Indirect tax (VAT/GST) risk management  •  Scope: EU and global  •  Last reviewed: June 2026

VAT/GST Risk Management: Costs, Compliance Risks, and How to Manage Them


In brief. Value-added tax (VAT) and goods and services tax (GST) are often assumed to be cost-neutral, but they are only neutral when strict formal and material requirements are met. Because tax authorities now detect errors automatically through e-invoicing and SAF-T data, weak controls expose businesses to large assessments, interest, penalties, blocked refunds, reputational damage, and even personal liability. This article explains where VAT/GST risk arises, the most common root causes, how the EU is fighting VAT fraud, and how organisations can manage the exposure.

What is “VAT under management,” and why does it matter?

“VAT under management” is the total amount of VAT/GST flowing through a business, not the net balance ultimately remitted. Many organisations measure indirect-tax risk by looking only at the balance between output and input VAT. This understates the true exposure, because the sums passing through the business are far larger than the net amount paid to the authorities. Measuring risk against total throughput gives a more honest picture of what is at stake.

Why is VAT/GST risk management necessary if VAT is cost-neutral?

VAT is only cost-neutral when specific formal and material requirements are met; neutrality is earned, not automatic. The common argument is that VAT/GST is simply “money in and money out.” Every indirect-tax function knows, however, that deductible input VAT and liable output VAT must be managed separately. Where they are not, the result can be substantial assessments, penalties, and interest. Monitoring only the net position is therefore risky, and it begins to fail the moment people across the organisation lose sight of the amounts at stake. Benchmark studies repeatedly show the same pattern: too little control and too few key performance indicators — and when a control does fail, the amounts involved are usually large.

How are tax authorities increasing scrutiny of VAT?

Tax authorities increasingly detect VAT errors automatically by collecting and analysing transaction-level data through SAF-T and e-invoicing. Technological innovation has made audits far more effective, and the likelihood of additional assessments and penalties rises by the day as errors are detected more readily. The emphasis falls on timely and accurate VAT reporting, and on whether an effective tax control framework exists in high-risk areas — in effect, authorities are assessing the quality of a company’s tax risk management methods.

A parallel regulatory trend is the growing expectation of transparency. Companies are increasingly required to be open about their attitude to tax risk, their risk appetite, and their relationship with the tax authorities, including the governance framework that describes how the business makes decisions on taxation. For this reason it is essential that the (automated) tax control framework be documented, and that a logbook — a risk register — record all identified inconsistencies, giving the internal tax function continuous insight into the areas that require attention so that managers can set priorities and act in time.

What VAT risks arise in accounts receivable and accounts payable?

Failures in VAT-critical AR and AP processes cause either overpayments, which are a real cost, or under-declarations, which bring penalties and reputational harm. Because tax authorities check the correctness of VAT reporting only after the fact, non-compliance can result in an assessment levied over many years — depending on the jurisdiction’s assessment period, which is five years in the Netherlands — together with interest and increased penalties. Penalties for incorrect invoicing are often calculated as a percentage of turnover, so the amounts escalate quickly: in Europe this can mean VAT of up to 27 percent on turnover (Hungary applies 27 percent), plus penalties.

The zero rate is a clear example. The supplier is responsible for satisfying every condition for applying the zero VAT rate; where it cannot, the authorities will recover the tax due through an assessment. If the applicable rate is 25 percent, the assessment will be 25/125 of the consideration charged, and that figure must then be increased by interest and penalties. Even a basic billing error — an invoice issued in the wrong name — can delay revenue and produce non-recoverable VAT. A single operational failure in the systems that move indirect taxes through the supply chain can therefore lead to additional assessments, penalties, blocked VAT refunds, and delayed customer payments. The risk is amplified because indirect tax is too often missing from the strategic and planning stages of a financial transformation, even though VAT touches finance, procurement, IT, and HR alike.

What are the most common root causes of VAT failures?

Most VAT failures fall into two groups: incorrect treatment or registration, and breakdowns in reconciliation or documentation. On treatment and registration, a process inside or outside the accounting system may apply the wrong VAT treatment to a transaction — charging VAT when it should not, or failing to charge it when it should. A business may overlook a requirement to register for VAT in a jurisdiction, even though establishment is often unnecessary to create the obligation: a mere sale of goods can be enough. The non-application of VAT may also go unevidenced, for example through missing export documentation, and VAT on intercompany transactions may simply not be accounted for.

On reconciliation and documentation, VAT turnover may not be reconciled to accounts receivable; a VAT credit may be rejected through accounts payable because the supporting purchase invoice was missing or defective; credit for VAT charged at importation may go unclaimed; and a business may fail to self-assess (reverse-charge) VAT when receiving services from a non-resident or transferring goods between EU Member States.

What should the tax function’s objectives be?

The tax function’s primary objective is to mitigate risk and identify opportunities that support the company’s supply chain. To do so it must understand the business’s activities and objectives, including research and development, and stay aligned with legal, HR, and IT. Finance and tax need access to data showing how transactions are processed and how IT systems are configured, because data integrity is itself an operational risk: wherever transactions are recorded in a country without proper evaluation for tax purposes, exposure builds. Where financial data does not match the intended business model, or changes are not managed effectively, gathering the tax data needed for reporting to regulators, investors, and authorities across every unit and country becomes a significant challenge.

How should companies assess VAT threats and opportunities?

Risk management means deciding, at every level, how to limit the likelihood and impact of threats while increasing those of opportunities — taking the right amount of the right risk. In practice this calls for two regular reviews. The first examines the categories of VAT risk the company faces, the likelihood of each occurring, its potential impact, and the available mitigations. The second considers the company’s risk appetite and tolerance, and the way risks are measured.

What VAT risks arise from shared service centres and offshoring?

Centralising VAT/GST functions in an offshore shared service centre (SSC) concentrates complexity and often strips out the local knowledge that kept compliance accurate. Historically, transactions giving rise to indirect taxes were handled by in-country entities familiar with local invoicing, liability, rate, accounting, and reporting rules. When those functions move to a distant SSC, operational requirements grow far more complex because one centre must handle countless transactions across different countries, languages, cultures, and tax jurisdictions — and turnover is often high while experienced local staff are made redundant. As multinationals adopt the shared service model, responsibility for indirect taxes migrates with it, and complexity grows exponentially once cross-border activity is involved, especially where controls are external, processes are manual, and procedures are undocumented. Invoicing is a frequent casualty: many payable invoices are mis-coded, so VAT is not deducted in time.

Case study: how a French multinational’s SSC migration went wrong

A multinational that centralised functions in Switzerland without documenting processes or analysing the VAT impact faced exposure to the full VAT amount plus penalties of up to 100 percent. The company also lost the staff familiar with the work, and with them access to the historical data needed to prepare VAT returns; remaining employees did not know how the returns were prepared or how manual adjustments were made. When a VAT audit was announced, SSC staff had to work around the clock to reconstruct the returns. The potential benefits of the migration were largely overshadowed by the cost of this emergency response and the disruption to normal operations.

How can companies foresee VAT risks before they occur?

The most reliable safeguard is to anticipate problems at the planning stage, before a business-model change creates them in practice. A change in business model can create not only VAT risks but also commercial ones — logistics difficulties in getting goods into a country, and delays or hold-ups that disrupt daily business. The root causes are often mundane: the company forgot to register for VAT, or procurement failed to agree which party would import the goods.

How does VAT risk affect corporate reputation?

Reputational risk is a central element of tax risk management because one tax position can influence others, for better or worse. If a company becomes associated with behaviour seen as unacceptable, suppliers and vendors may alter their contractual relationships, with potential consequences for shareholder value. Management’s task is to anticipate how public opinion is likely to respond.

How is the EU fighting VAT fraud?

The EU combines mandatory digital reporting, e-invoicing, and cross-border enforcement through the EPPO and Europol to detect and disrupt VAT fraud. Significant progress has been made, but the road ahead demands continued cooperation, new technology, and alertness to evolving tactics. The following cases, drawn from work by the European Parliamentary Research Service (author: Pieter Baert), illustrate both the scale of the problem and the response.

Italy — Sistema di Interscambio (SdI). Italy long had one of the EU’s highest VAT gaps, around €35 billion in 2018. In 2019 it introduced the SdI exchange system for business-to-business transactions: businesses must issue electronic invoices and send them to the SdI platform, where the authorities check the content before the validated invoice is forwarded to the customer, giving a near real-time view of the VAT trail. As one of the EU’s earliest and most stringent e-invoicing frameworks, the SdI is a highly advanced “clearance” model with broad scope. Its introduction coincided with Italy’s VAT gap falling from €35 billion to €16 billion between 2018 and 2022; while the system’s precise contribution is challenging to isolate, the timing strongly suggests it played a considerable role.

Investigation Admiral (I, II, III). In April 2021 the Portuguese tax authorities opened an investigation into a local electronics retailer suspected of VAT fraud. Reported to the EPPO, it became a Europe-wide operation of more than 200 searches and, with Europol and national support, uncovered the largest VAT carousel fraud network ever detected in the EU — worth about €2.2 billion. Further searches and arrests in November 2024 (Admiral 2.0) across 16 countries raised the estimated damage to €2.9 billion, and a month later a new suspected network worth €38 million was uncovered in Greece (Admiral 3.0).

Moby Dick. A 2024 EPPO investigation codenamed Moby Dick, into suspected VAT carousel fraud linked to Italian organised crime, led to 43 arrest warrants and a €520 million freezing order. In Italy alone, 129 bank accounts were frozen, and 44 luxury cars and boats, together with 192 properties, were seized.

Silk Road. In a Europol-supported operation at several locations in Belgium, four suspects were arrested over a suspected CP42 fraud ring in which goods were imported VAT-free through Liège airport under the pretence of being destined for another Member State. The ring is believed to have caused up to €310 million in evaded taxes and duties.

Can individuals be held personally liable for VAT failures?

Yes — personal liability for compliance officers and executives has been rising, and individuals have been fined, banned, or jailed. In one industry survey, 59 percent of respondents (up from 53 percent in 2014) expected the personal liability of compliance officers to increase in 2015, with 15 percent anticipating a significant increase. Compliance officers and executives at firms as varied as Swinton Insurance, Bank Leumi, Bank of Tokyo-Mitsubishi, Brown Brothers Harriman, and Deutsche Bank have faced fines, bans, or imprisonment — or some combination of the three.

Can VAT fraud lead to criminal charges and jail time?

Yes — tax authorities and public prosecutors increasingly bring criminal charges, with consequences for both corporate reputation and individuals. In one example, prosecutors investigated 25 bank staff on suspicion of serious tax evasion, money laundering, and obstruction of justice, searching the bank’s headquarters and private residences in Berlin, Düsseldorf, and Frankfurt. Deutsche Bank stated that two of its Management Board members, Jürgen Fitschen and Stefan Krause, were involved in the investigation because they had signed the company’s value-added tax statement for 2009.

Frequently asked questions

Is VAT really cost-neutral for businesses?

Not automatically. VAT is neutral only when a business meets all the formal and material requirements — correct invoicing, valid documentation, proper registration, and accurate reporting. When those conditions are not met, the business bears real cost in the form of assessments, interest, and penalties.

What is a VAT carousel (MTIC) fraud?

A carousel fraud, also called missing-trader intra-Community (MTIC) fraud, exploits cross-border trade within the EU. One trader collects VAT from a buyer and disappears without remitting it to the authorities, while other parties in the chain reclaim input VAT — sometimes recirculating the same goods to repeat the cycle. Operations such as Admiral and Moby Dick targeted networks of this kind.

What is a tax control framework, and why does it matter?

A tax control framework is the documented set of systems, controls, and governance a business uses to manage tax risk. It matters because tax authorities increasingly assess whether such a framework exists in high-risk areas, and because a documented framework with a risk register lets the tax function spot issues and act before they become assessments.

How large can VAT penalties be?

Penalties for incorrect invoicing are frequently charged as a percentage of turnover, so they scale with revenue rather than with the error. In Europe this can reach the full VAT rate on turnover — up to 27 percent in Hungary — plus additional penalties, and in some cases penalties of up to 100 percent of the VAT owed.

What does “25/125 of the consideration” mean?

When a supply that should carry 25 percent VAT is treated as zero-rated, the price charged is treated as VAT-inclusive. The VAT element is then 25/125 (one fifth) of the amount charged, which the authorities recover from the supplier, before adding interest and penalties.

How is the EU using technology against VAT fraud?

Member States are adopting digital reporting requirements and e-invoicing — Italy’s SdI “clearance” model is a leading example — alongside data standards such as SAF-T. These give authorities near real-time visibility of transactions, and cross-border enforcement is coordinated through the European Public Prosecutor’s Office (EPPO) and Europol.

Sources and attribution. The VAT-fraud case examples (Sistema di Interscambio, Investigation Admiral, Moby Dick, and Silk Road) draw on work by the European Parliamentary Research Service, Progress and Future Challenges in the Fight Against VAT Fraud, author Pieter Baert. Figures on personal liability and criminal proceedings reflect industry survey data and publicly reported investigations.

Richard Cornelisse

Tax Function Effectiveness expert