Better practice can be demonstrated by a tax strategy document prepared by management, such as a board tax policy that provides details of how the organisation identifies and manages tax risk across all taxes.

This would include policies prepared by management and endorsed by your board of directors that:

• outline the organisation's tax risk appetite
• detail an acceptable level of tax risk for day-to-day operations and what requires escalation
• are published internally and in your annual report.

Better practice can be demonstrated by:

• documented role and responsibility descriptions for company directors
• programs for inducting new directors include briefings on key accounting and tax issues so they can perform their oversight of tax risk management strategies
• ongoing support and briefings by management for directors regarding tax risk management strategies
• allocating tax risk to an appropriate and independent board sub-committee – for example, an audit committee
• clear communication of expectations for managing tax risks from the board or sub-committee to management.

A board of directors 'skills matrix' as suggested in the ASX corporate governance principlesThis link will download a file to help identify gaps in the collective skills of the board. Consideration should be given to whether it would be beneficial to include tax in the skills matrix. The ATO notes the board ‘skills matrix’ is generally tailored to each organisation's unique circumstances.

Better practice can be demonstrated by:

• board or sub-committee charters include oversight of tax risks
• regular summarised progress updates to the board or sub-committee by management on how tax issues and risks are trending (i.e. high, medium or low risk) at board meetings
• board (or sub-committee) minutes or documentation that demonstrate members have been briefed by management on the effective tax rate of the business, including whether the amount of tax paid aligns with business results and, where relevant, reasons for significant misalignment
• board (or sub-committee) endorsement for positions taken by management that fall outside published ATO safe harbours or arrangements subject to tax-payer alerts issued by the ATO
• tax-risk registers tabled by management and escalation of issues by management where appropriate – note if you have sought external advice on the relevant risk or issue
• an annual report that includes a statement from the board attesting that they have effective policies and processes in place to manage tax risk – for example, a statement prepared in accordance with the principals in the Tax Transparency Code.

Better practice example: Periodic internal control testing

Better practice can be demonstrated by:

• a testing plan prepared by management to determine the effectiveness of the control framework. (this may include a gap analysis to identify which key controls are not tested via existing assurance processes – for example internal or external audits)
• reports from independent assurance providers (internal or external) that present findings on the effectiveness of the tax control framework, whether conducted primarily for tax controls or other interdependent controls
• evidence that the board (or sub-committee) has reviewed the results presented by management of control framework testing and any proposed remediation plans to be implemented by management for tax control failures
• documented assurance (such as an attestation) from senior management concerning the capability and capacity of the tax control framework.

Better practice example: roles and responsibilities

Better practice can be demonstrated by formal documents, policies or procedures for all roles and responsibilities relating to tax compliance and risk management.

These generally detail:

• role descriptions for tax compliance, administration and risk management
• roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel formal delegations (or authorisation levels)
• segregation of duties – for example, dual sign-off, Business Activity Statement (BAS)/ excise return preparation is segregated from review and authorisation prior to lodgment
• policies or committee charters that specify methods and frequencies for reviewing and escalating risks in the tax risk register, including follow-up of identified tax risks.

Better practice can be demonstrated by:

• a control framework approved by senior management that includes both preventative and detective controls
• clearly identified key controls, including how often they are tested by staff with appropriate experience designated as control owners
• senior management approval of the design and operating effectiveness of the internal controls governing tax compliance
• internal or external assurance reviews of tax corporate governance or control framework procedures
• staff training on tax-related topics including excise, GST and other relevant indirect taxes
• staff reviews, KPIs and performance agreements that incorporate tax corporate governance and risk management elements
• key personnel with professional qualifications and standards to ensure capability
• impacts of tax compliance risks considered by an appropriate management or board sub-committee; for example, a mergers and acquisitions sub-committee considers the tax risks of acquiring an entity
• existing channels for personnel outside of the tax function to identify and escalate tax risks
• tax-related reports generated and presented to senior management.

Better practice examples: identifying significant transactions

Better practice can be demonstrated by a policy for significant tax transactions that:

• specifies the value of what would constitute a significant transaction requiring authorisation from the tax area
• details the types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (and, by default, tax matters not requiring escalation)
• outline the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction.

A risk-identification process that accounts for qualitative and quantitative risk factors. Examples of typical risk factors include:

• volume of transactions affecting disclosures in the tax return, excise return or BAS
• financial accounting and tax reporting complexities and inconsistencies
• volume of manual adjustments made by management
• related-party transactions
• dealings involving low-tax jurisdictions
• year-end arrangements resulting in tax benefits
• revaluations resulting in tax benefits
• transactions or arrangements where there        
  • is a legal versus substance disconnect
  • are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome.
   
• the use of new and complex financial instruments or arrangement.
• manual coding and classification of transactions for GST and excise where systems were overridden Intra group transactions with GST groups
• reversals or corrections to lodged BAS
• tax risks have been rated, for example high/medium/low, with the appropriateness of the rating evaluated on a yearly or half yearly basis.
• reporting templates that are adhered to.

Note:

Consider our tax risk information when carrying out your risk-identification processes.

Better practice examples: Controls in place for data

Evidence of data integrity controls can include effective IT system and application controls that maintain the integrity and security of data.

For entities with organisational-level ITGCs, a tax function should identify the relevant IT controls that are key to the tax function in their tax internal control framework. These relevant IT controls should be designed and operating effectively to allow instances of IT control breakdowns to be remedied. Breakdown instances should be communicated to the tax function to assess and remediate any impact on the tax return/excise return/BAS.

This includes effective processes that allow the tax function to provide input on IT controls and functions, where the preparation of the tax return/BAS/excise return is dependent – for example, extracts of data from sub-ledgers, interfaces between systems, ensuring the system is calculating tax as intended.

Consideration of the relevant automated controls key to the tax function may include:

• the extent to which automated calculations, coding of transactions or data-processing routines programmed into the applications are used
• application of master tax codes and setting up of master files to classify GST transactions application of master product and customer codes to calculate the excise liability. Key master tables relate to excise include products, plants, permissions, customers, tax rates, vendors , tariff items and storage tanks
• the settings, rules and conditions within the master files affecting the payment of excise
• IT systems used at the terminal/site level for receipting products, product delivery and stock controls and their impact on calculating the excise liability
• the volume of transactions processed by a control is an indication of whether management should consider the application of ITGCs
• the extent to which your organisation makes use of complex spreadsheets, where the risk of formula error, unauthorised changes or access, and complex calculation, could increase the risk of error
• whether identified information system-control risks have been investigated via an internal or external review by assurance provider (per audit plan)
• reporting mechanisms exist between the tax unit and owners of ITGCs (and the rest of the organisation) regarding IT and system-related control weaknesses.

Better practice examples: record keeping policies

Better practice can be demonstrated by:

• a formally documented record-keeping policy for tax, including appropriate timeframes for the retention of records
• staff access to guidance notes via an intranet, or a set of procedures that are readily accessible explaining record-keeping requirements
• internal or external audits that verify compliance
• evidence that staff have been trained on record-keeping requirements for tax purposes (covering all taxes).

Better practice examples: documented control frameworks

Better practice can be demonstrated by:

• documented procedures for reviewing the tax return, including reconciliation back to the audited financial statements with retention of working papers detailing the calculation of the tax, excise and BAS return
• working papers reviewed and approved by management, indicating that they have checked the correct application of tax law to accounting transactions and accurate calculation of the tax, excise and BAS return.

Documented procedures and process manual/s for preparing the excise return and the BAS including the supporting reconciliations.

• Retention of working papers and reports supporting the excise return and the BAS
• documented processes and procedures for terminal/site level inventory controls and stock reconciliations affecting the calculation of the excise liability
• Working papers and reports reviewed and approved by management, indicating they have checked the correct application of tax law to transactions and accurate reporting for excise returns and the BAS.
• documented 'system map' showing the general process flow of how transactions are captured and flowed through to the GST/excise returns.

Better practice examples: explaining significant differences

Better practice can be demonstrated by documented procedures detailing:

• methods for reconciling the tax calculation prepared for the financial statements and the completed tax return
• methods for preparing deferred tax assets and deferred tax liabilities calculations for the financial statements
• methods for preparing tax calculations based on accounting transactions
• management have a mechanism in place to appropriately explain the tax performance of the entity when compared to the accounting result
• narratives to explain variances between tax expense for the financial statements and the tax paid/payable as per the completed tax return
• methods for reconciling the BAS and the excise return to the source systems data and the general ledger
• procedures in place requiring explanations for significant movements or deviations in the amounts reported in the BAS and the excise return compared to prior comparable periods or to the business operations of the entity.

Better practice examples: complete and accurate tax disclosures'

Better practice can be demonstrated by assurance that a tax, excise or BAS return review has occurred prior to lodgment. This reduces the likelihood of incorrect allocation and classification of line items, and that the relevant law, administrative guidelines and record-retention requirements have been taken into account in relation to issues such as:

• income tax
• capital gains tax
• transfer pricing
• GST
• excise
• research and development
• reportable tax positions
• Appropriate controls to review compliance risk for other types of taxes managed elsewhere, such as
• fringe benefits tax
• the super guarantee charge
• pay as you go (PAYG) (instalments and withholding)
• employee mobility (who bears and claims the labour costs)
• customs and excise duty
• fuel tax credits (FTC)
• luxury car tax (LCT)
• state-based payroll taxes
• stamp duty.

Better practice examples: dealing with law and administrative changes

Better practice can be demonstrated by:

• walkthroughs of process changes to assess whether changes to the law require updates to the internal control framework and development of new controls
• change requests submitted to senior management and changes to systems or control mechanisms implemented
• documented procedures to deal with difficulties implementing change due to law updates
• correspondence sent to us advising of difficulties (if applicable).

Example of a walkthrough scenario for a tax process

In the table below we outline an example of how you may document a tax function process to provide a clear view of your key control points. The walkthrough example below documents typical processes and controls for preparing a corporate tax return.

For entities with consolidated tax groups, we acknowledge that your tax return preparation processes and controls may be slightly different.

The Tax return process described above has been represented diagrammatically below. The green circles indicate key controls as per column two in the table above:

Example: Sample sizes for controls testing

An example of minimum sample sizes for controls testing is provided below

Example: Testing of control operational effectiveness

Key control: Reconciliation of document A to document B is completed and independently reviewed

Frequency: Monthly

Method of testing: Inquiry and inspection

Sample size: 5

Test: Randomly select a sample of 5 reconciliations performed between 1 July and 30 June and verify that they have been completed and reviewed independently. Note the control in the example below would not have been considered to be operating effectively (since sample 2 and 3 failed) – all 5 instances should have passed for it to be deemed to operate effectively.

Procedure

When performing this step we suggest that you leverage information potentially disclosed in Part B of the Tax Transparency Code which includes guidance on disclosures relating to tax policy, strategy and governance.

Obtain the entity's formalised tax strategy document and note the following:

• name of document
• date of document version
• date of board (or sub-committee) endorsement.

If a formalised tax strategy document does not exist, is in draft or has not been endorsed by the board (or sub-committee), enquire of the entity and report their response raising an observation there is no document.

If tax has been included in the overarching risk management framework and endorsed by the board, the tax strategy document may be delegated to or owned by management. In this scenario the inclusion of tax in the risk management framework should be checked and a copy of the tax strategy document obtained.

Better practice report inclusions

• Formalised tax strategy or similar documents that addresses how the organisation identifies and manages tax risks
• Extracts from the overarching risk management framework that relate to tax
• Extracts from the organisation's Tax Transparency Report (Part B) Approach to tax strategy and governance

Procedure

When performing this step we suggest that you leverage information potentially disclosed in Part B of the Tax Transparency Code, which includes guidance on disclosures relating to attitude towards tax planning and acceptable level of risk in relation to tax.

Obtain the entity's board (or sub-committee) endorsed policies that describe:

• the organisation's approach to risk management
• reference to BLC-3e for procedures in relation to obtaining advice
• the delegated authority for tax matters (for example, audit committee)
• endorsed risk management policies published internally where tax is included as an element
• the approach risk management (or summary version) included in their annual report, corporate governance statement or tax transparency report, if applicable.

Extract and note the page reference of the above items in the report.

To check the existence and accessibility of above policies published internally, inspect the entity's intranet/central repository or other forms of staff communication. Obtain and attach screen print and note the access date

Also check if the above content is included in the entity's most recent annual report, tax transparency report or corporate governance statement and reference the relevant pages.

If the above items have not been described in a board endorsed document, or not accessible in the locations outlined above, enquire of the entity the reasons for its absence, report their responses and raise an observation.

Better practice report inclusions

• Formalised tax risk management policy or similar documents such as extracts from the overarching risk management framework that addresses the organisation’s risk appetite and governance statements
• Extracts from the organisation's corporate governance statement

Procedure

Obtain the entity's board charter, annual report, corporate governance statement (or similar document) and note the name and date of document.

Extract and page reference the relevant sections of the document that describes the board's role and composition

Extract the sections that relate to the annual review of the risk management framework (of which income tax, excise and indirect tax will be an element) - note that tax might be included as part of compliance risk or regulatory risk components

Extract the sections that indicate the responsibility of management to attest to the controls in the risk management framework and the required frequency (BLC-3a); if absent, raise an observation - note this oversight responsibility can be delegated to the board audit committee as an example.

If the board charter (or similar document) does not exist or is in draft, enquire of the entity's reasons, report their response and raise an observation.

Better practice report inclusions

• Documented board (or sub-committee) level roles and responsibilities

Procedure

Obtain the entity's induction program for new directors and enquire if the induction program for new directors includes briefings relating to key accounting and tax issues. Potential inclusions might be:

• public statements prepared in accordance with the Voluntary Tax Transparency Code
• the presence of arrangements for which the ATO has issued Risk Alerts.

If ongoing training programs are offered in addition to the initial induction programme, obtain details of the training program by:

• in-house, outsourced or attendance at periodic tax update briefings provided by professional services firms, Tax Institute and so on
• list of topics covered by training program and identify if there are any tax-related topics covered.

If new director induction pack does not exist, enquire the reasons for its absence, report their response and raise an observation.

Better practice report inclusions

• New board director's induction pack

Procedure

Obtain extracts of policies, minutes, agendas or board papers from management that evidence how the board provides oversight over the entity’s tax risk management and noting:

• the frequency at which the board (or its delegated board committee) considers tax risk management strategy updates/briefings provided by management and report management’s response
• if the board (or sub-committee) require assistance with details of the tax risk management strategy with details of relevant party to provide assistance.

If documents do not exist for the above items, enquire of the entity reasons for its absence and report their response. If the board has delegated the overseeing function to an independent board sub-committee, proceed with BLC-2d.

ATO officers: refer to Interacting with PS LA 2004/14.

Better practice report inclusions

Better practice can include management updates or briefings to board directors on tax risk management strategies.

Procedure

If the board have not delegated this to an independent board sub-committee, note this and skip the remaining parts of BLC-2d.

Obtain sub-committee charter noting the name of the document and composition of the sub-committee

Extract the section(s) that indicate the responsibility of reviewing tax risks and the required frequency (BLC-3a). If absent, raise an observation. Note the review of tax risk might be done in conjunction with other risks or as part of an annual review of the overarching risk management framework.

If the sub-committee charter does not exist, or is in draft, or the composition of the members does not include board or independent members, enquire of the entity's reasons, report their response and raise an observation.

The local board for some multinational companies might consist of executive management with independent directors existing at parent level. If this is applicable, note this when responding to the procedures above.

Enquire of the entity when, within the last 12 months, tax-related matters were discussed by the sub-committee. Report their response and inspect relevant extracts of the agenda or minutes to check tax-related matters discussed, or presented by tax manager or head of tax.

Better practice report inclusions

• Independent board sub-committee charter.

Procedure

Enquire of the entity if the board or sub-committee communicates expectations to management regarding the management of tax risks. Document their response.

Procedure

There are multiple skills that might be considered when developing a board skills matrix dependent on the strategy and business circumstances of the organisation.

Industry taxation is an element of subject matter expertise that an organisation might consider when developing its criteria for a board skills matrix However the skills matrix is unique to each organisation according to its needs.

The absence of tax from the board skills matrix should not be considered an exception.

Enquire of the tax manager/public officer/company secretary if any circumstances have arisen where it would have been beneficial to have tax expertise at the board level and report their response.

Better practice report inclusions

• Board of director's ‘skills matrix’

Procedure

Refer to BLC-2a for board or BLC-2d for sub-committee charter.

If annual reviews of the risk management framework (which includes tax risk) are absent from the charter, enquire of the entity when was the last time that the risk management framework was reviewed by the board or the delegated sub-committee. Report their response and obtain extracts of an agenda and/or minutes to evidence the review.

Better practice report inclusions

• Independent board sub-committee charter
• Agenda or minutes of board or sub-committee meeting

Procedure

Obtain from the entity the most recent board (or sub-committee) agenda, minutes or papers which summarises:

• progress updates provided by management on tax issues
• risk trends assessed by management (i.e. high, medium or low risk)
• managements proposed changes to the risk register, including new tax risks, removal of tax risks and risks that have changed in ratings compared to the previous period
• for each tax risk listed, report if tax advice was sought by management.

If documents for the above items do not exist, enquire of the entity's reasons, raise an observation and report their response.

Better practice report inclusions

• Agenda or minutes of board or sub-committee meeting

ATO officers: refer to Interacting with PS LA 2004/14

Procedure

When performing this step we suggest that you leverage information potentially disclosed in Part A of the Tax Transparency Code which includes guidance on the disclosure of effective tax rates.

Obtain from the entity documented evidence that the board or sub-committee has been informed of:

• the effective tax rate
• the timing and permanent differences
• the alignment of tax paid with business results and justification for any significant misalignment.

If there is no documented evidence that the effective tax rate has been tabled by management to the board/sub-committee, enquire of the entity's reasons, raise an observation and report their response.

Documentation could include board minutes, board pack, annual financial statements or Tax Transparency Report or any other document where information on tax effective rate is briefed to the board should be obtained. Clearly reference the name of the document in the report.

Better practice report inclusions

• Board (or sub-committee) minutes or documentation that demonstrates members have been briefed on effective tax rate
• Documented processes to examine the alignment of tax paid with business results and justification for any significant misalignment

ATO officers: refer to Interacting with PS LA 2004/14.

Procedure

Obtain from the entity documented evidence that the board or sub-committee has been informed of:

• significant, new and unusual transactions
• changes in the business model affecting excise and the indirect tax outcome of transactions
• excise and indirect tax position taken
• changes to excise and indirect tax methodologies, for example apportionment of input tax credits on acquisitions for GST
• alignment of tax paid with business results and justification for any significant misalignment or variations.

If there is no documented evidence that excise and significant indirect tax issues has been tabled by management to the board/sub-committee, enquire of the entity's reasons, raise an observation and report their response.

Documentation could include board minutes, board pack, internal or external review findings or any other document where information on significant excise and indirect tax issues is briefed to the board should be obtained. Clearly reference the name of the document in the report.

Better practice report inclusions

• Board (or sub-committee) minutes or documentation that demonstrates members have been briefed on significant excise and indirect tax matters
• Documented processes to examine the alignment of excise and indirect tax paid with the business model of the organisation and justification for any significant (as defined by the entity) misalignment or deviations

Procedure

Enquire of the entity the following and document their response:

• What is management's process for determining if safe harbour has been breached?
• If safe harbour is breached or the organisation is party to an arrangement for which the ATO has issued a taxpayer alert, is there a process to communicate this to the board (or delegated board committee)?

If the above processes are documented, obtain a copy, note the document name and page reference the relevant section(s) of the document that corresponds to the above items.

Safe harbour

ATO or legislative 'safe harbours' apply to rules such as thin capitalisation, CFC attribution, transfer pricing and fuel tax credits. ATO releases early warnings to the community of concerns about new or emerging transactions, structures or arrangements we consider may represent a compliance risk through taxpayer alerts (TA).

We acknowledge that administrative safe harbours are designed to be compliance saving measures (for example, Public Rulings and PSLA’s) and that taxpayers may elect not to apply them. We recommend that you document your process for making such elections including appropriate escalation points.

Better practice report inclusions

• Documented board (or sub-committee) endorsement for positions taken outside the ATO published safe harbour

Procedure

Refer to MLC-3c for procedures relating to the tax-risk register.

Enquire of the entity if they have the following and document their response:

• Are tax-risk registers (or registers including tax risks) tabled by management to the board (or sub-committee) at appropriate intervals? If so, how often?
• Documented process (1) for escalation of issues by management where appropriate - for example, a material change in tax risk or uncertain tax treatment.
• Documented process (2) when management seek external advice on the relevant risks, issues and/or rulings from the ATO.

If documented processes 1 and 2 exist, obtain a copy, note the document name and page reference the relevant section(s) of the document that corresponds to the above items.

Better practice report inclusions

• Risk registers that may include tax risks or a separate tax risk register if that exists
• Documented process for escalating tax issues
• Documented process for seeking external advice on tax issues

ATO officers: refer to Interacting with PS LA 2004/14.

Procedure

When performing this step, we suggest that you leverage information potentially disclosed in Part B of the Tax Transparency Code which includes a description of the approach to risk management and governance.

Obtain the entity's annual report/corporate governance statement and check if a statement from the board has been included to attest that they have effective policies and processes in place to manage risk (tax might be included as a compliance or regulatory risk).

Enquire if tax is included as an element of the overarching risk management framework.

Enquire of the entity if they have a Tax Transparency Report. If so, obtain a copy and attach to report.

If attestation document/corporate governance statement or Tax Transparency Report is absent, enquire of the entity's reasons, report their response and raise an observation.

Better practice report inclusions

• Statement from the board attesting effective policies and processes for managing risks (page extract from annual report)
• Tax being classified as a compliance or regulatory risk
• Voluntary Tax Transparency Report

Procedure

Obtain management's testing plan to determine the effectiveness of their internal control/risk management framework.

Entities often have three-year or five-year strategic audit plans that describe rotational audits of key processes and controls and tax-related controls might be tested in conjunction with other processes such as testing of controls in the financial reporting framework.

Inspect the testing plan, page reference and note:

• the methodology to test the design effectiveness of controls
• the methodology to test the operational effectiveness of controls

Identify and list of tax key controls covering both income tax, excise and indirect taxes, including:

• tax key controls that are tested under existing assurance processes
• tax key controls that are not tested under existing assurance process and alternate plan on how these controls would be tested

Enquire if tax key controls are in scope for SOX (only if the US Sarbanes Oxley legislation applies).

If the listed items above are absent or have not been documented, enquire the reasons for their absence, report their response and raise an observation.

Obtain evidence that the testing plan or results thereof have been tabled to the board (or sub-committee) (BLC-4c) by management. If absent, enquire of the entity's reasons, report their response and raise an observation.

If a testing plan does not exist, enquire of the entity's reasons for its absence, report their response and raise an observation.

Better practice report inclusions

• Extracts from internal / external audit plan relating to tax elements covered as part of engagement.
• Listing of tax-related key controls as part of the organisation's internal control framework.
• Gap analysis that identifies which tax key controls are not tested via existing assurance processes
• Documented testing plans for tax key controls that are not tested via existing assurance processes

Procedure

When performing this step, we suggest that you leverage information potentially disclosed in Part B of the Tax Transparency Code which includes a description of assurance regimes the organisation is subject to, for example internal audit, external audit and ATO compliance products.

If some or all the entity's tax key controls are tested under their existing or planned internal audit cycle or are considered as part of the external audit program, obtain audit reports and note:

• the name of audit report or audit plan
• the date of report
• the provider
• the scope of audit/review including the testing of design effectiveness and operational effectiveness?
• the sample sizes.

If the audit is complete, list the findings/qualifications regarding tax controls and proposed remediation plans then page reference the sections that state the findings on effectiveness of tax controls.

Audits might not be conducted primarily to review tax controls but tax controls may be included with other interdependent controls.

For all the audit reports obtained, obtain board (or sub-committee) agenda and/or minutes to evidence that these reports (or a summary) have been tabled to the board (or sub-committee) by management.

If absent, enquire of the entity's reasons, report their response and raise an observation (BLC-4c).

Better practice report inclusions

• Extracts from internal or external audit report where tax-related controls might be included in the scope of review
• Internal and external auditor report – IT controls review (with a sub-section related to the tax function if applicable)
• Report on compliance by independent assurance provider
• Information disclosed in the organisation's Tax Transparency Report.

Procedure

Refer to BLC-4a (testing plan tabled to the board or sub-committee) and BLC-4b (audit reports tabled to the board or sub-committee)

Enquire of the entity how the board (or sub-committee) provides oversight on management’s progress to implement proposed remediation plans. For example, entities may have periodic follow up reviews to report the progress of audit recommendations.

Report the entity's response and obtain copies of follow up reports (if any) and page reference the section(s) that are related to tax controls recommendations.

Better practice report inclusions

• Board (or sub-committee) agenda/minutes
• Follow up report presented by management to relevant board or board sub-committee

Procedure

Obtain management's documented assurance (such as an attestation) from senior management concerning the design and operational effectiveness of the tax control framework and note:

• the findings and deficiencies
• the remediation plans
• the implementation dates
• the follow up testing.

If senior management’s attestation or assurance document regarding the design and operational effectiveness of the internal control framework (of which tax should be an element) does not exist, enquire of the entity's reasons, report their response and raise an observation.

Better practice report inclusions

• Senior management attestation on the capability and capacity of the control framework (of which tax is an element)

Procedure

Enquire if the entity has documented roles and responsibilities relating to tax compliance and risk management for their tax function and noting:

• name of document
• date of document
• document approver (name and title)
• if the document is formally endorsed by senior management and, if not, report an observation

Inspect the document, extract and page reference the sections of the document that describe the following:

• role descriptions for tax compliance, administration and risk management
• roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel (or authorisation levels)
• formal responsibility or process for excise and indirect tax staff members to partner with accounting/finance/operations and systems staff to consider the appropriate excise and indirect tax consequences of transactions
• formal responsibility for liaising with the ATO excise and GST relationship managers
• segregation of duties (for example, dual sign-off).

If documented roles and responsibilities do not exist, enquire of the entity's reasons for its absence, report their response and raise an observation.

Enquire about the entity's processes for reviewing, escalating and following up risks in the tax risk register and noting:

• name of document (if documented)
• date of document
• document approver (name and title)

If the document is not formally endorsed by senior management report as an observation.

Where available page reference the sections where methods and frequencies for reviewing, escalating and following up tax risks are described.

When escalation is required, identify any dollar threshold set for matters like errors and law changes.

If documented methods do not exist, enquire of the entity's reasons, report their responses and raise an observation.

Better practice report inclusions

• Documented roles and responsibilities relating to tax compliance and risk management
• Documented methods and frequencies for reviewing, escalating and following up tax risks

Procedure

Obtain the entity's tax control framework (or overarching risk management/internal control framework of which tax is an element) and note the following:

• name of the document
• date of document
• document approver (name and title)
• list of preventative and detective controls related to tax and page reference
• frequencies at which controls operate and sample size guide
• whether the tax control framework includes policies/procedures to ensure sufficient capacity of tax function - for example, management might consider the capacity of the tax function is not compromised by cost saving measures by        
  • the benchmarking of team headcount numbers versus industry peers
  • the comparison of tax obligation deliverables versus staff resources.
   

If documented control framework is absent, or is in draft, or is not approved, enquire of the entity's reason, report their response and raise an observation.

Better practice report inclusions

• Approved tax control framework (including both preventative and detective controls)
• Approved overarching risk management/internal control framework of which tax is included as an element

Procedure

Obtain the entity's documented key controls related to tax, testing frequencies and assigned control owners and note:

• name of document
• date of document
• identified key controls related to tax
• how often controls are tested and sample sizes
• transaction cycles for which walkthroughs have been completed
• details of owners for each tax key control (name and title).

If the above items are not documented, enquire of the entity’s reason for its absence, report their response and raise an observation.

Some of the information required for this procedure will be obtained in MLC-2a.

Better practice report inclusions

• Documented key controls related to tax, testing frequencies and assigned control owners

Procedure

Enquire of the entity if management have undertaken an assessment of their design and operating effectiveness of the internal controls governing tax compliance. Report their response.

Enquire if assessment results have been documented and approved by senior management. If so, obtain a copy and note findings raised from the assessment.

If documented assessment is not approved or in draft, raise an observation. Note that an organisation might review design and operating effectiveness of tax controls in conjunction with other controls in the risk management framework.

Better practice report inclusions

• Documented assessment of their design and operating effectiveness of the internal controls governing tax compliance, approved by Senior Management.

Procedure

Refer to BLC-4b for reviews of the tax control framework carried out by independent assurance providers.

Refer to MLC-6b where the review of tax provisions or tax positions as part of the year end external audit fieldwork can be leveraged.

Enquire of the entity if they have internal audits or management self-assessment reviews to examine their tax corporate governance or control framework as it relates to tax.

For example, organisations may adopt their own three lines of defence risk management framework for testing the design and operational effectiveness of their tax function.

Report their response.

If the testing of tax corporate governance or control framework has been undertaken by management, obtain a copy of their report, extract and page reference:

• the name of report
• the details of staff who performed the review (name, title, division)
• the synopsis of review scope
• the list of tax key controls
• the transaction cycles for which walkthroughs have been completed
• the sample size
• the findings or testing results
• the recommendations.

Better practice report inclusions

• Documented internal or external assurance audit plan (includes the examination of tax corporate governance or control framework procedures)
• Elements of the risk management framework relating to tax that might be tested as part of external or internal audits (reflected in the audit plan), for example, annual GST apportionment reviews

Procedure

Obtain the entity's training materials and training attendance registers for staff training on tax-related topics and note:

• training to date
• training type (in-house, external workshop, course, briefing or presentation by external advisors or professional bodies (for example, Tax Institute).
• training topics
• staff who attended.

Also note any personnel who have not attended training in the last twelve months and who work in the tax function. Enquire of the entity's the reasons for their absence, report their response and raise an observation.

If the tax training materials and attendance registers are absent, enquire of the entity's reasons, report their response and raise an observation.

Better practice report inclusions

• Tax-related training packs
• Tax-related training attendance register

Procedure

Enquire of the entity if tax corporate governance and tax risk management metrics have been incorporated into tax personnel staff reviews, KPIs and performance agreements. Report their response. An example would be the requirement to attend tax technical update training periodically.

Better practice report inclusions

• Documented KPIs or performance agreements (includes tax corporate governance and tax risk management)

Procedure

Enquire of the entity how they ensure adequate capabilities of key personnel within their tax team. Report their response.

If the entity's response relates to on-going training, obtain documented training documents or training attendance registers to tax-related training sessions held in the last 12 months.

The work performed in MLC-2e can be leveraged here.

Better practice report inclusions

• Role description for key personnel used in the hiring process
• Documented training documents or training attendance registers to tax-related training sessions

Procedure

Refer to MLC-3a and MLC-3d for consideration of how tax compliance risks are managed in significant transactions.

Refer to BLC-3b for consideration of how management ensure the board (or sub-committee) is appropriately informed.

Better practice report inclusions

• Documented policy or procedure describe the responsibility of considering tax compliance risks

Procedure

Refer to MLC-3a for documented processes for business areas to identify and communicate significant transactions to the tax team.

Better practice report inclusions

• Documented procedure describing how personnel from areas outside the tax function identify and escalate tax risks

Procedure

Enquire of the entity what tax-related reports are produced for senior management and who have these reports been circulated to. Include reports for all tax types and entity's response.

Of the reports that are presented to senior management, enquire of the entity to identify reports that include tax information or calculations, obtain a copy and note:

• name of report
• date of report
• distribution list
• type of tax (for example, Capital gains tax, GST, FBT, stamp duty).

Better practice report inclusions

• Tax-related reports presented to senior management

ATO officers: refer to Interacting with PS LA 2004/14.

Procedure

Obtain the entity's documented definition of significant transactions for tax purposes and note:

• where value would constitute a significant transaction requiring authorisation from the tax function types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (or sub-committee)
• whether the escalation process is automatic or manual (automatic escalation process is a system enabled approval process via workflows that are programmed in accordance with the entity's delegation of authority)
• the process other business areas use to identify and communicate significant transactions to the tax team (also refer to MLC-3d in relation to reporting templates)
• the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction
• the requirement to perform a Financial Acquisitions Threshold (FAT) test to ensure costs associated such significant transactions incorporate appropriately denied GST credits.

If documented definition of significant transactions for tax purposes does not exist, enquire of the entity's reasons for its absence, report their response and raise an observation.

Better practice report inclusions

• Documented processes for identifying, managing and escalating significant tax transactions
• New product or transaction approval documents
• Documented processes that capture information relating to:        
  • the identification of potential supplies made under significant transactions ( e.g. share sale/purchase is input taxed or asset sale/purchase is taxable/GST-free)
  • timing of proposed transactions, including any changes regarding the structure or type of transactions to be undertaken
   

Procedure

Enquire of the entity the following and report responses:

• How does management identify risks (such as a change in business, change in law) that would potentially warrant a change in the internal controls relating to tax?
• What are the triggers that would lead management to assess its risk and controls pertaining to the tax function?
• Does management have a process in place to automate controls for large volume transaction processes to improve efficiency?

Enquire of the entity whether the following examples of risk factors are part of their risk identification or risk assessment process:

• volume of transactions affecting disclosures in the tax return or excise return or BAS financial accounting and tax reporting complexities and inconsistencies
• volume of manual adjustments made by management
• related-party transactions
• transactions within GST groups dealings involving low-tax jurisdictions
• year-end arrangements resulting in tax benefits
• revaluations resulting in tax benefits
• GST recovery apportionment methodology assessment and monitoring (if applicable)
• transactions or arrangements where there is a legal versus substance disconnect        
  • there are steps added to a transaction making it more complex than necessary, resulting in a tax preferential outcome
  • the use of new and complex financial instruments or arrangements.
   
• Classification or treatment of uncommon, new or unusual GST transactions. (for example a sale of property involving margin scheme, sale or acquisition of shares)
• GST treatment and classification of transactions involving overseas suppliers and customers, including transactions with offshore related parties
• excise treatment of new 'developed' products.

In reporting their response:

• Enquire of the entity if there are any other tax risk factors considered by the management. If risk factors are documented by the entity, obtain and attach a copy to the report.
• Enquire of the entity if there have been any changes to the control framework in the past 12 months, as a result of errors or exceptions found in its tax control framework. If so, list them and the corresponding new controls or remediation plans in the report. Report entity's response.

Better practice report inclusions

• Tax risk identification document
• Internal control framework change request or IT control change request form

Procedure

Enquire of the entity what risk rating scales are being used and how often tax risks are assessed to ensure its ratings are appropriate. Report their response. If documented, obtain a copy and note the sections that correspond to risk rating scales and review frequencies.

Inspect the entity’s risk register and note:

• the number of risks in the risk register
• if each risk been assigned a risk rating
• the date when the risk register was last reviewed.

In addition, non-ATO personnel should note the nature of risks considered, who reviews these risks, who approves revised risk ratings, when was the risk register last presented to the senior management or the board or (sub-committee).

Better practice report inclusions

• Documented processed for ranking risks and review frequencies
• Risk registers that may include tax risks, or a separate tax risk register if that exists
• Risk registers that incorporate review of matters when ATO advises industry that certain industry issues/risks are under review

Procedure

Enquire of the entity if they have processes for reporting tax risks for all relevant taxes and significant transactions staff are required to use when identifying and reporting tax risks. Report their response.

Obtain evidence of how the process was adhered to when reporting tax risks and significant transactions. Note the reporting format, date, issue and tax law references in the report. For example, some industries make use of a New Product Approval template that would include a section for the tax team to complete.

If the reporting templates require the consideration of:

• what taxes apply to a significant transaction
• formal advice or consultation sought to assess the impact of all relevant taxes including excise, GST and other indirect taxes
• strategies or controls to manage any identified tax risk
• post implementation review to consider if the transaction was implemented as originally planned and if not reasons for changes are documented.

If the processes do not exist, enquire of the entity the format used for reporting tax risks and significant transactions (for example, emails). Document their response, obtain an example of the format used and attach to the report.

Better practice report inclusions

• Reporting template for reporting identified risks and/or significant transactions

ATO officers: refer to Interacting with PS LA 2004/14.

Procedure

Enquire of the entity if they have identified the IT system and application controls that are related to the tax function or preparation of the tax, excise and BAS return. If so:

• List the IT system and application controls that relate to the tax function or preparation of the tax, excise return and BAS preparation process (including data extracts or feeds from sub-systems). Where tax-related IT controls are documented, obtain a copy and attach to the report.
• List the maintenance of IT system and application controls that ensure adequate tax data integrity and security. For example, data integrity is the accuracy and consistency of data stored in a database. Data security is protecting data from unauthorised access and other destructive forces. Note that application controls relating to tax can also be maintained or tested as part of a wider IT General control environment.

If the entity indicates that there are reviews of system and application controls related to the tax function or preparation of the tax, excise and BAS return, enquire:

• Is the review undertaken in-house or outsourced?
• When was the last review performed?
• When is the next scheduled review?

A review of system and application controls relating to tax might also be performed as part of a wider IT General control review.

Obtain the report for the most recent review/audit and enquire of the entity which part of the review scope relates to tax applications or data. Report their response and page reference the report.

Inspect the review/audit report and note any findings raised and remediation plans that are related to systems and data used by the tax function.

If the entity has not identified systems and application controls that are related to the tax function or preparation of the tax, excise or BAS return then:

• enquire of the entity’s reasons
• enquire how the management ensure the completeness and accuracy of the tax function and preparation of the tax, excise or BAS return
• report their response.

If the entity has identified tax-related systems and application controls but has no mechanisms in place to maintain the control design and operating effectiveness of those systems and applications, enquire of the entity’s reasons, report their response and raise an observation.

Better practice report inclusions

• Review/audit of IT system and application controls report

Procedure

Enquire if they have organisational-level (or enterprise wide) ITGCs in place where the tax function can be identified and is documented. Document their response. If so, obtain the document and highlight tax key controls, noting how often these controls are tested.

In the most recent ITGC review, enquire if any IT control breakdowns were noted that related to the tax function. If so, obtain a copy of the ITGC report and note the remedial plans, due dates and action owners.

Enquire if the breakdown of tax-related controls was communicated to the tax function? If so, how was it communicated? Obtain copies of any written evidence (for example, emails). Report their response.

If the tax function is informed of IT control breakdowns that are associated with the tax function, enquire of the entity how does the tax function assess and remediate any impact on the tax, excise or BAS return? Report their response.

Note that IT general controls relating to tax might be reviewed as part of wider IT general control review for all systems.

Procedure for the income tax return preparation

Enquire of the entity in relation to preparing the tax return what software applications (for example, tax integrator) are used to perform tax return calculations (refer to MLC-4d) and note:

• the name of the application
• whether in-house or purchased (if purchased, details of provider/vendor and whether it is bespoke or off-the-shelf software)
• the frequency of the software update
• how the entity ensures that the programming of the application is updated to reflect law changes as they arise
• the relevant automated key controls built into the software with a brief description of the control
• when these controls were last tested for design and operating effectiveness and what results have been included in MLC-4a (if not, repeat MLC-4a).

If the entity uses spreadsheets for calculating their tax return (refer to MLC-4d) enquire:

• What controls are in place to ensure that formulas are correct?
• What controls are in place to ensure that the spreadsheets are only accessed and used by authorised personnel?
• When were spreadsheet controls last tested for design and operating effectiveness and have the results been included in MLC-4a (if not, repeat MLC-4a)?
• What datasets (for example, general ledger, and tax asset register) are required to perform the tax calculation?
• Which systems are data extracted from?
• How does data from sub-systems integrate with the software used to perform the tax calculation?
• How does the tax team ensure that the required data extracted from sub-systems is accurate and complete?

Where the tax team has previously identified issues (including changes required because of change of tax laws) with the IT controls or functions then identify:

• the nature of the issue
• how reported
• who it was reported to
• how it was rectified.

If issues are documented, obtain the document and page reference. Report their response.

Procedure for the BAS/excise return preparation

Enquire of the entity what accounting systems are used to capture transactional data to prepare the BAS/excise return (refer to MLC-4d) and document:

• the name of the application/system
• whether in-house or purchased - if purchased, details of provider/vendor and whether it is bespoke or off-the-shelf software
• the frequency and nature of the system updates/change
• whether all members of the GST group use a common accounting system or how their systems are integrated
• whether all excise transactions are captured within one system or multiple systems? How does the inventory management systems interact with systems recording and calculating the excise liability on transactions?
• how the entity ensures that the systems are updated to reflect law changes as they arise
• what controls and authorisation processes are there to ensure the accuracy of master file data including creation, amendments and changes
• what the settings, rules and conditions within the master files that affect the payment of excise liability and related categories including delivery location, unbonded/bonded status, excisable/duty paid goods, customer status (Lifter pays) and sales type
• what the procedures are for changing the classification of products in the accounting system including the authorisation process
• the relevant automated key controls built into the system with a brief description of it
• the controls in place to ensure the accuracy of data input and processing
• the ability to track changes to the adjustments made including changes to GST/excise classification of transactions
• any process to ensure staff responsible for entering data into the accounting systems understand the correct GST/excise treatment of a transaction
• how the accounting payable and accounts receivable process is recorded
• whether any or all the accounting functions and billing activities are outsourced
• as to when were these controls last tested for design and operating effectiveness and if the results were included in MLC-4a. (if not, repeat MLC-4a).

Enquire of the entity the following in relation to the BAS/excise return preparation process and note:

• the source system reports are used to extract data for the BAS/ excise return preparation
• whether all systems are integrated or are there any legacy/unintegrated systems requiring manual intervention to collect the BAS/excise return preparation data
• whether there are manual adjustments/journals required to correct/update system extracted data
• the process for ascertaining and correcting errors via the Out of Period Adjustment (OOPA) in excise reporting
• the controls are in place to ensure the extracted data is accurate, complete, classified, reconciled and reported correctly
• the controls in place to ensure the manual/automated journals are reviewed and validated for accuracy.

If the entity uses spreadsheets for preparing the BAS/excise return (refer to MLC-4d) enquire:

• the controls in place to ensure that formulas are correct
• the controls in place to ensure spreadsheets are only accessed and used by authorised personnel?
• when the spreadsheet controls were last tested for design and operating effectiveness and results included in MLC-4a (if not, repeat MLC-4a).

Where the indirect tax team previously identified issues (including changes required as a result of change of tax laws) with the IT controls or functions then note:

• the nature of the issue
• how it was reported
• who it was reported to
• how it was rectified.

If issues are documented, obtain the document and page reference, reporting their response.

Better practice report inclusions:

• Accounting system architecture overview or a diagram(s) that outlines how sales, acquisitions transactions and inventory movements flow through the system(s) to the BAS and sales reported for excise and/or WET
• BAS/excise return preparation instructions
• GST and excise manuals

Procedure

We note that application controls relating to tax might be covered by enterprise-wide controls and suggest these are leveraged for this procedure provided tax systems are included in the scope of these controls:

• MLC-4d-1. Refer to MLC-4c for details of software applications used to automate tax return calculations/BAS/excise return preparation or data-processing.
• MLC-4d-2. Refer to MLC-3b for details on the consideration of automating manual controls used for large volume transaction processes.
• MLC-4d-3. Refer to MLC-4c relating to spreadsheets used to automate tax return calculations/BAS/excise return preparation or data-processing.
• MLC-4d-4. Enquire of the entity if the tax team have considered the all information system control risks If so, enquire of the following and report entity's response:        
  • What risks were identified and which IT systems are the risks related to? List risk and IT systems.
  • Has internal/external audit identified these risks? If so, obtain documented risks by internal/external audit? Ensure these risks are related to the tax function and information systems.
  • Is internal / external audit planning to review these risks and the associated controls? If so, obtain internal/external audit plan and note the following:        
    • scheduled reviews to assess information system risks that are related to the tax function
    • synopsis of review scope
    • timing of scheduled review.
     
   
• MLC-4d-5: Refer to MLC-4c for details of reporting mechanisms from the tax team to the IT function.        
  • Enquire of the entity if there is a reporting mechanism in place from other areas of the business to the tax team regarding IT and system-related control weaknesses? Report their response.
   

Better practice report inclusions

• ITGCs scoping document or engagement letter
• Spreadsheet templates for calculating tax return and preparing excise return, BAS/WET calculations
• Internal (or external) audit plan
• Documented processes for reporting and remediating IT control breakdowns

Procedure

Obtain the entity’s record-keeping policy for tax and note:

• the name of the document
• the date of approval
• the document approver (name and title)

Identify if this policy is specific to tax and covering all tax types (if not, page reference the sections of the policy pertaining to tax).

Identify if the document specifies appropriate timeframes for the retention of records and requirements for retaining work papers that details tax calculations, including where work paper should be stored (password protected share drive).

If a tax specific record-keeping policy does not exist or is not formalised, enquire of the entity's reasons, report their response and raise an observation.

Better practice report inclusions

• Formally documented record-keeping policy for tax

Procedure

Enquire of the entity how staff get access to policies and procedures regarding record-keeping requirements for tax. Report their response.

If access is provided via intranet, obtain a screen print and check that intranet link’s accessibility that it leads to the correct policy document.

Procedure

Enquire of the entity if record-keeping policy compliance reviews have been undertaken as part of its internal or external audit program. Report their response.

If so, obtain a copy of the audit report and note:

• the name of the report
• the date of report
• the internal or external auditor
• the findings related to tax (if so, page reference and list findings raised and remediation plans).

Better practice report inclusions

• Report on the review of record keeping

Procedure

Obtain the entity’s training materials and note if the material provides guidance on record-keeping requirements for tax purposes and note:

• the date of last training session
• the training content
• the name of provider
• the list of staff attendance

If no training materials or attendance registers on record keeping for tax does not exist, enquire of the entity's reason and report their response.

Better practice report inclusions

• Training materials on record-keeping requirements

Procedure

Obtain the entity’s documented procedures for preparing the tax return (that is, book-to-tax process) and note:

• the staff members responsible for preparing and completing the tax return
• the systems and applications where data is sourced and processed automatically (Refer to MLC-4 for procedures relating to system and application controls)
• whether the process for preparing the tax return begins with the account profit or loss as per the entity’s financial statements (if not, document the entity’s approach for determining the taxable income)

If the entity’s book-to-tax process begins with the accounting profit or loss, document:

• the types of transactions (for example, depreciation) and circumstances (for example, depreciation rate for accounting differs from tax) that are added back to determine taxable income
• the types of transactions (for example, long service leave provisions) and circumstances that are deducted to determine taxable income
• any other tax specific items (for example, R&D offsets) that are generally considered and included in the tax return.

Obtain the entity’s documented procedures for reviewing the tax return and note:

• the staff member responsible for reviewing the tax return
• the procedures describing the reconciliation of the tax return figures back to the financial statements
• the requirement for providing a narrative to explain major variances from previous year
• the entity’s definition of major variance threshold that would require documented explanations.

If procedures performed by the reviewer as mentioned above for reviewing the tax return are absent or not documented, enquire of the entity's reasons, report their response (see note) and raise an observation.

Obtain the entity’s most recent review or reconciliation of tax return to the financial statements (also known as the book-to-tax reconciliation) and note:

• the starting point of the entity’s tax return calculation to process the accounting profit/loss
• whether the accounting profit/loss matches with the financial statements (if not, request the entity explain differences supported with detailed calculations)
• What are the items that were adjusted and the reasons for the adjustment (for example, elimination entries, permanent and timing differences, R&D offsets)? For adjustments are processed by software application, refer to MLC-4 for procedures relating to automatic adjustments processed by software applications.

Sample five manual adjustment line items (three items with the largest amounts adjusted and two other random line items) and perform a walkthrough of the calculation with the entity. Document their response; obtain screenshots of calculations and any supporting evidence. If the entity has less than five adjustments, sample all adjustment line items.

Enquire of the entity their processes and controls for completing other schedules relating to the tax return and report their response (for example, the Reportable Tax Position schedule).

Enquire of the entity if they have reviewed the frequencies of re-submission of their tax returns or BAS statement in the most recent financial year If so note:

• the number of tax returns re-submitted (all tax types, income tax, indirect tax, and so on)
• the common root causes for re-submissions
• any systemic impact to the entity's control framework
• any remediation of identified control breakdowns.

Note: Only relevant for entities that are required to have financial statements. If the entity does not have financial statements, document the entity’s approach for determining taxable income. The assumption is that most organisations will prepare financial statements for internal reporting purposes or for lodgment with ASIC if the organisation is a ‘reporting entity’.

Better practice report inclusions

• Documented control framework

Procedure

Obtain the entity’s documented procedures for preparing the BAS/excise return and note:

• the staff member/s responsible for preparing and completing the BAS/excise return
• the systems and applications where data is sourced and processed automatically (refer to MLC-4 for procedures relating to system and application controls)
• whether the process for preparing the BAS begins with the transaction data extracted from source systems (if yes, document the entity’s process for compiling the data for the BAS/or excise return)
• any system map (general process flow) showing how excise tax events are triggered
• the process in place to identify transactions that trigger an excise liability to be created or a movement of products without an excise liability or refund of an excise duty.

Ascertain how these following events flow through to an excise liability being generated and reported:

• purchase orders
• sales orders
• delivery advice
• goods receipts
• inventory adjustments and write offs
• order cancellations.

Enquire about the entity's data extraction process for the preparation of the BAS/excise return and document:

• the entity's process for ensuring that the extracted data is complete and reconciled to the general ledger/source systems
• whether the data extraction automated or the manual processes involved
• the reports that are run from systems
• the nature and types of manual adjustments/journals and the review process for ensuring these adjustments are valid and authorised
• the checks/reviews performed to ensure the accuracy of GST classification of transactions and excise classification of products?
• the reconciliation and review of GST general ledger accounts and relevant excise liability accounts and the approval process for journals/postings
• any periodic system/transaction testing undertaken to ensure calculations/classification of taxes are performed as required.

Obtain the entity’s documented procedures for reviewing the BAS/excise return and note:

• the staff member responsible for reviewing the BAS/excise return
• the procedures describing the reconciliation of BAS/excise data to the general ledger/source system
• any requirement for providing a narrative to explain major variances/deviations from previous periods or BASs/excise returns
• the entity’s definition of major variance threshold that would require documented explanations
• any requirement for ensuring that reported BAS/excise figures are consistent with the entity's business model and its operations (for example, increase in sales in a particular quarter or month is in trend with seasonality or a significant increase in acquisitions reported in BAS corresponds to a large capital purchase or for excise, the release of a new product line).

If procedures performed by the reviewer as mentioned above for reviewing the BAS/excise return are absent or not documented, enquire of the entity's reasons, report their response and raise an observation.

Obtain the entity’s most recent BAS/excise return preparation work papers and note the following:

• as the starting point of the BAS/excise return preparation is the extracted data reconciled and verified to ensure data is complete and accurate
• manual adjustments/entries are processed, note the nature and reasons for adjustments. Were they reviewed and authorised? (refer to MLC-4 for procedures relating to automatic adjustments processed by software applications).

Sample five manual adjustment/journal line items (three with the largest amounts adjusted and two other random) and perform a walkthrough of how they are processed with the entity. Document their response, Obtain screenshots of adjustments/calculations and any supporting evidence. If the entity has less than five adjustments, sample all adjustment line items.

Perform a walkthrough of BAS /excise return preparation process starting from the relevant system batch reports run, related spreadsheets, and checklists completed, final review before submission to post submission general ledger reconciliation of GST accounts (payable and receivable accounts).

Enquire of the entity their processes and controls for ensuring reviewing the reasonableness of the reported figures in the BAS.

Enquire of the entity if they have reviewed the frequencies of re-submission/revisions or late lodgments of their BASs/excise returns in the most recent financial year If so, enquire the following:

• How many returns have been re-submitted/revised or lodged late
• What are the common root causes for re-submissions/revisions/late lodgments?
• Is there a systemic impact to the entity's control framework
• Is there any remediation of identified control breakdowns

Report their response.

Better practice report inclusions

• Documented control framework including the BAS/excise return preparation process
• GST/excise manual

Procedure

Refer to MLC-5a for requirements for retaining work papers detailing tax return calculations and the BAS/excise return

Better practice report inclusions

• Documented process for retaining tax return and the BAS/excise return work papers

Procedure

The ATO notes that external auditors will review tax balances and verify the reasonableness of calculations and reporting of the GST liability in the BAS and overall excise liability as part of their field work during the annual external audit. Organisations should take credit for external reviews such as this, noting that these reviews will be performed using the accounting materiality concept. Materiality for tax might be significantly lower than the materiality applied in a financial statement audit.

Enquire of the entity if there is review and approval processes in place to check the correct application of tax law to accounting transactions and accurate calculation of the tax return and BAS/excise return. Report their response.

If a review process is in place, list the specific items that a reviewer would look for when reviewing the working papers. For example, how the reviewer understands major movements or variances in the working papers have been made correctly for tax. If review or approval processes are in place, obtain copies of physical or electronic sign off (that is, via email) of the calculation prepared for the most recently submitted tax return and note:

• the tax return/BAS /excise reporting period
• the preparer (name and title)
• the reviewer (name and title)
• the approver (name and title).

If there was no review undertaken or the review was undertaken, enquire of the entity's other management controls to ensure the complete and accuracy of the work and document their response.

Enquire of the entity if the external auditor has reviewed the tax positions, calculations, balances and reported amounts in the BAS during the year-end audit process. Report their response. Where applicable, enquire if they have also reviewed the excise liability calculations.

Better practice report inclusions

• Work papers with signoff by reviewer/approver
• External audit plan which includes review of tax balances and GST/excise in the scope of work

Procedure

We suggest leveraging BLC-3c relating to briefings on the effective tax rate of the business for this procedure as well as information in Part A of the Tax Transparency Report or notes to the annual financial statements if applicable.

Enquire of the entity what methods they have in place to reconcile tax return calculations to the financial statements. This includes:

• reconciliation of income tax expense to profit (commonly called “book to tax”)
• reconciliation from income tax expense to income tax paid or payable. The reconciliation should include material temporary and non-temporary differences. This reconciliation relates to current tax reported as component of the income tax expense in the financial statements on a ‘like for like’ year basis to income tax payable for the same year.

Report their response.

If methods exist confirm if they are documented. If so, obtain a copy of the document and extract the procedures for reconciling tax calculations to the financial statements.

Enquire of the entity if they have a summary of the major book-to-tax differences. If so, obtain a copy, sample the top five largest line items and enquire how the differences arise. Report their response.

Obtain a copy of the following two calculations for the most recent financial year:

• the tax calculation (in spreadsheet format with embedded formulas) for determining income tax expense in the most recent financial statements
• the taxable income calculation (in spreadsheet format with embedded formulas) supporting the most recent income tax return for submission to the ATO and noting        
  • the financial statement period
  • the tax return period        
    • Does the tax consolidated group match with accounting consolidated group? If not, obtain listing of entities within the tax consolidated group, listing of entities within the accounting consolidated group; and identify and document the entities that are not included in both lists.
    • What is the tax calculation result for “income tax expense”? Does this match with the financial statements? What is the current tax amount? What is the deferred tax amount?
    • What is the tax calculation result for “taxable income” for the tax return? Does this match with the tax return?
     
   

Better practice report inclusions

• Documented procedures for reconciling tax return calculations to the financial statements

Procedure

Enquire of the entity what processes they have in place to reconcile BAS/excise reported numbers to the source system, general ledger and financial statements if applicable

This includes:

• the entity's definition of what is considered a material or significant variance/write-offs
• the reports generated from source systems for the BAS/excise return preparation process? Obtain a list of reports and copies of these reports for one BAS/excise period
• reconciliation of BAS/excise data to the source system and the general ledger each month/BAS period/excise period
• reconciliation of annual BAS data to the financial statements that should include explanations for material variance between the reported BAS figures and the financial statements (for example, revenue reported in the financial statements may include items that are out of scope for GST).

If processes exist, are they documented? If so, obtain a copy and extract the procedures for reconciling BAS figures to general ledger and to the financial statements.

Obtain copies of the GST/excise general ledger account reconciliations for two months and enquire of the entity if there were major reconciling items or non-cleared items. If so, obtain a copy of the reconciliations and review top three reconciling items and trace how they were reconciled. Sight associated supporting documentation and explanations recorded. Report the findings.

Obtain copies of the BAS/excise working papers for a sample BAS/excise period and review the five largest manual adjustments posted to amend/modify extracted source systems data. Document the nature of the adjustments/journals and sight supporting documents.

Does the GST group match with accounting consolidated group? If not, obtain listing of entities within the GST group, listing of entities within the accounting consolidated group. Identify and document the entities if any, which are not included in both lists.

Stock control and reconciliation is critical in an excise environment. Enquire of the entity the following with respect to stock control and reconciliation and report their responses

• What are the procedures for receipting products into terminals/sites and delivery livery if products?
• What IT systems are used by sites/terminals?
• How often are the relevant systems calibrated and how are transactions entered into the systems as part of this process
• How do the site/terminal systems integrate /interact with entity's enterprise resources planning (ERP) and accounting systems
• What inventory checks are performed by inventory staff and what is the process in place to monitor losses?
• Is the tank or site reconciliation process of book to physical inventory documented? If yes, obtain a copy of the documented procedures
• What reports are used for the stock reconciliation process
• How is the tank balances closed off and how often does this occur?
• How are the losses or gains treated from the stock reconciliation process? How is the impact of the losses and gains assessed for excise?
• Who is authorised to make corrections or adjustments to book inventory and under which circumstances can they be made? Are these reviewed
• Are there any variations between product types?
• Are there differences in controls and processes between company owned sites and third party sites?

Better practice report inclusions

• Documented procedures for reconciling BAS reported numbers to accounting records and financial statements
• Documented procedures for reconciling reported figures in the excise return to the accounting records and source systems

Procedure

Enquire of the entity if they prepare deferred tax assets and liabilities calculations for the financial statements in accordance with AASB 112. Report their response. If process is documented, obtain a copy and extract the procedures.

Obtain a breakdown of the deferred tax assets and liabilities calculations, sampling five-line items (three items with the largest amount and two random) and reconcile the entity’s methods. In the event there are less than five items, sample all line items.

Procedure

Refer to MLC-3a for procedures relating to the entity’s process for business areas to identify and communicate significant transactions to the income tax and indirect tax teams.

Refer to MLC-3a for procedures relating to the entity’s process and threshold for seeking external advice

Refer to MLC-6a for the procedures relating to the entity’s overall tax return and the BAS/excise return preparation process. MLC-7 specifically addresses significant differences between accounting and tax.

When preparing the tax return calculations and the BAS/excise return, identify the entity’s process for:

• ensuring the correct application of income tax, excise and indirect tax laws to significant accounting transactions that were identified during the year (for example, if a major transaction requires clearance on tax and accounting treatment by internal specialists or advisers) (MLC-3a)
• retention of documents to evidence the reasons for difference in treatment for tax and accounting (for example, legal documents to evidence exempt income)

Where external tax advice has been sought during the year (MLC-3a), identify the entity’s process for correctly applying the advice in their tax return/BAS calculations

Report the entity’s response.

Better practice report inclusions

• Documented procedures for preparing tax calculations based on accounting transactions
• Documented procedures for determining classification and treatment of transactions for GST/excise

Procedure

We suggest leveraging BLC-3c relating to briefings on the effective tax rate of the business for this procedure as well as information in Part A of the Tax Transparency Report or notes to the annual financial statements if applicable.

Enquire of the entity if there is a practice in place to compare and report tax performance of the entity and accounting results by noting:

• any documentation of the practice
• any explanation provided for identified differences
• whether comparison analysis and explanations are reported to the board or governance body
• whether this a required item as part of annual reporting pack to the board or sub-committee.

If not, raise an observation.

Better practice report inclusions

• Documented procedures for comparing tax performance of the entity and accounting results
• Documented requirement for management reporting to compare and explain tax performance of the entity and accounting results
• Disclosures in a Tax Transparency Report

Procedure

Enquire of the entity if there is a practice in place to analyse the figures reported in the BAS/excise returns consistent with the business operations noting. Report entity's response.

If so, enquire of the following:

• is the practice documented?
• Are documented explanation/commercial reasons provided for identified differences and inconsistencies of trends?
• Is the comparison analysis and explanations reported to the board or governance body?
• Is this a required item as part of annual reporting pack to the board or sub-committee? (for example, trend analysis and aggregate monthly comparisons of GST payable/receivable in the BAS compared to the position reported in financial statements).

If not, raise an observation.

Better practice report inclusions

• Documented procedures for analysing the reasonableness of the reported figures in the BAS(s)/excise returns compared to the financial results and operations of the business
• Documented requirement for management reporting of significant variances and trends in BAS reported figures or excise liability reported and paid compared to the financial results

Procedure

We suggest leveraging BLC-3c relating to briefings on the effective tax rate of the business for this procedure as well as information in Part A of the Tax Transparency Report or notes to the annual financial statements if applicable.

Enquire of the entity if there is a practice in place to compare and report tax performance of the entity and accounting results including variances between tax expense for the financial statements and the tax paid/payable as per the completed tax return noting:

• any documentation of the practice
• any documented explanation for identified differences
• the type of variances considered material
• whether the comparison analysis and explanations are reported to the board or governance body
• whether this a required item as part of annual reporting pack to the board or sub-committee.

If not, raise an observation.

Better practice report inclusions

• Documented procedures for comparing tax performance of the entity and accounting results
• Documented requirement for management reporting to compare and explain tax performance of the entity and accounting results
• Disclosures in a Tax Transparency Report.

Procedure

Enquire of the entity if there is a process in place to analyse and explain variances between the BAS/excise reported figures and the accounting records. If so, enquire the following:

• Is the practice documented?
• Are variances explained and documented
• What variances are considered material.

Does the entity performs trend/variance analysis to understand significant deviations in BAS/excise reported figures to previous comparable periods?

Are BAS/excise figures reviewed for reasonableness to ensure if they are consistent with commercial operations and the business model of the entity?

If not, raise an observation.

Better practice report inclusions

• Documented requirement to retain narratives to explain variances between reported BAS/excise figures and the accounting records and prior comparable BAS/excise periods

Procedure

Note that while the guide contemplates all taxes, ATO officers considering tax risk management and governance as part of PCR, ACA or similar products, should focus on income tax elements. ATO officers should consider work of other business lines such as an annual compliance arrangement and key taxpayer reviews for GST to ensure credit is given where the requirement has been tested in a related process/product.

Enquire of the entity their process for reviewing and signing off on the tax, BAS and excise return to ensure that tax return or statement review has occurred prior to lodgment. If there is no process to review and signoff the return prior to lodgment, note an observation and report entity's response.

Regarding tax amendments/corrections/revisions, enquire of the entity as to:

• the process for determining when a tax amendment/correction/revision is required
• the process for calculating the tax amendment/correction/revision
• the process to identify the errors / control breakdown that results in amendments/corrections and revisions
• the process to rectify identified errors / control breakdowns for future tax returns excise returns and the BAS.

If there is no process to review and signoff amendments/corrections to the return, note an observation and report the entity's response.

Better practice report inclusions

• Assurance report of tax return or statement review

Procedure

Note that while the guide contemplates all taxes ATO officers considering tax risk management and governance as part of PCR, ACA or similar products should focus on income tax elements. ATO officers should consider work of other business lines such as an annual compliance arrangement for GST to ensure credit is given where the requirement has been tested in a related process/product.

Enquire of the entity if there are controls to review compliance risk for other types of taxes and report the response. If controls to review compliance risk are absent, raise as an observation.

Note if compliance risks and key controls have been identified by the entity for:

• fringe benefits tax (FBT)
• the super guarantee charge (SCG)
• pay as you go (PAYG) - instalments and withholding
• employee mobility (who bears and claims the labour costs)
• customs and excise duty
• fuel tax credits (FTC)
• wine equalisation tax (WET)
• luxury car tax (LCT)
• state-based payroll taxes
• stamp duty.

For items in the above list where no compliance risks or key controls have been identified, enquire of the entity's reasons for its absence and report their response.

Note that for most organisations FBT, PAYG, super guarantee and other payroll taxes and related controls will be administered by the payroll function, stamp duty legal departments, and customs and excise taxes by customs agents.

Better practice report inclusions

• Documented compliance risks and key controls for employee taxes (including FBT, etc.)
• Documented compliance risks and key controls for state taxes ( stamp duty, payroll tax)

Procedure

Enquire of the entity what are their processes for:

• awareness of tax law changes to income tax, excise and indirect taxes or taxpayer alerts in a timely manner
• assessing if the law change requires any changes in processes or internal controls
• making changes to processes or updating internal controls to address the changes in tax law.

Report their response.

If the above processes exist and are documented, enquire whether:

• law changes have affected the entity in the current financial year
• processes have been updated
• controls have been updated, added or removed.

Report their response.

Better practice report inclusions

• Documented policy for processing legal and administrative changes

Procedure

Refer to MLC-4c for details of reporting mechanisms from the tax team to the IT function.

Following from MLC-9a, enquire of the entity if changes to systems or controls are required to meet with new law requirements, and the review and approval processes required for those changes.

Identify how the entity ensures the implementation of approved changes to systems or control.

Document their response?

Better practice report inclusions

• Documented procedures for changing systems and controls

Procedure

Enquire if the entity has a policy that states how it will deal with or inform the ATO of any law update implementation difficulties. Page reference the relevant sections of the policy/document.

If no policy exists, enquire of the entity if they have had any implementation difficulties previously and how they addressed those challenges without consulting the ATO. Report their response.

Better practice report inclusions

• Documented policy for processing legal and administrative changes

Procedure

If the entity has previously communicated to the ATO in relation to difficulties associated with complying, administrating or addressing law changes, obtain a copy of their most current correspondence and attach to the report.

Better practice report inclusions

• Correspondence sent to ATO advising of implementation difficulties