax reports for straight-through processing transactions where it is satisfied with the design and operating effectiveness of the internal tax control environment at the custodian. This requires the entity to have a good understanding of the scope of the tax controls covered in the testing plan and the testing methods undertaken by an independent party to provide assurance that the controls are operating effectively. This is covered in further detail at Section 4 of this Guide.

Better practice examples of documented controls

Evidence of how third-party data is obtained and used in preparation of the entity's income tax return. For example, a flowchart demonstrating the sources of data, how outsourced service providers receive and process data and how data is received by the entity to complete the income tax return or distribution statements.
The entity's tax function or external tax adviser undertakes a comprehensive review of the custodian tax reporting, including the following processes

-
the use of data analytics to identify exceptions to be investigated further. These exceptions could be subject to sample testing, tracing from source documents to confirm the tax treatment. See Section 5 of this Guide for procedures that could be applied.
-
a review of the following custodian reports to ensure they appear reasonable

Capital gains tax report
Income and Expense report
45-Day Rule report

Controls are in place to integrate the data obtained to prepare or translate it for their reporting obligations. For example, where investment tax adjustments are made to the monthly custodian tax reports, there is a documented process for making the adjustments and obtaining appropriate sign-off.
Procedures exist to explain significant differences between the different reporting requirements (for example, reconciliation process for AMMA statements and AIIR data and reconciliation process for book to tax differences).
Rectification processes exist where errors are identified. Where an entity has identified an error, this provides an opportunity to review processes and implement controls to ensure it does not happen again.

Tax controls for complex foreign investments

The proper characterisation and quantification of tax outcomes on foreign investments is one of the key challenges for entities in obtaining assurance over third-party data received. This can be influenced by several factors, including:

complexity of international structures and uncertainty over their characterisation for Australian tax purposes
difficulty in accessing information from foreign sources, due to holding a minority interest or differences in accounting periods
inherent differences between Australian and international tax laws.

We expect that entities that invest offshore should have tax controls for classifying the investment vehicles and establishing the tax treatment for entry, holding and exit of the different structures for foreign investments. This will provide them with a high level of confidence that the tax outcomes reported are consistent with the underlying economic substance of the transactions of their foreign investments. Where an external custodian provides tax reporting on these foreign investments, the entity needs to understand the tax controls that the custodian has in place to review the information provided by the offshore investment manager.

In addition to the tax controls outlined in Section 3.3 of this Guide, better practice examples of documented tax controls for outbound Australian investors are outlined as follows.

Better practice examples for offshore investments

Corporate limited partnerships (CLPs), foreign hybrid limited partnerships, controlled foreign companies and foreign trusts that are significant or complex investments or transactions (see Section 3.3.3 of this Guide)

The entity should have in place a checklist to determine the classification of the investment vehicle, including

-
obtain tax advice (including external) documenting the characterisation of foreign entities for Australian tax purposes (that is, company, trust, general partnership or corporate limited liability partnership (CLLP)). For entities with an in-house tax team, external tax advice should be sought as required under the entity's TRMF. For lower risk investments (as outlined in the TRMF), tax advice may be prepared internally by an in-house tax team
-
if the investment entity is classified as a CLLP or Limited Liability Company (LLC), document whether it is a foreign hybrid or election to be made as a foreign hybrid for Australian tax purposes
-
based on the classification of the entity, document the nature of returns arising from such investment (that is, dividends or deemed dividends, interest, other income)
-
as outlined in Section 3.3.3 of this Guide, the setup of the investment (including both in-house and/or custodian) needs to properly reflect the underlying characterisation of the entity and the nature of the expected return
-
for each investment, the in-house tax team should have processes and controls with the in-house reporting or custodian (process team), to ensure that the processing team understands the information provided by any expected statements or notices from the relevant investment entity and have proper processes to capture and map such information into the relevant system.

The tax function of the entity or the external tax adviser should document the process around gathering and analysing the relevant tax information and include the accountable parties and controls identified to align and operationalise the Australian tax impact on a day-to-day basis for foreign investments.
The entity should have a tax policy for CLPs to ensure that distributions paid or credited from CLPs are treated appropriately for Australian income tax purposes. The tax policy should ensure that the tax characterisation of these distributions matches the economic substance of the underlying transactions giving rise to the distributions. The tax policy should also detail the entity's annual process for reviewing the tax characterisation of distributions.
The tax due diligence processes outlined in Section 3.3.3 of this Guide should ensure adequate information can be, and is, obtained over the investment term in respect of the CLPs which is required to determine the tax characterisation of distributions from CLPs.
The tax policy should outline the roles and responsibilities of the various parties for CLP investments.
Appendix 1 of this Guide outlines a better practice example of an annual process for reviewing distributions from CLPs and a risk-based assessment to identify distributions for annual review.
The entity should have a tax policy providing an outline of the taxation rules that are applicable to foreign hybrid limited partnerships (FHLP). The policy also provides practical guidance regarding the application of the rules to assist the in-house tax team to calculate the net income of a partnership for Australian tax purposes. As the data provided is usually prepared for foreign tax purposes, greater care is required in translating the data and applying Australian tax laws.
There should be ongoing monitoring of Controlled Foreign Company (CFC) or FHLP status of offshore investment vehicles.
If the entity invests via an interposed foreign trust, the entity should have in place processes to ensure that the guidance in Taxation Determination TD 2017/23 Income tax: does the residency assumption in subsection 95(1) of the Income Tax Assessment Act 1936 (ITAA 1936) apply for the purpose of section 855-10 of the Income Tax Assessment Act 1997 (ITAA 1997), which disregards certain capital gains of a trust which is a foreign trust for CGT purposes? and Taxation Determination TD 2017/24 Income tax: where an amount included in a beneficiary's assessable income under subsection 99B(1) of the Income Tax Assessment Act 1936 (ITAA 1936) had its origins in a capital gain from non-taxable Australian property of a foreign trust, can the beneficiary offset capital losses or a carry-forward net capital loss ('capital loss offset') or access the CGT discount in relation to the amount? is being applied.

Example 2 - Ongoing monitoring of CFC status by an AMIT that holds an interest in a foreign limited partnership

(for illustrative purposes only)

An AMIT holds a 30% interest in a foreign limited partnership which is characterised as a CLP for Australian tax purposes in prior income years.

During the year, one of the other non-resident partners redeemed its interest in the foreign limited partnership.

As the AMIT holds at least 10% in the foreign limited partnership, it has in place processes for the ongoing monitoring of CFC status of the CLP for the purpose of the assumed controller test (if a single Australian entity owns or is entitled to acquire, an associate inclusive control interest of at least 40%). The monitoring of the CFC status is required each income year as this will establish whether the foreign limited partnership should be characterised as a foreign hybrid limited partnership (FHLP) or continue to be treated as a CLP.

The AMIT has included a requirement in its Side Letter Agreement with the investment manager for reporting and confirmation of its interests in the foreign limited partnership.

In addition, each year the AMIT sends a questionnaire to the investment manager to confirm that its interests in the foreign limited partnership have not exceeded the thresholds that would result in the investment being considered a CFC.

As a result of the questionnaire the AMIT becomes aware that its interest has increased to 40% due to the redemption of a non-resident partner's interest in the foreign limited partnership. Accordingly, the foreign limited partnership will be characterised as a FHLP in relation to the income year.

In assessing the third-party data tax controls against the Supplementary ATO Guide for Governance over third-party data, the ATO will accept the following documented evidence to assess whether MLC6 is designed effectively:

a procedure manual or process map
a copy of the Side Letter Agreement
a copy of the questionnaire
policy documents detailing the process for and the documented outcome of ongoing monitoring of CFC status.

Better practice examples for foreign income tax offsets (FITO)

Processes which would include making reasonable enquiry into the information provided by foreign investment managers. This includes understanding the amount of FITO that can be recognised. For example, FITO amounts are reduced where they relate to capital gains offset by capital losses or subject to the CGT discount. AMITs, MITs and unit trusts should have processes in place to ensure unitholders are provided with sufficient information on foreign capital gains so that they can report the correct FITO amount (for example, FITO that relates to foreign capital gain assessable in Australia). See ATO ID 2010/175 .
Processes and tax policy approach for preparing the superannuation fund's FITO entitlement limit calculation. For example, processes to ensure there is no FITO entitlement for foreign tax paid that relates to exempt current pension income.
Processes to consider the impact of double tax treaty agreements and whether a lower withholding tax rate is available. Data analytics may also be useful in identifying where there are outliers regarding the foreign withholding tax rate applied. See Section 5 of this Guide. The superannuation fund or unitholders of the MIT/AMIT/unit trust are not able to claim a FITO for foreign tax withheld in excess of the applicable double tax treaty rate.
Processes in place to assess and compare the effective tax rates of different foreign investment structures across the jurisdictions that the entity holds in the portfolio. This provides a practical way of identifying key anomalies or variances between the expected effective tax rate and a resulting effective tax rate that can be supported and the reasons understood by a documented position.

3.3 Significant transactions are identified (MLC 3, Design effectiveness, Stage 2)

3.3.1 Intent

Principle 3: The entity needs to be satisfied that the returns and tax outcomes of investments are properly reflected in reporting obligations

In
the context of third-party data tax controls, the focus of this managerial-level control (MLC3) is on the entity identifying investments or transactions where there is uncertainty that the returns and tax outcomes are properly reflected in the tax reporting obligations. Entities rely on tax information provided directly from investment managers or to the custodian and included in the custodian's tax reports.
From a custodian perspective, investments or transactions that are not subject to straight-through processing are likely to require manual processing, review and controls that may justify additional controls in the entity's third-party data tax control framework to mitigate any uncertainty in the returns and tax outcomes reported in the custodian tax reports.[4] For example, there may be limitations in the systems that result in uncertainty that the returns and tax outcomes are properly reflected in the custodian tax reports (for example, 45-day reporting where shares are not held at risk or process limitations for foreign limited partnerships). The concept of straight-through processing is covered further in Section 4 of this Guide.
Where this applies, we expect the entity to have additional tax controls in place for these transactions not subject to straight-through processing by a custodian due to the complexity in applying the tax law to determine the correct tax outcome.
There are four stages where we expect to see controls for these complex or significant investments or transactions:

on-boarding of the entity - to ensure the entity level tax settings are established correctly
on-boarding of the investment
ongoing monitoring
dissolution of the investment.

Entities should be mindful of the need for adequate controls required when entering into investments or transactions not subject to straight-through processing. An example of such investments includes investments in foreign limited partnerships. We consider that entities should factor these additional tax controls into their decision-making process when choosing investments not subject to straight-through processing.

See Section 3.3.3 of this Guide for factors that indicate when we would consider an investment or transaction to be 'complex' or 'significant'. Entities have a responsibility to ensure that the correct tax outcome for these investments is reported in their income tax return or distribution statements.

3.3.2 Core elements

Transactions or arrangements with a significant tax impact are systematically identified, categorised and reported on.

Tax due diligence processes and checklists will form the basis of the evidence of controls for new investments pre-transaction.

Post-transaction controls to manage the tax outcomes of existing investments or transactions include evidence of questionnaires, data analytics and sample testing of custodian data on investments and a register of significant and complex investments or transactions.

3.3.3 What we look for

To ensure tax outcomes are properly reflected in the reporting obligations, the entity needs to have documented evidence to demonstrate it has a robust system in place to appropriately identify and manage tax risks of new and existing significant or complex investments or transactions. This includes internal controls for on boarding of new investments (including through a successor fund transfer) and post-transaction controls to manage the tax outcomes of existing investments. These controls will provide comfort to the entity that the tax outcomes of new and existing investments are properly reflected in its reporting obligations.

Factors that indicate an investment or transaction is 'significant' or 'complex'

Tax controls should differ based on the complexity of each investment or transaction. Entities should ensure that their tax risk management framework clearly defines the criteria as to how the complexity of each investment will be assessed, as well as the processes and procedures for investments of varying complexity. In addition, it will outline the criteria for identifying what is a significant transaction. In line with the ATO Guide, an entity's tax risk management framework will outline its enterprise-wide risk thresholds or specific tax thresholds for signification transactions.

Some of the factors that may indicate an investment or transaction is likely to be significant or complex include:

the size of the investment
investments or transactions where there are limitations in the custodian's tax reporting (for example, limitations in some custodian software systems for off-market share buybacks or TOFA elections) or where the entity overrides the default positions in the custodian's tax policy
investments where external advice is required in line with the entity's tax risk management framework (for example, application of the law or facts in areas that are uncertain or lack precedent)
investments involving complex tax structures, including where there are a number of steps to a transaction making it more complex, whether or not it results in a preferential tax outcome
new investment requiring a new special purpose vehicle (SPV) to be established
non-portfolio investments (entity acquires or disposes of a greater than 10% stake in an investment entity)
other unlisted investments (not captured above) in foreign entities that are treated as fiscally transparent under foreign tax laws
infrastructure acquisitions and disposals
investment transactions that adopt various legal structures across a number of jurisdictions
investments into or dealings with new or low tax jurisdictions or asset classes which the entity is unfamiliar with
new or significant corporate actions (for example, demergers and share buy-backs) with a large and material after-tax outcome
successor fund transfers
changes to third-party service providers that involve a migration of data.

Better practice examples for onboarding of the complex or significant investment

Tax due diligence process to confirm the foreign and Australian tax issues for investments identified as significant or complex transactions. A report is prepared to document any tax risks identified by the tax function and how those risks will be managed. Where the tax function does not have the resources, an external tax adviser could be engaged for this process.

-
A tax checklist signed off by the Head of the Tax or Investment Tax function (or suitably qualified staff with appropriate tax experience) or an external tax adviser that ensures all relevant tax risks have been considered, and correct classification of the investment vehicle and investment returns. This will enable tax risks to be identified and mitigation procedures documented.
-
As part of the tax due diligence process for offshore limited partnership investments, the in-house tax team or external tax adviser should ensure there are provisions in the Side Letters of Limited Partnership Agreements. These should require the general partner to provide adequate information to determine the tax characterisation of distributions. See Appendix 1 of this Guide for an example of processes for corporate limited partnership (CLP) investments. This may also include information required to prepare controlled foreign company (CFC) or foreign hybrid limited partnership (FHLP) calculations (if required).

Controls to check the accuracy of new investment setups in the custodian's systems.

-
New investment portfolio setup forms are reviewed for accuracy before the entity supplies the custodian with a formal setup up instruction. There is a review program in place that portfolio setups are in line with instructions.
-
Senior staff in the entity's tax function (or an external tax adviser) should review and authorise the classification of new investments (particularly for alternative investments, for example offshore private equity investments) for tax reporting purposes.

Controls for investment tax due diligence for complex foreign investments where there is a successor fund transfer.

-
For example, where the transferring fund held CLP investments that will be transferred to the successor fund, we would expect that as part of the merger the successor fund would apply the following better practice examples

Side Letter Request Process applied to transferred CLP investments (see Appendix 1 of this Guide). We would expect the internal tax function or external tax adviser to review the Side Letters being novated to the successor fund to confirm that the general partner of each CLP has agreed to provide adequate information to the successor fund which is required to determine the tax characterisation of distributions from the CLPs. We expect reasonable attempts to include requests in the Side Letter to be made, with documented communications between the entity and the general partner. However, we recognise that in practice, an SFT provides a general partner (investment manager) with little incentive to change clauses particularly if they expect that they may not be a continuing manager following an SFT.
A review of the transferred CLP investments to ensure that the tax cost base register is consistent with the CLP tax cost bases prior to the merger.

Better practice examples post-transaction (ongoing monitoring of the complex or significant investments or transactions)

Annual confirmation questionnaires are sent by the limited partner (investor) or the superannuation fund or insurer investor (on behalf of a wholly owned AMIT/MIT/unit trust) in respect of each foreign investment to obtain confirmations on various matters. These may include

-
international tax developments that may impact the entity's investments
-
information requests for CFC and FHLP calculations required including confirmations on Australian ownership percentages (together with the entity's ownership interest) and characterisation of distributions received by the entity throughout the income year, and
-
compliance with any new tax alerts or other public guidance released by the ATO in the prior year.

Data analytics and sample testing of custodian tax data on investments/transactions to provide the entity with comfort that they can rely on the information received. The entity may engage an external tax adviser to conduct data analytics or sample testing to verify this data (for example, sample testing of significant corporate actions such as off-market share buybacks). See Section 5 of this Guide for further information on data analytics and sample testing.
Ongoing monitoring of investments or transactions that are complex or significant as defined in the entity's tax governance framework. A significant transactions register to be maintained by the entity for all investments that meet the criteria of a 'complex or significant investment or transaction'.

Better practice examples on dissolution of the complex or significant investments or transactions

For a dissolution, a set procedure is followed to check that the Fund's instructions are implemented correctly by the custodian, and a post closure review is conducted to ensure the custodian processing has occurred as instructed and that operations have ceased.
The entity should have a process in place to ensure that the tax treatment adopted on disposal or dissolution of the significant investment is consistent with the initial advice (assuming there is no change in law).

Example 3 - Tax due diligence process and tax checklist for significant new investment

(for illustrative purposes only)

In accordance with ABC's Tax Risk Management Framework, all new investments are subject to Head of Tax sign-off before they are finalised. As part of this process, the ABC in-house tax team provides a tax due diligence report which sets out the appropriate tax treatment of investments, including the manner in which investment vehicles should be characterised for tax purposes and the appropriate tax treatment of investment returns (if any).

The investment is a new overseas private equity investment. A tax due diligence review is required as the new investment is considered a 'significant investment'.

A tax due diligence checklist must be completed in accordance with ABC's tax risk management framework as part of the tax due diligence review of a new overseas private equity fund. The purpose of the checklist is to identify if there are any material tax risks and the nature and characteristics of any income/disposal from an Australian and foreign tax perspective.

The in-house tax team applies the analysis of the report as part of its day-to-day operations. Where relevant, these procedures also involve verification procedures against the custodian's tax reporting.

In assessing the third-party data tax controls against the Supplementary ATO Guide for Governance over third-party data, the ATO will accept the following documented evidence to assess whether MLC3 is designed effectively

a copy of the tax due diligence report
a copy of the tax due diligence checklist
the documented process and outcome to check the accuracy of new investment setup in the custodian's systems.

Better practice examples for a migration of data due to a change in outsourced service provider

When an entity transitions to a new administrator or custodian, issues relating to data integrity may arise during the transfer process, or data errors may be identified. Therefore, we would expect that documented controls and processes are put in place in the planning, testing and migration of data from one administrator or custodian to another that considers these issues.
A review to identify any differences in tax policies between the two service providers should be undertaken. This will include processes to identify where there are limitations in the tax reporting which should be outlined in the tax policy, client instructions questionnaire or communicated to the user entity by the service provider.

Better practice examples for a successor fund transfer

We expect the entity to perform a due diligence process prior to the change including the better practice examples for onboarding of new complex or significant investments or transactions. The entity would be expected to establish a project to identify any issues with the transition process.
Where the entity chooses to apply Division 310 of the ITAA 1997 CGT and losses rollover relief, we expect the entity to have processes in place to determine whether it has satisfied the conditions to qualify for the relief.
Where there is a change in custodian, we would expect

-
the entity to undertake a custodian review to identify any difference in tax policies between the two service providers
-
the entity and the custodian to develop a data migration strategy along with test plans to reconcile the pre and post load balances. At the end of each test, cycle results to be reviewed jointly with the entity to identify the variances and resolve as required
-
that subsequent to the data migration or go-live, the in-house tax team or an external tax adviser also conducts assurance on the data migration.

Where there is a change in administrator, we would expect the entity to undertake a review of the administrator's tax policy documents to identify any differences in procedures that have a tax impact.

3.4 The board is appropriately informed (BLC3, Design effectiveness, Stage 2)

3.4.1 Intent

Principle 1: The entity needs to understand the roles and responsibilities of outsourced service providers

The board (or the relevant sub-committee) or the trustee has been briefed by management on tax risk matters and the effectiveness of its tax control framework in relation to third-party data.

The board or trustee plays a critical role and is ultimately responsible even where activities of the entity are outsourced. In line with Principle 1, it is important that the board understands its role and ensures there are processes in place so that it is appropriately informed of the risks of outsourcing including tax risks.

A reference to the board also includes a reference to the authorised board level sub-committee, for example, an audit committee.

3.4.2 Core elements

The core elements of BLC 3 include:

who informs the board
what matters the board is informed on
how the board is informed, and
when the board is informed.

3.4.3 What we look for

The entity should have in a place a policy, procedure or manual that addresses the above core elements in line with the ATO Guide for BLC3.

In relation to the matters the board is informed on, we would expect tax risk matters and the effectiveness of the control framework in relation to third-party data would also be included.

Better practice examples:

The performance of significant outsourced providers (administrators and custodians), including whether there have been any breaches of the SLAs (for example in relation to timeliness or quality of data provided) should be reported to the board on an annual basis. Where there have been breaches, the board should be briefed on how the breach was rectified and what controls have been put in place to prevent such a breach from occurring again. The entity should also seek confirmation on how effective such controls are expected to be to avoid the breach from occurring again. This could include an explanation from the outsourced service provider as to how it determined the effectiveness of any new control implemented.
The position in relation to tax risks associated with third-party data (for example, overseas investment tax data, limitations in third-party reporting).

Example 4 - The board is appropriately informed

(for illustrative purposes only)

The AMIT's tax risk management framework policy includes a section on significant outsourced providers (custodians and administrators) which notes that management is required to monitor and report to the board on the performance of the service providers against its service agreements and contracts on an annual basis.

The Outsourcing Framework outlines the responsibilities of the significant outsourced service providers. This process is provided to the outsourced service provider that has a responsibility to notify the AMIT where there has been a breach of the SLA or contract.

At the quarterly meeting with the custodian, it is raised that there has been a breach of the SLA or contract as there has been an error in its tax reporting to the fund. Management is required to brief the board outlining how the breach was rectified and what controls have been put in place to ensure it does not happen again.

In assessing the third-party data tax controls against the Supplementary ATO Guide Governance over third-party data, the ATO will accept the tax risk management framework policy document that evidences the process for monitoring and reporting to the board on the performance of significant outsourced service providers.

3.5 Periodic controls testing program (BLC4, Design effectiveness, Stage 2)

We recommend that the testing program include the entity's third-party data tax controls that meet the criteria for design effectiveness as part of BLC4. For operating effectiveness, we recommend the periodic testing program be performed by an independent reviewer.

A well-designed testing program which covers third-party data tax controls will help ensure that once the testing is complete, the test results will provide the entity's tax function with evidence that the third-party data tax controls are operating (as designed) in practice and are 'lived' (operationally effective).

These test results will help the entity to identify and address any deficiencies in the operation of the third-party data tax controls which may be the cause of the misapplication of the income tax law and potential reporting errors.

3.5.1 Intent

As part of its oversight role, the board (or audit committee) must obtain assurance that the internal control framework it has endorsed is operating effectively. The design of the testing program helps determine whether the review is robust enough to provide a reasonable level of assurance that the tax control framework including third-party data tax controls are operating effectively. The testing program must include testing of third-party data tax controls for operating effectiveness. The design effectiveness of BLC 4 is a pre-requisite for being eligible to reach the highest rating for governance across all controls (that is, Stage 3).

Independent assurance of the third-party data tax control framework

Periodic internal control testing is conducted to assure the board (or audit committee) that the internal third-party data tax control framework is robust enough to effectively manage income tax compliance risk.

The third-party data tax control framework is made up of the controls described in this section and in Section 4 of this Guide. The relevance of the controls to the entity will depend on the investment profile of the entity. Where relevant, these controls are what we expect to see for an entity to achieve a Stage 2 rating unless compensating controls apply. We expect these controls to be included in the scope of the internal tax controls testing plan for the entity (if the third-party data tax controls are owned by entity's tax function) and conducted by an independent party (for example, internal or external audit or an independent third party) in line with the auditing standards. Typically, internal or external audit reviews occur every two to three years.

3.5.2 Core elements

A periodic testing program that covers the following elements.

Scope of controls tested, and taxes covered

For the ATO to rely on testing, the test scope must include the testing of the following income tax controls:

the board (or audit committee) is appropriately informed (BLC 3)
roles and responsibilities of outsourced service providers are clearly understood (MLC 1)
significant transactions are identified (MLC 3)
documented third-party data tax control framework (MLC 6).

These third-party data tax controls are described in detail in this section and in Section 4 of this Guide.

The test scope should be set out in a plan put together by the independent reviewer which has been signed off describing:

taxes to be reviewed
tax controls to be reviewed
control owners
frequency.

In terms of frequency of testing, this should be periodic, that is, not once-off testing, but rather, ongoing testing, with the frequency determined by an appropriately skilled person, for example an internal or external auditor.

Who is conducting the testing - independent reviewer

For us to place reliance on the entity's testing program, it needs to be conducted by an independent tester. This means someone with a suitable degree of independence and skill. The most common scenario is the internal audit function conducting independent testing; as they have the skills and requisite level of independence, because they are not tax control owners.

Testing of certain third-party data tax controls by the tax function could qualify as independent testing if the tax function is not the owner of those controls.

Testing methodology

We acknowledge that the testing methodology and frequency of testing will vary depending on the type of controls. We require sufficiently detailed evidence of the testing methodology including any sampling methods applied, to assess the adequacy of the work performed and place reliance on the testing. We note these various testing methodologies in order of preference as follows:

1.
re-performance
2.
examination or inspection
3.
observation.

3.5.3 What we look for

The tax controls adopted will depend on the investment profile of the entity. To meet the requirements for BLC 4 Periodic internal control testing, we expect:

policies or procedures documenting the tax controls testing program (including third-party data tax controls), that is, operational effectiveness testing.
an extract from the actual test plan for the next three years or past three years setting out the above information (see Section 3.5.2 of this Guide), plus

-
proposed or actual commencement date for testing within the next three years or past three years
-
controls tested align with the third-party data tax controls forming our areas of focus on a rotation basis
-
evidence that the test plan is finalised and approved
-
agreed dates and deliverables
-
reporting process for test results (that is, that the test results are tabled with the board or their delegated authority).

4. Independent assurance of the control environment at the outsourced service provider

Principle 4: The entity needs to seek assurance from independent parties in relation to the accuracy of the data received and processed by outsourced service providers.

The purpose of Principle 4 is to ensure that the entity understands the scope of the independent assurance reports on the control environment at the outsourced service provider and identifies if there are any gaps in these reports. The key outsourced service providers that receive and process data and provide reports to user entities that flow into their income tax reporting or distribution statements reporting include:

custodians
administrators.

As noted in Section 3.2 of this Guide, most of the custodian's business is straight-through processing (that is, vanilla transactions for equity and debt securities).[5] For straight-through processing, there is no manual intervention (other than client instructions for fund or asset set-up) and the user entity does not need to modify or adjust the data. This presents less risk around the integrity of the data. Likewise, with superannuation fund administrators, processing of assessable employer contributions could be considered straight-through processing and assessable personal contributions not straight-through processing.

For the straight-through processing at the custodian or administrator, it is generally expected that a high quality and appropriately tested independent assurance report (such as an ASAE 3402/GS 007) could provide an entity with assurance over the control environment at the custodian or administrator and confidence in the tax reporting it provides.[6] We expect the ASAE 3402/GS 007 report to include the taxation control objectives referred to in Guidance Statement GS 007. A report that does not include taxation control objectives in the scope of the report will not be designed effectively. To be satisfied there is data integrity in the underlying systems, an entity will need to understand these independent assurance reports and have documented evidence that it includes in scope the controls that impact on tax reporting, the nature, timing and extent of the testing process and the outcomes of the testing process undertaken by the independent assurer. This evidence will be required to achieve Stage 3 or operational effectiveness across the straight-through processed third-party data.

The investment profile of the user entity will impact the extent to which the investment transactions of the entity are subject to straight-through processing or not.

For third-party tax data, that is not derived from straight-through processing, the entity will need to assess the level of automation used to generate that data, the outsourced service provider controls in place to ensure the completeness and accuracy of that data and the inclusion and effectiveness of those controls in the independence assurance reports. There may be limitations to the custodian's systems which should be clearly outlined in their tax policy. To the extent that there are any weaknesses in the controls at the outsourced service provider identified, we expect entities to have additional third-party data tax controls to manage and mitigate the risk of inaccuracies in the reporting obligations of the entity (income tax returns and distribution statements). These additional third-party data tax controls are covered in Sections 3.2 and 3.3 of this Guide and the process of independent periodic control testing to achieve operational effectiveness of these controls is outlined in Section 3.5 of this Guide.

Example 5 - independent assurance report on control environment at the custodian

(for illustrative purposes only)

An AMIT invests 50% in a passively managed Australian equities index fund that tracks the ASX 200 index and 50% in CLPs.

The AMIT would need to consider the independent assurance report on the control environment at the custodian (for example, ASAE 3402/GS 007 report) to obtain assurance over the 50% invested in the passively managed Australian equities index fund that tracks the ASX 200 index. The AMIT would require evidence as outlined in this section that the independent assurance report on the control environment at the custodian has been independently verified to be designed and operating effectively.

However, additional tax controls as outlined in Sections 3.2, 3.3 and Appendix 1 of this Guide would be required for the 50% invested in CLPs due to the increased tax risk that the characterisation of the income may not reflect the underlying economic substance of the transactions. As the custodian's controls do not include CLP processes, it is expected that additional tax controls would need to be undertaken by the entity as described in Appendix 1. These additional tax controls would need to be designed effectively as outlined in Sections 3.2 and 3.3, and Appendix 1 and independently verified to be operating effectively by internal or external audit of the fund in line with the internal testing plan requirements (see Section 3.5 of this Guide).

Expectations of user entities in understanding independent assurance reports

Where the entity obtains an independent assurance report (for example, ASAE 3402/GS 007 report) that provides independent assurance of the control environment at the outsourced service provider for tax reporting services, the following applies:

The entity must understand the scope of the controls for tax reporting services included in the testing plan, the testing methodology and review the findings of these reports. The testing methodology should be consistent with the ATO Guide . In particular

-
the testing plan should describe the method of testing, methodologies for sample population selection, sample size selection, frequency of testing, areas and personnel responsible for controls
-
provide the outcomes of testing undertaken including subsequent actions undertaken.

The entity is required to report the findings and any exceptions to the board (or audit committee). Where any exceptions are identified a rectification strategy to address the deficiencies needs to be developed.
Where the entity identifies gaps in the independent assurance report for controls for tax reporting services, these gaps should be raised with the outsourced service provider. Alternatively, the entity may implement its own controls to provide comfort over these gaps.
The entity should review the custodian's or administrator's tax policy on an annual basis to ensure it is appropriate and aligns with the tax law. Where there are default positions built into custodian's or administrator's tax policy or reporting the entity needs to assess these default positions to ensure they are appropriate to their circumstances and the right tax outcome is achieved. See the better practice examples in Section 3.2.3 of this Guide.

Control environment at the custodian for tax reporting

The third-party data tax control framework at the custodian includes a set of controls applicable to the tax attributes of the user entity and its investment profile. For efficiency and integrity purposes, custodians will process transactions in their investment accounting systems once for multiple purposes, including portfolio valuations, financial reporting and tax reporting. Many of the standard processes and controls implemented by the custodian to ensure completeness and accuracy of valuations and financial reports also provide assurance over the integrity of tax reports.

We expect the internal control environment of the custodian that is subject to independent assurance reviews to include the following:

Controls for the exchange of data - controls should be in place across the data transport process to ensure that in any exchange of data between participants, the signed-off data being sent is identical to the data being received by the various participants.
Controls over input investment data - the custodian implements effective controls over the underlying investment source data used in tax reports provided to the tax reporting entity to ensure accuracy and completeness in processing such data. Documented controls include

-
simple data validation rules - exception checks and review processes over reasonableness of source data (for example, percentages of foreign withholding tax payments or franking credits relative to source income is within tolerance limits)
-
processes in place to ensure that any changes to tax reporting systems are subject to change management controls and are reflected in updates to the custodian's tax policy
-
processes in place to ensure that client instructions (including for overrides or exceptions) are processed consistently and correctly on an ongoing basis. A key control over the client instructions processes for fund set-up, asset set-up and any annual updates is the maker and checker controls (or four eyes controls) and client sign-off[7]
-
processes to ensure the correct tax attributes are applied on fund set-up or asset on-boarding, asset purchase, asset sale, income entitlements and corporate actions
-
regular monitoring of tax regulatory changes to assess if system or tax policy changes are required
-
change management processes or controls over any changes to systems or tax policy to ensure correct tax attributes of any relevant change. Where system changes are required, there should be processes to build and test (including user acceptance testing sign-off) before live client data is uploaded to the system. The IT controls in the independent assurance reports are critical to these processes
-
controls in place to mitigate risks associated with any other manual interventions that are part of the entire investment lifecycle and reporting
-
controls in place around issue identification, escalation and remediation. There needs to be prompt communication to user entities when issues are identified together with actions taken to rectify the issues and prevent recurrence.

Better practice examples of documented controls at the user entity

To obtain confidence in the control environment at the outsourced service provider, we recommend the user entity implement the following documented third-party data tax controls:

There is oversight of the internal control environment at the outsourced service provider through regular meetings (quarterly) to discuss system changes that may impact tax reporting. In addition, where the outsourced service provider becomes aware of limitations in their systems that will impact on its tax reporting (that are unable to be rectified immediately), this is communicated to the affected user entities.
The entity needs to ensure there is a robust secure mechanism for receipt of the investment or contributions data for tax reporting obligations.
The entity should be able to interrogate the investment or contributions data to satisfy themselves around its accuracy and completeness.
There are processes in place to ensure there is an audit trail where adjustments are made to the investment or contributions data by the user entity that will impact tax reporting.
An annual custodian or administrator tax governance questionnaire could assist the entity to make an assessment as to whether the custodian or administrator has identified and addressed relevant changes to systems and reporting and its implementation is in line with the entity's understanding. The questionnaire could cover the following broad areas and its potential impact on the custodian or administrator's tax reporting

-
new tax legislation introduced that will result in system or report changes
-
new double taxation agreements that result in changes to reporting for foreign income tax offsets (custodians only)
-
proposed tax legislation that will result in system or report changes
-
industry updates that will result in system or report changes
-
complex transactions occurring during the period
-
changes to the custodian or administrator's tax reporting systems
-
changes to the custodian's or administrator's tax policy.

The entity obtains an independent assurance report (such as an ASAE 3402/GS 007 report) that provides assurance of the internal control environment at the third-party service provider

-
The entity would need to understand the scope of the controls for tax reporting services included in the testing plan, the testing methodology and review the findings of these reports to ensure they are consistent with the ATO Guide .
-
The entity would be required to report the findings and any exceptions to the board (or audit committee). Where any exceptions are identified a remediation strategy to address the deficiencies needs to be developed.

Evidence of these third-party data tax controls should be documented in the entity's tax risk management framework policy documents or included as part of the contract or service level agreement with the outsourced service provider.

5. Data analytics and sample testing

The way in which third-party data is captured, collated and reported in the entity's income tax return or distribution statements to unitholders is fundamental to the correct reporting of the entity's reporting obligations. The calculation engines applied to the data and aggregation of the data will also impact on correct reporting.

We consider this to be a significant focus area for an income tax assurance review because systemic errors in reported transactions from third-party data can often lead to significant income tax revenue effects over time. For example, an undetected error could extrapolate to significant income tax shortfalls when replicated throughout large volumes of transactions.

In assessing the correct reporting of third-party data that feeds into the entity's income tax reporting obligations, we expect the entity (or an external tax adviser on behalf of the entity) should undertake assurance and verification procedures that align with its business and are tailored to its operating environment. Data analytics and sample testing are considered critical to this process.

Better practice examples for data analytics

This involves running pre-determined tests against a defined data set to identify reporting errors and exceptions for further investigation and or correction.

Simple data validation testing could be applied across the entire data set to ensure:

franking credits are associated with franked dividends
foreign income tax offsets correspond to foreign sourced income, and/or
foreign income tax offsets are not received in respect of exempt current pension income (superannuation funds only).

Data analytics which could be applied across the entire population of relevant transactions within the custodian tax reports include:

CGT discount rate
days held for eligible CGT discount rules
negative tax cost for CGT assets
franking credit rate and foreign tax withholding rate, and/or
foreign tax reclaims.

The data analytics could be applied to the custodian's quarterly tax reports or the year-end tax reports. The data analytics review should detail the description, outcome, and further actions where exceptions (or outliers) are identified.

These data analytics assurance and verification tests could be applied by the custodian or administrator, conducted by the in-house tax team or outsourced to an independent third party.

Better practice examples for sample testing

This involves a review of a particular transaction from the source to the custodian tax reporting to ensure the tax treatment applied is correct.

Where data analytics testing has identified exceptions, these transactions could be investigated further using sample testing.

In addition, a sample approach could be applied to review various unlisted Australian unit trusts to ensure the tax components are accurately recorded in the custodian's tax reporting.

Where an investment or transaction is significant or complex, an entity should undertake sample testing using a risk-based assessment to manage and mitigate the risk of inaccuracies in the custodian tax reports. Examples of investments or transactions where sample testing is appropriate include:

corporate actions such as share buybacks and demergers
characterisation of distributions from CLPs.

Data analytics and sample testing may be conducted in-house, by the custodian or outsourced to an independent third party, or a combination of all three approaches.

Where third-party data tax controls are undertaken by the outsourced service provider (on behalf of their client or user entity) we would expect the service level agreement to clearly outline this additional service.

Appendix 1: Tax controls for complex foreign investments

Due to the challenges of characterising the investment vehicle and income, entities should conduct a review of third-party data on foreign investments (either conducted internally or outsourced to an external tax adviser) that are considered 'significant/complex investments or transactions' (see Section 3.3.3 of this Guide). This will allow them to obtain a high level of confidence that the tax outcomes reported are consistent with the underlying economic activity of their foreign investments.

Where outsourced to an external tax adviser, the letter of engagement should clearly outline the scope of the engagement that is, the review process. The entity should understand the review process undertaken by the custodian and be confident that they have the capability to perform the service. The independent assurance report provided by the custodian as described in Section 4 of this Guide should include the CLP review processes in place at the custodian to ensure that they are operating effectively.

Corporate Limited Partnerships

The following better practice examples apply to investments in foreign limited partnerships that are taxed as CLPs for Australian income tax purposes under Division 5A of Part III of the Income Tax Assessment Act 1936.

Investments in CLPs may be held directly in investment entities that are generally Limited Partnerships (LPs) or Limited Liability Partnerships (LLPs). Typically, the LPs own 99% and the general partner owns 1% of the investment entity. The investment entity invests the capital received from investors on a collective basis, and each investor generally shares in the profits and losses in direct proportion to its interest in the investment entity.

Entities may also invest indirectly into these offshore LPs or LLPs through an Australian-domiciled trust (flow through vehicle). Where an entity invests through an externally managed and administered Australian MIT/AMIT/unit trust that, in turn, invests in CLPs we expect the external manager (of the MIT/AMIT/unit trust) to apply the better practice processes outlined below. This will provide the entity with a high level of confidence that the distributions are correctly characterised by the external manager (of the MIT/AMIT/unit trust).

Where the entity invests indirectly into these offshore LPs or LLPs through an Australian-domiciled trust and the entity is the only unitholder and/or the investment is material to the asset class, the entity may apply better practice processes in place of the interposed trust.

As the source information is from offshore entities, entities are expected not to rely solely on the custodian reporting but also to have - and apply - an understanding of the Australian tax treatment of the underlying investment.

An entity's approach will ultimately depend on the size and complexity of its CLP holdings and subject to the entity's risk appetite and materiality threshold. Where an entity does not consider the controls appropriate for their circumstances (for example, due to materiality thresholds), we expect the entity to document the reasons why they consider the controls are not appropriate. However, where an entity has elected to invest in offshore CLPs, we expect processes to be put in place to ensure that the tax outcomes reported are consistent with the underlying economic transaction. Where an entity chooses to invest in these complex offshore investments, they need to factor these additional third-party data tax controls into their investment decision making.

To obtain a high level of confidence that the characterisation of CLP distributions received is correct, better practice includes:

when a new investment is entered into (or a successor fund transfer occurs), a tax checklist is completed that ensures all relevant tax risks for significant investments have been considered, and correct classification of the investment vehicle and investment returns (see Section 3.3 of this Guide)
implementing a Side Letter Request Process to ensure the necessary information is provided by the general partner
maintaining a policy which documents in detail the entity's approach to reviewing CLP distributions. This policy should document the annual review process and the risk-based criteria to identify distributions which will require a more detailed examination (see Better practice examples below)
a proportion of the CLP distributions not identified for detailed examination using a risk-based assessment should be subject to random sample testing over a rolling cycle.

Better practice examples: Side Letter Process / information requests

The entity (the Australian Limited Partner) should seek to include provisions in the Side Letters of Limited Partnership Agreements (LPAs) which require the general partner to provide detailed distribution breakdowns. However, in respect of minority investments, it may not be possible to successfully negotiate with the general partner to provide detailed reports. Nevertheless, the entity or its representative should use best endeavours to seek to obtain relevant information in respect of each capital call/distribution notice.

Entities investing into CLPs would typically receive the following information from the fund:

fund constituent documents including LPAs and memorandum and articles of associations.
Annual reports containing various data on investments held and overall investment performance
capital account statements, issued on either a monthly, quarterly, bi-annually or annual basis, detailing the entity's ownership interest in the fund
distribution statements, breaking down the detail of each distribution paid by the fund
Schedule K-1s (Internal Revenue Service (IRS) Form 1065), being a tax form issued annually by the funds with US investments, which details the entity's share of the partnership's profits, losses, deductions and credits. However, it is noted there are limitations to their use. As they are usually based on a 31 December year end, the US tax treatment may differ to Australian tax treatment (for example, accelerated depreciation) and the basis of preparation of Schedule K-1s may vary between investments
audited financial statements, which are typically provided on a 31 December year-end basis
other various financial information, including investment performance data and calculations.

As a matter of better practice, entities should ensure they are able to obtain such information from the CLP in a timely manner, including any additional information that may be required to comply with their Australian tax compliance obligations.

The entity may also provide the general partner with a copy of its Tax Code of Conduct (where available) which outlines its expectations of investment managers.

Better practice example: Where information not available

We expect entities to request the above necessary underlying information at the CLP level from the general partner even if they have nominal holdings in investments. If entities are unable to obtain underlying information from the general partner (for example, due to a minority interest), an entity exhibiting better practice will have in place a number of additional controls, including:

directly reaching out to the general partner to request confirmation on specific transactions which the entity may have identified as requiring further confirmation (see Better practice - risk-based assessment to identify distributions for annual review below), and
seeking alternative information sources such as publicly available information (including news articles, company releases, investment data).

Better practice example: Annual review of CLPs

Cash flows from CLP investments may not be correctly characterised in the custodian's systems without client instruction. The purpose of the annual review of CLPs by the entity (or taxpayer) is to have oversight of the flows going through the custodian's system and consider whether those flows are treated correctly for tax purposes. Where the flows are not treated correctly, this may require an update to the custodian's reporting through a client instruction, for example, updating the cost base. However, the obligation is on the entity to ensure the correct income flows are reported in the fund income tax return so that the correct amount of tax is paid.

It is noted, that in some cases, CLPs may be held via an internally managed special purpose vehicle or by foreign hybrid entities without a custodian. However, the following annual review process is largely the same whether a custodian is involved or not.

Step 1 - Gather the following information:

Custodian's Cash Flow Report.
Custodian's Income Report that provides a breakdown of the gross foreign income, net foreign income, foreign income tax offset, capital call and return of capital components for each cash payment/receipt processed.
Copies of all capital call/distribution notices for each CLP during the income year.
Copies of emails between the custodian and the general partner of each CLP (where applicable) in respect of clarifying the component split of cash payments/receipts.
Any other information/documentation as described above in Better practice - Side Letter Request Process and information requests.

Step 2 - Determine amount paid or credited to the entity during the income year:

Examine each capital call/distribution notice to determine the amount paid or credited (that is, the relevant distribution amount).
As each cash payment or receipt can include netting of gross cash payments and receipts, capital call and distribution notices from the general partner of the CLP are examined in detail. This step aims to ensure for Australian income tax purposes that amounts 'credited' or 'paid' are correctly identified for Australian tax purposes. Example 1 below illustrates how this would apply.
Where it is not clear if an amount has been paid or credited based on the distribution notice, raise a query with the general partner or refer to the clauses in the LPA to ensure amounts returned as assessable income comply with Taxation Ruling TR 2017/D4 Income tax: when does a corporate limited partnership 'credit' an amount to a partner in that partnership?. There are examples in TR 2017/D4 regarding when an amount has been paid or credited.

Step 3 - For each capital call / distribution notice for the CLP, determine the tax components of the notice, namely:

capital components (for example, capital calls and return of capital)
gross income components credited (for example, distribution of profits or gains), and
any foreign withholding tax in the currency of the investment/notice.

As the components on the notice may not match the underlying economic substance of the transactions, capital call and distribution notices from the general partner of the CLP are examined in detail.

To identify which CLP distributions to examine in detail, the entity should apply the criteria outlined below in the Better practice - risk-based assessment to identify distributions for annual review.

These risk-based identified distributions should be subject to the following sub-steps:

3.1 The explanatory comments on the notice setting out the underlying economic substance of the transactions resulting in the distribution should be examined to determine where they do not match the tax treatment.
Examples include where the distribution arises from

a disposal (or partial disposal) of an asset and the component split does not include a mix of return of capital and gains
dividends, income or operating income and the component split does not consist of majority income.

3.2 Further information is requested to confirm or determine the component split, including

requesting additional information from the general partner
considering whether the tax components can be confirmed or determined based on any other reporting provided by the general partner (for example, audited financial statements, quarterly investment reporting).

Based on the above steps, determine the components of the distributions having regard to the underlying economic substance of the investment. This step includes a reasonableness check that the tax treatment is appropriate having regard to the entity's understanding of the investment.

To assist in identifying risk-based distributions the entity could apply data analytics based on some of the criteria (outlined below) over the data set of CLP distributions.

A deep dive examination through testing of a small sample of the remaining non-risk based identified distributions, as described in this step, including the use of additional sources of information, could be used to confirm that distributions have been characterised correctly. See Better practice - random sample testing over a rolling period and Example 3 in this Guide.

Step 4 - Translate to Australian currency (A$) the different components, being gross assessable income, foreign income tax offsets (if any), and net assessable income.

Step 5 - For each CLP:

query the custodian to verify the integrity of distributions recorded and documents relied upon
reconcile the total of each of the calculated A$ amounts with the Custodian's Income Report and any differences are appropriately explained
review the cost base adjustments, to ensure that relevant cost base adjustments are made where necessary (for example, increase the cost base for capital calls and decrease the cost base for a return of capital).

Step 6 - Advise the custodian to update their records of errors or tax adjustments required in the Cash Flow Report or the Income Report and request confirmation from the custodian.

Step 7 - Review tax treatment of any disposals or partial disposals of the CLP.

Example 1 - Step 2 - is the amount paid or credited?

(for illustrative purposes only)

ABC Super Fund is a limited partner in XYZ foreign LP that is taxed as a CLP for Australian tax purposes. The additional information attached to the distribution notice mentions undistributed proceeds.

In line with its process for annual review of CLPs, ABC Super Fund examines the notice in detail to confirm the tax treatment by taking the following steps:

review explanatory comments on the notice setting out the underlying economic substance of the transactions of the distribution
request additional information from the manager of the CLP as the comments on the notice did not make the tax characterisation clear. This will help to determine whether the undistributed proceeds should be deemed as an assessable dividend under section 94M of the ITAA 1997.

The manager advises that the undistributed proceeds (from capital gains) represents ABC Super Fund's share of cash withheld for working capital needs.

In effect, there is a netting of the gross cash payment in exchange for a capital call.

The additional investment of capital is recorded in the partnership's statutory record.

Accordingly, in line with TR 2017/D4, the cash withheld is treated as having been credited and included as an assessable foreign sourced dividend under section 94M of the ITAA 1997. The undistributed proceeds are treated as a capital call into the CLP and would increase ABC Super Fund's cost base for its interest in the CLP investment.

Better practice - a risk-based assessment to identify distributions for annual review

As the components on the notice may not match the underlying economic substance of the transactions, capital call and distribution notices from the general partner of the CLP are examined in detail. To determine the character of the distributions received from CLPs, we would expect the entity to conduct an annual review of, at a minimum, distributions from CLP investments using a risk-based assessment.

Specifically, if any of the following criteria are met, an entity should examine the distribution by applying Step 3 in the Better practice - annual review of CLPs:

Based on materiality (having regard to the likelihood and consequence of any error), a review of material CLP distributions should be undertaken. Depending on an entity's facts and circumstances, a review of the top 10% of CLP distributions or the two largest CLP distributions, whichever is the greater, based on the amount received, may be considered appropriate in line with the entity's tax risk profile.
Risk-based assessment based on prior year reviews - distributions which do not align with annual trends (such as CLPs with large variances in allocation from year to year) or where the entity has had to re-characterise the tax treatment of the distribution in previous years.
Where the percentage split of the distribution is in the range of 90-100% income or 90-100% returns of capital.
Where the distributions relate to onboarded CLP investments (new or as part of successor fund transfer) for the first year from onboarding.

Example 2 - Step 3 - components on the notice don't match the underlying economic substance of the transactions

(for illustrative purposes only)

XYZ Super Fund is a limited partner in the ABC foreign LP. The notice provided that the distribution of A$2 million was 100% return of capital and no explanatory comments were provided.

XYZ Super Fund applies the processes it has in place for CLPs and accordingly the distribution notice from ABC foreign LP is identified using a risk-based assessment.

In line with its process for annual review of CLPs, XYZ Super Fund examines the notice in detail to confirm the tax treatment by taking the following steps:

1.
review explanatory comments on the notice setting out the underlying economic substance of the transactions resulting in the distribution.
2.
request additional information from the manager of the CLP as the comments on the notice did not make the tax characterisation clear.

Given the nature of the investment, it would be expected to provide regular interest income distributions. However, all four distribution notices received during the income year were characterised as 100% return of capital. As a result, XYZ Super Fund was not satisfied that a 100% return of capital tax treatment matched the underlying economic substance of the transactions.

XYZ Super Fund contacted the manager to ascertain what percentage or dollar amount of each distribution was sourced from gains/income. The manager advised that this distribution comprised interest income on loans and is 100% interest income.

XYZ Super Fund then considered whether 100% income treatment was consistent with its understanding of the investment and other reporting provided by the manager. As indicated in the Private Placement Memorandum of the fund, the underlying investment is senior secured debt and current income received on the investment portfolio net of expenses will generally be distributed quarterly. The principal repayments are not expected to commence until two income years following the current year.

Accordingly, the process followed by XYZ Super Fund which examined the nature of the distribution to understand the economic substance driving the distribution, resulted in A$2 million being re-characterised from a return of capital to being treated as a distribution of profits and therefore an assessable foreign sourced dividend for the income year.

In line with Step 6, the custodian was advised to update its records for the tax adjustment (subject to timing restrictions) to ensure the accuracy of its Income Report. However, the obligation is on the entity to ensure the correct income flows are reported in the fund income tax return so that the correct amount of tax is paid.

To satisfy the ATO as part of a Justified Trust assurance review that its third-party data tax governance processes for its CLP investments are designed effectively (Stage 2), XYZ Super Fund provides its policy which documents its approach to reviewing CLP distributions. This policy should document the criteria by which the entity will review CLP distribution data in detail.

In order to satisfy operational effectiveness, the third-party data tax controls including the processes for CLP investments would need to be included in the scope of the testing and tested by an independent party to determine if they are operating effectively (Stage 3).

Better practice - random sample testing over a rolling period

A proportion of the remaining CLP distributions, not identified as distributions using the risk-based assessment criteria above, should also be subject to random sample testing on a rotational basis. See Example 3 in this Guide.

However, where an entity has received a low assurance rating for CLPs in its last Top 1000 review, we would expect to see testing of a larger sample size of the remaining pool of CLP distributions not identified using the risk-based assessment criteria.

Following a risk-based assessment where random sample testing identifies incorrect characterisation of distributions, then distributions from those CLP investments should be included in the following year as part of the Better practice example: Annual review of CLPs.

Example 3 - Rotational random sample testing over a five-year rolling period of the remaining CLP distributions not identified as distributions

(for illustrative purposes only)

DEF the limited partner in ABC foreign LP from the example above, has identified that it has received two distributions from the 12 distributions received from CLPs it holds using the criteria outlined in the Better practice - a risk-based assessment to identify distributions for annual review.

For the remaining 10 distributions, DEF will conduct sample testing on two distributions (20%) on a rotational basis every year over five years for these CLPs. The two CLP distributions will be selected at random each year from the pool (with no duplicates). The sample testing will be conducted in line with Step 3 where DEF will examine the components on the notice to ensure that it matches the underlying economic transactions.

To satisfy the ATO that as part of a Justified Trust assurance review its third-party data tax governance processes for its CLP investments are designed effectively (Stage 2), DEF provides its policy which documents that a proportion of the remaining CLP distributions not identified using the criteria outlined in the Better practice - a risk-based assessment to identify distributions for annual review, are subject to sample testing on a rotational basis over a rolling period.

To satisfy operational effectiveness, the third-party data tax controls including the process described above would need to be included in the scope of the testing plan and tested by an independent party to determine if they are operating effectively (Stage 3).

Estimates or conservative approach due to delay in availability of information

Due to the differences in accounting periods (for example, calendar rather than financial) for foreign investments, there may be delays in the receipt of third-party information required by the superannuation fund to complete the third-party data tax governance processes for complex foreign investments before the date of lodgment of the fund return at 15 January each year.

As a result of this outstanding information, the superannuation fund could adopt an estimates approach (for example. based on previous years, if appropriate) for the income it expects to be included as assessable and lodge an amendment once all unlisted assets information is confirmed.

[1]
Includes registrable superannuation entities, pooled superannuation trusts and exempt public sector superannuation schemes. It does not include self-managed superannuation funds or small APRA funds (that is, less than seven members).

[2]
Reports on the outsourced service providers (for example, custodian and administrators) internal controls are generally prepared in accordance with the Australian Standard of Assurance Engagements ASAE 3402 Assurance Reports on Controls at a Service Organization (ASAE 3402) and with reference to Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services (GS 007).

[3]
Ibid

[4]
In October 2021, the concept of straight-through processing was discussed at a custodian workshop between the ATO and industry. Custodians described an 80/20 rule where about 80% of their business could be described as vanilla equity and debt instruments processing (or straight-through processing). The remaining 20% is not straight-through processing.

[5]
In October 2021, the concept of straight-through processing was discussed at a custodian workshop between the ATO and industry. Custodians described an 80/20 rule where about 80% of their business could be described as vanilla equity and debt instruments processing (or straight-through processing). The remaining 20% is not straight-through processing.

[6]
Reports on the outsourced service providers (for example, custodian and administrators) internal controls are generally prepared in accordance with the Australian Standard of Assurance Engagements ASAE 3402 Assurance Reports on Controls at a Service Organization (ASAE 3402) and with reference to Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services (GS 007).

[7]
The maker/checker control ensures where there is manual input that there is a "maker" to input those attributes into the system and a "checker" to review that the client instructions have been entered correctly.


Copyright notice

© Australian Taxation Office for the Commonwealth of Australia

You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).