“Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing.”

Transactions in today’s business world

A different approach to business indirect tax advice Even as the world is shrinking, businesses and their growth strategies are becoming more complicated. A schematic drawing of the functions of a typical multinational today might look like a Rube Goldberg contraption—a complex of moving parts that must connect one to another for tax, regulatory, and reporting purposes.

And unlike the more contained structure for handling income-based taxes, responsibilities and key drivers for indirect taxes may be spread throughout the enterprise, residing not just in the tax department but in any of such diverse departments as finance, information technology, supply chain management and logistics, human resources, and beyond.

Added is the growing trend toward shared service centers (SSCs) that are responsible for operational processes including accounts payable and accounts receivable as well as other outsourced functions for tax, finance, and treasury. Tax determination and reporting for the entire operation may be governed by one or more enterprise resource planning systems, which in turn may be integrated to varying degrees, with or without the benefit of sophisticated technology tools.

All these factors make for a changing and increasingly sophisticated business environment that requires a different approach to business indirect tax advice.

'As Is' situation to benchmark at
Does it fit or not?

Improve the effectiveness and efficiency of your processes and controlsMany organizations continue to manage their global indirect tax throughput without reference to risks that are inherent to all transactional operations and processes. Other organisations have successfully identified indirect tax risks within their global ERP systems design and accounting processes, but have yet to develop a coherent and proactive indirect tax strategy that addresses and effectively manages these risks.

Within most organizations there is no single person or department responsible for the end-to-end VAT accounting process. The finance department owns overall responsibility for the sales and purchase processes, but the application architecture underpinning those processes is configured and maintained by the IT department.

The control environment surrounding manual intervention in the accounts payable and receivable processes remains the responsibility of the finance department. VAT-critical processes such as PO creation, invoice verification and AP tax code selection are subject to limited or inappropriate controls, while the attention of the internal indirect tax function remains focused on the provision of ad hoc advisory support to local business units.

Failures in VAT-critical systems and processes can result in overpayments of VAT that represent a real cost to the business, or in underdeclarations that entail the threat of penalties and reputational risk.

Through the design and implementation of effective controls, the objective of the internal indirect tax function should be to assume overall strategic responsibility for the operational integrity of VAT-critical systems and processes.

Unless there are measures in place to capture and control the end-to-end VAT accounting process, the result will be an incomplete risk management strategy that is essentially unreliable. By contrast, an improved tax risk management model should involve periodic testing of controls to guarantee the effectiveness of VAT-critical processes.

"Someone is sitting in the shade today because someone planted a tree a long time ago."


Benchmarking provides objective evidence. It can show whether or not you have achieved your objective set such as a 'mature' tax function' or make visible what needs to be done to make that happen. It might provide the extra arguments to realize change and get buy-in.

Big4 surveys and KPIs and controls

Control mechanisms stills inadequate While the rates for direct tax are decreasing everywhere across the world, the rates for indirect tax keep rising. With multinational companies we’re easily talking about amounts of over 5 billion euros of indirect tax flowing through the books.

Yet according to big4 surveys, the control mechanisms for these numbers are still inadequate. Not only can an error in the accounts lead to major additional tax assessments and substantial penalties, but worse, a mistake of one percent can make the difference between profit and loss for a multinational company. 

The main reason that indirect tax receives less attention is because it is dealt with completely differently than direct tax. There are hardly any KPIs determined for VAT/GST and the CFO generally solely focuses on direct tax regarding managing tax risks.

Perhaps the most surprising is the fact that the financial auditor also points out the huge risks of insufficient control of indirect tax. On the one hand, it is strange, since it is the benchmark studies from the tax advisors of the same firms who sound the alarm bells.

"Trust, but verify is a form of advice given which recommends that while a source of information might be considered reliable, one should perform additional research to verify that such information is accurate, or trustworthy."

A company’s tax control framework that meets generally accepted control standards provides:

  1. insight into the areas prone to VAT risks (awareness),
  2. management has established the extent to which it is prepared to accept risks, and
  3. internal controls have been implemented that are appropriate given the material risks identified.

Clear responsibilities, effective systems, documented processes and robust controls

Definition Tax Control Framework A Tax Control Framework (TCF) is an internal control instrument specifically aimed at the tax function within a company and an integral component of a company’s business control framework, which is different for every organization. It is a system (process) to identify, mitigate, control and report tax risks.

The ultimate objective of a TCF is to be in compliance with tax laws and reporting requirements and manage the risks that exceed the companies' risk appetite.

Governance, risk identification, controls, communication and monitoring

Prevent risks and identify savings A TCF should prevent tax errors, identify opportunities in a timely manner and perform correct filings at the right moment.

A company's VAT control framework system is adequate if it provides insight into where material VAT risks may arise in the company (awareness), while the degree of risk tolerance is established internally and where appropriate control measures are taken with respect to these risks.

A review should take place of the categories of VAT risk the company is facing as well as the likelihood of occurrence, its potential impact and mitigation measures. Review the company's risk appetite and risk tolerance and the way in which risks is measured.

Effectiveness and efficiency of operations, the reliability of tax reporting, and compliance with applicable laws and regulation

Click to enlarge

definitions 1

See also chapter: OECD - Co-operative Tax Compliance - Building Better Tax Control Framework

Sufficient internal communication

A TCF requires a clear understanding of: the companies' material risk areas, the company's tax policy derived from business objectives, the VAT processes and risk based control measures (hard and soft controls) and roles and responsibilities of the indirect tax department and its shadow tax function.

  • Internal control is a process. It’s a means to an end, not an end in itself. Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

From: The Institute of Internal Auditors, Does Your Control System Pass the COSO Test, March 1998, Issue 2

A tax control framework consists of

  • Strong tax governance with an agreed tax strategy that is in line with wider business objectives an in-depth understanding of where the key risks lie within the business, including indirect and wage tax
  • Effective and efficient controls in place to mitigate identified risks
  • A clearly defined communications strategy for managing tax internally and externally
  • Ongoing monitoring activities and improvement efforts
  • Ensure strong governance including the implementation of strict guidelines.

See chapter: Awareness and acceptance by senior management

Threats and opportunities

Managing risk is about making decisions at all levels of an organization, to limit the effect and likelihood of threats happening and to increase the effect and likelihood of opportunities.

Uncertain tax positions In many countries indirect tax returns are not audited by the tax authorities. Tax certainty about tax positions taken will exist once the statutory time limits are exceeded. That might change when e-audits approaches are standard implemented as audit method or other VAT fraud measures come into force. What is often missed in a business case, planning and execution is a full understanding of the processes and controls needed to effectively and efficiently manage indirect tax.

Below gaps might give rise to some important considerations from a benchmark perspective

Inability to comply with local VAT rules — Although the root cause will vary from one company and country to another, the risk is likely to arise because of the fundamental lack of resources with local knowledge, clear VAT policies and procedures, technology enablement and controls and metrics to facilitate and monitor compliance. In most cases, there is some combination of these causes.


System incompatibility — It isn’t uncommon to find that the ERP system or other available technologies do not support for example SSC staff as fully or effectively as required in making sound decisions related to VAT.


Processes not clearly defined  — Staff sometimes find themselves operating without clear descriptions or instructions as to how certain processes should function internally. That typically includes specific division of duties and defined responsibilities for every task and the person assigned to perform it, as well as the protocols for communicating with the tax office to receive updated information, escalate issues and solicit valuable feedback. The more pieces missing, the greater the risk.

Non-existent or inadequate processes and documentation — Since indirect tax guidance is not typically part of the brief, staff may not have access to VAT training, manuals or web-based technology to support their decisions and activities relative to VAT.

Insufficient communications — Staff may also be hampered by inadequate or unorganized communications between the indirect tax function and other operational business units (e.g., IT, logistics, group tax department) within the organization, making it very difficult to identify and address any crossover issues relating to VAT.


Non-existent or inadequate compliance controls — An indirect tax control framework and key performance metrics that focus on relevant indirect tax risk must be in place to provide the stability and transparency required to both enable and sustain compliance.  None of these “risk drivers” are insurmountable or prohibitively complex to overcome. That said, there are some equally significant VAT-specific rewards in a well-run and well-founded indirect tax function.

Performance improvement — Companies have seen a reduction in both manual effort and error rates in VAT processes from automating VAT decisions in an ERP environment and (or) using technologies available on the market such as tax engines and certain web-based applications.

Better time management — More time is available to tax staff to set up and implement VAT strategy and planning. Since problems can be anticipated at an earlier stage and action taken to pre-empt or solve them.


Process improvement — With for example a SSC doing a good portion of the “heavy lifting,” the organization has more time and resources to review, adjust, structure and optimize existing VAT processes. It may also lead to the development of a VAT team to operate as part of the overall international tax team.

Consistency and flexibility — An efficient and effective tax functioncan provide the company with a consistent operating model as well as flexible organizational design to support growth, profitability and compliance.  Once the company has evaluated the risks and rewards and conducted any other due diligence, the processes begin for identifying the VAT-critical functions, diagnosing the current state and designing the structure that will enable any effective migration.

From: The intersection of VAT and shared service centers

VAT risk based controls

Materiality of VAT risks There are a couple of elements that need to be considered to determine the materiality of VAT risks. Using absolute amounts is the way a business controls framework sets up a risk based approach.  However this is not sufficient as a VAT control framework is not only about paying the right amount of tax but also nowadays about avoiding risks that impact the reputation of the company.

The PowerPoint show risks relating to the company's reputation and potential impact for various stakeholders such as vendor and customers, but as well tax authorities, external auditors and shareholders. 

Creating a consistent and robust controls environment for VAT-critical processes

See chapter: Indirect tax risks and rewards

  • We are talking about extremely large amounts of money that lack appropriate control, but because KPIs have never been developed for this particular purpose, the risks remain outside the CFO’s field of view.
  • Many organizations still lack an effective ‘indirect tax control framework' for defining a strategy, systems and control mechanisms to manage risks linked to reporting VAT.

Roadmap to conduct proper tax management

In order to get buy-in from senior management it is often about setting the right priorities, understanding the root cause of underperforming and select a method for measurement that best fits. The deck explains what a tax function could do to get indirect tax higher on the priority list of senior management.

Written by Richard Cornelisse
 Richard LinkedIn

Richard advises multinational businesses in improving the efficiency and effectiveness of their Indirect Tax Function and Tax Control Framework.

He started his career as a manager at Arthur Andersen and then became an EY partner where he led the indirect tax performance team for Netherlands and Belgium. Currently, he is a managing director of SAP Tax Consultancy Firm.

Richard has over 20 years of experience advising clients on international VAT issues. He is specialized in the tax aspects of financial transformations, shared service center migration, and post-merger integration work.

SAP's YouTube about the need to link risk and strategy

Scoping of inherent risks

Keep a logbook – risk register – of all identified inconsistencies. The internal tax function should always have insight into the areas for attention through this logbook. This allows tax managers to set the right priorities and take measures timely.

Risk assessment

"Every entity faces a variety of risks from external and internal sources that must be assessed.

  • A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent.
  • Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.

Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change."

It is about clear responsibilities, effective systems, documented processes and risk based controls


Some initial risk scoping questions to raise

Click to enlarge

Scoping 1

 See chapter: Indirect tax risks and rewards

Foresee future risks long before they manifest themselves

Below is a benchmark example of a normative VAT process that relates to changes in the business (strategic) and shows the controls that can be implemented to manage the risks that come up with business changes.

The control activity, the test of control and the frequency are important for an effective and efficient implementation and shows how an organization is in control.

Click to enlarge Schermafbeelding 2015 04 19 om 23.31.19

Getting VAT out of the black box

One of the objectives of Internal Audit is via a risk based methodology to provide comprehensive assurance to the Board and senior management that companies’ material risks areas are managed efficiently and effectively.

VAT errors - as it is a transactional tax – impact profit margins negatively and could beside tax risks result in commercial and reputational risks as well and based on Big4 surveys often no adequate controls are in place.

  • Is adequate management of material indirect tax risks actually tested in daily practice?
  • Should this be part of Internal Audit annual audit plan to investigate?

In the governance structure of an organization internal audit plays an important role. Internal Audit can actually audit the control activities defined of the company’s TCF and realize that stakeholders take it seriously.

Internal Audit role will not review any VAT technical content, but audit whether subject matter experts have been involved as documented in the TCF.

 Click to enlarge

Internal Audit 1