Article Index

623 03861939n

While the rates for direct tax are decreasing everywhere across the world, the rates for indirect tax keep rising. With multinational companies we’re easily talking about amounts of over 5 billion euros of indirect tax flowing through the books. 

Yet according to big4 surveys, the control mechanisms for these numbers are still inadequate.

“Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing.”

Not only can an error in the accounts lead to major additional tax assessments and substantial penalties, but worse, a mistake of one percent can make the difference between profit and loss for a multinational company. 

The main reason that indirect tax receives less attention is because it is dealt with completely differently than direct tax. There are hardly any KPIs determined for VAT/GST and the CFO generally solely focuses on direct tax regarding managing tax risks.

Perhaps the most surprising is the fact that the financial auditor also points out the huge risks of insufficient control of indirect tax. On the one hand, it is strange, since it is the benchmark studies from the tax advisors of the same firms who sound the alarm bells.

"Trust, but verify is a form of advice given which recommends that while a source of information might be considered reliable, one should perform additional research to verify that such information is accurate, or trustworthy."

A company’s tax control framework that meets generally accepted control standards provides:

  1. insight into the areas prone to VAT risks (awareness),
  2. management has established the extent to which it is prepared to accept risks, and
  3. internal controls have been implemented that are appropriate given the material risks identified.

Clear responsibilities, effective systems, documented processes and robust controls

Definition Tax Control Framework A Tax Control Framework (TCF) is an internal control instrument specifically aimed at the tax function within a company and an integral component of a company’s business control framework, which is different for every organization. It is a system (process) to identify, mitigate, control and report tax risks.

The ultimate objective of a TCF is to be in compliance with tax laws and reporting requirements and manage the risks that exceed the companies' risk appetite.

Governance, risk identification, controls, communication and monitoring

Prevent risks and identify savings A TCF should prevent tax errors, identify opportunities in a timely manner and perform correct filings at the right moment.

A company's VAT control framework system is adequate if it provides insight into where material VAT risks may arise in the company (awareness), while the degree of risk tolerance is established internally and where appropriate control measures are taken with respect to these risks.

A review should take place of the categories of VAT risk the company is facing as well as the likelihood of occurrence, its potential impact and mitigation measures. Review the company's risk appetite and risk tolerance and the way in which risks is measured.

Effectiveness and efficiency of operations, the reliability of tax reporting, and compliance with applicable laws and regulation

Click to enlarge

definitions 1

See also chapter: OECD - Co-operative Tax Compliance - Building Better Tax Control Framework

Sufficient internal communication

A TCF requires a clear understanding of: the companies' material risk areas, the company's tax policy derived from business objectives, the VAT processes and risk based control measures (hard and soft controls) and roles and responsibilities of the indirect tax department and its shadow tax function.

  • Internal control is a process. It’s a means to an end, not an end in itself. Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

From: The Institute of Internal Auditors, Does Your Control System Pass the COSO Test, March 1998, Issue 2

A tax control framework consists of

  • Strong tax governance with an agreed tax strategy that is in line with wider business objectives an in-depth understanding of where the key risks lie within the business, including indirect and wage tax
  • Effective and efficient controls in place to mitigate identified risks
  • A clearly defined communications strategy for managing tax internally and externally
  • Ongoing monitoring activities and improvement efforts
  • Ensure strong governance including the implementation of strict guidelines.

See chapter: Awareness and acceptance by senior management

Threats and opportunities

Managing risk is about making decisions at all levels of an organization, to limit the effect and likelihood of threats happening and to increase the effect and likelihood of opportunities.

Uncertain tax positions In many countries indirect tax returns are not audited by the tax authorities. Tax certainty about tax positions taken will exist once the statutory time limits are exceeded. That might change when e-audits approaches are standard implemented as audit method or other VAT fraud measures come into force. What is often missed in a business case, planning and execution is a full understanding of the processes and controls needed to effectively and efficiently manage indirect tax.

A tax trend is that companies due to regulations will have to become transparent about their attitude to tax risk, its appetite and its approach to its relationship with tax authorities. It will cover the governance framework describing the way a business takes decisions on taxation including information on the systems and controls in place to manage tax risk.

It is therefore essential that a documentation exist of your (automated) tax control framework and a logbook – risk register – is kept of all identified inconsistencies. The internal tax function should always have insight into the areas for attention through this logbook. This allows tax managers to set the right priorities and take measures timely.

Below gaps might give rise to some important considerations from a benchmark perspective

Inability to comply with local VAT rules — Although the root cause will vary from one company and country to another, the risk is likely to arise because of the fundamental lack of resources with local knowledge, clear VAT policies and procedures, technology enablement and controls and metrics to facilitate and monitor compliance. In most cases, there is some combination of these causes.


System incompatibility — It isn’t uncommon to find that the ERP system or other available technologies do not support for example SSC staff as fully or effectively as required in making sound decisions related to VAT.


Processes not clearly defined  — Staff sometimes find themselves operating without clear descriptions or instructions as to how certain processes should function internally. That typically includes specific division of duties and defined responsibilities for every task and the person assigned to perform it, as well as the protocols for communicating with the tax office to receive updated information, escalate issues and solicit valuable feedback. The more pieces missing, the greater the risk.

Non-existent or inadequate processes and documentation — Since indirect tax guidance is not typically part of the brief, staff may not have access to VAT training, manuals or web-based technology to support their decisions and activities relative to VAT.

Insufficient communications — Staff may also be hampered by inadequate or unorganized communications between the indirect tax function and other operational business units (e.g., IT, logistics, group tax department) within the organization, making it very difficult to identify and address any crossover issues relating to VAT.


Non-existent or inadequate compliance controls — An indirect tax control framework and key performance metrics that focus on relevant indirect tax risk must be in place to provide the stability and transparency required to both enable and sustain compliance.  None of these “risk drivers” are insurmountable or prohibitively complex to overcome. That said, there are some equally significant VAT-specific rewards in a well-run and well-founded indirect tax function.

Performance improvement — Companies have seen a reduction in both manual effort and error rates in VAT processes from automating VAT decisions in an ERP environment and (or) using technologies available on the market such as tax engines and certain web-based applications.

Better time management — More time is available to tax staff to set up and implement VAT strategy and planning. Since problems can be anticipated at an earlier stage and action taken to pre-empt or solve them.


Process improvement — With for example a SSC doing a good portion of the “heavy lifting,” the organization has more time and resources to review, adjust, structure and optimize existing VAT processes. It may also lead to the development of a VAT team to operate as part of the overall international tax team.

Consistency and flexibility — An efficient and effective tax functioncan provide the company with a consistent operating model as well as flexible organizational design to support growth, profitability and compliance.  Once the company has evaluated the risks and rewards and conducted any other due diligence, the processes begin for identifying the VAT-critical functions, diagnosing the current state and designing the structure that will enable any effective migration.

From: The intersection of VAT and shared service centers

VAT risk based controls

Materiality of VAT risks There are a couple of elements that need to be considered to determine the materiality of VAT risks. Using absolute amounts is the way a business controls framework sets up a risk based approach.  However this is not sufficient as a VAT control framework is not only about paying the right amount of tax but also nowadays about avoiding risks that impact the reputation of the company.

The PowerPoint show risks relating to the company's reputation and potential impact for various stakeholders such as vendor and customers, but as well tax authorities, external auditors and shareholders. 

Creating a consistent and robust controls environment for VAT-critical processes

See chapter: Indirect tax risks and rewards

  • We are talking about extremely large amounts of money that lack appropriate control, but because KPIs have never been developed for this particular purpose, the risks remain outside the CFO’s field of view.
  • Many organizations still lack an effective ‘indirect tax control framework' for defining a strategy, systems and control mechanisms to manage risks linked to reporting VAT.

Roadmap to conduct proper tax management

In order to get buy-in from senior management it is often about setting the right priorities, understanding the root cause of underperforming and select a method for measurement that best fits. The deck explains what a tax function could do to get indirect tax higher on the priority list of senior management.

Written by Richard Cornelisse
 Richard LinkedIn

Richard advises multinational businesses in improving the efficiency and effectiveness of their Indirect Tax Function and Tax Control Framework.

He started his career as a manager at Arthur Andersen and then became a partner in EY where I led the indirect tax performance team for Netherlands and Belgium. Currently he is a senior managing director of Key Group.

Richard has over 20 years’ experience advising clients on international VAT issues. He is specialized in the tax aspects of financial transformations, shared service centre migration, and post merger integration work. Richard is also somewhat of a mentor, giving back to the profession. If you are interested in conversation and discussion, please feel free to contact him.