«A report to the Assistant Treasurer Inspector-General of Taxation October 2013 Review into aspects of the Australian Taxation Office’s use of ...»
2.96 For the ATO, therefore, consequences may relate to amounts of revenue at risk, community confidence, or other outcomes related to taxpayer compliance.
Operational risk management matrix
2.97 The ATO assesses the likelihood and consequence of risks through a matrix construct, shown in Table 2 above. In the case of small deductions claimed in individual tax returns, the combination of ‘likely’ likelihood and ‘low’ consequence scores may result in a ‘moderate’ risk. In this situation, the ATO may wish to avoid a costly comprehensive audit and instead seek verification of that particular deduction through informal means, such as a letter requesting a copy of a receipt.
2.98 Alternatively, the ATO may face a different scenario with large business taxpayers where deductions are much larger. In this case, the consequence would be regarded as ‘high’. Due to the size of the deduction, even if the likelihood was ‘unlikely’, the risk would still be regarded as ‘moderate’. The ATO may still decide to
review the claim even if there is a low likelihood that it is incorrect. The ATO indicates:
As you know, the ATO’s approach to compliance across the taxpayer spectrum is about assuring the community of the integrity of the taxation system. This means that large business is always an area of focus for us; not necessarily because you are less compliant, but because the value and complexity of your transactions are so great that the potential impact of non-compliance on the taxation system could be extreme.88
2.99 Therefore, the risk matrix may indicate that different combinations of likelihood and consequence may result in the same nominal level of risk. However, a given ‘moderate’ outcome does not necessarily mean the ATO treatment is the same.
The type of taxpayer, the type of risk and the level of risk all influence the ATO approach.
INPUTS INTO ATO RISK ASSESSMENT TOOLS
2.100 There are generally two forms of data used in risk assessment processes, quantitative data and qualitative information.
2.101 In general, ATO compliance risk assessment tools require quantitative data or information to process. The sources for such information include tax returns or activity statements and third party data.
Australian Taxation Office, Risk Description - Enterprise Risk 13.3: Cash Economy (From the ATO Enterprise Risk Manager).
Bruce Quigley, ‘We can see clearly now: growing transparency with large businesses’, (Speech delivered at the Corporate Tax Association Convention, Melbourne, 7 June 2011).
2.102 At the other end of the spectrum, the ATO may use qualitative information sourced from the media or other disclosures and ATO officer judgement of a taxpayer’s behaviours and attitudes. Use of this type of information is necessary where a smaller or heterogeneous taxpayer population make it difficult for the ATO to develop and rely simply on statistical, analytical and quantitative methods. A case in point is the large business market segment89, which encompasses only 1850 economic
groups and entities.90 With respect to this market, the ATO states:
Our perception of the likelihood of non-compliance is an informed professional judgment based on assessing a range of risk factors for each tax type. We undertake a moderation process to ensure the RDF categorisation is consistent and supported by the evidence.91
2.103 Depending on the situation, the ATO may use quantitative data, qualitative information or differing combinations of both, as inputs into risk assessment tools.
OUTPUTS OF RISK ASSESSMENT TOOLS2.104 After a risk has been identified and assessed, some form of output is produced. Depending on the specific compliance risk assessment tool it may be a ranking system, a risk rating number, a risk categorisation, or a ‘risk population’ after filtering.
2.105 The ATO risk differentiation framework (RDF) is one approach that provides a risk output. The RDF was first introduced in the Large Business and International (LB&I) business line, to allow the ATO to assess the risk of large business taxpayers in relation to each other. The RDF is used to identify the level of risk relative to the rest of the large business population, rather than the absolute level of risk. This relative risk categorisation assists the ATO determine which taxpayers to review, and what compliance product or approach to use in relation to that taxpayer.
2.106 The small business benchmarks are a different type of risk assessment tool. It is used to assess the risk of underreported income by businesses operating in the cash economy. Businesses that report within the benchmarks for certain financial performance ratios (such as cost of sales to turnover) are ‘filtered out’ from this process. Those that report outside the benchmarks remain inside the risk population for further ATO consideration.92 In this sense, there is no particular risk rating created as an output from this process.
2.107 The ATO has indicated in the Compliance Program 2012-13 and various other publications that it is using the RDF for the large business market93, the small-to-medium enterprises market94, the mineral resource rent tax and petroleum With respect to income tax and indirect taxes.
resource rent tax95, as well as tax practitioner practices96 and self-managed superannuation funds.97
2.108 The RDF is now a central ATO compliance risk assessment tool. It is considered in detail in Chapter 3 in the context of the large business market where it has had longer application. The RDF is also considered in Chapter 4 and 7 in relation to SME and tax practitioners respectively.
HEALTH OF THE SYSTEM ASSESSMENTS — HOTSA
2.109 The ATO also regularly conducts what are known as ‘Health of the System Assessments’ (HOTSAs). These HOTSA processes have been conducted by the ATO for income tax or GST a number of years prior to the adoption of the current ERMF.98
2.112 HOTSAs continue to be prepared for each revenue product, (such as income tax, GST, excise and superannuation) and for each market segment (such as individuals and large business) every year.
2.113 The Income Tax Revenue Product HOTSA is created primarily for the Income Tax Steering Committee (ITSC) which is responsible for contributing to the strategic
Australian Taxation Office, Superannuation Consultative Committee Minutes September 2012 (12 November 2012) http://ato.gov.au/Super/Consultation--Super/In-detail/Super-Consultative-Committee/Minutes/SCCMinutes,-September-2012/.
A form of HOTSA has been in existence since 2003. The ERMF in its current form was implemented in 2010 after the adoption of ISO31000:2009. See Julian Jenkins, ‘Information Design for Strategic Thinking: Health of the system reports’ (2008) 24(1) Design Issues, p 77.
ATO communication to IGT, 20 March 2013.
direction of income tax administration (which includes PAYG withholding, PAYG instalments, capital gains tax and fringe benefits tax).101 The Chair of the ITSC is also the Enterprise Risk Owner for income tax under the enterprise risk management framework.
2.114 With respect to income tax or GST HOTSAs, the process is designed to ask and answer specific questions focussed on three broad areas, each with a series of ‘focusing questions’:102
2.115 The HOTSA uses a coloured rating system to convey the status of each of the above strategic questions, known as ‘element status ratings’, as shown in Figure 6
Source: ATO communication to IGT, 20 March 2013 2.116 Each of the element status ratings is accompanied by a ‘data integrity status rating’. This is a numerical rating used to indicate confidence levels, 1 being the highest and 3 the lowest. An extract of this is provided in Figure 7 below.
DATA INTEGRITY STATUS RATINGSThe report shows rating of the level of confidence we have in the integrity, reliability, and/or availability of the data/information used to assess the issues.
Source: ATO response to information request 4, supplied 20 March 2013
2.117 Like the confidence levels used in risk assessment templates on the ERM, the data integrity status ratings recognise that assessments rely on information with varying degrees of completeness, accuracy and verifiability.
2.118 The HOTSA process, therefore, represents one of the key methods in which the ATO identifies and monitors enterprise risks including taxpayer compliance risks.
IGT OBSERVATIONSRisk ratings and confidence levels 2.119 As indicated above, the ATO assesses enterprise risks with a risk rating based on likelihood and consequence. A separate confidence level is then articulated for that risk rating based on the quality and completeness of the information used to determine that rating. The ATO uses this approach for all of its enterprise risks, such as business continuity and security and not just for compliance risks.
2.120 This distinction between the confidence level and the risk rating assists in determining what further action is required. For example, a high risk rating may require a particular form of risk treatment, whilst a low confidence level may require the ATO to gather more information to increase its confidence level before implementing a risk treatment.103
2.121 As outlined above in paragraph 2.105, the ATO uses the RDF as a means of communicating a risk rating to taxpayers. It has been used for large business taxpayers for a number of years with more recent implementation for other market segments.
One distinctive feature of the RDF is that, whilst it is an adaptation of the likelihood and consequence risk matrix, a separate confidence level is not a part of the model.
2.122 The ATO may have a low level of confidence about the information it receives from certain taxpayers or a low level of confidence that the taxpayer will proactively provide the necessary information. In these circumstances, rather than communicating a low confidence level separate to the risk rating, the ATO instead increases the risk rating. The reasons for this approach in the large business market and the consequent stakeholder concerns are discussed in Chapter 3.
Information confidence levels and cost 2.123 A low level of confidence may be due to a lack of ATO information or a low level of quality or accuracy of the information it already holds. In these circumstances, the ATO may attempt to obtain more or higher quality information to improve its ‘information confidence’ level. The extent to which the ATO can reasonably obtain more information is limited by the cost of doing so and the risk level at play.
2.124 It would be difficult for the ATO to justify incurring and imposing significant costs for low level risks. Conversely, the ATO may be able obtain high levels of confidence, even for low levels risks, at relatively low cost where the additional information is easily obtainable.
2.125 For example, the ATO requires a higher level of information confidence for very large business taxpayers, where the risk to the revenue may be substantial, and is prepared to devote significant resources to obtain further information.
2.126 For risks involving lower amounts of revenue, the ATO does not necessarily require a high confidence level but may be able to achieve it cost-effectively anyway.
United States Department of the Interior, Reclamation Managing Water In The West – Interim Dam Safety Public Protection Guidelines, August 2011, page 24.
2.127 For example, whilst not all 12.4 million individuals who lodge tax returns may be seen as a higher risk, the ATO has ‘an almost complete picture of each individual’s financial dealings’.104 The ATO has acknowledged that, for taxpayers with simple tax returns, it is in a position to exploit the ‘substantial amounts of information’ it routinely receives about those taxpayers to potentially send a completed tax return to taxpayers without the need for those taxpayers to actively lodge a return.105
2.128 The above demonstrates that the ATO has a high level of confidence in the information at its disposal and no further taxpayer disclosures are required.
Accordingly there is no direct cost to individual taxpayers — the costs are borne by third party information providers.106 Taxpayer ‘transparency’ and ATO information gathering approaches
2.129 In the large business market segment, a relevant consideration relating to information confidence is the taxpayer’s ‘willing participation’107 or ‘transparency’.108 The ATO is reliant on direct disclosures from these taxpayers and has an increased focus on real-time engagement with them. For example, the ATO describes the large
business taxpayer Annual Compliance Arrangement (ACA) in these ways:
… By committing to work in a frank and transparent environment with an assurance based approach we can tailor your compliance relationship and experience, rather than working through traditional compliance approaches such as audits and risk reviews.
2.130 The IGT notes that large business taxpayers which the ATO considers ‘higher consequence’ and who are not in an ACA are subject to Pre-lodgment Compliance Reviews (PCRs).
2.131 The ATO has also expanded the disclosure requirements associated with income tax returns. For both large and small-to-medium enterprises with international transactions reaching certain thresholds, the ATO requires the lodgment of an International Dealings Schedule (IDS). With respect to higher consequence large