Tax Risk Management - PwC

Tax Risk Management

Tony ElgoodTax PartnerUnited Kingdom

Ian ParoissienTax PartnerAustralia

Larry QuimbyTax PartnerUnited States

Larry Quimby, is a US based tax engagementpartner working with a number of our Philadelphiabased clients. He is currently the national lead foran initiative addressing the application of theSarbanes Oxley Act to the tax function.

For further information:[email protected]

Ian Paroissien is the leader of PwC’s GlobalCompliance Services for Australia and the AsiaPacific theatre. Ian advises many leadingcompanies on best practices and developmentsin tax management and compliance systems.


Tony Elgood is the author of The ‘Best Practice’tax function guide. He is based in the UK and ispart of PwC’s Global Compliance Services team.He works regularly with leading tax functions inhelping them set their strategies and managetheir tax functions.


Acknowledgments:We are very grateful for the help and comments given to us by a number of people during the preparation of this guide. Inparticular we would like to thank Pat Ellingsworth (head of group taxation at Royal Dutch/Shell) and Alan Davidson from thePricewaterhouseCoopers London office for their input. For more information on strategic thinking for a tax function see thePricewaterhouseCoopers ‘Best Practice’ tax function guide.

Tax Risk Management 1

Contents Page

1. Introduction 2

2. What is tax risk? 3

3. Why is tax risk management important and who to? 11

4. Where does managing tax risk fit into the overall tax strategy? 18

5. The risk management framework for tax 20

6. The tax risk management framework in practice 30

a. Risk control environment 32

b. Risk assessment 34

c. Control activities 41

d. Information and communication 46

e. Monitoring 47

7. Managing global tax risk 48

8. Summary 53

Appendix 1 Best practice checklist 54

Appendix 2 Risk assessment templates 56

2 Tax Risk Management

1 INTRODUCTION

We have seen the Enron scandal in the US, and more recently the Parmalat scandal in Italy. The US hasresponded with the introduction of the Sarbanes-Oxley legislation, and with an ongoing increase inglobalisation, similar legislation and practices are springing up in a number of different countries. Insideorganisations there is an increasing awareness that risk management, and in particular, good internal controlprocedures is becoming more and more important.

Historically tax risk management and tax internal controls were a bit of a black art, not necessarilyunderstood even by those in the tax function, let alone those outside. Whilst recognising that the tax areahas its own unique profile, tax risk management is now increasingly being discussed inside both commercialorganisations and revenue authorities. Companies are starting to document their tax risk managementpolicies and to do this they are having to assess the different types of tax risk in their business. Someorganisations have also recently appointed internal tax risk managers.

The purpose of this guide is to pull together the current thinking on tax risk management. It is aimed notonly at tax directors and their teams, but also at CFOs, audit committees, chief risk officers and internalaudit functions. These stakeholders, including those sitting outside the tax function, need to be comfortablethat there is a tax risk management policy in their organisation, that tax, as one of the key costs in thebusiness, is being properly managed and that the inherent risks in the tax position of the organisation arebeing both understood and properly controlled.

Tax risk management has come a long way over the last couple of years and will continue to evolve. This isnot a manual about how to manage tax risk – different businesses will address their issues in different ways.What we have tried to do is to set out firstly the issues that need to be discussed when a company isdeciding on its policy and addressing its approach to tax risk management, secondly a framework formanaging the risks and finally some specific tools and techniques that can be used in doing so.

We look forward to being part of the debate as this area of tax management continues to develop in the fastchanging commercial world in which we find ourselves.

In early 2002 we published a guide entitled the ‘Best Practice’tax function. In that guide there was one chapter (seven pages)on Tax Risk Management. Since that guide was published thecorporate world has changed dramatically and risk managementhas shot up the agenda of most organisations.

The decisions, activities and operationsundertaken by an organisation give rise tovarious areas of uncertainty – businessrisks. Some of these uncertainties will be inrespect of tax. These tax uncertainties maybe in relation to the application of tax lawand practice to particular facts, it may beuncertainty over the facts themselves or itmay be uncertainty as to how well systemsoperate to arrive at the tax results of thebusiness activities and operations. Theseuncertainties give rise to tax risk.

Managing tax risk is therefore aboutmanaging these uncertainties. Due to thevery nature of these uncertainties, there isoften no one right answer. Tax riskmanagement is about understanding wherethese risks arise and making judgementcalls as to how they are dealt with.

We have sought in this chapter to providean explanation of where we see the mainareas of tax uncertainty arising. This hasled us to define seven main areas of taxrisk. We have quite intentionally not triedto do any analysis by type of tax – sufficeit to say that we include all types of tax

under the umbrella of tax risk management,irrespective of whether they are taxesmanaged by the tax function or not. They all give rise to uncertainty and henceto tax risk.

For any type of risk, you not only need tounderstand what it is but you also need todecide how much risk you are willing andprepared to take. To our mind tax riskmanagement is not necessarily thereforeabout minimising risk. Businesses makeprofits by taking risks and a no-riskstrategy is probably neither cost effectivenor right for any business. By setting aframework scale (or a score out of 10),against where you either want to be or areprepared to be for each type of tax risk,you give yourself some criteria againstwhich to decide what actions need to betaken, what risks you are prepared to takeand how any particular type of tax risk is tobe managed. For each area of tax risk thischapter provides such a framework scale.

The tax risk spectrum below showswhere the major tax uncertainties canarise. It shows the upside opportunity

that can arise from business transactions,the downside hazard which can arisefrom the compliance process and the factthat the operational part of the businesscan give rise to both opportunities andhazards. Ensuring that the opportunitiesare maximised can be as important asmanaging the hazards.

A company’s policy on tax riskmanagement will therefore determine:• The value that can be achieved by

taking risks,• The costs that can be saved by

reducing risks, and• The resources needed to manage

both the upside opportunities andthe downside risks

Before we proceed, we should make itclear that we believe each business has aresponsibility and duty to pay theappropriate taxes on its businesstransactions. We also feel strongly that it isimportant for organisations to manage andplan their tax affairs. However we do notbelieve it is right for a business to play the‘tax audit lottery’ with the revenueauthorities. This chapter and, indeed, thewhole guide, are based on the fundamentalpremise that non disclosure to authoritiesis not an acceptable approach and that the‘risk of getting caught’ is therefore not aconsideration or risk to be ‘managed’.


Opportunity Transactions Operations Compliance

Hazard

Uncertainty/Variance

The term tax risk means different things to different people andwe need to start with a common understanding of what it is weare talking about. Only then can we address how tax risk can be managed.

2 WHAT IS TAX RISK?


Specific risk areas

Transactional risk

This concerns the risks and exposuresassociated with specific transactionsundertaken by a company. In anytransaction there may be uncertainty as to how the relevant tax law will applyand uncertainty arising from specificjudgement calls – particularly in the morecomplex areas.

The more unusual and less routine aparticular transaction is, then generally, the greater the tax risks associated withthe transaction are likely to be. One-off,non-routine transactions, such asacquisitions/disposals of businesses orparts of a business, or significantrestructuring projects and reorganisations,will generally bear greater tax risks than theroutine every day business such as sellingproducts and services. In addition there arelikely to be well-designed procedures andsystems in place for the processing ofroutine transactions, which would usuallynot apply to non-routine, one-off

transactions. From a tax point of view thehighest risk transactions are often thosethat are happening specifically for taxpurposes e.g. a tax driven reorganisation.

In any transaction there will be viewstaken during the process as to what isacceptable and what is not – risks willundoubtedly be taken. This is in the verynature of the way transactions andnegotiations are carried out. Some partsof a transaction may be carried out toachieve a particular tax result (for exampleto preserve tax losses). The steps takento achieve the hoped for tax result may below risk or they may be more aggressivewith more chance of being challenged bya revenue authority.

Major transactions have for some timebeen a key focus for tax authorities butthe signs are that this is increasing. InAustralia for example, the Commissionerof Taxation has just written to the boardsof all public companies indicating that aspart of their governance responsibilitiesthey should be signing-off that the tax

risks have been properly assessed and areappropriate. In doing so the Commissionerhas provided boards with 10 questions or criteria against which to judge this. (For more details on the AustralianCommissioner’s position see Chapter 3.)The appropriateness of this and the issuesit raises are a major discussion point inthemselves but it does highlight thegrowing profile and importance of tax riskmanagement in this area.

Additionally tax risks can arise fromfailures, such as:

• The tax department is not involved inthe transaction or are brought in onlyat the last minute;

• There is no organisational agreedframework against which to judgeacceptable risk; and/or

• There is a failure to properly documentand implement a transaction.

Types of Tax RiskIn our view there are seven broad categories of risk associatedwith taxes, four that are specific risk areas and three that arerather broader and more generic.

These are:

Specific risk areas1 Transactional risk2 Operational risk3 Compliance risk4 Financial accounting risk

Generic risk areas

5 Portfolio risk6 Management risk, and7 Reputational risk


In our view this last point often carries the greatest risk in the transactional area. Failureto implement and document properly what has been planned and agreed is in ourexperience the cause of more tax authority challenges in this area than any other. Wherethe tax result depends on a particular sequence of events, board meeting or wording in a documentation there is often the risk that the ‘i’s are not dotted and the ‘t’s are notcrossed – and all the best planning falls down due to inadequate implementation andmonitoring over the life of the issue to ensure nothing is done to prejudice the tax result.Revenue authorities are increasingly asking to see the full documentation relating to aparticular transaction to test out whether the implementation has achieved the result thecompany is claiming.

The question then arises as to how much tax risk are you prepared to take in particulartransactions and how much risk are you actually taking over the correct implementationof the transactions? What is your profile in relation to transactional risk?

It is important in considering this scale to indicate where you want to end up as distinctfrom the inherent risk in the transaction or planning idea. Risks identified can in manycases be managed, such that a risk initially identified as above an acceptable level maybe capable of being brought within it by a tax ruling or some other approach. Thisrecognises that risks can be managed so that the potential upside benefit is not lost.

Operational risk

Operational risk concerns the underlying risks of applying the tax laws, regulations anddecisions to the routine every day business operations of a company. Different typesof operation will have different levels of tax risk associated with them. For example,compare normal third party product sales with intra-group cross-border products sales;there are greater tax risks associated with connected party cross-border transactions(primarily transfer pricing issues). With increasing globalisation of trade there is an ever increasing risk of operational people inadvertently creating a taxable presence in a country in which they are operating. These are just two examples of tax risks that can occur from the normal ongoing business of a company.

In our experience the closer the tax function is to the business operations the betterthese types of risks are managed. Communication between the various parties is key.The standing of the tax function in the organisation will be an important point here; if the people are well respected, then they are more likely to be contacted at theappropriate time. Where are you today on the operational risk scale – and where wouldyou like to be?

Low Medium High

0ConservativeNo riskProud of the tax we pay

10Aggressive

Minimum amount possible

5

Low Medium High

0

Tax heavily involved in operationsFormal sign off procedures in place

10

Tax seldom consultedNo formal procedures

5


Compliance risk

Compliance risk concerns the risksassociated with meeting an organisation’stax compliance obligations. (As we notedearlier, we do not believe risk of discoveryby tax authorities is a factor. One mustassume full disclosure and that theauthorities are aware of and will reviewyour activities.) From a tax perspectivecompliance risk would primarily relate tothe preparation, completion and review ofan organisation’s tax returns (of whatevertype and not only corporate tax returns)and the risks within those processes.

Compliance risk addresses the risksimplicit in the systems, processes andprocedures adopted by a company toprepare and submit its tax returns and inresponding to any enquiries/issues raisedin the process of reaching an agreedposition with the authorities.

What we are talking about here is:

• the integrity of the underlying accountingsystems and information,

• the processes of extracting tax sensitiveinformation from the accounting system,

• ensuring the tax compliance analysisprocesses are based on up to dateknowledge of the latest tax law andpractice, and

• the proper and efficient use oftechnology in the processes.

There are clearly cost implications in whereyou position yourself on the scale belowand there will be a trade off between costsspent and risks taken. To achieve no errorsin any tax return will undoubtedly be costprohibitive. Alternatively, are you overengineering the process and could youreduce the cost with little or no impact onyour risk position? What is your attitude totax penalties? Where do you want to be onthe scale above – and what changes needto happen in the way you operate to getyou there?

Tax compliance risk also includes therisks arising from agreement of taxreturns and from enquiries on, or theaudit of, submitted tax returns by fiscalauthorities. In a number of countries thefinal agreement of a tax return oftenends in a ‘horse trade’ between thetaxpayer and the relevant revenueauthority; it may make sense to have anumber of aggressive positions in thereturn so that there is something to giveas part of any negotiations.

Additionally, and we will come back to thispoint later on, how many of the group’stax returns is the tax function activelyinvolved with? What about payroll taxreturns, indirect tax returns, and customsand duty returns? If it is not the taxfunction, who is managing the risksassociated with these returns?

There is also an interaction betweencompliance risk and reputational risk (seebelow). How do the revenue authoritiesrate you on a risk scale? Do they see youas an aggressive tax planning group andhave ‘marked your card’ as one wherethey have to do a lot of work – or are youseen as a more conservative group wherethey have little to go for?

Financial accounting risk

The Sarbanes-Oxley Act of 2002 hasbrought the risks in the financialaccounting area into sharper focus. A particular challenge for many taxdepartments is the requirement inSarbanes-Oxley Section 404 requiringdocumented and tested internal controlsover financial reporting.

At this point one should note that in mostjurisdictions the figures included in the tax accounts, at the time the financialstatements are issued, are ‘estimates’. In fact, deferred tax accounting generallycalls for the estimation of future taxes tobe paid under tax regimes on transactionsthat are recorded in the accounts in thecurrent year. Avoiding negative prior yearadjustments to the tax accounts hasalways been high on most tax directors’agendas. We have lost count of thenumber of times we have been told by taxdirectors that what the CFO and board arelooking for is ‘no surprises’. This hasprobably led tax directors to be more riskaverse than they might have been (and tomiss upside opportunities?) Thisconservative view as to what should beprovided for in the accounts may lead to a debate with the auditors as to whether a provision is justified or is perhaps atouch over prudent.

As well as looking at the processes inarriving at the accounts figures, and theinternal controls around these processes,the following questions need to be asked:

• How much uncertainty is there in theinterpretation or application of the taxlaw(s) used to compute the taxfigures?

• What is the quality of the data receivedfrom or used in the transactional,operational and compliance areas?

• Are there issues or questions as to theapplication of the tax law to the data?

• What provisions are needed to coverthese uncertainties and what level ofmateriality is acceptable?

Low Medium High

0

Zero tolerance – no error rate

10

Large acceptable error rate

5


It will be interesting to see howcompanies apply Section 404 to the taxaccounts. The ‘spirit’ of the law wouldsuggest that better information and moretimely consideration of risk will evolve.Some have suggested a mechanical‘check the box approach’ to the adoptionof the requirements of Section 404. Webelieve that the mechanical approachmay cause a number of tax functions tofocus too heavily on the processes inarriving at the tax figures in the financialaccounts – at the expense of theprocesses of managing the other tax risksconsidered in this chapter. These othertax risks are potentially the ones thathave been less well managed and arewhere there are both larger opportunitiesand greater risks.

Clearly it is not only the statutory financialaccounts where financial accounting riskarises. Tax figures appear in cash flowplanning, forecasting, and in managinginvestor expectations of the future.

Generic risk areas

You could argue that the four specific taxrisks set out above are the only ones thatreally exist, and the risks we set outbelow are more about managing theserisks than risks themselves. However webelieve them to be sufficiently importantto be treated as separate risks in theirown right and to be reviewed as part ofthe tax risk management process. If youdisagree with us then some of the toolsintroduced later in this guide will needadapting to show four risk areas, notseven. However whichever way we go onthis point, the general principles of taxrisk management will not change. Thethree areas of tax risk that we are callingthe generic tax risks are explained below.

Portfolio risk

Portfolio risk concerns the overallaggregate level of risk when looking attransactional, operational and compliancerisks as a whole and considers theinteraction of these three different specificrisk areas. This is of particular concern tothose organisations that are involved in anumber of transactions, whether tax drivenor business driven. One might argue thatthe financial reporting is the measure ofthe portfolio risk and well it might be.However, we believe that a consciousconsideration of the aggregation of thethree risks should be considered.

Each particular transaction may be belowthe ‘risk threshold’, but when combinedtogether with positions taken with variousrevenue authorities the cumulative riskprofile becomes unacceptable.

What would be the impact if all the areasof tax risk went wrong at the same time?What would be the financial implicationsand what would be the resourcingimplications to deal with the issues?

Have you given each key tax risk in yourorganisation a percentage chance ofgoing wrong and aggregated the result?Have you considered the worst-casescenario and the impact of this on theprofit and loss account and the balancesheet? Is this acceptable?

We look later, in Chapter 6 andAppendix 2, at how you might measureportfolio risk by considering both theimpact and the probability of particularrisks actually happening.

Low Medium High

0

Good internal controlsHigh degree of certainty

10

Unquantified riskLow degree of certainty

5

Low Medium High

0

Low aggregate risk

10

High aggregate risk

5


Management risk

The second generic area of tax risk is oneof not properly managing the various risksset out above. In our experience, few taxfunctions actually have a documented taxrisk management policy, though we arestarting to see tax risk managers beingappointed. Risk management issomething that historically has notspecifically been on the agenda for manytax functions. While some of the risksabove will have been managed, wesuspect few people will claim that all theirtax risks have been managed in asystematic way. Even where it has, a lotof the information about tax issues iscarried around in people’s heads and ifthese people leave the organisation thenthe information leaves with them.

In this new world, with tax risk managementbecoming increasingly important, it is clearthat organisations need to put some timeand resources behind this issue. They alsoneed to ensure that those charged withmanaging tax risks have the skills and theability to do so. ‘Under-managing’ theseissues, either through a lack of skill,resource or time can lead to unexpected‘surprises’ or possibly worse, missedopportunities. Tax risk management willneed to become a higher managementpriority for many organisations.

Reputational risk

We have collected a file of press cuttingsrelating to the tax affairs of companies –and this file is becoming increasinglybulky. How will your CEO or the boardreact to seeing your tax affairs splashedall over the front page of a nationalnewspaper (or even on the inside pages)?

Reputational risk concerns the widerimpact on the organisation that mightarise from an organisation’s actions ifthey become a matter of publicknowledge. By their very nature suchrisks will impact wider business interests.For example, consider the impact on acompany if, as a result of pursuing a tax

issue through a public arena such as the courts, information about the company’s activities or practices result in changes tothe perception of the company by itscustomers, suppliers, or employees.

Consider also the impact of being seento pursue considerably more aggressivetax planning and ideas than the norm –does this matter to you?

Low Medium High

0Tax risk management taken seriouslyHigh on management agendaResources available to do this

10Lack of risk management skills

Lack of budget/resourcesQuality resources not available

5

Low Medium High

0

Not important

10

Very important

5


More than one tax strategy we have seen have included policiessuch as “We will not undertake any tax planning transactionwhich would reflect adversely on the group if details of it were to be published in the business pages of [Daily Newspaper Title].”

By way of an example, in the US it isproposed that failure to disclose certain‘listed transactions’ under the ReportableTransaction Regulations will result in afine. For an SEC listed company, the factthat a fine has been levied may have tobe disclosed in the published accounts.The potential disclosure of the failure toreport properly certain transactions to theInland Revenue Service could however be more concerning than the fine itself.

For MNCs (multi national corporations)this issue may also go to the heart ofgood corporate citizenship, particularly inforeign jurisdictions where reputational risksmay be more important in some countriesthat at home. It is also where culturaldifferences and policy clashes can occur.Identifying and managing issues such asthe impact of aggressive tax planning,reputational issues just from major taxauthority challenges, and policy andpractices around corruption, are allelements of reputational tax risk management.

This leads on to the question of tax ‘ethics’and whether companies have an obligationto pay their ‘fair share’ of tax – whateverthat might mean. There is a debate takingplace in many countries around this point –and whether companies should pay the taxthat is in accordance with the letter of thelaw, the spirit of the law or both (if that ispossible). To be seen to be doing anythingdifferent can impact on a company’s widerreputation. Is transparency of your taxposition an important part of managingyour reputational risk?

External risks

The comments so far have focused onthe risks that are manageable inside anorganisation. There will also be risks thatare external and by their very nature areunmanageable – but are very real andequally important nevertheless. Examplesunder this heading are a change oflegislation, an unexpected court decisionon a particular point, or even a change of government. The rest of this guidefocuses on those risks that a businesshas some control over – but perhapsportfolio risk should be deemed toinclude this extra layer of external risk.

Use of the scale frameworks

In our discussions so far, there is anassumption that there is one point on thescale for each of the different types of risk.However we recognise that thisassumption may not be valid when youlook across the spectrum of different taxesand different countries. For example youmay well decide that the compliance riskyou are prepared to take for one particulartax in country A is very different from thatfor another type of tax in country B.

You may wish to put the different taxesand countries at different points on thescales. This leads us to a threedimensional matrix, covering the types of risk, the types of tax and the differentcountries in which you operate.

Co

rpo

rate incom

e taxesS

ales taxesE

xcise duties

Payro

ll taxesW

ithhold

ing taxes

Austra

lia

Belgium

Brazil

Germ

any

India

Singap

ore

United

King

dom

United

Sta

tes

Transactional risk

Operational risk

Compliance risk

Financial accounting risk

Portfolio risk

Management risk

Reputational risk

It is likely that the mere exercise ofcompiling the information and consideringthe areas of tax risk that we have discussedin this chapter will significantly enhance acompany’s management of tax risks.


Other activities

In our experience tax functions often havea wider remit than just tax. Tax and treasuryare sometimes the same department; taxfunctions are often responsible for thepreparation of statutory accounts as theyare the people who need them most – toenable them to file the tax returns.

The purpose of this guide is to focus ontax risk management and we have notsought to stray into the other activities thatmay be carried out by the tax function.That is not to say that the risks in theseareas do not need managing.

SummaryWe have set out the seven areas of tax risk, together with a scale of one to ten for each one. By reviewing allseven scales, it should be possible to produce one overall scale summarising your organisation’s attitude to taxrisk management. You should be able to consider where you want to be on the scale – and where you are today. This will give you a template to consider further what actions you need to take going forward.

Low Medium High

0

ConservativeLow appetite for risk

10

AggressiveRisk taker

5

Where are you today – and, more importantly, are you where you want to be?

Very few organisations will be positioned at eitherend of this scale. The organisations on the left hand side might be the ones who:• Are inherently cautious• Spend more time managing risk• Are more concerned about compliance risk• Are concerned about their reputation

The organisations that position themselves on theright hand side of the scale:• Are more aggressive• Accept that they will have more compliance risks• Have a higher materiality level• Are less concerned about upsetting revenue

authorities• Spend less time managing tax risk

We look in more detail in Chapter 4 as to how tax risk management fits into the bigger picture both in terms of managingtax and managing risk in the organisation as a whole. However before doing so can you answer the question belowspecifically in terms of tax risk management.


There are (or should be) many stakeholders,both inside and outside the organisation,involved in managing risk, and inparticular managing tax risk. The first

point therefore is to consider who, inaddition to the tax function, are thestakeholders in a business’s tax riskmanagement?

Head of tax/tax function

CEO/CFO

The boardBusiness unitsand functional

areas

Auditors

Revenue authorities

Investors

Tax RiskManagementStakeholders

3 WHY IS TAX RISK MANAGEMENT IMPORTANT – AND WHO TO?

We have set out in the previous chapter our view of the differenttypes of tax risk. This chapter seeks to identify the differentparties who have an interest in an organisation’s tax riskmanagement. We will explore why they are, or should be,interested in this subject. We are also presenting a view as towho should focus on (or take ownership for) each of the variousrisks outlined in Chapter 2. Our analysis of this latter point isundoubtedly open to challenge – but if it gets the reader thinkingthrough their role and responsibilities with respect to tax riskmanagement then our objective will have been achieved.

The board

There is a tendency to equate theboard’s view on tax risk managementclosely with their view on corporategovernance. However a board’s role isfirst and foremost to give direction to theoverall running of the business so let uslook at this aspect first.

We would suggest that until now therehas been little or no engagement orunderstanding around tax riskmanagement at board level – with suchmatters normally being delegated to theCFO and the head of tax. We questionhow many boards of companies haveseen and considered a documented tax

risk management policy. This, webelieve, is the starting point for effectivetax risk management.

(We recognise that the role andresponsibilities of the board of directorsmay vary by country. While the level ofinvolvement of the board in day-to-dayoperations may be different, it is clearthat the board is and must be the keystakeholder in the management of risk.As noted below, the board could be theentire board of directors or if applicablethe audit committee of the board. Thekey point is involvement by persons notresponsible for ‘day-to-day’management.)

The templates in Chapter 2 might beused as a starting point for engaging theboard in the debate as to what is thegroup’s tax risk management policy. Havethey properly considered both thebenefits and the costs of the variousapproaches to tax risk management –how aggressive or conservative do theywant the group to be? How does this fit in with the risk management policy for thegroup as a whole? How does this fit inwith the group’s overall tax strategy?

Historically, we have found that, whenasked, boards may have perceived thatthe tax function was one where there was‘low risk’. In fact, the board may haveperceived (and expected) the company tobe taking a more aggressive approach totax risk management than the tax functionwas actually adopting. The process ofdiscussing a tax strategy with the boardis, in our recent experience, changing andadding direction to and support for whatthe tax function is expected to do.Whatever the view of the board, gettingthe tax strategy in front of them is goodfor the profile of the tax function.

Perhaps the two key tax risks the boardshould focus on are portfolio risk andreputational risk. The board should have ageneral understanding of the organisations‘risk profile’. The portfolio risk addressesthis ‘profile’ for tax. Of equal or possibly of greater importance is a view onreputational risk. It is important that theboard understands the impact onreputation that the organisation’s taxpositions (or lack thereof) may have withinthe business community or the communityat large. A consistent position, along withboard support for the resources needed to manage reputational risk, are key tosuccessfully addressing this area.

A documented tax risk policy that isembraced by the board is also crucial forgood corporate governance. The boardnot only sets the tax risk/rewardphilosophy of the business, it also setsthe tax risk management framework andthe whole ethos as to how risk isassessed, how management controlsoperate within the business and how they are monitored.

The rules, regulations and commentarygenerated by Sarbanes-Oxley have beendriving most of the current thinking in thisarea, even where a group is not SEClisted. The Sarbanes-Oxley rules requiredetailed documentation of the design andoperational effectiveness of internalcontrols to be in place – anddocumentation of tax risk managementpolicies and controls is not something wehave seen in many organisations. Bestpractice would suggest that whatever thetax function (or others) produces in thisarea should be acknowledged andembraced by the board.

In some countries revenue authoritieshave also been driving thinking in thisarea. In Australia for example, theCommissioner of Taxation has written to public company boards stating, “It isimportant that the board identify thetaxation risks associated with theirorganisation’s operations, which risks areacceptable and appropriate, and whichare not, and put in place a process for the management of those risks.”

The view expressed was that in respect of major transactions and arrangementsit was not sufficient for boards to relysimply on tax functions and externaladvice but should focus beyond taxoutcomes to questions of probability,level of aggressiveness, likely tax officeresponse and the implications ofalternative outcomes.



This of course raises a whole series ofissues and questions to be addressed.These range from whether these are theright questions and whether this is in factthe right level to be asking these questions.(Should it be the audit committee, CEO,CFO or the tax director?) Issues range from the capacity of the board to makeappropriate judgements to content and tax office access to board papers. In ourview many of the matters raised in thesequestions can be dealt with by appropriatepolicies that the board has signed off on,and controls to ensure those policies areadhered to.

Just how far the board should go is anopen question, the discussion on whichhas only just begun. We would say that, inthis new world of greater governance andresponsibility of boards, greaterinvolvement than we currently have seendoes seem appropriate. In this regard,involvement in ensuring there is anappropriate risk management frameworkand policy in place, that it fits in with theorganisation’s overall attitude to riskmanagement and that a process forensuring that this is functioning asintended, would be an important placeto start.

The CEO and CFO

Historically it has been the CFO whorepresents tax at board level and to whommost heads of tax report. However we areseeing pressure in some countries forCEOs to become more actively engagedin the tax area – whether because of theneed to sign off on accounts or fromexternal pressures (e.g. the above debatebeing initiated at CEO level by theAustralian Tax Office). We have thereforecombined these two positions in terms of stakeholder consideration – whilstrecognising that more of the responsibilityfor tax risk management will likely fall onthe shoulders of the CFO than the CEO.

The points discussed above concerningthe board’s involvement in tax riskmanagement obviously apply to the CEOand CFO as members of the board.However their interest in tax riskmanagement will go further. The CEO andCFO, having had high level input into thestrategy design, should be using it as aframework for participating in significanttax related decisions both on thetransactional side and possibly also on the operational side.

They clearly have an interest in thefigures in the accounts and hence infinancial accounting risk. They may even be personally at risk if majorrestatements or prior year adjustmentsarise in the accounts.

They are also responsible for monitoringhow tax risk is being managed and howthe tax department is performing (taxmanagement risk). We come back to thepoint that in today’s environment it isimportant that the leadership view of thetax function’s risk profile is consistent withpractice. Where there is a disconnectthere can be surprises for the CEO andCFO from adjustments to the accounts ormissed tax savings, and frustrations onthe part of the tax function wheninformation provided or resourcesallocated are not sufficient to achieve therisk management targets established.

Virtuouscircle

Tax riskshigh on

managementagenda

Tax riskidentified and

communicated

Appropriatetax resource

1. What level of confidence do you havein the correctness of your advice?

2. How likely is it that the tax office willtake a different view of the applicationof the law and assess the companyaccordingly?

3. If the Australian Tax Office takes adifferent view and the matter proceedsto litigation, what is the risk of theFederal Court or the High Court decidingthe matter in favour of the tax office?

4. What is the potential downside if thecompany is unsuccessful in litigationwith the tax office?

5. If there is a dispute, what is the likelihoodof the tax office being prepared to settlethe dispute and, if so, on what terms?

6. How likely is it that the tax office willidentify the tax issues that arise fromthe proposed course of action? Alliedwith that, to what extent will embarkingon the proposed course of actionincrease the tax risk profile of thecompany and increase the possibilityof audit scrutiny?

7. In light of the potential risk, would itbe desirable to approach the taxoffice for guidance in the form of aprivate binding ruling

8. Where a position has been taken on atax issue, would it be desirable, in theinterests of appropriately managing anyrisk, to be up front with the tax office inidentifying the issues before or whenlodging the tax return and endeavouringto constructively handle anydisagreements which may ensue?

9. Is the advice based on the actualtransaction or on an expectation ofhow the transaction will beimplemented?

10. Are you satisfied that the factual basisfor your opinion to the board has beenproperly checked?

In this context the AustralianCommissioner posed 10questions boards should beasking in this area:


The head of tax and his/her team

Obviously the tax function is responsiblefor managing the majority of tax outcomes,and the actions and activities that createtax risk. It is also the first point of contactin tax risk management. What therefore arethe head of tax’s objectives in relation totax risk management? Do they buy in tothe concept that tax risk can be managed?How do their objectives on riskmanagement fit in with those set out bythe chief risk officer? What framework isused to measure risk and does the taxfunction participate in developing thescores? Is the head of tax trying to make aname for themselves by taking risk – or dothey come from the ‘no surprises’ schoolwhere tax risk management is aboutavoiding potentially contentious oraggressive positions? How secure do theyfeel in their jobs? Will they now be signingoff, to the CEO or CFO, that the tax figuresin the accounts are acceptable – and if thegroup is SEC listed, also on the internalcontrols over tax?

Whilst the board will agree the strategy, inpractice it is the head of tax who will setthe whole tone on tax risk managementfor the rest of the organisation – whetherit is the tax team doing the tax returns orthe advice and support provided tooperational and other teams doing theirjobs. It is therefore vitally important thatthe head of tax, CEO and CFO, and theboard are in agreement on the group’s taxrisk management policy.

The one area where we see some gaps iswith MNC’s foreign subsidiaries. In manycases tax is the responsibility of the localCFO in the foreign subsidiary with indirectline responsibility to the head of tax. Inthese circumstances there is a real risk thattax risk management is falling between thecracks and it is important that clearresponsibilities are established. This pointis explored in more detail in a later chapter.

The head of tax will, or should, beinvolved in all areas of tax riskmanagement. However they will usuallyhave prime responsibility for the

management risk – ensuring that the rightpeople are in place to manage tax,ensuring these people have the rightskills, and ensuring that the appropriateprocesses and procedures are in place.

But however good the tax riskmanagement policy of an organisation isand however much leadership anddiscussion there is at board level, thehead of tax and his/her team will deliverwhat they are being measured on. Thisbegs the question as to what are theymeasured on – and what are theconsequences for them personally if,having taken a risk, revenue authoritiestake different positions or imposearbitrary adjustments.

We would encourage those settingobjectives for tax functions to build taxrisk management into such objectives –and to identify acceptable levels of risk(whatever that might be for thatorganisation) in order to add value to thebusiness. Once risks have been taken, taxfunctions will need support if things gowrong – and praise when things go well.We will look at how tax risk managementcan be monitored in a later chapter.

Business units and functional areas

The interest in the management of taxrisks by the other business units andfunctional areas of the organisation willvary based on the broader managementand risk profile of the organisation. For example, the level of interest bymanagement of a business unit will beclosely aligned with whether the unit ismeasured on a pre-tax or after-tax basis.The business unit’s accountability forinformation provided to the tax function (orresponsibility for transaction taxes withinthe unit) will also drive the level of interest.In a similar manner the legal departmentwill need to understand where thebusiness sits on transactional risk. Thetreasury department will want to knowwhat tax is payable – and what tax mightbe payable if some of the risks taken doactually crystallise. This may include bothtransactional risk and compliance risk. The

business planning team may well bedealing with forecasting, both of taxcharges in the accounts and cash goingout of the business.

The finance department will nearly alwaysplay a key role because it is impacted bytax in many ways. Its own responsibilitiescan vary from managing expectationsaround the effective tax rate throughprocessing the results of operationalactivities to full responsibility for tax inforeign jurisdictions. The financedepartment is nearly always involved in theimplementation of significant transactionsand will also often be involved in producingdetailed information for the tax returns –how much detail does it need to go into,what level of materiality is appropriate fordifferent tax returns? In all these areas itwill need to understand the full range ofthe tax risk profile of the business.

To do their job properly internal auditorswill need to understand the group’sposition on tax risk. This is applicable toany role they may have in monitoringcontrols or in reviewing the tax function.Historically we believe that internalauditors may have found reviewing the taxfunction as one of those items that goes inthe ‘too specialised’ basket. Perhaps thiswill have to change. Indeed where internalaudit functions undertake broader reviewsof the tax function, which we have seen in a small number of cases, they can help raise the profile of the tax function by highlighting where the tax function isadding value to the business.

Moving away from the functional areas ofa business to the operational people wecome to people who are responsible formaking decisions with potentiallysignificant tax implications. This is theoperational tax risk area, and the questionarises as to whether operational peopleunderstand what risks they are taking,when they need to consult, when they canact without consulting – and whathappens when something goes wrong? Inbusinesses that are measured on a profitbefore tax basis, operational people will


often be more focused on sales taxes and payroll taxes and will often ignorecorporate income taxes. This in itself is a risk – tax management risk.

This brief list skims the surface of themany potential interactions between taxand the different areas of yourorganisation – which other functionalareas are making decisions that have atax impact and hence carry tax risk? Ifthese people are to take responsibility forthe tax impact of their actions they needto understand both where the risk areasare and how they are expected to managetheir tax risks. You need to be able toanswer the question below.

Who are the tax riskmanagement internalstakeholders in yourbusiness?

External auditors and other externaladvisors

Let us now consider the stakeholdersoutside your organisation. The externalauditors clearly have an interest in agroup’s tax risk policy. They need tounderstand both the policy and whererisks are being taken so they can plantheir audit of the financial accounts. Wewould suggest the auditors have aninterest in all seven of the areas of tax risk.

One of the effects of the currentcorporate governance concerns is thatsome groups are not using the taxdepartments of their auditors as muchas they used to for tax planning advice.Where the auditors are not the taxadvisors to the company, they will haveless familiarity with the client’s taxaffairs. This is likely to be particularlysignificant where the group has, forexample, made large acquisitions ordisposals, undertaken new financingarrangements, implemented a groupreorganisation, or implemented taxmitigation strategies. As a result the

auditors will require more time and effortto understand where the risks lie andthe implications for them in reachingtheir opinion on the financial statements– with corresponding additional costsfor the group concerned.

This leads on to the point as to the board’sand the audit committee’s view of usingtheir audit firm for tax work. Differentbusinesses have taken different views here.Our view is that the audit firm is generallythe best placed provider of both taxplanning and tax compliance services.There is a strong linkage between acompany’s accounts and its tax affairs thathas led to the audit firm generally alsoproviding tax services to its audit clients.The audit firm will have a deepunderstanding of the company’s businessand therefore generally be best placed toprovide related tax services. Additionally,the tax charge will generally be a materialcomponent of the company’s profit and lossaccount and therefore needs to be carefullyconsidered by the auditor. This process ismade easier where the audit firm providestax services on an ongoing basis; with itsdeep involvement with the company thisleads to a better quality audit. It thereforefollows that we believe that the company’smanagement of its tax risk is improved bythe involvement of its auditors in theprovision of tax services as opposed to theprovision of such services by others.

In addition to issuing an opinion on thefinancial statements, there are specificrequirements for auditor attestation ofinternal control procedures over financialreporting for SEC registered clients (asrequired by Section 404 of Sarbanes-OxleyAct of 2002). As with the necessity toconsider the impact of the tax accounts onthe financial statements, the internal controlsapplicable to the tax accounts will need tobe considered in the attestation on acompany’s internal controls over financialreporting. These requirements will first apply,broadly, for accounting periods ending on orafter 15 November 2004 for US registrantsand 15 July 2005 for non-US registrants.The Public Company Accounting OversightBoard (PCAOB) rules, which govern theaudits of internal controls over financialreporting, will also have a significant impacton both auditors and registrants.

External advisors, who may or may not beyour auditors, need to understand yourappetite for tax risk. This will help them todeliver more appropriate advice and filterout unsuitable ideas they might be thinkingof bringing to you. They will also need tounderstand the accounting implications ofwhat they are advising on – this is perhapsmore of an issue for lawyers thanaccountants, but still a point to beconsidered if the advisor is not the auditor.

The understanding of the corporateappetite for risk is particularly importantfor tax advisors in foreign jurisdictionswhere tax in these jurisdictions is often theresponsibility of the finance functions. Inthese circumstances local risks and issuesneed to be understood and tax riskpolicies adapted to local circumstances. In some cases policies that do not have tobe enunciated at home may need to beoverseas, to ensure that different culturalcircumstances and local practices do notinadvertently breach corporate policy.


Revenue and other regulatory authorities

Tax authorities are taking an increasinglysophisticated approach to tax riskmanagement. If they can be clear wherethe tax risks are in any organisation theywill know where to focus their resources.

The Australian Tax Office has, for example,published a list of seven criteria they usewhen assessing an organisation’s tax riskprofile and listed the six key areas they aregoing to focus on. The seven criteria forrisk assessment are:

• Business and transactions

• Globalisation

• Attitude

• Systems of compliance

• Perceptions of stakeholders

• Materiality

• Application of the law

For each category they rate the business,and from this they can build up a pictureof the organisation they are looking at.With this analysis they are focusing on thefollowing questions to decide howdetailed a review they need to do.

• Whether the group’s financial or taxperformance varies substantially fromindustry norms?

• Are there significant variations in theamounts or patterns of tax payments?

• Are there unexplained variationsbetween economic performance,productivity and tax performance?

• Are there unexplained losses, loweffective tax rates, and cases wherepart or all of the group consistentlypays low tax?

• Is there a history of aggressive taxplanning?

• Are there weaknesses in the group’sstructure, processes and approachesto tax compliance?

Additionally a number of revenueauthorities are keen to discuss a group’srisk assessment with that organisationand discuss with them which areas willcome under particular scrutiny this year ornext. The US authorities have moved to avery specific series of regulations requiringspecific identification and disclosure oftransactions that they (the authorities) viewas giving an indication of aggressive orinappropriate tax positions. The UK InlandRevenue instigated a specific initiativeentitled ‘Spend to Save’ that particularlyfocused on where their resources shouldbest be concentrated to achieve maximumrevenue raising benefit. They have nowannounced a crackdown on tax avoidanceby introducing a package of measurestargeted at perceived loopholes, in additionto specific anti-avoidance legislation.

The issue here is not to be undulyinfluenced by either aggressive or dormantrevenue activity but rather to build therevenue authorities’ approach andinformation requirements into your riskassessment, strategy and policies. We areaware of some businesses that haveshared their tax strategy with taxauthorities in order to help demonstrate‘lower risks’ than may have otherwise havebeen perceived; however this is not acommon approach.

As well as revenue authorities there are anumber of other regulatory authorities indifferent industries (e.g. financial services)and countries (e.g. in the US, the SEC)that will be interested in the tax risk profileof a business. We have not attempted tolist these out – but are you aware of whichother authorities are looking at yourfigures and possibly also your riskmanagement systems?

Investors and analysts

One of the prime sources of informationfor investors and analysts is the accountsand other quarterly/half yearlystatements. The element of uncertainty in the financial accounts is therefore ofinterest to them – and as such they areinterested in financial accounting tax risk.To the extent that the tax charge tends to fluctuate they will wish to understandwhy this is so and how it might fluctuatein the future. Portfolio tax risk may alsobe of interest to them – is there a highportfolio of tax risk that could causesignificant fluctuations in the tax figuresor is there a small portfolio of risk and asteady tax charge is to be expected?

There seems to be an increasing focus on cash tax as opposed to theaccounting tax charge – the commentsabove are equally relevant to cash tax asthey are to the accounting charge. Finallyreputational tax risk is somethinginvestors will be interested in – what isthe effect on the share price if, forexample, a major revenue investigationbecomes public knowledge?


Documentation and communication

A theme that has been running throughthe above discussion is the width ofimpact that taxes and tax riskmanagement has in the organisation andtherefore the importance of documentingpolicies and disseminating them throughan appropriate communication strategy.Word of mouth and informalcommunications are unlikely to beappropriate for such a wide range ofdifferent stakeholders. We will explore thisin more detail in later chapters.

Types of tax risk

Stakeholders

Transactional Operational ComplianceFinancial

accountingPortfolio Management Reputational

Board

CEO/CFO

Tax function

Legal & treasury

Business units

Auditors & tax advisors

Revenue & other regulatory bodies

Investors & analysts

✔

✔

✔

?

✔

✔

✔ ✔ ✔ ✔

✔

✔

✔

✔

✔

✔

✔ ✔

?

✔ ✔

✔ ✔

✔✔

✔✔ ✔✔ ✔ ✔

✔ ✔

✔

SummaryWe have attempted to summarisewhich tax risks will be important tothe various different stakeholders intax risk management. The summarybelow will not be right for allbusinesses; however a discussionaround the grid below will helppeople focus on who should beconsidering and is responsible for the various areas of tax risk.


However we can consider how tax riskmanagement fits within an overall taxstrategy. Indeed it is the overall taxstrategy that should drive the approach totax risk management – and not the otherway around.

It is our view that there are only threebasic areas of tax that can be managedand controlled. These are:

• The tax charge (some groups maysegregate the total charge and currentcash taxes)

• Tax risk• The cost of running and managing the

tax affairs of the group

There is clearly a trade off between thesethree. One cannot have a very aggressiveapproach to managing the tax chargewithout incurring some (legitimate) tax riskand some extra costs. In our earlier guide‘The ‘Best Practice’ Tax Function’ weintroduced the Tax Strategy Template tostimulate debate in this area.

For each of the three areas there is ascale, which runs from nought to ten.Nought represents a very reactiveapproach to tax management, probablylittle more than completing andsubmitting tax returns. Ten represents a very proactive (aggressive?) approach,where the head of tax would be

prepared to spend time fighting a casein the senior law courts. As noted abovewe believe that, broadly, the threescales are correlated.

Tax risk cannot be looked at in isolation. Tax risk managementneeds to be part of a business’ overall risk management policyas well as being part of an overall tax strategy. It is not thepurpose of this guide to stray outside of the tax arena and wewill therefore leave others to consider how their tax risk policyand management fit in with what the business is doing by wayof risk management in other, non tax, areas.

Tax charge

Tax risk

Tax management costs

Notmanaged

<Reactive Proactive>

Basictax planning

Unaware of issues

Minimum

Minimum legallyachievable

Aggressiveschemes

Maximum awarenessof issues

Cost not themain issue

0 1 2 3 4 5 6 7 8 9 10

0 1 2 3 4 5 6 7 8 9 10

0 1 2 3 4 5 6 7 8 9 10

Next to bereviewed

Completedby date

4 WHERE DOES MANAGING TAX RISK FIT INTO THE OVERALL TAX STRATEGY?


To get an overall view of someone’sapproach to their tax strategy, andbecause of the correlation noted above,we ask people to draw a vertical linedown the template giving a singleoverall ‘score’ between nought and ten.The more conservative and reactivegroups would have a lower score thanthose who manage their tax moreaggressively and proactively – and areprepared to take greater tax risks.

This is an overview tool. It’s not meant tobe a ‘scientifically perfect’ model of a taxfunction’s strategy. It’s a tool that helpsclarify opinions as to overall approachand start discussions that draws outsome of the underlying issues.

The overall score above should bearsome correlation to the summary scorearrived at in the last section of thesecond chapter of this guide. (This wasthe scale that summarised yourorganisation’s overall attitude to tax riskmanagement.) If the two scores are notclose together one of them needsrevisiting. As both scales are part ofyour overall group tax strategy, in termsof best practice, both should be agreedwith the board and getting the twoscores the same should be achievable.

Tax charge

Tax risk

Tax management costs

Notmanaged

<Reactive Proactive>

Basictax planning

Unaware of issues

Minimum

Minimum legallyachievable

Aggressiveschemes

Maximum awarenessof issues

Cost not themain issue

0 1 2 3 4 5 6 7 8 9 10

0 1 2 3 4 5 6 7 8 9 10

0 1 2 3 4 5 6 7 8 9 10

Next to bereviewed

Completedby date


The COSO Internal ControlIntegrated Framework

In the early 1990s the Committee ofSponsoring Organisations of theTreadway Commission (COSO), set up in the US, called for a study to developa framework for internal control and in1992 the Internal Control – IntegratedFramework was published. Today themost widely recognised internationalstandard for an integrated framework ofinternal control is the COSO Framework.We have sought in this chapter firstly to explain how the COSO Frameworkoperates and more importantly how itmight be used to manage tax risk.

What is internal control?

The COSO Framework defines internalcontrol as:

“A process, effected by an entity’s boardof directors, management and otherpersonnel, designed to provide reasonableassurance regarding the achievement ofobjectives in the following categories:

• Effectiveness and efficiency ofoperations;

• Reliability of financial reporting; and

• Compliance with applicable laws andregulations.”

The commentary around the COSOFramework explains that whilst internalcontrol is a process that will change anddevelop over time, the effectiveness ofan organisation’s internal control is astatement of the condition of thatprocess at one or more points in time.The purpose of internal control is to helpan organisation achieve its performanceand profitability objectives, andsafeguard assets. It can also help toensure reliable financial reporting,compliance with laws and regulationsand therefore avoid damage to itsreputation and other consequences. As the COSO Framework is the leadingmodel for internal control, and is beingused on a global basis, it seems anappropriate model to consider for tax riskmanagement.

The early chapters of this guide have focused on what is tax riskand who should be interested in it. We have looked, at a highlevel, at how a tax risk policy fits into the overall strategy of abusiness. It is time to look in a bit more detail as to how tax riskcan actually be managed and what processes might be put inplace to achieve this – and introduce an internal controlframework for tax risk management. This chapter focuses ondesigning a systematic approach to tax risk management, andthe following chapter then looks at how to make the systematicapproach work in practice.

5 THE RISK MANAGEMENT CONTROL FRAMEWORK FOR TAX

INTERNAL CONTROLINTEGRATEDFRAMEWORK

COMMITTEE OFSPONSORINGORGANISATIONS OFTHE TREADWAYCOMMISSION


Components of internal control

The current COSO Framework sets outfive interrelated components in anintegrated system of internal control thatapplies to organisations of all types andsizes – and hence should equally applyto tax risk management. The fivecomponents are:

• Control environment

• Risk assessment

• Control activities

• Information and communication

• Monitoring

Let us look at these in a generic sensebefore going on to look at them specificallyin terms of tax risk management.

Control environment

The control environment is the overalltone of an organisation – the culture andatmosphere of the organisation in whichpeople conduct their activities and carryout their responsibilities, and theseriousness with which risk andcompliance with controls and processesis taken. The control environment isbased on the individual attributes andattitudes of the senior management ofthe organisation – and will reflect theirintegrity, ethical values, competence andauthority. The control environment is afoundation for all the other componentsof internal control and is the nature of theplatform on which the whole organisationis built. If risk management is notimportant in an organisation and peopledo not take processes and controlsseriously then introducing specific riskpolicies, procedures and controls in anarea like tax, may have little chance ofbeing effective.

Risk assessment

This is the awareness and response of anorganisation to the risks that it faces.Processes and procedures will need to beestablished to identify, evaluate andmanage those risks. Risk objectives mustbe set that are integrated with the rest ofthe organisation.

Control activities

Control activities are the policies andprocedures that are designed andoperate in order to manage and addressthe risks to the achievement of anorganisation’s objectives. These controlactivities need to be effective in theiroperation in order to manage and mitigatethe risks consistent with the overallobjectives of the organisation.

Information and communication

Information and communication systemsare required to support the other fourcomponents in order to ensure thepeople in an organisation understand,capture, exchange and record theinformation needed to manage andcontrol risk in an organisation.Information and communication is alsoneeded to assess how the organisationis performing and whether its goals andobjectives are being achieved.

Monitoring

The entire process, but particularlycontrols and processes, must bemonitored to assess their effectivenessand to identify where modifications orremedial actions are necessary. Monitoringallows early identification of deficienciesso that the internal control system can beresponsive to changing conditions bothwithin and from outside the organisation.

Each of these components can and willimpact and influence each of the othercomponents. The extent to which anorganisation implements these componentswill vary from business to business and willbe influenced by many different factors.However, these five components should beidentifiable in any integrated system ofinternal control for tax risk managementand should be embedded throughout theorganisation in order to be effective.

There is a direct relationship betweenthese five components and the threecategories of objective set out earlier inthe definition of internal control. The fivecomponents are what an organisationneeds to have in place and be operatingeffectively, in order to achieve each of thethree objectives throughout all activitiesand business units in the organisation.


The COSO Framework can therefore berepresented generically as follows:

COSO Enterprise RiskManagement Framework

During the summer of 2003 COSO issuedan exposure draft for public commententitled ‘Enterprise Risk ManagementFramework’. This framework broadlyfollows the framework outlined above forinternal controls, with the main differencebeing to expand the risk assessment

component in the internal controlframework into three separatecomponents – event identification, riskassessment and risk response.

In addition, the proposed new EnterpriseRisk Management Framework separatelydistinguishes objective setting as acomponent separate from the controlenvironment. The underlying philosophyitself – that senior management has aprocess in place to both set and alignobjectives within the organisation’s overallstrategy consistent with their risk appetite- is not something new. This wouldpreviously have been considered to beincluded in the control environmentcomponent in the earlier model.

We have based this chapter on theestablished internal control frameworkbecause the new Enterprise RiskManagement Framework is still in draftand may change as it goes through itspublic consultation process. That said itcould be a very useful source of furtherinformation for readers wanting a moredetailed analysis of risk management.What this all reinforces is that this is anarea which is changing rapidly andreceiving plenty of public attention.

Act

ivity

2

Act

ivity

1

Uni

t B

Uni

t A

Operat

ions

Finan

cial r

epor

ting

Complia

nce

Monitoring

Information & communication

Control activities

Risk assessment

Control environment

So how does the COSO Framework apply to tax risk management?

Let us now move on to consider how tax risk management can be considered in termsof the COSO Framework. We should firstly consider the three internal control objectivesset out above and what they mean in the context of taxes and tax risk management.

Effectiveness and efficiency of operations

Compliance with laws and regulations

Reliability of financial reporting

The effectiveness and efficiency of theorganisation’s management of taxes. This wouldinclude the financial and operational objectivesover taxes throughout the organisation.

Relates to the preparation of reliable financialinformation on taxes for inclusion in financialstatements and selected financial data derivedfrom such statements, such as earningsreleases, reported publicly.

Relates to complying with those tax laws andregulations (and other related laws andregulations such as accounting standardsrelating to taxes) to which the entity is subject.


For tax purposes we are thereforeproposing that we replace the three broadobjective categories of internal controlacross the top of the COSO cube, withour four different types of specific tax risk.

However where does this leave us inrespect of the three generic tax risk areas(portfolio, management and reputationalrisks)? We raised in Chapter 2 thequestion as to whether these threegeneric tax risk areas are tax risks orwhether they are really ways of managingthe specific types of tax risk. Thesegeneric tax risks are, by their nature,wider than any one of the individualobjectives of the generic integratedinternal control framework – the puristswill therefore argue that they should notbe included in the COSO frameworkwhen applying it directly to taxes.(Whether the top of the COSO cubeshould have four or seven risks isperhaps the area that has caused themost debate when writing and producingthis guide.)

We accept that there is no right answer; the whole of tax risk management is anarea where the thinking is still developing.However the conclusion we reached inChapter 2 is that the three generic risksshould be treated as tax risks in their ownright. Notwithstanding that theorganisation’s objectives in the genericrisk areas will, to varying degrees, impacton all three of the framework objectivesset out above, we believe it is appropriatealso to add the objectives for the threegeneric risks to the top of the cube givingus a tax risk management equivalent ofthe COSO model that looks like this:

(The various tools in Chapter 6 and theappendices are based on the COSO cubehaving all seven tax risks across the top;if you believe that there should only bethe four specific risks then the tools willneed adapting accordingly.)

You will note that on the right hand sideof the cube we have put the differenttaxes – whereas in the main COSO cube

it included business units. We acceptthis is also a debatable point. Inorganisations where the internalstructure is very centrally oriented, theconsideration of the tax risk objectivesand the internal control components foreach of objective needs to beconsidered for each separate tax withinthe organisation (as shown in thediagram above).

Withho

lding

taxes

Payro

ll taxes

Excise d

uties

Sales taxes

Co

rpo

rate incom

e taxesTr

ansa

ctio

nal r

isks

Operat

iona

l risk

s

Complia

nce

risks

Finan

cial a

ccou

nting

r

isks

Monitoring


Control activities

Risk assessment

Control environmentTr

ansa

ctio

nal r

isks

Operat

iona

l risk

s

Complia

nce

risks

Finan

cial a

ccou

nting

risk

s

Portfo

lio ri

sks

Man

agem

ent r

isks

Reput

ation

al ris

ks

Monitoring

Objectives

Co

mp

one

nts


Control activities

Risk assessment

Control environment

Withho

lding

taxes

Payro

ll taxes

Excise d

uties

Sales taxes

Co

rpo

rate incom

e taxes

Depth ofOrganisation

Effectiveness and efficiency of operations Transactional and operational risk

Reliability of financial reporting Financial accounting risk

Compliance with laws and regulations Compliance risk

An organisation’s objectives for the specific tax risk areas set out in Chapter 2(Transactional, Operational, Compliance and Financial Accounting risks), broadlyspeaking, each correlate with one of the three objectives in the general COSO Framework:

However where an organisation is more devolved and tax operates along geographical,divisional or business unit or other lines (and where these sectors have responsibilityfor all the different taxes within that sector, division, etc.) it would probably be moreappropriate to consider the internal control processes at the different locations,divisions or operating units level rather than through the different taxes as shownabove. In fact, the current PCAOB pronouncements on auditing internal controls overfinancial reporting suggest that each of the taxes should be considered in each of thesignificant business units (at least for financial reporting).

In a best practice model, the five internal control components should be in place foreach of the different types of risk objectives and each of these should apply across thewhole organisation (in whichever way the organisation operates). An alternative model,on a geographic basis, would be:

We now have an integrated model for managing tax risk management which picks upeach of the COSO components, each of the seven different tax risk areas and coversthe whole business – whether it be by type of tax or the different business units. Wenow need to look in a bit more detail at what each of the COSO components means in terms of tax risk management.

What does each COSO component mean in terms of tax riskmanagement?

Below we have summarised, from a tax risk management perspective, what each of thefive internal controls components might try and address. We then set out a series ofquestions that you might ask of yourself under each of the five headings. The answersto the questions will enable you to start judging whether your tax risk managementprocedures are acceptable and fit within the COSO Framework – which as noted earlieris recognised globally as the best practice for internal control procedures.


Tran

sitio

nal r

isks

Operat

iona

l risk

s

Complia

nce

risks

Finan

cial a

ccou

nting

risks

Portfo

lio ri

sks

Man

agem

ent r

isks

Reput

ation

al ris

ks

Monitoring

Objectives

Co

mp

one

nts


Control activities

Risk assessment

Control environment

United

States

United

King

do

m

India

Brazil

Australia

Depth oforganisation


1 Control environment

This is the attitude and culture of the board and senior management towards tax riskand their overall strategy and objectives for tax risk. This will include their commitmentto tax risk management, the degree to which tax risk policies are set and communicatedand the level of accountability for achieving and monitoring the performance of thosepolicies. This also includes consideration of the compensation ‘driver’ for the taxfunction and their overall position within the organisation.

The types of questions that need considering under this heading are:

• What influence does tax risk have when the organisation’s overall strategy andobjectives are being established?- Is tax risk considered side-by-side with other business risks in evaluating proposals

and making decisions about achieving the organisation’s goals?

• What is the organisation’s tax risk appetite/tolerance - where on the tax risk spectrumis it and where does it want to be? - What is the organisation’s approach, management style and attitude to tax risk –

what is its risk culture?

• How does the board of directors manage tax risk?- Is there a written and agreed tax risk policy and methodology?- How are the board’s strategy and objectives with regard to tax risk and tax risk

management delegated, communicated and embedded with the people throughoutthe organisation?

- Is the board’s policy understood throughout the organisation?- How do senior management ensure their policies and objectives are met – how do

they assess to whom responsibility is delegated and that responsibility is passed tosufficiently competent and experienced personnel?

• How do senior management assess whether the organisation is in compliance withtheir strategy and objectives on tax risk management?- Is information on tax risk management and measurement of achievement against

objectives gathered and regularly reviewed by senior management? - How do senior management respond to new tax risks and weaknesses or

deficiencies over tax risk management? - Do senior management demonstrate their commitment to their tax risk management

philosophy and strategy in their everyday activities?

• How do the compensation policies and organisation structure of the tax departmentsupport or conflict with the fundamental goals of the organisation?

Controlenvironment


2 Risk assessment

This is the awareness and response of the organisation to the different types of tax riskfacing the organisation (as set out in Chapter 2). This will include the organisation’sprocesses and procedures for identifying and evaluating the tax risks and how thoserisks are managed and mitigated consistent with the overall objectives of theorganisation on tax risk.

The types of questions that need considering under the risk assessment heading are:

• How are tax risks identified, evaluated, and recorded?- How are the consequences of external factors such as economic, environmental,

political, technological and social factors considered within the assessment andevaluation of tax risk?

- What policies and procedures are there in place to ensure taxrisks/issues/exposures are identified?

- What risk assessment techniques are used and do they consider past and futureevents?

- Who assesses the risk, what tax skills are brought to bear to ensure risks areproperly assessed and is there an escalation process for predetermined largeamounts?

- How is information obtained/gathered on operations and other internal activities toensure tax risks are identified?

- Although certain tax risks may be risks to one organisation there can be instanceswhere those risks fall on a different organisation in certain circumstances. Are suchsecondary risks included in the risk assessment?

• How is the effectiveness of judgements assessed?- How are the likelihood of events and the impact of events estimated/modelled?- o Is scenario planning used?- Are appropriate individuals with relevant experience and seniority involved?

• Are risks aggregated to enable a portfolio view to be considered?

• How are responses to identified risks designed and implemented?- How are the risk avoidance/risk reduction responses to mitigating tax risks

assessed and evaluated – how is residual risk quantified?

• How is the tax risk assessment documented?

Riskassessment


3 Control activitiesThese are the detailed procedures and processes that have been designed andestablished to manage the tax risks identified in the risk assessment. The design andoperation of control activities should ensure that the tax risks are managed in order toachieve the organisation’s tax risk objectives. The detailed control activities can takemany forms but will include the detailed policies, reviews, approvals, and use ofexternal tax opinions that are used to mange the tax risks.

The types of questions that need considering under the control activities heading are:

• What are the control activities policies of the organisation?- How are these policies communicated throughout and embedded in the

organisation?- Are both preventative and detective control activities used?- How might control activities be circumvented?- Are there appropriate levels of review?- When are external opinions sought?- What controls and processes are in place to ensure tax planning, transactional

issues and tax change generally is properly implemented?- Who is responsible for the control activities?- If the group is SEC listed, has consideration been given as to their adequacy

against the requirements of Section 404 of the Sarbanes-Oxley Act?

• Where are the detailed control activity procedures recorded?- What general controls (controls over information technology and information

systems) are used to mitigate risks to information technology and changes toelectronic systems?

- What application controls (controls over the completeness, accuracy, authorisationand validity of data and transaction processing) are used?

- How is the actual operation of control activities documented/demonstrated?

• Are the activities identified for each type of tax that would address controls to assure:- Timely identification of changes in tax laws, regulations and decisions?- Timeliness and accuracy of the data to which tax law applies?- Accurate application of the tax laws to the data? - Timely and accurate reporting and payment of taxes?

Controlactivities


4 Information and communication

This is the information and communication necessary to ensure the organisation’sobjectives in respect of tax risk are documented and communicated to the relevantpeople. It will include the operating policies and procedures within the organisation thatare necessary to ensure all tax risks are identified and quantified and that the controlsdesigned to manage those risks are documented. It will also cover the findings of themonitoring process so that the effectiveness of the controls over tax risk can beassessed, allowing appropriate development of controls and remedial action wherenew risks are identified or existing controls are not operating effectively.

The types of questions that need considering under information and communication are:

• How is pertinent information on tax policies, tax risk and tax control activities,identified, captured and communicated to relevant personnel?- Is there clear information about roles and responsibilities for provision of information

on tax risk management and the operation of controls over tax risks?- What procedures/processes are there to ensure information is provided on a

timely basis?- What procedures are there to communicate information requirements and provide

feedback on information sources?- What procedures are there to ensure that when people change there is

communication and a proper handover?

• How does relevant information flow up and down the organisation from board leveldown to relevant individuals in the organisation and vice-versa?

• How does relevant information pass around the business – so that the tax functionis aware of what is happening in the rest of the organisation and so the rest of theorganisation can access relevant tax information?

• How is data/information managed, controlled, aggregated and refined without losing relevance?

- How is information stored, protected and accessed?- What back-up/retrieval procedures are there for valuable/critical information?

• What information is gathered from external/independent sources and how is it usedto support tax risk assessment and development of internal controls over taxes?

Information &communication


5 Monitoring tax risk

These are the procedures put in place to review the effectiveness of the operating ofthe internal controls over tax risks, and to enable conclusions on the effectiveness ofthe controls over taxes to be reached. Monitoring will identify where controls are notoperating effectively and where the organisations objectives are not being met. Thisallows remedial action to be taken where controls are not operating effectively andmay identify where new risks are not being properly managed

The questions which need considering under this heading are:• How is the effectiveness of the operation of internal controls over tax risks assessed?

- How is tax risk assessment monitored on an ongoing basis?- What review/testing procedures are there in place that can be used as a basis for

reaching conclusions as to the effectiveness of the risk assessment process and thedesign of controls to mitigate identified risks?

- How are conclusions reached?

• Who receives the results of the monitoring process and what action do they takewith them?- What remedial actions are taken if internal control procedures are found not to be

operating effectively?- How do the findings of the monitoring process impact the control environment, risk

assessment, and control activity functions?

• Is there any independent review of the monitoring process?

• How is the monitoring process documented?

It should now be apparent how closely the various components of an integrated system ofinternal control are interrelated. Designing and operating a tax risk management internalcontrol system is an iterative process and not a linear task. Continual evaluation anddevelopment of each of the components is necessary to maintain a responsive up-to-dateinternal control system, which can deal with the uncertainties in a continually changing world.

Monitoring

SummaryMany features of the components of an integrated system of internal control over taxes arelikely to have been considered, at some point in time, in the vast majority of organisations.However, it is our experience that this tends to have taken place in a somewhat unstructured,ad-hoc and haphazard way. It is a relatively rare occurrence to find a systematic, well plannedapproach to designing and documenting internal control systems over a business’ tax affairs.Addressing tax risk has not been high on the agenda of most tax departments. Whilst mostorganisations can probably cite controls that they have in place such controls tend to beinformal, somewhat lacking in design and unlikely to be documented in any level of detail.

In the current risk environment, including the Sarbanes-Oxley Act with its requirements forsenior management to attest on the adequacy of design and the operational effectiveness oftheir internal controls over financial reporting, many organisations face a significant challengeto move to a best practice compliant regime. Documenting and monitoring internal controlsover financial reporting of taxes, within a regime of standardised controls, designed byreference to a recognised framework which are periodically tested to assess theireffectiveness, is likely to be a large leap forward for many organisations. The gap to bebridged in respect of internal controls over taxes is a significant one that should be focussingthe minds of senior management responsible for this area in the foreseeable future.

Appendix 1 introduces a tax risk management best practice checklist to help youaddress where you are today in putting a best practice framework into your organisation.

In the last chapter we considered whatmakes up an integrated tax riskmanagement system, building on theCOSO internal controls. We then went onto look at how the various objectives andcomponents of the COSO Frameworkmight apply to tax risk management. Thischapter now focuses on how we use thatframework in a practical way in managingtax risk and uncertainty and, inconjunction with Appendix 2, putsforward some tools that can be used inthe process.

It is also worth mentioning at the outsetthat the practice of using internal controlsto manage tax risk is not a simple linearprocess where you complete one stageand move on to the next. You will need tobe able to respond to the rapidlychanging environment in which yourbusiness finds itself. The controlenvironment practices of deciding on atax risk management policy and settingtax risk objectives, carrying out a riskassessment to identifying tax risk anddeveloping mitigating control activities tomanage those risks is therefore anongoing, evolving process – and it willneed to evolve and develop in line withwhat is happening in the rest of theorganisation. It is perhaps more of acircular process – it is certainlysomething that needs to be kept underconstant review and should become anintegral part of the day-to-day operationof the organisation.

Risk framework maturity spectrum

Before looking in detail at how thecomponents of an integrated system ofinternal control can be applied in practicelet us consider, at an overview level,where you are now, or in other words thematurity of your existing internal controlsystems over tax risk management. Byreviewing where you are now on thematurity spectrum below it will help youthink about where you want to be.


6 THE TAX RISK MANAGEMENT FRAMEWORK IN PRACTICE

In Chapter 2 we highlighted that managing tax risk is aboutmanaging uncertainty. By the very nature of uncertainty, therecan often be no one right or wrong answer. Managinguncertainty is about making judgement calls and the quality ofyour tax risk management will depend to a large extent on thequality of those judgement calls. However having a frameworkand system within which those judgement calls can be made is,in our opinion, vitally important to proper tax risk management.


Level 1 – Unreliable• Unpredictable environment where controls are not designed or in place

Level 2 – Informal• Controls are designed and in place but are not adequately documented• Controls mostly dependent on people• No formal training or communication of controls

Level 3 – Standardised• Controls are designed and in place• Controls have been documented and communicated to employees• Deviations from controls may not be detected

Level 4 – Monitored• Standardised controls with periodic testing for effective design and operation with

reporting to management• Automation and tools may be used in a limited way to support controls

Level 5 – Optimized• An integrated internal control framework with real time monitoring by management

with continuous improvement • Automation and tools are used to support controls and allow the organisation to

make rapid changes to the control activities if needed

At the time of writing our experience is that most businesses are at levels 1 or 2 – i.e.in the unreliable/informal stage with respect to tax risk management. However thesteps being taken to implement the provisions of the Sarbanes-Oxley Act, dealing withinternal controls, have organisations, both in the US and elsewhere, focused on rapidlymoving up the ‘maturity’ line. We would suggest that effective tax risk management is aminimum of level 3 and probably looking towards being at level 4. This involves havingstandardised controls over tax risk management that are periodically tested to ensurethey have been adequately designed and are operating effectively. It is important tonote that to be in compliance with COSO there should also be some monitoring ofcontrols as discussed below.

Where on the scale do you want to be?Let us now look at each of the five COSO framework components and consider howthey can be used in practice to help manage tax risk.

OptimisedLevel 5

MonitoredLevel 4

StandardisedLevel 3

Informallevel 2

UnreliableLevel 1


Building a tax risk managementpolicy

In our view the starting point for the controlenvironment is a documented tax riskmanagement policy. What does this meanin a large and diverse group, particularlyone operating in a multi territoryenvironment? The answer, we believe, liesin the development of two layers of policy,namely one directed, at the strategic level,on the overall organisational appetite andframework and the second focused onoperational controls.

The strategic framework or policies shouldset the tone for how tax risk should bemanaged in the organisation and thereforereflect the following:

• High level corporate policies about thelevel of risk across the various types ofrisk discussed above, outlining theposition the group wants to adopt as a whole.

• Country and/or business unit policiesthat further develop this in the individualcircumstances of that country or unit.These policies could reflect the differentpositions that the company may want totake on different types of taxes.

The scales for each type of tax risk as setout in Chapter 2 might be used as part ofthe policy. The policy should cover theentire organisation. It should be sufficientlyflexible both to avoid it having to bechanged too frequently and to encompassroutine, day-to-day, changes in theorganisation and its environment.

The formal approval of the policy is theresponsibility of the board although in

practice it is likely to be CFO (or possiblythe CEO) as the key stakeholder whowould take ownership of it. It is likely thatthe head of tax will have drafted it. Thepolicy should have the buy-in of the keyinterested parties such as the auditcommittee and the chief risk officer.

It follows that one of the key points theboard should focus on is the quality, skillsand attitude to risk of the head of tax (andpossibly others in the tax function). Arethey naturally conservative people or arethey more aggressive risk takers – and howdoes this marry up with the board’sattitude to risk? How do they rate the headof tax’s judgement and management skillsin relation to putting in place a structuredrisk management framework? Historicallyboards have put a lot of trust in heads oftax to ‘get it right’; we are moving to an erawhere the board will be taking less on trustand expecting more evidence to show thatit is right.

Beyond this, detailed operational tax riskpolicies, e.g. policies around sign off onmatters such as transactions, tax review ofnew product development, external advisoropinions, and rulings from fiscal authoritieswill be important components of a controlenvironment to manage tax risk.

When agreed, the tax risk managementpolicy should be formally documented,approved by the board and communicatedto those responsible for theimplementation of the policy and to otherinterested stakeholders.

Controlenvironment

Key board objective: We will have a formal documented tax risk managementframework and policy that will be agreed by the board and monitored by the auditcommittee. This will be in place by [date].

a) Risk control environment

It is primarily through the policy and objectives, together with thegeneral culture and approach of the organisation to risks andcontrols, that the risk culture and tone of an organisation is set. The control environment over taxes therefore manifests itself inthe setting of the tax risk management policy and tax riskobjectives, and the involvement of senior management in boththis and the ongoing monitoring.


Setting specific tax risk objectives

The next stage in tax risk management,after the setting of the high level tax riskmanagement policy, is the setting ofspecific tax risk objectives. The setting oftax risk objectives is effectively thedevelopment of a plan to deliver the taxrisk management policy. The test of theobjectives is that if these tax riskobjectives are achieved the organisationshould be delivering against its tax riskmanagement policy.

As with the policy set out above, thereare two layers of risk objectives – thoseat the strategic level and those that areoperational. The strategic objectives willrelate to the high level goals set out inthe policy; the operational objectives willbe around what happens on a day-to-day basis.

Strategic objectives

• We will not implement more than five significant tax planning ideas in any one year• The tax function must be involved in all transactions over $/£5m• No new subsidiaries may be set up without tax function input into the

structuring/financing• External opinions will be taken on any issue where the tax at stake is greater than

$/£1m• The financial accounts tax figure needs to be accurate to within 3% (or a financial

amount)• Our total portfolio risk should at no time exceed more than 10% of our annual tax

charge in the accounts• The cost of any revenue authority investigation/adjustments should not exceed

1% of the tax payable• Penalties, including tax related penalties, for late filings of tax returns will not

exceed $/£20,000 in any one year

Operational objectives

• The group head of tax will take responsibility for tax risk management for all taxeson a global basis

• We will implement tax planning strategies that will impact positively on our day-to-day business

• We aim to avoid having anything to do with our tax affairs being aired in the publicdomain

• We will file the appropriate returns in all relevant jurisdictions in accordance withtax laws and regulations regardless of local custom

These objectives will also, to a large extent,determine where resources are focused anddirected. Certain of the objectives will bemore easily achieved than others –especially those objectives entirely within theorganisation’s control. However just becausean objective is difficult to achieve does notmean it should be left off the list! When theobjectives have been established theyshould be documented and communicated

to the individuals in the organisation who willbe involved in delivering them, and built intotheir own individual performance objectives.They effectively become the target indesigning suitable tax risk managementcontrols. It is also useful to develop acommon means of documenting andcommunicating the tax risk objectives inorder to create familiarity with suchinformation throughout the organisation.

Tax risk objective Examples


The board and management will makedecisions around events and activities thatan organisation will undertake in order tomeet its overall objectives and increaseshareholder value. In virtually all casesthese events will have tax implications forthe organisation, or parts of it. Such eventscan be internally or externally generated,such as a decision to re-organise part ofthe organisation or dispose of certainassets, or, having to comply with somenew laws or regulations.

It is important to establish at the outsetthat ‘events’ in the context of riskassessment means both active eventswhere some proactive course of action isundertaken and non-active events, wherea risk arises because of the failure(whether inadvertently or by design) toundertake a particular action.

Risk identification

The first step of tax risk assessment istherefore to identify the tax risks – bothupside and downside risk. Looking at thecauses of risk, firstly there are risks arisingfrom changes in the business andsecondly there are those arising from theon going day-to-day activities.

For those risks associated with changeyou might start by considering theorganisation’s overall strategy and itsobjectives for achieving that strategy,together with the planned and potentialevents, both in the business andexternally. Board and managementmeetings, where decisions about thedirection and key events are taken areprobably the key source of identifying theitems likely to have the greatest impact ontax risk assessment. Being aware of whatis happening at such meetings shouldidentify the key risks arising where there ispro-active change in the business and

should cover all significant transactionalrisks. A way of ensuring tax functionsknow what is going on might be to copythem in on minutes of meetings, capitalexpenditure approvals, publicannouncements, etc. These can beforward looking or historic and carried outon either a top-down or bottom-up basis.

Focussing on current business processeswill be a useful source to identify key taxrisks from the ongoing, day-to-day,business where no major changes areexpected. For the risk identification to becomplete it is important to consider thoserisks (which will largely be operational andcompliance risks) arising from following ano change/business as usual approach.These risks will arise both from notproperly carrying out a process through tothe failure to do something at all.

On the compliance side you might also liketo consider your ‘compliance footprint’.This involves creating a map of the variousregulatory regimes that the organisationhas to deal with and the regulatory returnsthat have to be submitted.

On the external side, changes in tax lawsand regulations – over which theorganisation has no control – can give riskto significant tax costs, especially inorganisations which have been moreaggressive in active tax planning andexploiting loopholes. Here the likelihoodand potential impact of anti-avoidancemeasures might have a significant impact.

Another approach to risk identification isto focus on the people. In anyorganisation there will be people whocreate risks and those who mitigate risk.The risk creators will include the decisionmakers, those developing new parts of thebusiness and those driving acquisitionsand disposals – you probably know who

they are in your organisation. To identifytax risks, the tax function will need to bein close contact with these people on anongoing basis.

For those risks associated with change,the objective is to identify all future eventsthat could potentially impact the tax riskposition of the organisation. The tablebelow sets out, at a high level, some ofthe typical events that need to beconsidered in the risk identificationprocess.

Riskassessment

b) Risk assessment

Risk assessment is the awareness and response of the organisationto the different types of tax risk facing the organisation (as set out inChapter 2). This will include the organisation’s processes andprocedures for identifying and evaluating the tax risks and howthose risks are managed and mitigated consistent with the overallobjectives of the organisation on tax risk.


Transactional AcquisitionsDisposalsMergersFinancing transactionsTax driven cross border transactionsInternal reorganisations

Operational New business venturesNew operating modelsOperating in new locationsNew operating structures (e.g. JVs/partnerships)Impact of technological developments (e.g. Internet trading)

Compliance Lack of proper managementWeak accounting records or controlsData integrity issuesInsufficient resourcesSystems changesLegislative changesRevenue investigationsSpecific local in country customs, approaches and focuses in compliance

Financial accounting Changes in legislationChanges in accounting systemsChanges in accounting policies and GAAP

Portfolio A combination of any of these events

Management Changes in personnel – both in tax and in thebusinessExperienced tax people leaving – and informationbeing in their heads and not properly documentedNew/inexperienced resources

Reputational Revenue authority raid/investigationPress commentCourt hearings/legal actionsPolitical developments

Type of tax risk Typical events giving rise to tax risk


Whichever route you follow forrisk identification, the key hereis communication. Thoseresponsible for managing taxrisk need to know what ishappening in the business andthere needs to be a mechanismfor this to take place. Whatevertechniques are used it isimportant that the whole of theorganisation is considered bothat the entity and activity leveland that internal and externalfactors, as well as the risksassociated with there being nochange, are taken into account.What is needed is a thoroughand disciplined approach toensure that all areas areconsidered and nothing fallsbetween the cracks.

Risk quantification

Having identified the tax risks thesecond part of the risk assessmentphase is to consider the potential taximpact of these risks and the likelihoodof the underlying event occurring(especially where the events are notwholly within the control of theorganisation). Once the various riskshave been quantified then decisions canbe made as to which ones need themost attention.

Risk quantification is an area wherejudgement and experience play a majorrole. Various qualitative and quantitativetechniques can be used ranging from thebroad (e.g. quantification of risk ofoccurrence being high, medium or lowrisk) to more detailed approaches toassess the likelihood of occurrence of anevent (such as benchmarking andsophisticated probability analysis).

Similar judgements are also needed inestimating the tax consequence of thetype of risk identified. You will need totake account of past experience, currentknowledge about the future, and theimpact that other events and decisionswill have. The overall aim is to reach aview as to the likely tax outcome of theevent, if the event giving rise to the taxrisk were to take place. It is the inter-relationship of the event, the likelihood ofits occurrence and its tax consequencethat is important in assessing the tax riskinherent within any event.

The events of particular importance arethose which have both significant ormaterial consequences and which have a high risk of happening, since, in theabsence of any measure taken tomitigate those particular risks, theconsequences are likely to be significantto the organisation. However it is not onlythe one off events that can give rise tolarge tax risks. A large volume of smallrisks can build up into large overall risk.An example might be the regularmisposting of disallowable expenditure toan allowable code.

It should be possible to build a riskassessment table outlining the variousevents, their consequence and theirlikelihood. This could be done for eachtype of tax risk and for each differentlocation, operating unit, or alongwhichever primary organisational andreporting lines the organisation operates.However what is important is that the keyevents are collated and aggregated togive an overall risk assessment table forthe organisation as a whole.

Appendix 2 contains two sets of riskassessment templates which have theflexibility to be used in any organisationand can be structured to follow theoperational and reporting structure of anyorganisation. It is important to give somethought to the structure and content ofsuch risk assessment tools beforeadopting them in your own organisation

to ensure that they provide meaningfulinformation required to manage tax risk.You need to bear in mind that the keyobjective here is to assess tax risk sothat the organisation’s resources can bedirected to address those risks.

The first example of a tax riskassessment template is the risk prioritytemplate. This is based on the chance ofan event happening and the impact if itdoes. By grading both the chance andthe impact high (H), medium (M) or low(L), a risk priority can be arrived at whichwill help focus where action needs to betaken. For example where the chance ofan event happening is high and theimpact if it does happen is high, then thisrisk is clearly priority 1 and it needsattention. An example is set out belowbased on the particular events in theprevious table.

How are those managing tax risk informed of such changes in your organisation?


Acquisitions H H 1Disposals H M 2Mergers H L 3Financing transactions H H 1Tax driven transactions L H 3Internal Reorganisations M H 2

New business ventures M H 2New operating models M M 3Operating in new locations M L 4New operating systems H M 2Impact of technological M H 2developments (e.g. Internet trading)

Lack of proper management L H 3Weak accounting records or controls L M 4Data integrity issues H L 3Insufficient resources L L 5Systems changes M H 2Legislative changes H M 2Revenue investigations H M 2Specific local in country H L 3approaches

Changes in legislationChanges in accounting systemsChanges in accounting policy & GAAP

Changes in personnel – both in tax and in the businessExperienced people leavingInexperience resources

Revenue authority raid or investigationPress commentCourt hearing/legal actionPolitical developments

Transactional H H 1

Operational H M 2

Compliance L L 5

Financial accounting M M 3

Portfolio M M 3

Management M L 4

Reputational L H 3

EventChance of event

happeningHigh, Medium, Low

ImpactHigh, Medium, Low

Risk priority1 = High, 5 = Low

Type of tax riskChance of risk arising

High, Medium, Low

Impact

High, Medium, Low

Risk priority

High, Medium, Low

Alternatively, the position could be looked at by type of tax risk or by country or by type of tax.A table using type of risk might look like this:

The above templates give a priority rating, but do not actually spell out the financial implications ofthe risks in question. The two templates below address the same points, but do put financial figureson the results, which gives an alternative way of prioritising which risks need to be addressed.


Acquisitions 75 10 7.5Disposals 25 40 10.0Mergers 10 20 2.0Financing transactions 60 5 3.0Tax driven transactions 20 5 1.0Internal Reorganisations 5 10 0.5

New business ventures 20 5 1.0New operating models 50 8 4.0Operating in new locations 25 2 0.5New operating structures 20 3 0.6Impact of technological 80 5 4.0developments (e.g. Internet trading)

Lack of proper managementWeak accounting records or controlsData integrity issuesInsufficient resourcesSystems changesLegislative changesRevenue investigationsSpecific local in country approaches

Changes in legislationChanges in accounting systemsChanges in accounting policy & GAAP

Changes in personnel – both in tax and in the businessExperienced people leavingInexperienced resources

Revenue authority raid or investigationPress commentCourt hearing/legal actionPolitical developments

Portfolio risk – total – – 34.1

AustraliaBelgiumBrazilGermanyIndiaSingaporeUnited KingdomUnited States

Total

EventChance of event

happening% A

Impact$’m B

Potential cost$’m AxB

Country or Entity Chance of risk arising% A

Impact

$m BRisk weighted cost

$m AxB

Using the same financial approach, but looking at the risks on a country by country basis would givethe following template.

The use of scenarioplanning might beappropriate here.Scenario planning is toobig a subject to go intoin this guide but wehave used it at aconference of Europeantax directors and wouldsuggest that moresophisticated methodsof risk assessmentshould include its use.


Organisations should be able to identify andquantify their key tax risks. Can you?

Avoidance

Sharing

Reduction

Taking alternative action such that the risk no longer arises, forexample by operating using a different model such as:

– using arms length transfer price to avoid a transfer pricing tax risk; or

– restructuring an asset disposal to be a sale of a shareholding in acompany owning those same assets; or

– to operate through a legal entity with a different taxable status in a particular location

Taking action to reduce the likelihood or impact of the risk by transferringor sharing the risk in some way. This generally achieved through thetechniques such as the obtaining of warranties or indemnities, obtainingprofessional opinions, or outsourcing of tax functions

Taking action to reduce the likelihood of the occurrence and/or theimpact of the risk, for example by:

– carrying out appropriate tax planning; or

– obtaining documentary evidence or opinions in support of theproposed tax treatment such as a tax valuation, or

– restructuring the event to give a more favourable tax treatment e.g.by leasing rather than buying a capital asset; or

– carrying out a detailed review of potentially disallowable expenditureto ensure all potentially allowable amounts have been identified and claimed

The cost/benefit analysis of responding to aparticular risk needs to be taken into account.For example, you may decide to have a verylow acceptance of errors in your compliance,but for a particular disallowable expensesearching through all the various accountheadings is prohibitively expensive and timeconsuming and the better answer is to acceptthe risk and live with it.

It should also be borne in mind that the mosteffective means of mitigating the risk may be acombination of several reduction or sharingtechniques and that the residual risk, (i.e. therisk remaining after mitigating action has beentaken) should then be evaluated. If none of theabove techniques can be or are used tomitigate or respond to the tax risk then, bydefault, the organisation bears the risk andaccepts the consequences. These residualrisks should be compared with theorganisation’s tax risk tolerance level and, ifnecessary communicated up the line.

Whilst mitigating responses are generallyconsidered on a risk-by-risk basis and need tobe thought about for each tax risk identified, itis important to bear in mind the overall portfoliorisk. This ensures the impact of any lowoutcome/low consequence risks, which may,on their own, have been considered immaterialor within the organisation’s tolerance threshold,are considered. If, on a portfolio basis, theoverall level of risk does not meet theorganisation’s tax risk objectives, then it will benecessary to consider mitigating responses tomore of the risks in order to bring the overalltax risk level consistent with the objectives.

In order to document the responses to taxrisks identified, it should be a fairlystraightforward exercise to expand the riskassessment and risk priority templates referredto both in Appendix 2 and the riskquantification section above, in order to recordthe various responses that have been designedto respond to the risks identified.

Response to tax risk

The risk assessmentprocess, and the tablesabove, will have highlightedthe key tax risks that needto be managed. The specificresponse to each identifiedrisk will vary depending onfactors such as:

• The ease and cost ofmitigating the risk,

• Its potential impact on thebusiness, and

• The availability ofalternative mitigatingtechniques.

The response might be anyone or a combination of thefollowing three options:


An outline example of a tax controls template for corporate tax transfer pricing risks for a specific location (although it could equallybe a for a subsidiary, division or an operating unit) is shown below:

Goods - acquired No direct third party Comparables transfer Potential challenge Group tax manager comparables available pricing study carried to comparables

out/up-dated to being used.confirm arm’s length

price being used.

Goods – sold

Services – acquired

Services – sold

Royalties – acquired

Royalties – sold

Interest – payable

Interest – receivable

Documentation

Transfer pricing Inherent tax riskMitigating control

activityResidual risk Responsibility


C) Control activities

Control activities are the individual policiesand procedures that are put in place torespond to the identified tax risks. Controlactivities also include the policies andprocedures put in place over the entire taxrisk management process to ensure that theprocess is complete and that all relevant taxrisks are identified and considered. Controlactivities include a broad range of actionssuch as approvals, authorisations,reconciliations, reviews and policies onareas such as segregation of duties.

In the earlier control environmentsection we set out both the strategicand the operational objectives formanaging tax risk. From the riskassessment section we have highlightedwhere the key risk areas are in theorganisation. We now come to ourcontrol activities which need both tolink in with these objectives and tofocus on the high risk areas – beingareas of known risk as well as areaswhere the tax function is not closelyinvolved and which may give rise torisks which have yet to be identified.

Controlactivities

Ensure there is a grouptax risk managementpolicy

Chairman ofAudit committee

Agree broadparameters with restof the Board

Delegate detail tohead of tax

Immediate

The group head of taxwill take responsibility forall tax risk management

Head of Tax Full group tax riskassessmentDesign controlactivities around allmajor risks

Seek externaladvice on bestpractice proceduresfor this exercise

Next three months

The tax function must beinvolved in alltransactions over $/£5m

Legaldepartment

Involve the taxfunction when anysuch transactionarises

Formal notificationrequired

At the start of anynegotiations

Revenue investigations Head ofCompliance

Monitor allinvolvement withrevenue authoritieswhere tax at risk is >$/£25,000

Overview role, butinvolved in detail formajor issues

Ongoing

Objective / Risk What do they needto do?

How do theydo it? When?

Who isresponsible?

Taking the results of some of our earlier templates we might build up a picture thatlooks like this:


WhoVarious people through an organisation willbe responsible for the operation of controlactivities over tax risks. We call thesepeople the ‘risk mitigators’ (as opposed tothe risk creators mentioned earlier). Whothese people are in your organisation willdepend on your own managementstructure. The extent of these people’sresponsibility will depend on their role in theorganisation. The table at the end of thissection gives an indication of the hierarchyof responsibility for control activities overtaxes and tax risk in a typical organisationand what those individuals might beexpected to have responsibility for.

The important point is that there arepeople at appropriate levels throughoutthe organisation who have responsibilityfor both the operation of control activitiesand for the operation of tax riskmanagement procedures and policies.They also need to be clear what isexpected of them.

WhatThe answer to what those variousindividuals need to be doing will dependon their position and their role in theorganisation. Some thoughts on this areset out below.

At the board level the ‘what’ would beexpected to include high level oversightand review of the tax risk managementpolicy, and consideration anddevelopment of the tax risk managementpolicy and objectives.

The audit committee might take a slightlymore detailed interest in not only thepolicy, but also in ensuring that theappropriate control framework is in place,is being operated and is being monitored.They should keep an oversight of thepolicy; they might also want to keep aclose eye on reputational risk.

At the CFO level it would be expectedthere would be more regular review of theoperation of the tax risk management

policy and involvement in setting andmonitoring achievement of the tax riskobjectives. The CFO would also beexpected to be involved with particularlysignificant tax risk management issuesand reporting to the board or the auditcommittee on tax risk management.

The head of tax would have increasinglymore involvement and would be the keypoint for overseeing tax risk managementprocedures and policies with local CFOs or country tax managers. The head of taxwould be expected to have significantinvolvement in (and may have primaryresponsibility for setting) the tax riskobjectives and notifying the CFO on taxrisk management matters. In addition thehead of tax may also be responsible forspecific individual control activities (such asgiving input to potential major transactions,tax negotiations with fiscal authorities andin matters such as legal actions).

Local CFOs and tax managers would beexpected to have a supervisory role overthe operation of detailed control activitiesin their territory, and responsibility forreviewing and reporting up the group tothe head of tax the results of the riskassessment process for their territory.They would also be responsible for thedesign and establishment of controlactivities in response to identified taxrisks and for operating some of the moreimportant control activities (such asauthorising and reviewing certaintransactions). The local CFO/tax managerwould also be expected to haveinvolvement in the monitoring phase,especially where detailed control activitiesare found not to have been operatingeffectively in their particular location.

The individual members of the tax teamor shadow tax departments will haveongoing responsibility for the operation ofthe detailed control activities. Theseindividuals will be responsible for theperformance of the various reviews,approvals, reconciliations etc, as well asthe first level of risk assessment, sincethese individuals are also likely to havethe closest ongoing relationships withoperational people in their locality. These

people are the ‘risk mitigators’ and youneed to think through what support andhelp they will need to do their jobproperly. For example if you have junioraccount clerks coding expenses betweentax allowable and tax disallowable codes,what training and/or manuals do theyneed to help them do this.

There is nothing new in this type ofhierarchical structure. The precise roles,responsibilities and detail of it will dependon the organisation’s overall managementand reporting structure. There will alsoinevitably be additional roles which shouldbe reflected in the list above such asinternal audit and risk managementpersonnel. What is important is that theresponsibility for operation of the controls isclearly set out and understood, especiallyin large organisations operating in differentlocations, where operational, reporting andlegal structures may vary considerably.

The roles listed above are all internal rolesin an organisation. Businesses also useexternal advisors in managing tax risk,both in helping set up procedures and,perhaps more commonly, in performingmock revenue authority reviews. In thelatter case they often use people whoused to work for the revenue authority inquestion who are well placed to see thingsfrom the ‘other side’. External advisorscan therefore also play an important rolein the area of control activities.

HowControl activities should be in place tocover the risks arising from:

• What is done in the tax function• What is done in the rest of the business,

and• What is carried out externally

Control activities should be built into tothe day-to-day operations of the businesswith responsibility for the activity beingassigned to appropriate members of theorganisation’s staff. The tax riskmanagement policy should spell outlevels of authority and who has to review

So in considering the tax risk management control activities we need to look at:

• Who is responsible for the operation of the control activities?• What do they need to do? • How do they do it?• When do they need to do it?


what, and the ground rules for peopleperforming tasks where there are noreview procedures. Each organisation willhave its own way of setting up its controlactivities and it is beyond the scope ofthis guide to try and set out all thepotential controls that could be used tomitigate individual tax risks. Howeveridentifying where risks are or might be,and then considering how these risks canbe managed should give a framework inwhich control activities can be developed.

IT and tax knowledge managementsystems are in themselves controls. This is particularly important where suchsystems are used in identifying exceptionssuch as significant volume changes thatmay indicate tax risks, or alternativelyproviding information that is key todecision making on tax matters. Thereforeas well as including manual procedures,control activities should also includeapplication controls within IT systems.Additionally these need to be designed toensure the completeness, accuracy andvalidity of data capture. Such controlswithin, and over, IT systems are importantactivities since they impact on thesystematic processing of transactions for,for example, VAT/GST tax returns.

Control activities over tax risksoutside the tax function

There are many examples whereresponsibility for tax matters sits outsidethe tax function. Payroll taxes may be dealtwith in the payroll/HR function, sales taxesmay sit within the finance department, andtreasury may deal with withholding taxes.One of our examples of a strategic tax riskmanagement objective, under the controlenvironment section earlier in this chapter,was that ‘the group head of tax will takeresponsibility for tax risk management forall taxes on a global basis’. Even if this isnot the case in your organisation it is likelythat the tax function will be called in if andwhen issues arise in respect of taxes notdirectly under their control.

It is therefore important to ensure whenconsidering tax risk management that all

the relevant parts of the organisation andall its activities are considered irrespectiveof where in the organisation they reside.Unless it is clearly established who in theorganisation has responsibility for thecontrols in these areas there is thepotential for either duplication of workbetween both the tax function and theother department involved, or worse, thateach assumes the other is managing thetax risk in that area when in fact neither isdoing so. This is particularly important inthose organisations where all the financialtargets are based on the profits before tax– with the result that tax management canbe very low on some people’s agendas(assuming it is there at all).

Similar duplication or omission issues canbe found within the tax function especiallyin large organisations where there isinsufficient dialogue between local taxpeople and the head office team. Processesand procedures are needed to ensure thatall these different areas are workingtogether and effectively. The peopleinvolved are often the risk mitigators andthey need support and help in their roles.

Control activities over tax riskswhere using externaladvisors/outsourcing

Another area that needs managing is theuse of external advisors and theoutsourcing of certain activities. Someexamples on this point might be helpful.

Where external advisors are used toprovide advice on a proposed transactionit is important that there are processes inplace to ensure not only that the tax risksare captured, but that there areappropriate related controls to ensurethat the background and information onwhich the advice has been based isaccurate and reflects the actual positionof the organisation. In a fast movingtransaction these basic procedures canoften be overlooked.

Similarly, when proposed transactions areimplemented there are inherent tax risksbased on the transaction that took place.

A review to ensure that either thetransaction was implemented as proposedby the lawyers, or, if not, to consider thetax risks inherent in the actualimplementation become important inensuring all relevant tax risks are identifiedand dealt with.

In outsourcing situations, where anorganisation uses a third party serviceprovider to carry out transactionprocessing it may not be possible todirectly manage the controls in the thirdparty organisation. In such situations, thearea that is often overlooked is thedevelopment of controls to ensure thatthe output given to the third party iswhole and complete and that the inputreceived back is fully assimilated backinto the organisation. The use of a thirdparty itself may well be a control againstan identified tax risk in itself – in that theuse of specialist third party resources ishow the organisation achieves theaccuracy of, say, its tax computations,but this is dependent on full relevantinformation being provided to the thirdparty and the organisation fullyprocessing the information received back.


Preparation ofrisk policy

Tax risk objectivesagreed and

communicated

Development anddesign of control

activities

Remedialdevelopment ofcontrol activities

Risk assessment Risk assessmentupdate

Monitoring ofcontrol activities

Monitoringcontrol

Risk assessmentupdate

Risk managementpolicy agreed

by board

Feedback to Boardon tax risk

managementobjectives

Year 1 Year 2

The timeframes listed in the table below, ranging from annually for the board, down toongoing involvement for the individual staff members of the tax team, are purely indicative.The point is that there should be an agreed timetable for the control activities to take place,and progress should be monitored against this timetable.

One of the purposes of having a detailed timetable is to ensure that the control activities are put in place and implemented in a timelyand disciplined way.

Outline timetable for tax risk management activities

WhenThe regularity and frequency of involvementof the various individuals mentioned abovewill depend on the issues and theorganisation involved. For those groupswho are SEC registrants then initially thereis likely to be great deal of activity toensure that such organisations are up tospeed and in compliance with theSarbanes-Oxley rules.

nFor effective tax risk management, thecontrol activities noted above do howeverneed to be linked to a time period. Forexample, tax reconciliations may need tobe carried out monthly (VAT or GST), and atax analysis of a proposed transactionshould be carried out before the proposedtransaction is put forward for approval.


SummaryIn summary an overview of the control activities position might look like this:

The board The overall control activities of the entire organisation Annually

Internal audit Review of application of controls and procedures Bi annually

The audit committeeReview of tax risk management policy andconfirmation that the internal control framework isbeing operated and monitored

Half yearly

All control activities relating to the finance functionincluding all control activities over taxes and tax risks Quarterly

Head of tax

CFO

Control activities over tax risk and tax riskmanagement

Monthly

Local CFOs/tax managers

Control activities over the finance function includingtaxes (in the case of CFOs) or all control activitiesover taxes (in the case of tax managers) for thecountry/subsidiary/business unit for which theCFO/tax manager has responsibility

Monthly

Individual staffmembers of the taxteam or shadow tax dept.

Responsibility for the control activities over taxes andtax risk within their area of responsibility. For example,control activities over VAT and sales taxes are likely tobe the responsibility of the local VAT/sales tax managerand their team

Ongoing/Continual

Who is responsible? Review cycleWhat for?


d) Information and communicationWe have touched in the earlier parts of this chapteron the importance of communication and information.Information and communication are effectively the oilthat lubricates the whole internal control system andensures it operates smoothly.

Information &communication

Information needs to flow up, down andacross the organisation to ensure that:

• the tax risk management policy formsthe basis for the development of therisk objectives;

• the tax risk objectives underpin the riskassessment and risk quantification;

• control activities are developed to coverthe risks identified in the riskassessment consistent with the riskobjectives;

• the detailed control policies andprocedures are communicated andknown to those responsible foroperating them;

• knowledge about what is happening,and is proposed to happen, on theoperational side of the organisation isconsidered in order to identify tax risk;

• knowledge about what is happening inthe external environment feeds into therisk assessment and into thedevelopment of mitigating controlactivities;

• some general knowledge andunderstanding of the impact of taxeson the organisation are communicatedto the wider organisation so that thesecan at least be considered at a highlevel when developing the widerbusiness policy;

• support is given to those in shadow taxfunction roles to enable them to beeffective, and

• feedback as to the effectiveness of thewhole internal control system can bepassed up the organisation to enablemanagement to assess the overalleffectiveness of their tax riskmanagement activities

In practice many different forms ofcommunication will be used, both formaland informal, manual and computerised.It is important that the information isappropriate for the purpose for which it is needed and therefore it needs to be atthe right level of detail, timely, up-to-dateand accurate.

The distribution method and the nature ofthe information will need to be considered.Some of the information such as thedetailed control activities and theresponsibilities of individuals will need tobe widely communicated and may well bestored and managed in some centralrepository such as an organisation’sintranet site or in documents such as a taxcontrols and policies manual. Where suchcentral repositories of information areused it is important to ensure that they arekept up-to-date, consulted and followed ifthey are to become an integral part theorganisation’s tax risk managementprocesses. We are probably all aware oforganisations where significant time andmoney has been spent developing taxpolicy and tax procedure manuals; only for them to gather dust on the top shelvesof an office somewhere! Other less formalmeans of communicating will include e-mails, memoranda, training materials,databases, and notice boards.

To be most effective, these tools shouldbecome an integral operating tool foranyone involved in tax management. Theinformation used and key communicationmethods should form part of the trainingfor new and existing staff and when staffchange roles and take on newresponsibilities. This helps individualsunderstand how their own role andresponsibilities align with the goals of thewider organisation. Tax risk managementshould become part of the culture.

Some types of information such as theoverall tax policy and the risk objectiveswill probably be relevant across the entiretax function and to people responsible fortaxes within other parts of the business.At the more detailed level, the results oftax risk assessments and control matricesidentifying the nature of individual risks,controls and who has responsibility forthem, probably need to be made knownon a more localised basis.

Finally you might like to consider whatsort of training is needed for the tax riskmitigators, those people from accountingstaff through to the audit committee, whoare responsible for managing tax risk. For example do the people who codeincoming invoices understand why thecorrect coding is so important and thepotential tax risks that arise if they do notdo their jobs properly?

There can, of course, be no standard list of what information and forms ofcommunication should or should not beused. As each organisation is differentthen the relevance, format and types ofcommunication that best meets eachorganisation’s individual needs will be different.

Generally, however, the following commentsare likely to apply in all organisations:

• the tax risk policy and tax risk objectivesshould be known by all involved in anytax risk management role;

• individuals should know how their ownroles and responsibilities align with thepolicy and objectives and fit with thework of others in their area;

• the results of the risk assessment processlinking the risks to any mitigating controlsthat have been developed in response tothem should be documented.


e) MonitoringIn order to consider the effectiveness of the operation of thecontrol activities that have been designed and implemented inan organisation to mitigate identified tax risks, it is necessaryto monitor their operation. Following the monitoring processan organisation will be able to reach a conclusion on theeffectiveness of its controls over tax risks.

Monitoring

It is an established principle of effectivereview procedures that the monitoringprocess should be carried out by differentindividuals to those responsible for thedesign and operation of the internalcontrols themselves.

In many organisations this type of activityis carried out by the organisation’s internalaudit function. However, it is ourexperience that internal audit departmentshave tended to shy away from reviewingtax risks and controls and therefore tendto lack experience in the specific area ofassessing the design and effectiveness ofinternal controls over tax risks. Maybe thishas to change?

To be fully effective there will need to beprocedures in place to ensure that theresults of the monitoring activity are fedback into the whole tax risk managementprocess in order to ensure that:

• remedial or corrective action can betaken where the results of monitoringactivity reveal that controls are notoperating effectively or as designed;

• there is a process to consider theimpact of controls not operatingeffectively on - the achievement of the tax risk

objectives, and - risk assessment

• the results of failures and non-complianceare communicated to the relevant peoplein the organisation so that appropriateeffective action can be taken.

Documentation of the risk assessmentand the operation of control activities isessential to enable independent testing ofthe operation and effectiveness of thosecontrols. Therefore, documenting thecontrol procedures and processes needsto be embedded into the day-to-dayoperations in order to be effective.

In the Sarbanes-Oxley regime, the CEOand CFO will be required to attest on theeffectiveness of design and operation ofan organisation’s internal controls overfinancial reporting (which will include thefinancial reporting of taxes). Themonitoring process is likely to be the key means by which senior managementwill be able to reach such a conclusion. In addition, since an SEC registrant’sauditors will be required to give anopinion, a properly structured anddocumented monitoring process is likelyto be the major area that auditors willwant to consider in reaching their opinion.

Summary

Different organisations will implementinternal controls in different ways.Those businesses directly impacted bythe Sarbanes-Oxley Act of 2002 will bedriven both by what is best practiceand by the requirements of theirauditors. Other organisations will needto decide what levels of internalcontrols are appropriate for theirbusiness. What is clear to us is that,whatever route you follow, a welldefined process is needed for effectivetax risk management.


These are the risks that are perhaps not asvisible as those arising at head office level –and they are often more difficult to manageby virtue of them arising in differentcountries, different time zones, differentcultures and sometimes in a differentlanguage. Additionally in some of the lessdeveloped countries there may be a lack ofsophistication within both the tax law andthe tax authorities with the result that a verydifferent approach to tax management isneeded in these countries.

The points made in earlier chapters are ofcourse as relevant to a multinational as theyare to a domestic group. Howevermanaging tax risk for a multinational groupbrings with it a number of specific issuesand solutions that need to be addressed.We are therefore now going to consider, fora multinational group:

• What are the main local tax risks?• Who owns the different tax risks around

the world?• How these risks might be managed, and• The specific risks arising from the use of

shared service centres.

What are the tax risks?

This chapter is about managing risk arisingin local territories. It is not about managingthe international tax position of a group andthe risks which go with that; it is about whatis happening in local territories, what taxrisks might arise and how these risks canbest be managed. So what are the main tax

risks that arise in local territories? Let us goback to the seven main areas of tax risk asset out in Chapter 2 and consider them inrelation to what is happening in youroverseas subsidiaries.

We would suggest that the three mostimportant types of local tax risk areas are:

1. Operational risk – with local subsidiariescarrying out their business with little or notax involvement. You might also includetransfer pricing under this heading even ifthere is a group transfer pricing policy setat head office level. Having a policy is onething, ensuring that it is being properlyimplemented is quite another.

2. Compliance risk – in respect of thevarious local tax returns that need to besubmitted. It is important here torecognise the wide range of tax returnsthat are needed and that withholdingtaxes and sales taxes/VAT may be moreimportant and higher risk than corporateincome taxes.

3. Financial accounting risk – which may bea risk if the subsidiary in question ismaterial to the group as a whole or wherethere is a lack of familiarity with grouppolicies and non-local GAAP (especially inthe context of group reporting).

The types of risk less likely to give issues are:

4. Transactional risk – on the grounds thatfor any significant transaction you would

expect the head office tax function to be involved.

5. Reputational risk - how much damage tothe group’s reputation can a local subsidiarydo? This needs to be reviewed on a countryby country (or subsidiary by subsidiary)basis. You also need to consider the impactyour local reputation has on your ability todo business in that local country.

The types of risk that are likely to bemanaged at head office level, and hence areunlikely to be local country risks, are:

6. Portfolio risk – whilst the head office teamneeds to understand what is happeningat a subsidiary level, portfolio risk is by isvery nature something which is managedacross the totality of the group and henceneeds managing at head office level. (Aregional tax manager might disagree withthis statement and argue that they arerunning a portfolio of countries and thatthis risk is also a high priority.)

7. Management risk – our view is that themanagement of tax risk is a head officefunction and it is the head of tax whoneeds to ensure that proper managementof tax risk is in place across the group.

So let us focus on the three key local taxrisk areas, namely operational, complianceand financial accounting risks. Before goingany further you might like to list out whatyou believe are the five most significantlocal overseas tax risks for your group.

1

2

3

4

5

Type of tax riskKey overseas

tax risksType of tax

Country in which this riskis an issue

In this chapter we want to focus specifically at how a group canmanage the tax risk arising in countries other than the headoffice country.

If you are struggling to complete this table, you might like to consider how good your risk assessment procedures are. Adopting a structuredbottom-up approach to using the tax risk template tools referred to in Chapter 6 could be a useful tool for identifying the tax risks in your significantoverseas locations. If you have completed the table, how aware is your CFO or your board that these are the group’s key areas of overseas tax risk?

7 MANAGING GLOBAL TAX RISK


Ownership of tax risk

Let us now consider who is responsible for the management of the following taxes:

Corporate income taxes

Sales taxes / VAT

Excise duties

Payroll taxes

Withholding taxes

Other taxes

Head office countryPeople responsible for tax

management of:Country A Country B

If you are a head of tax the chances arethat you and your team (even if you havetax people present in some of your majorterritories) have little or no responsibilityfor the operation of some of these taxesin other countries. However when issuesarise on the tax audits, the managementof this inevitably shifts to the tax function.On the principle that it is better to getthings right at the outset, we are seeing a trend towards more centralised controlof tax matters, but most groups are stillsome way away from the tax functionhaving ownership of all tax matterswherever they happen to be. For examplehow many head office Heads of Tax areresponsible for the operation of payroll or withholding taxes in other countries?Probably none. But what about VAT orsales taxes? Still not that many. And forcorporate income taxes?

However if you are a CFO reading thisyou may well be saying that you expectyour head of tax to be responsible for alltaxes and all tax risk – whatever tax thatmay be and wherever the tax happens toarise. We are aware of CFOs, particularlyin the US, who are expecting their headsof tax to sign off on the totality of the taxposition for their group. So how do wemanage the expectations of the groupCFO (and the board) against the reality of what is happening on the ground?

The first question therefore that webelieve needs addressing for amultinational group is who has ownershipof which taxes and where – and henceownership of the relevant tax riskmanagement issues. If, as we suspect,some of the ownership will fall to localCFOs then the second question is howwell equipped they are to perform a taxrisk management role. Do theyunderstand the risks in what they areresponsible for and do they understandthe group’s attitude to, and policy on, taxrisk? Does it matter to them – particularlyif they are measured on a profit before taxbasis? The third question is who isaccountable if something goes badlywrong – e.g. a large VAT penalty arises in an overseas territory?

Notwithstanding that ownership may liewith a local CFO, what accountability willlie at the door of the head of tax ifsomething dramatic goes wrong? Theanswers to these questions will providesome initial thoughts as what structureneeds to be put in place in relation tomanaging the group’s global tax risk.

There will be some subsidiary companiesthat have their own tax teams, eitherreporting to the group head of tax or tothe local CFO (or both). The questions

above are equally relevant in suchsituations – even if the answers may beslightly different.

The final point on ownership of tax risk isto consider the reporting structure so thatthe head of tax can sign off, if required todo so by the board or CFO, that thegroup’s tax risk position is beingadequately managed. We would suspectthat there are very few local CFOs whoreport or sign off on tax risk managementto the group head of tax. How is thegroup head of tax going to gethimself/herself in a position where he/shecan sign off?

You will by now appreciate the greatimportance of information andcommunication in considering many of thequestions raised here as it is the strengthof the information and communicationprocesses which forms the foundation formanaging global tax risk.

Before addressing some of the questionsraised above, let us take a slightdigression to look at an operating modelwhich is increasingly common in aninternational group – the Shared ServiceCentre – which brings with it their own setof tax risks which need managing.


Tax risks associated with SharedService Centres

The question arises as to how the varioustax returns, for the particular countriescovered by the SCC, are dealt with – andhow, in particular, compliance tax risk ismanaged within an SSC environment. Whatlocal tax returns should an SSC deal with,what might they deal with and what shouldthey not deal with? We have worked with anumber of groups who operate out of SSCsand our comments below reflect theexperience we have gained in this area. Thekey point is to analyse the risks inherent inthe various alternative ways of dealing withtax returns and decide, on a cost/benefitbasis, which is the most appropriate wayforward for your SSC.

There are some tax returns where theposition is reasonably clear-cut. Forexample, local withholding taxes on interestgenerally arise when the interest is paid. TheSSC will often be the only party who knowswhen the interest is being paid and it makesa lot of sense for the SSC to be responsiblefor dealing with the withholding taxes. Froma risk management point of view a systemneeds to be put in place to ensure the SSCknows what taxes to withhold, what forms tocomplete and where to make the payments.Of course in some countries this is not asimple matter as there are a range ofdifferent withholding rates depending on thenature of the payments.

At the other end of the spectrum, we haveyet to come across an SSC that has theability to complete local corporate incometax returns. In our opinion, it would be veryhigh risk to try and deal with such returnsfor another country in an SSC. Such returnsrequire significant local expertise andinvariably have to be dealt with in localterritories – and they are usually outsourcedto a local service provider. The SSC doeshowever continue to have a key role inproviding the data to complete the returns.

However the position on some other taxreturns is not so clear-cut. Let us, forexample, consider VAT or sales taxes. Primafacie, these are transaction taxes, and thusshould follow the withholding tax model andbe dealt with in the SSC. But the in-countryrules for these taxes are different in eachcountry, even across Europe where there is,in theory, a common approach to VAT.Methodologies can be set up so that theinformation coming out of the SSC’saccounting systems feeds through to theappropriate boxes on the return; thequestion is how these methodologies arekept up to date when there are changes inlegislation in particular countries.

We are aware of a recent example thatcost a group a lot of money. Theirprocesses were fine and produced theright VAT information from their SSCaccounting system. What they wereunaware of was a change in local

legislation in a particular country, whichrequired a specific election to be made –and this election was missed. If VAT is tobe dealt with by an SSC then tax riskmanagement procedures need to be inplace to ensure that local changes arepicked up and such risks are identified andmanaged. Alternatively, VAT can beoutsourced to a local, or trans-national,service provider who will be closer tochanges in the countries concerned.

The main point here is that there are anumber of different ways of dealing with taxreturns when the underlying information isbeing processed in an SSC. If we go backto our COSO model, we need a proper riskassessment of the issues and propercontrol activities in place for whatevercourse of action is decided upon. Thecontrol activities need to cover not only theprocessing of the information, but also theapplication of local tax law, both presentand changes in the future.

We have set out in the table below ourexperience of the different types of taxactivity and where they are commonlycarried out when there is an SSC inexistence. The driver here is the amount of local knowledge that is required to dealwith the tax return – and how you ensurethis local knowledge is brought to bear onthe tax return before it is submitted to therelevant authority.

A number of international groups have set up Shared ServicesCentres (SSCs) – often with a focus on bringing the accountingand processing for a number of countries into one central location.The rationale behind these SSCs has been to create greaterefficiencies and greater consistency across a group with often littleor no accounting expertise left in the individual countries.

Withholding taxesTax packs/tax provisionData extraction for corporate income tax returns

VAT and sales taxes European Intrastat and sales listing returns

Property taxesMunicipal taxesStamp dutyEmployee taxes

Corporate income tax returns

Usually dealt with in the SSC

Sometimes dealt with in the SSC

Usually dealt with locally

Always dealt with locally

Type of activityWhere is it dealt with?


Managing these risks

The framework spelt out in earlier chaptersis, of course, equally valid in managing thelocal overseas tax risks as it was inmanaging domestic tax risks irrespective ofwhether an SSC is part of your operatingmodel. However, in our experience, thebiggest single issue in managing overseastax risks is communication and that iswhere we want to focus the discussions inthe rest of this chapter. Of the three tax riskareas highlighted above as being mostrelevant to managing global tax risk, thebest communication is probably seen in thearea of financial accounting, as this has tohappen annually and often quarterly.Communication on compliance risk isprobably next best, but on the operationalside, tax functions are often struggling tofind out what is happening at a localsubsidiary level.

Communication is relevant to all fivecomponents in the COSO framework.Local subsidiaries need to have someunderstanding of the group’s tax risk policyand the control environment within whichthe group is working. The head of taxneeds to understand where the local riskslie so that they can help put controlactivities in place and also find some wayof monitoring these activities.

We have worked with many global Headsof Tax and there are common themesaround their communication issues withtheir overseas subsidiaries both onmanaging the tax position and managingthe tax risk. These include:

1. How does the head of tax manage andcontrol what is happening in otherterritories? For example how do you knowwhat activities the overseas subsidiary isundertaking? How do you ensure thatlocal tax planning is for the benefit of thegroup as a whole and not just for the localsubsidiary? How do you know wherecompliance is falling behind or where themajor compliance risks areas are?

2. How do you obtain good quality andtimely information from overseasterritories of both what they are doing

and of their tax position for use inplanning and completion of hometerritory tax returns?

3. Once information is collected from theoverseas territories how is it stored sothat it is always up to date, and readilyaccessible to all those who need to useit wherever they happen to be,whenever they need it?

4. The more service providers you havearound the world the more difficult itbecomes to manage the global process.There is unlikely to be much consistencyas to the way work is carried out orinformation is reported if you use multipleservice providers around the world.

5. Managing the position around the world,in particular for financial reporting andcompliance, can be a time consumingand frustrating exercise – with numerousemails and phone calls, not necessarilyat sensible times of the day.

6. A lot of the time spent on managing theglobal issues could probably be spenton more value added activities – to thebenefit of both the business and theindividuals concerned.

In summary we would suggest that thefollowing would be high on the agenda of your head of tax:

• Getting good quality information from the subsidiaries

• On a timely basis• On a consistent basis• Ensuring it is up to date• Without spending hours doing so

To achieve this you clearly need to havesome form of system in place. How do you do this – and are there better ways ofachieving the desired result?

1. Direct communication

Face to face meetings, a lot of travel andnumerous emails and telephone calls areone way for the group head of tax to keepon top of the tax risk management issues inother countries. Where there are significant

new issues such an approach may indeedbe the best way forward so all the issuescan be thoroughly aired and discussed.However in a large group a more systematicapproach may be required.

2 Use of technology

Database and web technology lends itselfvery well to managing information acrossdisparate locations. A good technology toolwill help communicate what information isrequired (and when), standardise informationformats, provide the repository for storingand sharing information and (potentially)highlight and/or chase for missinginformation. One caution: our experience isthat provision of a good technology tool isunlikely to bring about any significantimprovement in itself. It will only deliverresults if the discipline surrounding its usecan be instilled/enforced. It is the informationcontent that ultimately matters, not thetechnology that is used to manage it.

3 Basic discipline

Easing the gathering of the appropriateinformation requires investment in scopingout responsibilities and ensuring allconcerned take them seriously. If people inlocal subsidiaries are given responsibilityfor and clear guidance as to the informationrequired, the format in which it is to besupplied, the timetable for provision andthe reasons why the information is needed,they are more likely to provide what isneeded without further chasing.

In large organisations, this discipline willneed to be continually reinforced as thegroup structure and the tax function’scontacts change. Inevitably not allinformation needed will be provided totimetable, but if the requirements andtimetable are properly defined anddocumented and responsibility for theprovision of the information has been giventhen a junior (administrative) member ofstaff can be charged with following upmissing information, rather than having tohave experienced tax staff spend timechasing it up.


4 Use of external service providers

To have an effective global tax riskmanagement system in place it isnecessary to instil the appropriatediscipline into one’s team in otherterritories. However this system and theinvestment in both managing andproducing it does not necessarily needto be made in-house.

Certainly on the compliance side anoutsourcing service provider willprobably already have put similarsolutions in place for other clients andwill be used to liaising with local territorycontacts to ensure the right informationis gathered at the appropriate time. It iscertainly worth considering leveragingoff a service provider’s investment inpeople, processes and technologyrather than try and secure internalinvestment in something that is non-core to your business?

For example, we inPricewaterhouseCoopers have designeda global compliance technology toolwhich is used to help a number of ourclients control their complianceprocesses and compliance risks. Thesort of information which our clients areable to track using this tool include:

Reference information:• Territory listing – it is perhaps surprising

how many head offices are not clear inwhich territories they have subsidiaries

• Legal entity listing – names of all thecompanies in the group

• Status of their legal entity – dormant,operations or holding.

• Legal entity type – corporation, GmbH,SA, etc.

• Identification number – VAT, corporateincome tax, other

• Address, date of formation, ownership• Global contact information – both the

client team and thePricewaterhouseCoopers team, toinclude email addresses, telephonenumbers and fax numbers

Compliance information:• Status of filings by legal entity• Due dates by legal entity• Tax payment by legal entity• Compliance process task summary –

milestones (who, when)• Work paper store – ability to attach

documents• Document store – statutory accounts,

provisions, notices, completed returns• Tax reconciliations

Revenue authority audits:• Queries from taxing authorities and

status of responses

Other matters:• Documented planning ideas and

implementation status• Global fees by jurisdiction• Foreign tax attributes to facilitate head

office tax planning

Whilst the technology tool provides rathermore than is required from a pure riskmanagement perspective, it does providea mechanism or system for the grouphead of tax to manage better, in particular,the compliance risk within their group.

SummaryThere is an increasing requirement fromCFOs for their group’s Head of Tax tohave ownership of the tax risks and taxinternal controls on a global basis.Whilst it is not only financial risk, this isparticularly so in relation to internalcontrols over the financial reporting oftaxes in SEC registrants. The Sarbanes-Oxley Act requires CEO’s and CFO’s toattest on the adequacy of the designand operation of internal controls overfinancial reporting.

For some groups this will require afundamental shift, and perhaps anincrease, in what they need to do to meetthese requirements. A systematicapproach with strong information andcommunication procedures willundoubtedly be needed and we see this as one of the biggerchallenges for the global tax function overthe next few years.


What is clear is that Pandora’s box hasbeen opened and tax risk management ison many more people’s agendas. Whilstassessing and managing tax risk is whattax functions have been doing for manyyears, there is now a need for a systematicorganisational approach that ensures thatall significant tax risks are identified andmanaged. Communication is key and at notime has ‘no surprises’ been more on theagendas of senior management, boardsand the external market. Where this willtake us over the next few years is open tospeculation. However no leading taxfunction, and certainly no leading head oftax, can afford to ignore the issues wehave raised in this guide.

We have analysed the various types of taxrisk and we have set out how arecognised internal control framework canbe applied to manage these risks. We donot pretend that we have all the answers,but we are investing in this area andworking through these issues with ourclients to develop practical andappropriate risk systems.

What we have set out to do in this guideis to stimulate the debate around tax riskmanagement and perhaps throw out oneor two challenges for people to pick upand run with. Best practice in this areawill develop and we look forward toongoing discussions around the worldwith those in commerce and industrywho have to address these issues intheir own businesses.

By way of conclusion we would like toleave you with the diagram we used inChapter 2 that reminds us that tax riskhas an upside as well as a downside.Businesses make money by taking risks.Tax risk management is about aconsidered approach to your tax risks – itis not about trying to reduce them to zero.

8 Summary

Opportunity Transactions Operations Compliance

Hazard

Uncertainty/Variance


Control environment Do you have a documented tax risk management policy?

Are there specific tax risk management objectives?

Have all relevant stakeholders had input to the policy?

Have all tax risk areas been included?

Has the tax risk management policy been discussed and agreed at board level?

Has the policy and objectives been communicated to all stakeholders?

Is there an appetite in the business to implement the policy?

Does the board review the position at least once a year?

Is the tax risk management policy aligned with the wider objectives of the business?

Risk assessment Are there procedures in place to assess the tax risks in the business?

Do they cover all areas of tax risk?

Do they cover all taxes?

Do they cover all significant countries in the group?

Do you know who are the key creators of tax risk in your organisation?

Do you have processes in place to manage these people?

Do you know what the five key tax risks are in the business?

Do you use scenario planning to assess risk?

Are tax risks considered in aggregate to allow an overall portfolio view of risks to be considered?

Is the tax risk assessment documented?

Control activities Are risk control procedures in place?

Are the five key tax risks in the business being properly managed?

Internal controlcomponent Question Yes No

TAX RISK MANAGEMENTBEST PRACTICE CHECKLIST

Appendix 1


(continued) Is it clear to the business when they need to consult the tax functionIs it clear when the tax function needs to consult with the board?Are control activities communicated and embedded throughout the organisation?Is it clear who in the organisation has responsibility forindividual control activities?Are the detailed control activities documented agreed at board level?Are you properly supporting those who have a risk mitigation role (e.g. the shadow tax function)?

Information & Is the board kept aware of the key tax risks Communication in the business?

Is the board consulted on major tax risk matters?

Is there a central place people can find out about the business’ tax risk policy?

Is there a list of people (or roles) who need to understand their role within tax risk management?

Are people new to roles within tax risk management briefed on tax risk management as it affects them?Is the shadow tax department briefed on tax risk management? Is there training in place to ensure key individuals understand their role in tax risk management?Are processes in place to ensure the tax function is kept aware of operational changes to the business?

Monitoring Is there a process in place to ensure that tax risk management control activities are operating effectively?Are internal audit involved?Are the results of monitoring activities reported back to senior management?

Is the monitoring process documented?

Is remedial action taken where risk assessment andcontrol activities are not found to be operating effectively?

Internal controlcomponent Question Yes No


TAX RISK ASSESSMENTTEMPLATES

There are a selection of different tax riskassessment templates set out below.Individual people or businesses willchoose the ones that best suit theirorganisation. The templates below arenot the definitive tool to use inassessing tax risks in a business, but asa starter that can be adapted to suitdifferent circumstances and differentorganisational structures.

1. Risk priority templates

Where such risk priority templates areused as the top level summary for theentire organisation, each line in the tablewould be supported by further tablesanalysing the risk assessment in greaterlevels of detail. For example in template1.1 below, the risk summary foracquisitions could then be analysed eitherby location, type of tax or type of tax risk.

The aggregation of the risk assessmentshould follow the entity’s organisationalstructure. So, if for example, anorganisation primarily follows ageographic reporting structure, whichthen operates within a country using taxtype as its primary reporting structure,that organisation would be expected toproduce its highest level tax prioritytemplate on a country-by countryanalysis. This would then be supportedby a tax type analysis for that particularcountry, with the most detailed level ofanalysis for each separate tax typeanalysed by event or type of tax risk.

The risk priority assessment reported isbased on the high (H), medium (M) or low(L) outcomes reported in the chance ofevent happening and the impact columnson the following basis.

HH priority 1HM and MH priority 2HL, MM and LH priority 3ML and LM priority 4LL priority 5

AcquisitionsDisposalsMergersFinancing transactionsTax driven transactionsInternal Reorganisations

New business venturesNew operating modelsOperating in new locationsNew operating structuresImpact of technologicaldevelopments (e.g. Internettrading)

Lack of proper managementWeak accounting records orcontrolsData integrity issuesInsufficient resourcesSystems changesLegislative changesRevenue investigationsSpecific local in countryapproaches

Changes in legislationChanges in accounting systemsChanges in accounting policy &GAAP

Changes in personnel – bothin tax and in the businessExperienced people leavingInexperienced resources

Revenue authority raid orinvestigationPress commentCourt hearing/legal actionPolitical developments

EventImpact

High, Medium, LowRisk priority

1 = High, 5 = Low

Chance of eventhappening

High, Medium, Low

Type of taxImpact

High, Medium, Low

Risk priority

1 = High, 5 = Low

Chance of riskarising

High, Medium, Low

1.1 Risk priority template by the type of underlying event.

1.2 Risk priority template by type of tax.

Corporate income

Sales

Excise

Payroll

Withholding

Others

Appendix 2


1.3 Risk priority template by location.

1.4 Example risk priority template analysing risk by the type of tax risk.

This template could equally be used to analyse the risk priority byentity/division/business unit etc.

Country or EntityImpact

High, Medium, Low

Risk priority

1 = High, 5 = Low


High, Medium, Low

Australia

Belgium

Brazil

Germany

India

United Kingdom

United States

Type of tax riskImpact

High, Medium, Low

Risk priority

1 = High, 5 = Low


High, Medium, Low

Transactional

Operational

Compliance

Financial accounting

Portfolio

Management

Reputational


2. Risk weighted cost templates

A more detailed risk assessmentapproach, which allows resources to bedirected towards areas where they willhave greatest impact, is to use aprobability based approach toevaluating the potential cost of tax risks.

The following templates consider thelikelihood of an event happening and thepotential impact of the event should it,in fact, occur. Multiplying these twofactors together gives a risk weightedoutcome for each event.

The flexibility mentioned whenconsidering the risk priority templatesabove apply equally to this type of riskassessment so that the risk weightedcosts outcome can be built up for anentire organisation. This is potentially amore valuable tool in directing resourcesto address tax risks. However, it mustbe borne in mind that this tool is only asstrong as the accuracy of the underlyinglikelihood and impact assessment – andjudgement calls are needed to arrive atthese figures.

AcquisitionsDisposalsMergersFinancing transactionsTax driven transactionsInternal Reorganisations

New business venturesNew operating modelsOperating in new locationsNew operating structuresImpact of technologicaldevelopments (e.g. Internettrading)

Lack of proper managementWeak accounting recordsor controlsData integrity issuesInsufficient resourcesSystems changesLegislative changesRevenue investigationsSpecific local in countryapproaches

Changes in legislationChanges in accountingsystemsChanges in accountingpolicy & GAAP

Changes in personnel –both in tax and in thebusinessExperienced people leavingInexperienced resources

Revenue authority raid orinvestigationPress commentCourt hearing/legal actionPolitical developments

Total

Event Impact$m B

Risk weighted cost$m AxB

Chance of eventhappening

% A

2.1 Risk weighted cost template by the type of underlying event.

Type of taxImpact

$m B

Risk weighted cost

$m AxB


% A

2.2 Risk weighted cost template by type of tax

Corporate income

Sales

Excise

Payroll

Withholding

Others

Total


2.3 Risk weighted cost template risk by location

2.4 Risk weighted cost template risk by type of tax risk

Country or EntityImpact

$m B

Risk weighted cost

$m AxB


% A

Australia

Belgium

Brazil

Germany

India

United Kingdom

United States

Total

Type of tax riskImpact

$m B

Risk weighted cost

$m AxB


% A

Transactional

Operational

Compliance

Financial accounting

Management

Reputational

Total/Portfolio


3. Specific tax risk templates

A series of templates can now be built upeither around a type of tax risk, or a typeof tax, or the impact of a specific event,or for a particular country or entity. Theoptions are almost infinite and we do notintend to produce all the differentpermutations and combinations. What ishowever important is that you take theitems above which are either the priorityrisks or the highest risk weighted tax costand break them down into their

component parts so you are clear wherethe largest risks arise and hence where thefocus needs to be in managing these risks.

Let us, for example, look at compliancerisk in country A – which has beenrecognised as one where there arepotential significant risks from thecorporate income tax returns beingreviewed by the local revenueauthorities. The corporate income taxtemplates may look something like this:

The aggregate assessment for CountryA’s tax compliance risks could then besummarised along with the other types oftax risk area (such as operations,transactions, etc) to give an overall taxrisk priority assessment for Country A.Alternatively it could be aggregated withthe tax compliance risk assessment for

other countries to give the organisation’soverall tax risk priority assessment for taxcompliance risks.

The detailed templates will take time tocomplete and the way forward may wellbe a rolling programme with the focusbeing on different areas at different times.

Income recognition

Disallowable expenditure:• Entertaining• Provisions• Legal

Interest deductions

Capital v revenue

Allocation of capitalexpenditure to taxcategories

R&D deductions

Transfer pricing

Compliance tax riskImpact

High, Medium, Low

Risk priority

1 = High, 5 = Low


High, Medium, Low

3.1 Example tax risk template for compliance risks for country A

Copyright ©2004 PricewaterhouseCoopers LLP. All rights reserved. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP (a limited liability partnership,registered in England under registration no. OC303525) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of whichis a separate and independent legal entity. The registered address of PricewaterhouseCoopers LLP is 1 Embankment Place London WC2N 6RH. Designed by studio ec4 16471 (04/04).

Documents

Tax Risk Management - PwC