2.10 Another common organisational risk involves the use of technology. This includes ensuring that ATO systems effectively support the organisation’s objectives, that staff are able to adapt to system changes, and that the cost of maintaining or acquiring systems is adequately planned for and managed.

2.11 As an Australian Public Service (APS) agency, the ATO is subject to particular legislative requirements.19 This includes the responsibility for the effective and efficient use of Commonwealth resources. The Department of Finance and Deregulation’s Risk Management (Comcover) Better Practice Guide provides additional risk management guidance to all APS agencies in this regard.

2.12 All of these risks, including risks associated with taxpayer compliance with the law, are managed under the ATO’s Enterprise Risk Management Framework (ERMF) which is described below.


2.13 The ATO uses an ERMF to record, categorise and manage all ‘enterprise risks’.

The ATO Corporate business line has overall responsibility for the ERMF and works with all areas of the ATO to implement it.20 The ERMF is outlined in the Corporate Management Practice Statement PS CM 2003/02 Risk and issues management which is aimed at ensuring:

A consistent, effective and integrated approach to the overall management of risks and issues at all levels to enable the ATO to achieve its outcome, deliver on government commitments and meet legislative obligations.21

Australian Taxation Office, Commissioner of Taxation Annual Report 2011-12 (2012) p a.

… actively manage all risks and issues that may compromise either its outcome or community confidence in the fair and effective administration of Australia’s taxation and superannuation systems.22

2.15 This practice statement also places a positive obligation on all ATO personnel to identify, report and appropriately mitigate risks as part of their normal duties.23 It establishes three key principles:

2.16 In addition to the practice statement, three other ‘Corporate Management Procedures and Instructions’ (CMPI) documents provide further details on how the ERMF is to be implemented.

2.17 For example, CMPI 2003/02/01 Risk management instructions for enterprise risk owners describes three levels of risks within the ATO:25

At the commencement of the review, the Office of the Chief Knowledge Officer (OCKO) business line had overall responsibility for the ERMF. During the review, the OCKO business line was dissolved and its functions and staff were subsumed into the ATO Corporate business line.

Australian Taxation Office, Risk and issues management, PS CM 2003/02, 22 May 2013.

2.18 At the enterprise level, the ATO has listed 22 enterprise risk categories at the highest level (known as ‘Level 0 risks’). These risks include general organisational risks, risks associated with public sector agencies, and risks associated with functions of a revenue authority. These Level 0 risk categories are grouped into four broad


• tax and superannuation administration;

• stakeholder engagement;

• enabling capabilities; and

• other businesses [that is other ATO business operations].

2.19 This grouping is represented in the ATO’s ‘Wheel of Risk’ in Figure 2 below and reproduced as a list in Appendix 2. Each of these 22 Level 0 enterprise risk categories is then broken down into Level 1 risk categories. Currently, there are 79 Level 1 risk categories. These are reproduced in full in Appendix 3.

2.20 The ATO’s ERMF intranet page also indicates that each26 of the Level 1 risk categories has an Enterprise Risk Owner who is a senior management officer. CMPI 2003/02/03 ATO Enterprise risk categories and enterprise risk owners, lists all the Level 1 enterprise risk categories, each with a risk owner who is a senior executive officer.

2.21 Second Commissioners are responsible for ‘portfolios of risk’. These portfolios divide the 22 Level 0 enterprise risk categories into three groups, one for each of the three Second Commissioners.

2.22 Actual risks are mapped to these Level 1 risk categories and have operational risk owners and risk managers. Operational risk owners have accountability and responsibility for managing a discrete area of risk within an enterprise risk category. Risk managers have responsibility for managing risk controls, treatment or mitigation, and aspects of risk assessment and identification as directed by an enterprise risk owner.27 The ATO has detailed internal documentation about these risks and mitigation strategies.

2.23 All operational risk documents, along with the Level 0 and Level 1 enterprise risk categories hierarchy supporting it, are recorded and managed in the Enterprise Risk Manager (ERM).

Australian Taxation Office, Enterprise Risk Management Framework intranet page. ‘Enterprise Change’ does not have an enterprise risk owner.

Australian Taxation Office, Risk and issues management, PS CM 2003/02, 22 May 2013, see ‘Key roles and responsibilities’.

2.24 One of the main documents recorded on the ATO’s ERM is the risk assessment. This assessment is prepared by the risk manager, and it includes, amongst other things:

2.25 The initial level of risk is a combination of the likelihood and the consequence of the risk event occurring. This is discussed further below.

Confidence levels

2.26 The confidence level of the risk rating takes into account the fact that the risk rating may be based on limited information. Instructions in the risk assessment template indicate:

Factors determining confidence in the risk rating include availability, quality, quantity and relevance of available data and information, as well as divergence of opinion among experts and limitations to the analysis, as previously described.28

2.27 The risk manager then selects a rating of Low, Medium or High, depending on the availability of accurate and verifiable data or information to support the risk rating:

• Low — Limited verifiable data and information available to support the risk rating.29

2.28 Such an approach is consistent with International Standard ISO 31000:2009:

The confidence in determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis, and communicated effectively to decision makers and, as appropriate, other stakeholders. Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling should be stated and can be highlighted.30

ATO Risk Assessment Template – March 2013 – from the Enterprise Risk Manager 22 April 2013, page 10.

2.29 Confidence levels can be used in the context of other risks, for example, in public safety. An example of such use is included in Appendix 4.

2.30 The ATO practice statement and associated CMPIs on risk management guidance appear to be silent about the use of confidence levels.

2.31 The disclosure of confidence levels may also be useful to indicate whether further research or testing is needed to increase the level of certainty about the risk rating before committing resources to address the risk.

2.32 This report now considers the types of risks the ATO associates with taxation and superannuation law compliance by taxpayers.


2.33 There are generally four main types of taxation obligations with which taxpayers are expected to comply:31

• registration — correctly registering in the system where required, such as for tax file numbers (TFNs), Australian Business Numbers (ABNs) or Goods and Services Tax (GST). This also includes not inappropriately registering (for an ABN etc.) where parties are not entitled to do so such as those that are not carrying on an enterprise.

• lodgment — delivery of returns or statements on time, such as income tax returns and activity statements for registered parties.

• payment — discharging taxation liabilities on time.

• reporting — ensuring records, returns and statements are complete and accurate.

2.34 With each obligation there is a risk of non-compliance. Further details about these obligations are described below, along with some basic examples on how the ATO seeks to deter, detect or deal with potential or actual non-compliance.

Registration risk

2.35 Entities not registered in the tax system may potentially avoid a number of taxation obligations. It is important, therefore, that the ATO is able to deter and detect instances where entities attempt to remain unregistered where they are required to do so. Various withholding, reporting and penalty regimes assist to deter or make non-registration unattractive. For example, salary and wage payments are subject to Pay As You Go (PAYG) withholding where employers are required to report these payments to the ATO. Businesses in the building and construction industry are also required to report certain payments made to other contractors for building and construction services.32 This enables the ATO to verify or reconcile this reporting against non-reporting of other taxpayer information. Gaps in reporting may indicate an unregistered entity risk is present.

Forum on Tax Administration Compliance Sub-group, Organisation for Economic Co-operation and Development, Guidance Note - Compliance Risk Management - Managing and Improving Compliance (2004) para [4].

Australian Taxation Office, Taxable payments reporting - building and construction industry (22 July 2013) http://www.ato.gov.au.

2.36 For transactions not subject to comprehensive withholding or third party reporting regimes, the ATO uses data matching and computer modelling to assist in detecting unregistered entities operating in the cash economy.33

Lodgment risk

2.37 After registration, verifying compliance with lodgment obligations is relatively straightforward. If a taxpayer is obliged to lodge a particular document by a particular time, the ATO will know promptly whether this is the case.

2.38 The timely lodgment of an income tax return is necessary for the ATO to accurately assess income tax liabilities. Accordingly, the ATO has a range of measures to ensure timely lodgment. Nevertheless, as recognised in the IGT’s Review into the Non-lodgement of Individual Income Tax Returns (Non-lodgment Review), the sheer number of returns and statements that must be potentially lodged means that the ATO must take a risk management approach to enforcing lodgment obligations.34

2.39 It is important to recognise that the non-lodgment of a tax return or activity statement may not only represent a risk to the Commonwealth revenue (that is, underpaid tax), it may also represent a threat to community confidence in the integrity of the tax system.35

2.40 The IGT’s Non-lodgment Review recommended several measures to reduce the risk posed by the non-lodgment of income tax returns. These measures include increasing support for the ATO use of third party data to identify non-lodgers and increasing penalties for high-risk taxpayers.

Payment risk

2.41 After a taxpayer has lodged an income tax return or activity statement and been subjected to an assessment process, a taxation liability may be established giving rise to a debt. The ability to collect the monies due on these debts represents the payment risk. There are strategies to reduce this risk. For example, withholding at source regimes, such as that used for salary and wage payments, assist in reducing individual PAYG taxpayer payment risk.

2.42 As with the lodgment obligation, the ATO’s systems are designed to determine whether a taxpayer has paid their tax liability on time. The ATO uses analytics and debt models to help determine the strategies to recover tax debts where they become outstanding.36

Australian Taxation Office, Compliance Program 2012-13 (2012) p 23.

Inspector-General of Taxation, Review into the non-lodgement of individual income tax returns (2009) para [4.1].

Michael D’Ascenzo, ‘The effective use of analytics in public administration: The Australian Taxation Office Experience’, (Speech delivered at the Australian Institute of Company Directors, Hobart, 22 June 2012).

Reporting risk

2.43 Verifying compliance with taxpayers’ reporting obligations is a more challenging area for many revenue authorities.

2.44 Australia’s tax system operates on the basis of self-assessment. In general, this means that while taxpayers must lodge correct returns where required, the ATO initially accepts these claims, usually without adjustment, before issuing an assessment.37 The ATO does not necessarily verify the correctness of each return before processing it.38 For example, businesses may not be required to include financial documents with their tax returns, nor are salary and wage earners required, upfront, to include evidence supporting deductions claimed with their tax returns.

2.45 The self-assessment system reduces the costs otherwise incurred by the ATO in attempting to verify the correctness of every return, including dealing with detailed taxpayer information submitted with tax returns.39 The ATO’s decision not to request detailed taxpayer information with every return is a deliberate one, aimed at the efficient use of ATO resources and at minimising the taxpayer costs associated with supplying additional information with the return.

