GST Governance, Data Testing and Transaction Testing Guide

Top 100 and Top 1000 GST assurance programs

Contents

1. Executive Summary 4
1.1 Background 4
1.2 Objective of this guide 4
1.3 Benefits of a well-designed GST governance control framework 5
1.4 Benefits of well-designed GST business systems 5
1.5 GST and Justified Trust 5
1.6 Our governance ratings 6
1.7 Our approach 7
2. Essential features of a tax control framework 8
3. Our approach to reviewing governance 9
3.1 Overview 9
3.2 Standard ratings system 10
4. Practical guidance to self-review your tax control framework 12
     Top 100 12
     Top 1000 13
     Evidence 13
4.1 MLC4 Controls in place for data for GST purposes (Design effectiveness, Stage 2) 13
   4.1.1 Intent 13
   4.1.2 Core elements 14
   4.1.3 What we look for 15
     4.1.3.1 Business systems setup 15
     4.1.3.1.1 IT controls for integrity and security of data 15
     4.1.3.1.2 GST master tax codes 16
     4.1.3.2 Data processing - manual controls 17
     4.1.4 Links to other controls 18
4.2 MLC6 Documented GST control frameworks (Design effectiveness, Stage 2) 19
   4.2.1 Intent 19
   4.2.2 Core elements 19
   4.2.3 What we look for 19
     4.2.3.1 Procedures for monthly BAS preparation process 19
     4.2.3.2 Process for reviewing and signing off the monthly BAS 20
4.3 BLC4 Periodic controls testing program (Design effectiveness, Stage 2) 21
   4.3.1 Intent 21
   4.3.2 Core elements 21
   4.3.3 What we look for 22
   4.3.4 Sample Testing Program template 23
5. Self-review your GST Correct Reporting through Data and Transaction Testing 25
5.1 Background 25
5.2 Data Testing 26
   5.2.1 Intent 26
   5.2.2 Scope and Methodology 26
   5.2.3 The entity to be reviewed 26
     Top 100 26
     Top 1000 28
   5.2.4 The overall architecture of the source systems 28
   5.2.5 How data is captured in source and business systems 28
   5.2.6 The data sample size 28
   5.2.7 Determining what data to include in the testing (what fields or tables within the database are required to test specific business processes) 29
   5.2.8 Testing Methodology 30
   5.2.9 Documenting your findings 31
   5.2.10 Connections to GST tax governance controls 31
   5.2.11 Self-Review Process 31
   5.2.12 Recording Testing Outcomes 33
   5.2.13 Efficacy of self-review 33
5.3 Transaction Testing 33
   5.3.1 Intent 33
   5.3.2 What we look for 34
   5.3.3 Connections to GST tax governance controls 34
   5.3.4 Self-Review Process 34
   5.3.5 Recording Testing Outcomes 35
Appendix 1 - Common drivers and errors in GST reporting 37
Appendix 2 - Common controls for GST and Income Tax 40
Appendix 3 - Systems and BAS Walkthrough 46
Appendix 4 - General and specific data tests 54
Appendix 5 - Additional information 59

 

1. Executive Summary

1.1 Background

Our justified trust program seeks greater assurance that taxpayers in the large market are reporting the right amount of Goods and Services Tax (GST). This supports and expands on existing compliance approaches, including justified trust reviews for income tax.

We are undertaking GST assurance (justified trust) reviews in the large top 100 and top 1000 markets because large corporate groups make a significant contribution to the Australian economy and play a critical role in the tax system.

The total net GST liabilities across the ATO in 2017-18 was $59.3 billion and combined the top 100 and top 1000 taxpayers paid just under 47% of net GST collected by the Australian Taxation Office (ATO) giving an indication of their large contribution to the tax system.

1.2 Objective of this guide

The purpose of this guide is to explain how the justified trust methodology is applied with regard to reviewing the existence, design and operation of GST controls as part of an effective tax control framework.

Demonstrating how your good tax governance is embedded in positions taken, disclosures in Business Activity Statements (BAS) and tax calculations provides us with evidence we can rely upon, which can reduce the intensity of enquiries.

This guide provides practical guidance on how to conduct a self-review of your tax control framework for GST, by describing the requirements for each level of our staged rating system. In particular, it outlines the core elements and what we look for when we review the following three fundamental GST controls:

This guide also provides detailed guidance on how to undertake data and transaction testing, to ensure that your business systems are creating, capturing and correctly reporting GST. Data and transaction testing may also help you identify areas where your tax control framework may not be designed or operating effectively for GST purposes.

This guide can be used to:

If you use this guide to self-review your governance for GST purposes or undertake data and transaction testing, it is advisable to scope this work with reference to this document, in particular sections 4 and 5.

1.3 Benefits of a well-designed GST governance control framework

The benefits to documenting and having a well-designed framework that is operating effectively for GST controls include the following:

Appendix 1 contains two tables listing the common drivers and errors in GST reporting. These tables further highlight the importance of a well-designed GST tax control framework.

1.4 Benefits of well-designed GST business systems

The way in which your business systems create, capture, collate and report GST impacted transactions is fundamental to the correct reporting of your GST obligations.

The ATO considers this one of the most significant focus areas for a GST assurance review because incorrectly reported transactions can often lead to significant GST revenue effects over time. For example, in a high volume - low value environment such as a retail outlet, an undetected GST classification error of just one product could extrapolate to significant GST shortfalls when replicated throughout large volumes of sales across a large number of stores.

In assessing the correct reporting of your GST obligations, the ATO expects that you undertake assurance and verification procedures that align with your business and that are tailored to your own operating environment. The ATO considers data and transaction testing as a critical aspect of this process.

1.5 GST and Justified Trust

In a GST assurance review, we look for assurance that:

Therefore, while tax governance and data and transaction testing are important components of our assurance reviews, there is other work conducted as part of applying our justified trust (JT) methodology in a GST assurance review. For further information on the broader JT program, please refer to Appendix 5.2

1.6 Our governance ratings

We look for evidence that a tax control framework exists, such as a board-endorsed tax policy and/or documented procedures for preparing Business Activity Statements (BASs). Once we've established a tax control framework exists, we then look for objective evidence that the framework is designed effectively and is "lived". In this regard, we use the following staged rating system:

To reach our highest rating for tax governance for GST (stage 3) you must be able to demonstrate that your tax control framework has not only been designed effectively but is also operating as intended. This stage can be evidenced by a periodic tax controls testing program as well as reports describing the outcomes of that testing. When considering eligibility for a stage 3 rating, we look for evidence of an independent review that tests specific tax controls, for example by internal or external auditors that provide an independent level of assurance to the Audit Committee and the Board.

We may assign a "red flag" where you cannot provide evidence to demonstrate a tax control framework exists or if we have significant concerns with your tax risk management and governance. These concerns may include your approach to tax compliance, for example, where there are significant errors your tax control framework is not detecting.

1.7 Our approach

In undertaking our justified trust reviews for GST, we are likely to review the tax control framework for the largest GST reporting entity in a top 1000 group. We may also review the tax control framework of another GST reporting entity in that group where it has entities or business divisions that may present GST risk.

In our top 100 reviews, if there are a number of key GST reporting entities, we are likely to review the tax control framework for each of these entities.

A GST assurance review will focus on the last complete financial year. It will include systems and BAS walkthroughs. Data and transaction testing is also undertaken, focusing on a minimum of three consecutive BAS periods.

There are a number of materials to assist you with understanding the overall process followed in our tax assurance reviews (refer to Appendix 5). For GST governance, you should focus on this guide in preference to the older tax risk management and governance review guide, as it provides more current and additional practical information on how we review GST governance for large businesses in our Top 100 and Top 1000 assurance reviews.

This guide helps you to prepare for a GST assurance review by outlining the ATO's expectations in terms of what better practice tax corporate governance looks like. It can help you to develop or improve your own tax governance and internal control framework, test the strength of the design of your framework against our better practice benchmarks, and understand how to demonstrate the operational effectiveness of your tax controls to the ATO.

This guide also provides separate practical guidance to help you prepare for a systems and BAS walkthrough (Appendix 3).

2. Essential features of a tax control framework

A "tax control framework" typically comprises a suite of policies and procedures prepared by management which have been endorsed by the board of directors. The framework outlines your organisation's tax risk appetite, the acceptable level of tax risk for day-to-day operations and what types of issues and transactions require escalation.

The following eight areas of focus, which we describe as "controls," form the basis of a tax control framework. We focus on these controls because they are most closely aligned with the following justified trust objectives:

Objective Controls
Understanding an entity's tax control framework > Board-level control 1: Formalised tax control framework
> Board-level control 4: Periodic internal control testing
> Managerial control 1: Roles and responsibilities are clearly understood
> Managerial control 4: Controls in place for data (GST only)
> Managerial control 6: Documented control frameworks
 
Identifying risks flagged to the market > Board-level control 3: The board is appropriately informed
 
Understanding significant and new transactions > Managerial control 3: Significant transactions are identified
 
Understanding why the accounting and tax results vary > Managerial control 7: Procedures to explain significant differences
 

 

When applying the justified trust methodology, three of the above eight areas of focus, being BLC4, MLC4 & MLC6 are fundamental, because the design of these controls directly influences the way in which GST is reported. Section 3 of this guide provides a detailed explanation of these controls, including, the core elements and what we look for when we review these three fundamental controls.

The other five areas of focus are BLC1, BLC3, MLC1, MLC3 and MLC7. These five controls are common controls because the design is equally as critical for both income tax and GST, and there are common features in the way these controls are evidenced. Appendix 2 of this guide provides information on these controls, including, the core elements and what we look for when we review the design effectiveness of these five common controls from a GST perspective.

3. Our approach to reviewing governance

3.1 Overview

We review governance by requesting objective evidence of the design of tax controls which aligns with our ratings system. We review the design of your controls based on documentation you submit to us. We look for evidence in the form of approved policies and procedures demonstrating the existence and design of a tax control framework, for example, work instructions, templates and process maps.

We are unable to rely on slide presentations, draft policies or narrative descriptions of the tax control framework, as they do not represent source documentation.

When applying the justified trust methodology, we review the three fundamental controls (MLC4, MLC6 & BLC4) based on evidence you provide as part of our tax assurance review for GST purposes.

We also review the five common controls; however, if there has already been an income tax assurance review, we will generally seek to rely on source documentation previously submitted in reviewing these controls for GST purposes. We usually will only request additional evidence in relation to common controls if the source documentation submitted as part of a previous income tax assurance review does not extend to GST, or if there have been material changes in your tax control framework since the income tax assurance review.

We refer to this as our "top up" approach to GST governance reviews as part of our integrated approach, which is the same for top 100 and top 1000 taxpayers, however the intensity for top 1000 taxpayers will be different, as compared to top 100 taxpayers.

If you have not previously had an income tax assurance review, we will request evidence for all of the five common controls.

3.2 Standard ratings system

We apply an integrated tax governance staged ratings system, based on objective evidence provided by you to demonstrate existence (stage 1), design (stage 2) and operational effectiveness (stage 3) of your tax control framework. Our standard governance ratings for income tax and GST purposes are defined as follows:

Green dot represents a Stage 3 rating Stage 3 You provided evidence to demonstrate that a tax control framework exists, has been designed effectively and is operating effectively in practice.
Yellow dot represents a Stage 2 rating Stage 2 You provided evidence to demonstrate that a tax control framework exists and has been designed effectively.
Orange dot represents a Stage 1 rating Stage 1 You provided evidence to demonstrate a tax control framework exists.
Red flag rating Not evidenced or concerns You have not provided sufficient evidence to demonstrate a tax control framework exists or we have significant concerns with your tax risk management and governance.

 

The table below articulates what is required for each stage.

Overall rating General rating criteria Specific rating criteria for GST Link to overall level of assurance

Stage 3
Green dot represents a Stage 3 rating

This stage is the highest rating for tax governance, and we encourage all large public and multinational businesses to achieve this stage. Achieving stage 3 provides a strong foundation for our level of confidence and supports a lower intensity in future engagements.

To achieve stage 3, you must be able to demonstrate that your tax control framework has not only been designed effectively but is also operating as intended. The report describing the outcomes of any independent testing should include an opinion on the operating effectiveness of the tax control framework and include a description of the:

> tax controls tested
> testing methodology, and
> sample sizes.3

BLC4 at Stage 3
Effectively operating periodic testing program which includes GST controls
MLC4 at stage 3
Effectively operating GST data controls which includes GST controls built into business systems as well as standard rules for assigning tax codes and process for setting up, adding and deleting of customer and vendor master files and tax codes
MLC6 at Stage 3
Effectively operating BAS preparation procedures and process for preparing, reviewing and approval of the BAS.

It is important that GST controls are operating as intended.

Stage 2
Yellow dot represents a Stage 2 rating

When we have established a tax control framework exists, we then look for objective evidence that the framework is designed effectively.

We may step through your controls which we refer to as "walkthroughs" to help initially identify and understand your GST processes and procedures however we require source documentation to determine design effectiveness. Refer to Appendix 3 for details.

BLC4 at Stage 2
Effectively designed periodic testing program which includes GST controls
MLC4 at Stage 2
Effectively designed GST data controls which includes documentation which evidences GST controls built into business systems as well as standard rules for assigning tax codes and process for setting up, adding and deleting of customer and vendor master files and tax codes
MLC6 at Stage 2
Effectively designed BAS preparation, review and approval process

Minimum requirement to be eligible for overall high assurance (pending ratings of other focus areas)

Stage 1
Orange dot represents a Stage 1 rating

You will reach stage 1 when you provide objective evidence that a tax control framework exists. For GST, if the documentation of your tax strategy is relatively "silent" on GST4 then we recommend documentary evidence of your BAS procedures is provided.

BLC1 at Stage 1
Tax strategy and/or policy documentation describing how the organisation identifies and manages tax risk, including GST exists.
AND/OR MLC6 at Stage 1
Documented BAS preparation process exists.
AND/OR MLC4 at Stage 1
Data controls exist but insufficient evidence to demonstrate design effectiveness.

You cannot receive an overall high assurance (regardless of ratings of other focus areas).


 

4. Practical guidance to self-review your tax control framework

The scope of the review will be driven by whether you are a top 100 or top 1000 taxpayer to acknowledge the fact that taxpayers in the large market have multiple GST reporting entities and GST groups.

Top 100

A self-review of your tax control framework will enable you to self-assess the existence and design of your tax control framework for GST purposes using the ATO criterion and processes outlined in this guide.

In undertaking a self-review it is important that you obtain sufficient coverage over the whole GST economic group. We consider that a BAS relating to the largest GST reporter that provides at least 75% coverage of the GST throughput5 of the economic group represents sufficient coverage. Therefore, for the top 100, you should use the following criteria:

The ATO understands that undertaking a self-review of your GST controls requires a substantial investment in your time and resources. To ensure your self-review is undertaken as efficiently as possible and achieves the desired outcome, you are invited to discuss your intended scope and methodology with your Senior Relationship Manager before you begin your self-review.

For top 100 taxpayers your Senior Relationship Manager's contact information is listed on the most recent copy of your ATO Risk Differentiation letter.

Top 1000

In undertaking a self-review we encourage you to obtain sufficient coverage over the whole GST economic group. In our justified trust reviews for GST we are likely to review the tax control framework for the largest GST reporting entity in your economic group. We may also review the tax control framework of other GST reporting entities in your group if they have entities or business divisions that may present GST risk or have recently undergone major business system changes.

Evidence

Our approach to reviewing governance as part of our justified trust methodology is evidence based. We look at the policies and procedures you have provided to demonstrate the existence, design and operation of your tax controls framework in place for managing tax risk. The guidance on the following pages clearly articulates the ATO's expectations in terms of the design effectiveness of the three fundamental controls, which are MLC4, MLC6 and BLC4.

Please note that the types of objective evidence listed below under the heading "what we look for" are included as illustrative examples. We recognise the exact documents will differ between taxpayers.

Our guidance for each control is structured as follows:

4.1 MLC4 Controls in place for data for GST purposes (Design effectiveness, Stage 2)

4.1.1 Intent

The focus of MLC4 is to establish that controls are in place to ensure GST data integrity. Having a well-designed control framework is central to ensuring all business systems that process and store financial data, are able to accurately calculate, allocate, record and report GST amounts.

It is important to note that the term "business systems," which appears throughout this section of the guidance, is intended to cover the design of all of the business systems, subsystems, platforms etc. used to process business transactions.

The amount of GST reportable to the ATO is captured at the time supplies and acquisitions (referred to as sales and purchases) are entered into the relevant business system. Therefore, it is important that business systems and the GST data controls within those systems are designed effectively to help manage risks associated with potential processing errors (MLC4).

The effectiveness of the design of your business systems for GST will depend on the extent of automation and manual intervention required to capture and process data for GST purposes. Therefore, the design of your business systems should be fit for purpose and tailored to your circumstances to identify and mitigate GST risks.

The objective of reviewing your business systems is to identify and review your controls that support the accurate flow of data, including how they are initiated, authorised, processed, recorded and treated for GST purposes.

The objective evidence we look for is in the form of documented policies and procedures informed by the findings from walkthroughs undertaken on your business systems.

A walkthrough is a process where enquiries, inspection of documents and observations are performed to understand and evaluate the design of your business systems from a GST perspective. The walkthrough provides an opportunity to assess whether your business systems have been designed effectively and will assist in identifying design gaps that may give rise to potential GST errors. Refer to Appendix 3 for guidance on how to perform a business systems walkthrough including accounts receivable and accounts payable processes.

The objective of reviewing the extent of data processing and manual controls is to identify potential control deficiencies or weaknesses and areas of manual intervention that could increase the risk of errors in the data used to process and report your GST obligations.

The complexity of your business systems, including the extent of manual intervention, will determine which business systems you need to include within the scope of your self-review.

Benefits of getting the design of MLC4 right

To ensure that sales, purchases and manual adjustments are processed correctly for GST purposes, it is important that robust and well-designed data controls are documented and periodically tested for operational effectiveness.

Poorly designed or missing data controls specific to GST can lead to:

> Unauthorised changes to business systems and programs that are used to process sales and purchases
> Unauthorised access to data which may lead to potential GST errors
> Incorrect GST coding of transactions
> Consequential errors in BAS reporting.


 

4.1.2 Core elements

In undertaking a self-review of your business systems for GST purposes, it is important to consider the following two core elements:

4.1.3 What we look for

4.1.3.1 Business systems setup

4.1.3.1.1 IT controls for integrity and security of data

The objective of reviewing your IT controls is to assess the design effectiveness of controls regarding the integrity and security of the data used for reporting your GST obligations.

Essentially, this element is about the design of your business systems and related application controls that are used for GST reporting. This is inclusive of:

The objective evidence we look for in respect to IT controls is in the form of documented policies and procedures informed by the findings from a business systems walkthrough which is based on the business systems that you use to process and report your GST obligations.

Examples of the type of objective evidence we look for are set out below.

Green tick to highlight what we look for IT systems architecture and user interactions

Documentation in the form of policies and / or procedures which include the following information:

Green tick to highlight what we look for Recent business systems and user access audits/reviews

4.1.3.1.2 GST master tax codes

We look for objective evidence to demonstrate the existence and design of your data controls built into your business systems, for example, the implementation and maintenance of:

The objective evidence we look for is in the form of documents such as policies and procedures informed by the findings from a business systems walkthrough. Refer to Appendix 3 for guidance in terms of the performance of a business systems, accounts receivable and accounts payable walkthroughs.

The objective evidence for policies and procedures could be in the form of an extract from business systems setup documentation, accounts receivable and accounts payable manual, BAS preparation manual /or other relevant policies/procedures. In terms of GST tax codes, we look for documented controls based on the examples set out below.

Green tick to highlight what we look for Controls regarding GST tax codes

Documentation in the form of policies and/or procedures which include the following information:

Example - Tax codes available for use to process sales for GST purposes

Code Description
S1 Taxable sales (10%)
S2 GST-free sales (0%)
SG Intra-group sales (no GST, within GST group)
SZ Out of scope of GST

 

Green tick to highlight what we look for Customer, vendor and product GST master file setup

Documentation in the form of policies and/or procedures which include the following information:

Green tick to highlight what we look for Built in "rules" to automate the assignment of GST tax codes within business systems

Example - Tax conditions tables

These tables sit in the background within the business system (e.g. SAP) and comprise a set of "rules" to automatically assign GST tax codes to sales and purchases. The rules are based on specific customer master data, tax codes available in source systems, the actual sales order etc. Typically, this type of automation is in place for sales and purchases. The example below illustrates a sales transaction:

SALES

Green dot represents a Stage 3 rating

Practical example - Tax code automatically assigned to outgoing invoice (sales)

Based on Customer master file, sales order, delivery, the condition table automatically assigns the tax code as follows:

  • - Sold to and ship to address = Australia
  • - GST tax code S1 assigned
  • - S1 = taxable 10% GST applies)

 

4.1.3.2 Data processing - manual controls

The objective of reviewing data processing controls is to assess how GST tax codes are applied to facilitate the correct GST treatment.

This element is about the linking of the GST tax codes with the product/item master file to process routine transactions and reliably determine the correct GST treatment of sales and purchases including both routine and non-routine transactions.

"Routine transactions" in this context are those recurring, high volume standard sales and/or purchases which are low value at a transaction level and occur on a daily basis and where there is a low inherent risk of a GST technical error. Whilst the risk of technical error may be low, the aggregated effect of the error may be material. This can be distinguished from non-routine transactions which are mostly material at a transaction level or give rise to a high inherent risk of a GST technical error. These are typically one-off type transactions and/or transactions that maybe subject to the GST special rules.

The objective evidence we look for is in the form of policies and procedures informed by an accounts payable and accounts receivable walkthrough. Refer to Appendix 3 for guidance on how to perform an accounts receivable and accounts payable walkthrough.

The objective evidence for policies and procedures is typically in the form of standard operational procedures and/or instructions for accounts receivable and accounts payable as well as for procurement and sales order teams to process both routine and non-routine transactions.

We acknowledge that you may use other terminology in your documentation. However, for the purposes of this guidance, we have outlined below examples of the type of information that we would expect to see in your documentation:

4.1.4 Links to other controls

The rating for MLC4 may be impacted by any systemic errors identified through other aspects of our justified trust review, for example data and transaction testing especially where the reason for the errors are directly linked to missing and/or poorly designed data controls.

BLC4 - The internal tax controls testing contained in the periodic testing plan must include the testing of data controls in place to process sales and purchases including manual adjustments to ensure the GST treatment is correct.

MLC6 - The tax/finance function reviews the amounts reported in the BAS for each BAS period. Where errors are identified in the amounts reported in the BAS labels, it is important to understand the root cause of these issues. This process may uncover fundamental control gaps that are directly attributable to data integrity issues that specifically relate back to MLC4.

4.2 MLC6 Documented GST control frameworks (Design effectiveness, Stage 2)

4.2.1 Intent

This control relates to documented work instructions in place for GST compliance procedures for the monthly preparation, review and approval of Business Activity Statements (BAS).

These processes involve repetitive tasks; therefore, documenting them ensures consistency in tax positions or adjustments and mitigates key person risk.

Benefits of getting the design of MLC6 right

Your tax function can only be sure that BAS disclosures are accurate if there are robust GST compliance processes in place to review data from source systems which forms the basis of GST reporting.

The BAS preparation and review process includes checking against source documents to ensure high risk and material transactions are treated correctly for GST purposes (based on contract terms, characterisation of the supply and acquisition) so that the correct amount of GST is remitted and claimed.


 

4.2.2 Core elements

Detailed work instructions form the basis of the evidence of this control. These instructions should describe the controls and processes for each step of the monthly BAS end-to-end process to help to ensure compliance with legislative requirements and to help manage risks regarding GST disclosures.

4.2.3 What we look for

A comprehensive set of instructions, such as a manual covering the following:

4.2.3.1 Procedures for monthly BAS preparation process

Green tick to highlight what we look for Data extraction process (what, how, who, when). We look for:

Green tick to highlight what we look for Data analysis process (to ensure correct amount of GST is remitted and claimed), such as:

Example - BAS Manual adjustments process

There is a major acquisition project underway. There is a specific entity and cost centre used to report direct and indirect costs related to the project. As part of the BAS data analysis process, Group Tax identifies and checks for such cost centres, reviews the GST on costs and ensures GST paid is quarantined until the deal is confirmed and can be classified.


 

4.2.3.2 Process for reviewing and signing off the monthly BAS

Example

The use of standard BAS working paper template to show how the GST reports reconcile to BAS disclosures


 

NOTE: In addition to the tax function reviewing the numbers which go into the BAS each month, you should also have a documented process for regular reviews by the tax function that examine GST classification, attribution, recording, reporting and supporting document validity (e.g. tax invoices) in accordance with the GST law.

4.3 BLC4 Periodic controls testing program (Design effectiveness, Stage 2)

The ATO does not conduct the testing required to assess the operational effectiveness of tax controls. Instead, we rely on the fact that your testing program has been designed effectively based on the principles outlined below.

In this regard, we recommend that testing of your tax control framework for operating effectiveness be performed by an independent reviewer as part of a periodic testing program which meets the criteria for design effectiveness as part of BLC4.

Benefits of getting the design of BLC4 right

A well-designed testing program which covers GST will help ensure that once the testing is complete, the test results will provide your tax function with evidence that GST controls are operating (as designed) in practice and are "lived".

These test results will help you to identify and address any deficiencies in the operation of GST controls which may be the cause of the misapplication of the GST law and potential reporting errors.


 

4.3.1 Intent

As part of its oversight role, the board should obtain assurance that the internal control framework it has endorsed is operating effectively. The design of the testing program helps determine whether the review is robust enough to provide a reasonable level of assurance that tax controls operate effectively. The testing program should include testing of GST controls for operating effectiveness. The design effectiveness of BLC 4 (stage 2) is a pre-requisite for being eligible to reach the highest rating for governance overall across all controls (i.e. Stage 3 overall).

If we have already undertaken a tax assurance review of your income tax affairs, we will consider evidence previously submitted with regard to your periodic tax controls testing program in reviewing it from a GST perspective.

However, we review this control for GST purposes based on the principles set out below.

4.3.2 Core elements

A periodic testing program that covers the following elements:

Scope of controls tested and taxes covered

For the ATO to rely on your testing, the test scope must include the testing of GST controls for data (MLC 4) and your documented GST control framework (MLC 6).

The test scope should be set out in a plan put together by the independent reviewer which has been signed off describing:

In terms of frequency of testing, this should be periodic, that is, not once-off testing, but rather, ongoing testing, with the frequency determined by an appropriately skilled person, for example an internal auditor. We would expect MLC4 and MLC6 are tested by an independent reviewer for operational effectiveness regularly for GST (ideally annually).

Who is conducting the testing - independent reviewer

The ATO does not conduct the testing. Instead, we rely on your testing program and the actual test results to assess the operating effectiveness.

In order for us to place reliance on your testing program, it needs to be conducted by independent testers. This means someone with a suitable degree of independence and skill. The most common scenario is the internal audit function conducting independent testing; as they have the skills and requisition level of independence, because they are not tax control owners.

Testing of certain GST controls, such as MLC4, by the tax function could qualify as independent testing, if the tax function is not the owner of those controls. For large corporates, this is often the case and the tax function often collaborates with internal audit to test GST controls owned outside the tax function (e.g. finance, IT, procurement, commercial teams etc.).

Testing methodology

We acknowledge that the testing methodology and frequency of testing will vary depending on the type of controls. We require evidence of the testing methodology in sufficient detail including any sampling methods applied in order to assess the adequacy of the work performed and to rely on your testing. We note the various testing methodologies in order of preference as follows: (1) re-performance, (2) examination/inspection, and (3) observation.

4.3.3 What we look for

4.3.4 Sample Testing Program template

We encourage you to work with your internal risk team to identify existing testing programs which may cover certain testing that can be relied upon for GST purposes. For example, data controls for GST under MLC 4 may be covered as part of the existing 'Order to Cash' and 'Order to Payments' business process testing plans.

The sample controls testing plan at Table 1 is an indicative illustration of a plan for periodic tax controls testing for operating effectiveness. It illustrates the key elements to be included in a test plan for the ATO to place reliance on that testing.

Actual plans vary and the testing could also be performed by external auditors or other independent reviewers. We acknowledge that your testing program, the approach and the ongoing commitment to conduct periodic testing for operating effectiveness are driven by your overall enterprise wide risk management program.

Table 1: Sample Tax Controls Testing Plan7- illustration to demonstrate the key elements of a test plan.

SCOPE
  • Include details of the Key risks being addressed
  • Include details of the controls tested and taxes covered for the specific business processes covered
  • Include a reference to the wider internal audit plan or the company's enterprise wide risk management framework which has been endorsed by the board
Key Risks
  • Describe the key risks the test plan will address (e.g. Risk of non-compliance with taxation legislation and regulations.
Key Controls tested and taxes covered
  • Reference to enterprise wide tax risk management control framework or tax policy OR
  • Reference to Tax governance procedures and associated Board and Managerial controls areas of focus as referred to in the ATO's tax risk management and governance guide aligned with the 'justified trust' objectives. This includes the following controls:
    • Green tick to highlight what we look for Board-level control 3 - The board is appropriately informed
    • Green tick to highlight what we look for Managerial-level control 1 - Roles and responsibilities are clearly understood
    • Green tick to highlight what we look for Managerial-level control 3 - Significant transactions are identified
    • Green tick to highlight what we look for Managerial-level control 4 - Controls in place for Data for GST purposes (specifically covering accounting systems set up - GST master data & Sales and Purchases processing of data)
    • Green tick to highlight what we look for Managerial-level control 6 - Documented control frameworks
    • Green tick to highlight what we look for Managerial-level control 7 - Procedures in place to explain significant differences
  • Controls tested and taxed covered can include a combination of your enterprise wide policies and a reference to the board and management level controls referred to in the ATO's external guide.
Out of Scope
  • Describe areas, entities, controls and taxes that will not be in the scope of testing.
WHO IS CONDUCTING THE TESTING
  • List the positions/ titles of who is conducting the testing (Indicate the specific area where they belong to (e.g. internal audit, external audit, independent third party)
  • Tester must be independent from the control owners (e.g. an internal auditor with a separate reporting structure from the tax team).
METHODOLOGY

Describe the methodology undertake to conduct the testing. Methodology typically consist of:

  • Green tick to highlight what we look for Re-performance
  • Green tick to highlight what we look for Examination/ inspection
  • Green tick to highlight what we look for Observation
  • Green tick to highlight what we look for Or a combination of the above methods (e.g. Observation of a control followed by Inspect documents and reports indicating performance of the controls)
DELIVERABLE

Describe the type of report / deliverable that will be issued at the end of the testing. Findings report should include:

  • Green tick to highlight what we look for A description of the test methodology, including sample size and types of source documents relied upon by the auditor in conducting the tests
  • Green tick to highlight what we look for Observations of the operational effectiveness of the controls and issues identified, and
  • Green tick to highlight what we look for Actions required to address identified issues included expected dates of completion
  • Green tick to highlight what we look for An independent opinion as to whether the selected controls are operating effectively.

 

5. Self-review your GST Correct Reporting through Data and Transaction Testing

5.1 Background

The way in which your business systems create, capture, collate and report GST impacted transactions is fundamental to the correct reporting of your GST obligations.

The ATO considers this one of the most significant focus areas for a GST assurance review because incorrectly reported transactions can often lead to significant GST revenue effects over time. For example, in a high volume - low value environment such as a retail outlet, an undetected GST classification error of just one product could extrapolate to significant GST shortfalls when replicated throughout large volumes of sales across a large number of stores.

In assessing the correct reporting of your GST obligations, the ATO expects that you undertake assurance and verification procedures that align with your business and that are tailored to your own operating environment. The ATO considers data and transaction testing as a critical aspect of this process.

GST Data Testing

Data testing involves running a number of pre-determined tests (see Appendix 4) against a defined data set to identify reporting errors and exceptions for further investigation and or correction.

GST Transaction Testing

Transaction testing involves tracing an identified transaction from its source documentation through to the financial reports to confirm the accuracy of the GST treatment, calculation and reporting of the transaction. Where errors and exceptions are identified, further investigation will be necessary and / or correction may be required.

Application in a justified trust review

As explained above, a justified trust review includes seeking assurance in relation to GST risks flagged to market (Focus Area 2) and atypical, new or large transactions (Focus Area 3). Your testing must also include these transactions and we will seek to understand how you have treated these transactions for GST purposes.

The ATO will review data and transactions for correct reporting. This includes further analysing transactions where we identify errors, anomalies, outliers or other exceptions from the data testing. It will also include separately analysing transactions relevant to any GST risks flagged to market and new or large transactions to confirm that these have been correctly treated and reported for GST purposes.

5.2 Data Testing

5.2.1 Intent

The purpose of data testing is to obtain quantitative insights and assurance over transactional data.

An effective data testing plan is one that is tailored to the specific business so that reasonable conclusions can be drawn in respect to whether your business systems are capable of correctly capturing, recording and reporting your GST obligations.

Applying data analytics over GST data assists in the identification of:

5.2.2 Scope and Methodology

We look to the objective evidence that demonstrates the scope and methodology of the data testing with specific reference to the following:

5.2.3 The entity to be reviewed

It is common for taxpayers in the large market to have multiple GST reporting entities and GST groups. The scope of the data testing is driven by whether you are a top 100 or top 1000 taxpayer.

Top 100

In undertaking a self-review it is important that you obtain sufficient coverage over the whole GST economic group. We consider that a BAS relating to the largest GST reporter that provides at least 75% coverage of the GST throughput8 of the economic group represents sufficient coverage. Therefore, for the top 100, you should use the following criteria:

Examples - Selecting the entity to be reviewed

Example 1

ABC Group which is comprised of 140 entities predominantly taxable business operations. It is comprised of a single BAS lodger with a total GST throughput (Labels 1A + 1B + 7A) of $2 billion.

  • > XYZ Co is the GST group reporter (with 139 members) with a GST throughput of $2 billion

Green tick to highlight what we look forSelect XYZ Co as it provides the total GST throughput of the ABC Group.

Example 2

ABC Group which is comprised of 140 entities predominantly taxable business operations and is comprised of multiple BAS lodgers with a total GST throughput (Labels 1A + 1B + 7A) $2 billion.

  • > XYZ Co is the GST group reporter (with 120 members) with a GST throughput of $1.52 billion

Green tick to highlight what we look forSelect XYZ Co as it represents more than 75% of the total GST throughput of the ABC Group or the entire ABC Group.

Example 3

ABC Group which is comprised of 140 entities with unique business divisions and entities that make input taxed supplies, GST-free supplies and property transactions and is comprised of multiple BAS lodgers with a total GST throughput (Labels 1A + 1B + 7A) $2 billion.

  • > XYZ Co is the GST group reporter (with 100 members) that makes taxable supplies with a GST throughput of $1.52 billion
  • > Finance Co makes predominantly input taxed supplies with a GST throughput of $170million
  • > Retail Co makes both taxable and GST-free supplies with a GST throughput of $160 million
  • > Development Co makes both taxable and input taxed supplies (residential properties) with a GST throughput of $150 million

Green tick to highlight what we look forSelect Finance Co, Retail Co and Development Co as these entities may present a greater GST risk even though XYZ Co represents more than 75% of the GST throughput of the ABC Group.


 

The ATO understands that undertaking a self-review of your GST correct reporting involves a substantial investment in your time and resources. To ensure your self-review is undertaken as efficiently as possible and achieves the desired outcome, you are invited to discuss your intended scope and methodology with your Senior Relationship Manager before you begin your self-review.

Your Senior Relationship Manager's contact information is listed on the most recent copy of your ATO Risk Differentiation letter.

Top 1000

As noted above for top 100 taxpayers, to draw a reasonable conclusion that your business systems are capable of correctly capturing, recording and reporting your GST obligations, it is important that you obtain sufficient coverage over the whole GST economic group. We encourage you obtain sufficient coverage over the whole GST economic group. In our justified trust reviews for GST we are likely to review the governance framework for the largest GST reporting entity in your economic group. We may also review the governance framework of other GST reporting entities in your group if they have entities or business divisions that may present GST risk or have recently undergone major business system changes.

The desired scope of data testing will depend and rely on the individual facts and circumstances.

If you have been notified of a top 1000 GST assurance review, we will discuss the scope of any data testing or self-reviews you have already undertaken at the commencement of the review. We will also work collaboratively with you where we identify any limitations in the scope of the work to close any identified gaps in this regard.

5.2.4 The overall architecture of the source systems

It is important to identify the systems that capture and record data to understand how data flows and GST specific information is captured, recorded and reported as well as the relevance of each system to the key GST touchpoints of a transaction. This provides the catalyst to identify which source system will be tested and determine the tests required. For example, to ensure the correct capture and reporting of sales values, data testing would start with the point of sale (POS) system.

5.2.5 How data is captured in source and business systems

To ensure completeness and accuracy of transactions, an understanding of how transactions flow into source systems and into business systems such as general journal and ledgers allows for testing of billing system totals against GST output accounts.

5.2.6 The data sample size

The ATO considers that it is better practice to test data that relates to the 12 month period that aligns to the most recent income tax return lodged. This will ensure that any improvements to the business system and data controls that you have implemented will be included in the testing scope.

The ATO considers a data set of at least three consecutive months (approximately 25% of all transactions) used as a representative sample of a full 12 month period as appropriate for business operations that involve a stable supply and acquisitions base.

Three consecutive months of data allows for month-end processes to be tested, trend and variance analysis to be performed and timing adjustments identified. It is also possible to test for the most common types of GST reporting errors made by large businesses from this data sample size. A list of common GST reporting errors and drivers for those errors is at Appendix 1.

There are a number of factors that will impact on the final data sample size chosen and the data analytics tests to be undertaken during a review:

Where any of the factors listed above exist, it is likely that further testing and a larger data set may be considered more appropriate to mitigate sampling risk and achieve the intended outcome.

Where you have identified that these factors exist in your business operations, it is recommended that the data sample size includes the periods where any of these factors are present. Where significant changes have occurred in the existing business systems or processes and controls or where changes in key accounting staff have occurred, it is recommended to include months that are pre and post these changes in your data sample size.

Where data testing results indicate a large number of GST errors that can be attributed to specific GST tax governance controls, the sample size should be increased to a level that provides sufficient evidence to support an accurate factual finding. Similarly, where the test results include a number of significant or one-off transactions, the sample size should be increased to ensure sufficient coverage of those transactions.

5.2.7 Determining what data to include in the testing (what fields or tables within the database are required to test specific business processes)

Once the data testing period is established, a data sample size and data fields are selected. The data request should contain sufficient detail to ensure the correctness and completeness of the data to be tested. Often this includes data from source systems such as Point of Sale (PoS). The table below provides the detail required in a typical data request.

ACCOUNTING REPORTS FOR GST GROUP
1. General Ledger (GL) transactions
  • > Entity or business unit
  • > Account Number
  • > Account Name/Description
  • > Reference Number
  • > Transaction Date
  • > Posting Date
  • > Description
  • > Debit Amount
  • > Credit Amount
  • > GST Tax Code
2. Chart of Accounts
  • > Entity Code
  • > Entity Code Description
  • > Account Number
  • > Account Name
  • > Chart of Account Structure
3. Purchase transactions
  • > Entity or business unit
  • > Invoice Date
  • > Posting Date (to General Ledger)
  • > Invoice Number
  • > Purchase Order Number
  • > Transaction Description
  • > Cost Centre Number
  • > Supplier Code
  • > Supplier ABN
  • > Supplier Name and Address
  • > GL Account Number
  • > GST Tax Code
  • > Gross Amount
  • > Net Amount
4. Sales transactions
  • > Entity or business unit
  • > Invoice Date
  • > Posting Date (to GL)
  • > Invoice Number
  • > Store/register number (for POS data)
  • > Transaction Description
  • > Customer Code
  • > Customer Name
  • > GL Account Number
  • > GST Tax Code
  • > Gross Amount
  • > Net Amount
  • > GST Amount
5. Trial Balance
  • > GL Account Number
  • > GL Account Name
  • > Debit Amount
  • > Credit Amount
  • > Year to date Balance
  • > Previous Year Balance
6. GST Code Listing
  • > GST Code
  • > GST Code Description
  • > GST Rates (%)
7. Supplier Master File
  • > Supplier Code
  • > Supplier ABN
  • > GST Status of Supplier
  • > Supplier Name
  • > Supplier Address
  • > GST Code

 

5.2.8 Testing Methodology

The ATO is aware that there are a number of commonly used data analytics software tools available to identify errors in the reporting of an entity's GST obligations. This may include proprietary specific purpose software or software tools used by accounting firms or data analytics service providers.

Where this type of software is utilised in performing the data and transaction testing, you need to compare the list of software tests against the list of ATO e-audit tests (see Appendix 4). This is important to ensure that the ATO can assess the results without the need to undertake further testing.

The comparison between data analytics software and the ATO data tests will provide valuable insights into further tests that may assist in your analysis and provide opportunities for further enhancements to your existing tests. This process will assist you in developing a tailored approach specific to your entity and promote a more streamlined and efficient process to ensure a targeted investment of your valuable resources.

5.2.9 Documenting your findings

The data testing you undertake needs to support the conclusion, including through objective evidence, that your business systems are capable of correctly reporting your GST obligations. Where data testing identifies errors and exceptions, process deficiencies and or over and under payment of GST, the steps you have taken to address these issues also forms part of this assurance. Further guidance is provided at 5.2.12.

5.2.10 Connections to GST tax governance controls

The outcomes from your data testing provide an opportunity for you to review underlying GST tax governance controls that may be contributing to the exceptions and errors identified. For example, where an error is identified in respect to the correct GST coding of a supply, the underlying error may be attributable to the review and sign off process that governs the Master File set-up.

5.2.11 Self-Review Process

Step 1: Identify the entity/entities to be reviewed

To draw a reasonable conclusion that your business systems are capable of correctly capturing, recording and reporting your GST obligations, it is important that the scope of the testing has sufficient coverage over your whole GST economic group. This has been discussed above.

Step 2: Identify the testing periods

Typically, the scope and methodology of the data testing will have a direct relationship with the observations and outcomes of the walkthrough of the business systems (see Appendix 3).

Gaps identified in governance controls can provide valuable insights into potential reporting errors and this information is used to identify and select a suitable representative sample of a consecutive three month period that has similar characteristics to the full 12 months being tested.

The period to be tested should reflect a 12-month tax period that aligns with the most recent income tax return lodged by the entity or the consolidated group.

In selecting three consecutive months as the test period as a representative sample of the period of review, consider:

In selecting the tests to be performed, consider:

Step 3: Testing the data

The data testing process begins with understanding the data, designing and deploying the tests and includes capturing and reporting the outcomes in the form of errors, exceptions.

It involves the extraction of data and the use of software to run the tests over the data. The software will produce error and exception reports that require further investigation and validation.

Key elements to consider when planning your data testing include:

Appendix 4 provides a list of the general tests that are undertaken by the ATO E-Audit function. These will assist in developing and enhancing your existing data testing processes. It also includes the approach to be used when determining whether specific tests will be required based on the unique attributes of your business.

Step 4: Documenting your findings

Capturing and reporting your data testing outcomes provides the objective evidence that demonstrates the extent to which your business systems are capable of correctly reporting your GST obligations.

The ATO expects that your report of factual findings provides sufficient detail and references to objective evidence.

Where data testing identifies errors and exceptions, process deficiencies and or over and under payment of GST, the steps you have taken to address these issues needs to be detailed and supported by evidence. Where further testing is conducted to test remediation activities, these should also form part of the report of factual findings.

Consistent with the ATO's record retention requirements, you must keep all records related to establishing, running and selling your business. This includes one-off transactions and those that support the calculations and amounts in your tax returns for five years after they are prepared, obtained or the transaction is completed, whichever occurs last.

Step 5: Disclose over and under payments of GST to the ATO.

In disclosing over and underpayments of GST to the ATO, you may be able to correct an error made in an earlier tax period in a future BAS. Goods and Services Tax: Correcting GST Errors Determination 2013 specifies the circumstances in which you may correct errors in working out your net amount for an earlier tax period.

5.2.12 Recording Testing Outcomes

The recording of the outcome of data testing undertaken must include the following:

5.2.13 Efficacy of self-review

The alignment of the scope, method and recording of the data and transaction testing undertaken to the guidelines set out in this section including the independence of the person undertaking the testing vis-à-vis the underlying control owner will determine the extent to which we can rely on the outcomes of your self-review and whether we undertake additional e-audit and transaction testing (including the scope and sample size).

5.3 Transaction Testing

5.3.1 Intent

Transaction testing provides an opportunity to test routine and specific transactions so as to understand and explain errors and exceptions identified during data testing. Based on the results of the data testing, sample transactions are selected and traced from source documents through the financial reports to confirm the correct GST treatment, recording and reporting of a particular transaction.

5.3.2 What we look for

We seek to understand the errors and exceptions identified during data testing to gain insights into the root cause of these discrepancies.

Where sampling is used, we seek to understand the reasons used to identify the sample transactions identified for further testing and the testing methodology adopted to ensure it appropriately addresses the identified errors or exceptions.

We seek objective evidence including the source documentation relied on to validate the GST treatment of the transaction. The source documentation may include:

We rely on your testing outcome report to understand the methods you used to validate the errors and exceptions and any remedial or corrective action that you have implemented to prevent similar errors from occurring in the future.

We expect that the report, including the full data set, is retained to comply with the ATO's record retention requirements and is able to provide it to the ATO upon request.

5.3.3 Connections to GST tax governance controls

Transaction testing outcomes provide an opportunity for you to review underlying GST tax governance controls that may be contributing to the exceptions and errors identified. For example, where an incorrect amount of GST has been calculated in respect to a transaction, the error may be attributable to an incorrect interpretation or application of the legislation which could relate to the way significant or new transactions are identified and escalated for consideration by a Risk Management Committee.

5.3.4 Self-Review Process

Step 1: Review the errors and exceptions emanating from data testing.

Step 2: Select a sample of transactions from the errors and exceptions for examination and analysis to validate the data test outcomes.

In deciding on the sample size factors to consider include:

Step 3: Documenting the sampling methodology and the factors considered in determining the sample size.

To ensure that the sample size and sample methodology is fit for purpose, you should refer to professional standards on sampling.

Step 4: For the selected transactions, make appropriate enquiry, examination and analysis of the supporting documentation such as tax invoices, RCTIs, adjustment notes, journal entries, contracts, bills of lading and other documentation is sighted to understand and validate the correct GST treatment.

As part of this process, it is important to:

Step 5: For errors confirmed, note the corrective and remedial action required and or taken to prevent these errors occurring in the future and note if any escalations were made to senior management with respect to errors identified.

Step 6: Capture and report findings including quantum of the error.

Step 7: Disclose over and under payments of GST to the ATO.

In disclosing over and underpayments of GST to the ATO, you may be able to correct an error made in an earlier tax period in a future BAS. Goods and Services Tax: Correcting GST Errors Determination 2013 specifies the circumstances in which you may correct errors in working out your net amount for an earlier tax period.

5.3.5 Recording Testing Outcomes

The report of transactional testing should include:

Appendix 1 - Common drivers and errors in GST reporting

Drivers

The following table lists the common drivers for errors in GST reporting:

Driver Issues
Governance and Systems Issues Poor governance that includes gaps in procedures and/or controls often lead to incorrect or the late reporting of GST obligations.

Taxpayers may inadvertently underpay GST or over-claim input tax credits due to a breakdown in part of their processes or systems that capture, collate, report and reconcile the data that determines their GST liability.

The sub-drivers:

  • > Systems - Coding errors and issues with the flow of information through the business system.
  • > Controls - Failure to undertake reconciliations and testing of controls.
  • > Processes - Absence or deficiencies in procedures or absence or deficiencies in documented procedures. Unstructured manual interventions or work arounds.
New system The implementation of, or migration to, a new business system.
New or one-off transactions Internal controls are generally not in place to handle events outside of usual core business activity that creates the risk that one-off transactions can be incorrectly classified.
Structural change A structural change occurs without the review of systems and procedures. This can include a change in entity type, a restructure of business units, a merger (or demerger) and an acquisition or sale of a business unit.
Related entity dealings Transactions between related entities are not appropriately treated.
Personnel issues Staff turnover or leave at any level can lead to resource and capability gaps that impact on correct or timely reporting of tax obligations.

Tax technical understanding and knowledge issues

Incorrect interpretation of the law through lack of knowledge or capability, especially in relation to complex issues or law.

This also includes 'following the market' decisions on the GST treatment of a transaction without confirming the correct legal interpretation.

Changes to the law

Not updating existing policy, procedures or knowledge to deal with law change.

ITC estimators

Use of an ITC Estimator

See https://www.ato.gov.au/Business/GST/ITC-estimators/


 

Common errors

The following table lists common errors in relation to GST reporting:

Area Types of Error
BAS preparation
  • > Transposition of figures when completing a BAS
  • > GST control accounts not cleared
  • > Not including invoices produced outside normal business systems
  • > BAS reconciliations are not completed
  • > Errors in spreadsheets used as part of BAS preparation to consolidate figures from separate business units.
Transaction classification
  • > Over-claimed international travel and entertainment expenses
  • > Early termination fees charged under retail customer contracts incorrectly treated as being not subject to GST
  • > Claiming GST on total tax invoice amounts when part of the transaction was not subject to GST
Communication between related entities
  • > Both entities claiming the same expense item
  • > Incorrect transfer of GST information between entities
  • > GST credits being claimed for tax invoices created by the recipient although no agreement had been established between the recipient and the supplier
System related
  • > Processing rebates incorrectly
  • > System errors when using luxury car tax (LCT) software
  • > Incorrectly treating sales as taxable when supplied to a member of a GST group
  • > Not adjusting for bulk purchase discount
  • > Using outdated formulas
  • > Errors associated with new accounting software
  • > GST code mapping not synchronised with accounts
  • > Incorrect GST codes allocated
One-off supply of assets
  • > Making incorrect attributions in relation to a hire purchase arrangement
  • > Errors in calculating GST on adjustments at the time of settlement of a land purchase
Business structure change
  • > Coding errors when merging two business systems
Interpretation of GST Legislation
  • > Misclassification of supply
  • > Exceeding the FAT from a merger

 

Appendix 2 - Common controls for GST and Income Tax

As mentioned at section 2 of this Guide, in addition to the three fundamental controls, there are five common controls across income tax and GST which form part of our JT areas of focus for governance. These controls are BLC1, BLC3, MLC1, MLC3 and MLC7. They are common controls because the design elements are equally as critical for both income tax and GST and there are common features in the way these controls are evidenced.

If you have already had an income tax assurance review, we will be largely relying on the evidence provided as part of that review where the results are equally applicable across both income tax and GST. We will only request additional evidence in relation to common controls if the source documentation submitted as part of a previous income tax assurance review does not extend to GST, or if there have been material changes in your tax control framework since the income tax assurance review. This approach is the same for top 100 and top 1000 taxpayers, however the intensity for top 1000 taxpayers will be different.

If you have not previously had an income tax assurance review, we will request evidence for all of the five common controls below.

The purpose of this appendix is to provide guidance on what we look for to demonstrate the design effectiveness of these five common controls.

BLC 1 - Formalised tax control framework

Intent

Sets out the parameters of how tax risks are to be managed in line with enterprise wide risk management strategy.

Core elements

  1. A tax strategy document that sets out how tax risks are to be managed (including GST and Income Tax).
  2. Board endorsement, or endorsement by a delegated authority where applicable.

What we look for

Tax strategy document

Board endorsement

Links to other controls

The strategy to manage tax risk sits across all board level and managerial level controls.

BLC 3 - The board is appropriately informed

Intent

The board has the leading role in overseeing risk management structures and policies. To do this the board must be informed of the tax risks (including GST and Income Tax) in the organisation.

Core elements

  1. Who informs the board.
  2. What matters the board is informed on.
  3. How the board is informed.
  4. When the board is informed.

What we look for

Policy, procedure or manual (or stated in a board reporting template) that addresses the above core elements:

1. Identifies who is responsible to report to the board (e.g. CFO, Head of Tax) and if there are any differences for GST compared to other taxes (e.g. via Chief Operations Manager, Chief Technology Officer) and how GST matters are escalated from the indirect tax manager (or equivalent) to ensure GST risks are covered by the Head of Tax / others in reporting of all tax risks to the Board .

2. Sets out what tax matters (including GST and Income Tax) are reported to the board; the minimum requirements are:

3. Specifies how the board is informed (e.g. board reporting template, memo).

4. Clearly articulates the frequency of reporting (e.g. quarterly, 6 monthly, annually).

Links to other controls

MLC 3 - Authorisation levels for significant transactions.

MLC 7 - Reporting on effective tax rates and whether tax paid aligns with business results.

MLC 1 - Roles and responsibilities are clearly understood

Intent

Clear accountability between departments or individuals reduces the risk of conflict in responsibilities that could lead to inefficiencies, such as duplication of work, delayed work or mismanagement of key tax risks.

Core elements

Documented responsibilities:

  1. For key roles: board, sub-committee (audit or risk committee), management and business units.
  2. In relation to:
    1. Review and preparation of BAS, income tax return and tax disclosure for financial statements.
    2. GST and income tax advice, including escalation of significant transactions to tax team and reporting to senior management (where required).
    3. Reviewing and maintaining the tax control framework.

What we look for

Links to other controls

All board and managerial level controls.

MLC 3 - Significant transactions are identified

Intent

Management of GST and income tax risks relating to significant transactions is critical as it may have a large impact on tax positions. This control focuses on the end-to-end process from identification through to risk mitigation strategies.

Core elements

  1. Significant transactions must be clearly defined by reference to materiality thresholds (monetary and non-monetary, e.g. reputational risk) and types of transactions.
  2. Escalation process to the tax team covering all business areas (for GST this should include A/R, A/P, finance/accounting, procurement, commercial legal).
  3. How the tax team categorises and rates the risks (including GST and Income Tax) and how these risks are recorded (e.g. by way of a tax risk register).
  4. Thresholds to obtain external advice or seek approval from senior management or the board and whether there are commercial/legal processes which require GST sign-off and by whom.

What we look for

Policy, procedures or operations manual that sets out:

Links to other controls

BLC 3 - The board is appropriately informed of how tax risks are trending in relation to significant transactions.

MLC 6 - Tax implications of significant transactions are correctly reflected in the BAS and income tax return.

MLC 7 - Procedures to explain significant differences

Intent

Process to explain differences between accounting disclosures, financial statements, the BAS and income tax return. This involves repetitive tasks, therefore documenting the process ensures consistency, reducing fluctuations (such as large unders/overs) year-on-year, and mitigates key person risk.

Core elements

Process or procedures for:

  1. Calculating income tax expense, deferred tax assets and deferred tax liabilities for the financial statements.
  2. Reconciling the tax note to the financial statements and the completed income tax return.
  3. Management to explain income tax paid compared to business outcomes and variances between tax expense for financial statements and tax payable for completed income tax return.
  4. Management to explain BAS reporting of GST payable on sales (1A) and GST receivable on purchases (1B) compared to business outcomes and variances in comparison to financial statements (e.g. through GST analytical tool).
  5. Management to explain variations between monthly net GST payable/receivable as reported on the BAS and monthly GST clearing account balances for management accounting purposes.

What we look for

Links to other controls

BLC 3 - informing the board on effective tax rates and alignment to business outcomes.

MLC 1 - responsibility to prepare and review calculations and report to the board.

MLC 6 - BAS and income tax return preparation process.

Appendix 3 - Systems and BAS Walkthrough

Walkthroughs

The systems and BAS walkthroughs involve gaining an understanding of:

Whilst a walkthrough overlays and informs particular aspects of our review of your tax governance framework, the review of the design of your tax governance controls is based on source documents.

Accounts Receivable (AR) and Accounts Payable (AP)

The objective is to understand and evaluate the systems used that support the AR and AP functions including meeting with relevant personnel that have the specialist knowledge and can explain key processes.

Key Personnel

For AR it will be those staff involved in the end-to-end sales process from customer set up to raising and issuing of sales invoices. For AP it will be those staff involved in the end-to-end AP process from vendor set up, procurement and processing of invoices.

Discussion points will include:

AR - Product setup and classification

We select different product types and step through the end-to-end process.

For the product(s) selected we are seeking to observe:

AR - Tax codes

Review of the list of available GST tax codes in the business system for sales.

For each tax code:

AR - Customer setup

Review the process for customer set up:

AR - Sales and invoicing

Review of the product list (including the GST tax codes) in the business system for sales.

For each sales segment, selecting a sample transaction, including any significant or non-routine transactions and stepping through the process.

For each transaction selected:

AP - Master vendor setup and maintenance

Review of the process for Vendor set up:

AP - Tax codes

Review a list of all the tax codes used in the business system relevant for acquisitions.

For each tax code:

AP - Procurement and invoice receipting, and payment review of the list of acquisitions (including GST tax codes) in the business system, and selecting some sample transactions

For each sample transaction stepping through the process:

Walkthrough Outcomes and Conclusions

The walkthrough of your AR and AP systems should confirm that your processes and controls ensure that:

For AR Processes For AP Processes
> Product Master Lists and the Customer Master List are set up and maintained regularly > The Vendor Master List is set up and maintained regularly including periodic review of Vendor ABN and GST status
> GST tax codes are hard coded and any changes are tracked and limited to authorised personnel > Acquisitions are correctly coded
> Access to systems that support the sales process is restricted to authorised personnel > Access to systems that support the accounts payable process is restricted to authorised personnel
> All sales are captured and correctly coded > Significant and non-routine acquisitions are identified and processed correctly
> Significant and non-routine transactions are identified and processed correctly > Suitable three way matching exists
> Segregation of duties exists > Segregation of duties exists
> Documented process exists for AR staff including checklists > Documented process exists for AP staff including checklists

 

Month-end Process

Observation as to:

For each task with a GST impact:

BAS preparation

The objective is to understand the BAS preparation process.

Key Personnel

Meet with the relevant personnel responsible for preparing, reviewing and signing-off the BAS to understand the BAS preparation.

Walkthrough Process

Step 1: Select a sample BAS period

We may select a sample BAS period and request the relevant personnel to step through how the BAS is compiled; from extracting the reports, completing the various BAS labels, the analysis undertaken, the review and sign-off, lodgment and ultimately to retention of the BAS working papers.

Step 2: Relevant systems and business processes

Systems and business processes that support the BAS:

Step 3: The BAS Preparation Process

Step through the BAS preparation process:

Step 4: BAS Review and Sign-off Process

Step through the BAS review and sign-off process:

Step 5: Retention of BAS working papers

Step through the BAS retention of working papers process:

Appendix 4 - General and specific data tests

General tests

ATO GST tests
Test Description of the test Why do we do the test?
BAS reconciliation For each BAS period, checks figures lodged in BAS against business system data, for labels G1, 1A, G10+G11, 1B. Verify that the amount reported in the BAS correctly represents the sales and purchases made by the entity in the reporting period.
Reversals For both sales and purchases, checks for reversal transactions and compares to the original transaction. Verify that where a reversal transaction has been processed, tax classification of the sale or purchase has not changed on reversal.
GST codes in General Journal entries Determine whether any General Journal transactions have GST tax codes. Verify that the correct tax codes and rates have been used and applied appropriately.
Monthly trends Create pivot tables or charts showing monthly trends of sales, cost of goods sold and expenses. Verify that the business systems reflect the level of sale and purchase activities that would be expected in the business.
Delays in entering transactions into the business system Use the posting date within the data to calculate the delay between a transaction's date and the date it was entered into the business system. The data can then be stratified to give a summary of the extent of the delays. Verify that system entries were made within a reasonable time of the transaction date to ensure correct attribution of sales and purchases.
Correct calculation of GST for taxable sales and purchases Confirming the rate of GST is 10% on all taxable transactions for sales and purchases. To verify that the business system is reliable in its capacity to correctly classify sales and purchases.
Tax code anomalies Identifying where a non-taxable tax code has GST applied. To verify that the business system is reliable in its capacity to correctly classify sales and purchases.

 

Sales tests
Test Description of the test Why do we do the test?
Gaps in sales invoice or sequence numbers Identifies gaps in the invoice or other recorded sequence numbers of sales transactions. Show the number of gaps in the sequence, the size of each gap and the date of the transaction that immediately preceded each gap. Verify that all supplies made by the entity have been recorded in the business system.
Correct tax code and amount - Sales Review of sales transactions by tax code, including summary totals for each tax code, list of transactions that appear to have inappropriate tax codes, and list of customers who have sales using more than one tax code. Verify that the correct tax codes and rates have been used for all sales and highlight where multiple tax codes may have been used for a customer.

 

Sales tests - specific to a retail environment
Test Description of the test Why do we do the test?
Reconciliation of Point Of Sale data to main business system data Reconciles sales recorded in POS system to sales recorded in the business system. Verify that the POS system has recorded all the expected sales activity.
Reconciliation of stock data or stock acquisitions to sales Reconciles stock turnover from stock system or purchase records to sales records. Verify that all sales recorded in the POS system and other systems have been recorded in the business system.
Trading hours analysis from Point Of Sale data Reports on the range of trading hours as recorded in the POS system. Verify that the POS system has recorded all the expected sales activity.
Gaps in trading, from Point Of Sale data Uses POS system data to find gaps where no sales are recorded in a user specified time limit. Verify that the POS system has recorded all the expected sales activity.
Staff operational hours analysis from Point Of Sale data Uses POS system data to report on first sale and last sale times for individual staff members. Verify that the POS system has recorded all the expected sales activity.

 

Purchase tests
Test Description of the test Why do we do the test?
Duplicate acquisitions Identifies duplicate acquisitions where input tax credits (ITCs) have been claimed. Multiple results may be given using different duplicate criteria. For example: 1. same date, amount, supplier name, and reference/Invoice ID or No 2. same amount and supplier name.

If data is available from related entities, can also check for duplicate input tax credits claimed by all entities.

Verify that ITCs on acquisitions have only been claimed once.
Supplier summary with ABN validity check Summary table of total number of acquisitions, total purchase amount and total GST amount for each supplier and confirmation of the ABN validity for each supplier. The bulk ABN look-up tool from abr.gov.au will assist with this task. ABN Look-up tools link. Verify that ITCs are not being claimed on acquisitions that are not related to the entity's business activity and that the supplier master file has accurate ABN data confirming the entitlement to ITCs.
Correct tax code and amount - Acquisitions Review of purchase transactions by tax code, including summary totals for each tax code, list of transactions that appear to have inappropriate tax codes, and list of suppliers from whom acquisitions have been made using more than one tax code. Verify that the correct tax codes and rates have been used for all acquisitions and highlight any suppliers where multiple tax codes have been used.

 

Specific testing

A bespoke approach will need to be used to determine what specific tests will be required based on the unique attributes of your business, including industry specific risks and risks identified in ATO public or private rulings and guidance documents. It is expected that you:

> Have an in depth understanding of the tax risks associated with your business and that you are aware of tax technical risks that apply. You should also be informed of ATO positions in ATO rulings and published guidelines, especially in relation to significant or unique transactions.

> In addition to tax risks, it is recognised that you have a systems design which relates to your individual business and industry. Complex or unique systems, structures that include multiple systems and interfaces should be understood, well documented and have a clear synergy. The whole systems environment should be taken into consideration focusing on points where a decision is made as to the GST treatment of the transaction.

The following examples illustrate this:

  1. A motor vehicle dealer has multiple technical elements which are unique and include:
  2. A food retailer may have multiple systems which are interfaced to their business system for a large number of retail outlets. The linked tax treatment may be driven by product codes from multiple system sources. These products may be updated from the ATO GST food guide and a private ruling for GST classification purposes may have been sought.
  3. A financial supply provider will have unique accounting rules to claim ITCs based on their Extent of Creditable Purpose (ECP). ECP rates may be applied through the business system based on business rules or applied in a separate database or separate system. The application of these ECP rates to the claiming of ITCs should be tested to confirm the ECP rates have been applied correctly within the applicable system.

The types of factors in the examples need to be considered when designing your approach and scope for the tests that will be required. In addition, it would be expected that you have a robust testing methodology to ensure the flow of tax reported is clear, concise and easily identified, and followed from points where decisions are made as to the GST treatment right through to the BAS.

In undertaking your data and transaction testing it would be expected that a level of sampling takes place in regards to specific risks that relate to your industry or have been flagged to market by the ATO.

For example, if you export goods the ATO would expect that a reasonable sample of those export transactions are examined to confirm that the 60 day rule has been complied with. This would include confirming that either of the two factors below has occurred and the goods have been exported within 60 days:

> the supplier receives any payment for the goods, and

> the supplier issues an invoice for the goods.

In other cases it may be necessary to test using a statistical sampling technique, such as stratified random sampling, due to the volume of transactions. This would then involve, for example, vouching from journal or transactional data to a valid tax invoice.

In the financial supplies example above, it would be necessary to design a specific data analytics test, based on your business system, to confirm the ECP rates have been applied correctly within the applicable system.

Appendix 5 - Additional information

This following links will take you to further guidance and resources regarding justified trust, and the top 100 and top 1000 programs including:

  • > Justified Trust
  • > Top 100 justified trust program
  • > Top 100 GST assurance program
  • > Top 100 risk categorisation approach
  • > Top 1,000 Tax Performance Program
  • > Top 1,000 GST assurance program
  • > GST streamlined assurance review - what we need from you
  • > Typical questions in a Top 1,000 streamlined assurance review
  • > GST and business systems: large business
  • > Tax risk management and governance review guide (*)
  • > Reviewing tax governance for large public and multinational businesses
  • > Make a voluntary disclosure
  • > GST, WET LCT and fuel tax credit voluntary disclosures
  • * For GST governance, you should focus on this guide in preference to the older tax risk management and governance review guide, as it provides more current and additional practical information on how we review GST governance for large businesses in our Top 100 and Top 1000 assurance reviews.

    Contact us

    To learn more about the Top 100 or Top 1000 GST assurance program, email us at Top100@ato.gov.au or Top1000Program@ato.gov.au

    For a copy of the GAT Guide and method statement we use to complete our GAT calculations, email GATSupport@ato.gov.au

    We welcome feedback as we continue to integrate our approaches for justified trust across income tax and GST.

    1    The top 100 population is determined through the annual moderation process which is outlined on our website (and a link is included at Appendix 5). The top 1000 population is also defined the same for income tax and GST being any foreign owned or Australian headed economic group with turnover greater than $250M.

    2    Refer to our large business Justified Trust webpage - see Appendix 5 for details.

    3    Refer to Practical guidance to reviewing tax governance published on 19 June 2018.

    4    Refer Appendix 2 for an explanation of what we look for regarding the design effectiveness of BLC1.

    5    GST throughput refers to the total $ amount of GST transactions that the taxpayer manages. It is the sum of GST on sales (1A), GST on purchases (1B), and deferred GST on imports (7A). This calculation provides a more accurate understanding of the amount of the GST - both liabilities reported and credits claimed. This includes the GST reporting obligations of the GST joint venture operator (but not in the capacity of joint venture participant).

    6    A branch of a GST registered entity can be separately registered as a GST branch. Separate BAS is lodged in respect of the branch. However, a branch of a registered entity cannot be registered as a GST if the registered entity branch is a member of a GST group.

    7    Refer to 'Reviewing tax governance for large public and multinational businesses' published on 19 June 2018 for further guidance.

    8    GST throughput refers to the total $ amount of GST transactions that the taxpayer manages. It is the sum of GST on sales (1A), GST on purchases (1B), and deferred GST on imports (7A). This calculation provides a more accurate understanding of the amount of the GST - both liabilities reported and credits claimed. This includes the GST reporting obligations of the GST joint venture operator (but not in the capacity of joint venture participant).

    9    A branch of a GST registered entity can be separately registered as a GST branch. Separate BAS is lodged in respect of the branch. However, a branch of a registered entity cannot be registered as a GST if the registered entity branch is a member of a GST group.


    Copyright notice

    © Australian Taxation Office for the Commonwealth of Australia

    You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).