We have embraced the increasingly global view that tax risk management must be a part of good corporate governance. The presence and testing of a tax internal control framework are an integral part of the risk-assessment protocols used by tax authorities.

This guide was developed primarily for large and complex corporations, tax consolidated groups and foreign multi-national corporations conducting business in Australia. The principles outlined can have application to a corporation of any size if tailored appropriately.


Find out more - Medium and small corporations

When appropriate, we do assess the tax governance processes of large business taxpayers that we have under review. However, the aim of this guide is to help you understand what we believe better tax corporate governance practices look like, so you can:

  1. develop your own tax governance and internal control framework
  2. test the robustness of the design of your framework against our benchmarks
  3. understand how to demonstrate the operating effectiveness of your key internal controls to your stakeholders.

Our guide is focussed at two levels:

  1. Board-level responsibilities – Here we outline how a board can ensure they are both independent and effective. Note this includes, where applicable, their delegated representatives, such as an audit committee.
  2. Managerial-level responsibilities – Here we provide examples of the controls that can be implemented to help mitigate tax risks and how management can test and provide assurance for the operational effectiveness of their controls.

Corporate governance and key controls

If you have good corporate governance processes in place, many of the key controls we identify will already exist within your organisation. We expect you will be using existing corporate governance practices and internal control frameworks as much as possible, such as your existing financial reporting internal control framework.

For this reason, and to ensure consistency and synergy in our approach, we have considered information:

  1. published by the Australian Stock Exchange (ASX)
  2. contained in the Corporations Act
  3. distributed by other global tax regulators.

If we do need to assess your tax governance processes, having a strong tax control framework within the company gives us confidence that tax risks are well managed. This means it may take less time to assess whether your controls align with the principles outlined in this guide. Alternatively, the absence of a strong tax control framework may signal to us that more resources are necessary to fully assess tax risks.

Find out more:

  • Directorship responsibilities
  • GST governance and risk management guide for large businesses
  • ATO - Public officer responsibilities

Board-level responsibilities

Establish a framework to identify and manage tax risk

The board of directors (or authorised sub-committee) establishes an internal control framework to identify and manage all major tax risks. For a business headquartered overseas, we would expect the Australian-based board to perform the oversight role in respect of Australian tax risks.

Board level control 1: Formalised tax control framework

The board endorses a formalised tax control framework that is understood across the organisation.

Better practice can be demonstrated by:

  • A formal tax strategy document, such as a board tax policy that provides details of how the organisation identifies and manages tax risk.
  • Policies endorsed by your board of directors that
      • outline the organisation's tax risk appetite
      • detail an acceptable level of tax risk for day-to-day operations and what requires escalation
      • are published internally and in your annual report.

Board level control 2: Roles and responsibilities are clearly understood

The board understands and formalises company director roles and responsibilities for tax risk management.

Better practice can be demonstrated by:

  • Documented role and responsibility descriptions for company directors
  • Programs for inducting new directors with appropriate accounting skills and knowledge so they can perform their oversight of tax risk management strategies
  • Ongoing support and briefings for directors regarding tax risk management strategies
  • An established tax risk committee or allocating tax risk to an appropriate and independent board sub-committee – for example, an audit committee
  • Clear communication of expectations for managing tax risks from the board or sub-committee to management
  • A board of directors 'skills matrix', as suggested in the ASX corporate governance principles, to help identify gaps in the collective skills of the board. Gaps should be addressed as part of a listed entity’s professional development initiatives for directors and successors.

Board level control 3: The board is appropriately informed

The board (or sub-committee) is familiar with tax risk matters and the effectiveness of their tax control framework.

Better practice can be demonstrated by:

  • Board or sub-committee charters include review of tax risks
  • Regular summarised progress updates to the board or sub-committee on how tax issues and risks are trending (ie high, medium or low risk) at board meetings.
  • Board (or sub-committee) minutes or documentation that demonstrate members have been briefed on the effective tax rate of the business, including whether the amount of tax paid aligns with business results and, where relevant, reasons for significant misalignment.
  • Board (or sub-committee) endorsement for positions taken that fall outside published ATO safe harbours – for example, debt-to-equity ratios.
  • Tax-risk registers and escalation of issues where appropriate – you should note if you have sought external advice on the relevant risk or issue.
  • An annual report that includes a statement from the board attesting that they have effective policies and processes in place to manage tax risk.

Policies and controls are regularly assessed

The board ensures adequate tax risk management policies are in place and adhered to, as well as systemically assessing internal controls and procedures on a regular basis.

Board level control 4: Periodic internal control testing

Periodic internal control testing is conducted to assure the board that the internal control framework is robust enough to effectively manage tax compliance risk.

Better practice can be demonstrated by:

  • A testing plan to determine the effectiveness of the control framework. Note: this may include a gap analysis to identify which key controls are not tested via existing assurance processes – for example internal or external audits.
  • Reports from independent assurance providers (internal or external) that present findings on the effectiveness of the tax control framework, whether conducted primarily for tax controls or other interdependent controls.
  • Evidence that the board (or sub-committee) has reviewed the results of control framework testing and any proposed remediation plans for tax control failures.
  • Documented assurance (such as an attestation) from senior management concerning the capability and capacity of the tax control framework.

Managerial-level responsibilities

Management should have the capacity to enforce policies and implement strategies approved by the board. They should develop and implement systems that identify, assess, manage and monitor tax risks. Management also play a vital role in monitoring the appropriateness, adequacy, and effectiveness of risk management systems.

Ensure sufficient capacity and capability

Management should ensure there is sufficient capacity and capability to enable effective management of tax risk.

Managerial control 1: Roles and responsibilities are clearly understood

Staff, management and board roles and responsibilities are clearly defined and documented within the control framework to ensure tax obligations are well managed and satisfied.

Better practice can be demonstrated by:

Formal documents, policies or procedures for all roles and responsibilities relating to tax compliance and risk management. These generally detail:

  1. role descriptions for tax compliance, administration and risk management
  2. roles and responsibilities for reporting of tax matters, formalised and understood by management and appropriately trained personnel
  3. formal delegations (or authorisation levels)
  4. segregation of duties – for example, dual sign-off
  5. policies or committee charters that specify methods and frequencies for reviewing and escalating risks in the tax risk register, including follow-up of identified tax risks.

Managerial control 2: Senior management confident of capacity and capability

Senior management, such as the CFO/CEO or Head of Tax, are confident in the capacity and capability of tax governance processes and personnel.

Better practice can be demonstrated by:

  • A control framework approved by senior management that includes both preventative and detective controls.
  • Clearly identified key controls, including how often they are tested. Staff with appropriate experience are designated as control owners.
  • Senior management approval of the design and operating effectiveness of the internal controls governing tax compliance.
  • Internal or external assurance reviews of tax corporate governance or control framework procedures.
  • Staff training on tax corporate governance procedures.
  • Staff reviews, KPIs and performance agreements that incorporate tax corporate governance and risk management elements.
  • Key personnel with professional qualifications and standards to ensure capability.
  • Impacts of tax compliance risks are considered by an appropriate management or board sub-committee; for example, a mergers and acquisitions sub-committee considers the tax risks of acquiring an entity.
  • Existing channels for personnel outside of the tax function to identify and escalate tax risks.
  • Tax-related reports generated and presented to senior management.

Managerial control 3: Significant transactions are identified

Transactions or arrangements with a significant tax impact are systemically identified, categorised and reported on – for example, into strategic, operational, reputational, compliance and financial matters.

Better practice can be demonstrated by:

  • A policy for significant tax transactions that
      • specifies the value of what would constitute a significant transaction requiring authorisation from the tax area
      • details the types of transactions, issues or risks that are significant enough to be escalated to senior management or the board (and, by default, tax matters not requiring escalation)
      • outlines the threshold where independent external tax advice should be sought and levels of management sign-off required for the transaction.

  • A risk-identification process that accounts for qualitative and quantitative risk factors. Examples of typical risk factors include
      • volume of transactions affecting disclosures in the tax return
      • financial accounting and tax reporting complexities and inconsistencies
      • volume of manual adjustments made by management
      • related-party transactions
      • dealings involving low-tax jurisdictions
      • year-end arrangements resulting in tax benefits
      • revaluations resulting in tax benefits
      • transactions or arrangements where there is a legal versus substance disconnect, or where steps are added to a transaction making it more complex than necessary, resulting in a tax preferential outcome
      • the use of new and complex financial instruments or arrangements.

  • Tax risks have been rated, for example high/medium/low, with the appropriateness of the rating evaluated on a yearly or half-yearly basis.
  • Reporting templates that are adhered to.

Ensure Information Technology controls are in place

The internal control framework includes the implementation of appropriate Information Technology General Controls (ITGCs) to ensure information systems that process and store financial data accurately calculate, allocate, record and report tax data correctly.

Managerial control 4: Controls in place for data

Data integrity as a result of data transfer between various accounting/subsidiary systems should be subject to internal control processes.

General IT controls

ITGCs are policies and procedures that relate to many applications and support the effective functioning of application controls. ITGCs that maintain the integrity of information and security of data commonly include controls over:

  • data centre and network operations
  • system software acquisition, change and maintenance
  • program change
  • access security
  • application and system acquisition, development and maintenance.

These controls are generally implemented to address the following specific risks that IT poses to an entity's general control environment:

  • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
  • Unauthorised access to data – particular risks may arise where multiple users access a common database or IT personnel gain access inappropriately.
  • Unauthorised changes to systems, programs or data in master files.
  • Failure to make necessary changes to systems or programs.
  • Inappropriate manual intervention.
  • Potential loss of data or inability to access data as required.

Evidence of data integrity controls can include:

  • Effective IT system and application controls that maintain the integrity and security of data.
  • For entities with organisational-level ITGCs, a tax function should identify the relevant IT controls that are key to the tax function in their tax internal control framework. These relevant IT controls should be designed and operating effectively and instances of IT control breakdowns should be remedied. Breakdown instances should be communicated to the tax function to assess and remediate any impact on the tax return.
  • An effective process that allows the tax function to provide input on IT controls/functions, where the preparation of the tax return is dependent on IT – for example, extracts of data from sub-ledgers, interfaces between systems, and similar.

Consideration of the relevant automated controls key to the tax function. This may include

  • the extent to which automated calculations or data-processing routines programmed into the applications are used
  • the volume of transactions processed by a control is an indication of whether management should consider the application of ITGCs
  • the extent to which your organisation makes use of complex spreadsheets, where the risk of formula error, unauthorised changes or access, and complex calculation, could increase the risk of error
  • whether identified information system-control risks have been investigated via an internal or external review by an assurance provider (per audit plan)
  • reporting mechanisms exist between the tax unit and owners of ITGCs (and the rest of the organisation) regarding IT and system-related control weaknesses.

Managerial control 5: Record-keeping policies

The organisation employs procedures to support record keeping for tax requirements as prescribed by law and our guidelines.

Better practice can be demonstrated by:

  • A formally documented record-keeping policy for tax, including appropriate timeframes for the retention of records.
  • Staff access to guidance notes via an intranet, or a set of procedures that are readily accessible explaining record-keeping requirements.
  • Internal or external audits that verify compliance.
  • Evidence that staff have been trained on record-keeping requirements for tax purposes.

Assure the flow of information from accounting records

Ensuring there is a complete and accurate flow of information from accounting records to the tax return or relevant activity statement.

Managerial control 6: Documented control frameworks

There is a documented internal control framework that specifically ensures the group’s compliance with tax law. This includes the complete and accurate flow of information from accounting records to the tax return and activity statements.

Better practice can be demonstrated by:

  • Documented procedures for reviewing the tax return, including reconciliation back to the audited financial statements.
  • Retention of working papers detailing the calculation of the tax return.
  • Working papers reviewed and approved by management, indicating that they have checked the correct application of tax law to accounting transactions and accurate calculation of the tax return.

Managerial control 7: Procedures to explain significant differences

There are procedures in place requiring explanations for significant differences between accounting disclosures, financial statements and the tax return.

Better practice can be demonstrated by:

Documented procedures detailing:

  • methods for reconciling the tax calculation prepared for the financial statements and the completed tax return
  • methods for preparing deferred tax assets and deferred tax liabilities calculations for the financial statements
  • methods for preparing tax calculations based on accounting transactions
  • methods for reconciling completed tax return to accounting transactions as retained by the taxpayer’s accounting records
  • management have a mechanism in place to appropriately explain the tax performance of the entity when compared to the accounting result
  • narratives to explain variances between tax calculations for the financial statements and the completed tax return.

Managerial control 8: Complete and accurate tax disclosures

Management are confident that tax disclosures have been accounted for properly and disclosed correctly in the relevant tax return.

Note: some of these matters may be outside of the responsibility of the tax area.

Better practice can be demonstrated by:

  • Assurance that a tax return or statement review has occurred prior to lodgment. This reduces the likelihood of incorrect allocation and classification of line items, and helps ensure that the relevant law, administrative guidelines and record-retention requirements have been taken into account in relation to issues such as
      • income tax
      • capital gains tax
      • transfer pricing
      • GST
      • research and development
      • reportable tax positions.
  • Appropriate controls to review compliance risk for other types of taxes managed elsewhere, such as
      • fringe benefits tax
      • the super guarantee charge
      • pay as you go (PAYG) (instalments and withholding)
      • employee mobility (who bears and claims the labour costs)
      • customs and excise duty
      • state-based payroll taxes
      • stamp duty.

Dealing with law and administrative updates

Processes are in place to deal with law and administrative updates, including legislative amendments, ATO guidance updates and budget announcements, while ensuring these are operating effectively.

Managerial control 9: Legal and administrative changes

Tax corporate governance policies and procedures are required to be regularly reviewed and updated for law and administration changes.

Better practice can be demonstrated by:

  • Walkthroughs of process changes to assess whether changes to the law require updates to the internal control framework and development of new controls.
  • Change requests have been submitted to senior management and changes to systems or control mechanisms have been implemented.
  • Policy that states you will inform us of any law update implementation difficulties.
  • Correspondence sent to us advising of difficulties.

Written by Richard Cornelisse

Richard advises multinational businesses in improving the efficiency and effectiveness of their Indirect Tax Function and Tax Control Framework.

He started his career as a manager at Arthur Andersen and then became an EY partner where he led the indirect tax performance team for Netherlands and Belgium. Currently, he is a managing director of SAP Tax Consultancy Firm.

Richard has over 20 years of experience advising clients on international VAT issues. He is specialized in the tax aspects of financial transformations, shared service center migration, and post-merger integration work.