ATO releases its GST Governance, Data Testing and Transaction Testing guide

23 July 2020

In brief

The Australian Taxation Office (ATO) has released its highly anticipated GST Governance, Data Testing and Transaction Testing Guide (the Guide) explaining how the justified trust methodology is applied to reviewing the existence, design and operation of goods and services tax (GST) controls as part of an effective tax control framework. 

The purpose of the Guide is to assist taxpayers to prepare for a GST streamlined assurance review (GST SAR) under the ATO’s top 100 and top 1,000 programs, review the design and operation of a taxpayer’s GST controls as part of updating its framework or undertake data and transacting testing to ensure business systems are correctly reporting GST.

The Guide identifies the following three fundamental GST controls and provides practical guidance on how to conduct a self-review of a taxpayer’s GST control framework:

• Management level control 4 - Data controls in place for GST purposes (MLC4)

• Management level control 6 - Documented GST control frameworks (MLC6) 

• Board level control 4 - Periodic internal controls testing for GST (BLC4)

The Guide also provides detailed guidance on how to undertake data and transaction testing to ensure that a taxpayer’s business systems are creating, capturing and correctly reporting GST and identifies areas where a taxpayer’s GST control framework may not be designed or operating effectively.

In detail

The Guide addresses three main topics:

1. The ATO’s approach to reviewing GST governance,

2. Guidance for self-review of a taxpayer’s GST control framework, and

3. Guidance for self-review of a taxpayer’s GST correct reporting through data testing and transaction testing.

The ATO’s approach to reviewing GST governance

The ATO’s approach to reviewing GST governance as part of a GST SAR is to seek objective evidence of the design of GST and tax controls. The ATO identifies three fundamental controls for GST purposes:

• MLC 4 - Data controls in place for GST purposes
• MLC 6 - Documented GST control frameworks
• BLC 4 - Periodic internal controls testing for GST

These fundamental GST controls will be the focus of a GST SAR where an income tax assurance review has previously been undertaken (the ATO’s “top-up” approach). However, where an income tax review has not yet been undertaken, the ATO will also seek evidence of the tax controls common to all taxes.

The ATO will utilise its standard governance ratings (staged ratings system for income tax and GST) to rate a taxpayer’s GST governance, with Stage 3 being the highest rating achieved where there is evidence to demonstrate operational and design effectiveness across all fundamental GST controls. In order to receive a high rating overall as part of a GST SAR, a taxpayer needs to obtain at least a Stage 2 rating in respect of GST governance, demonstrating that an effectively designed tax control framework exists.

Guidance for self-review of a taxpayer’s GST control framework

The ATO sets out detailed guidance on scoping a self-review of a taxpayer’s GST control framework, including detailed and specific expectations on the scope of the review and evidence sought for each fundamental GST control.

The ATO also acknowledges that undertaking a self-review requires a substantial investment of time and resources, and invites taxpayers to discuss the intended scope and methodology for a review with the ATO before beginning to ensure the ATO does not need to undertake further testing during a GST SAR.

MLC4 – Controls in place for data for GST purposes

The focus of MLC4 is to establish that controls are in place to ensure GST data integrity based on the design of, and interaction with, business systems. The effectiveness of a taxpayer’s business systems for GST will depend on the extent of automation and manual intervention required to calculate, allocate, create, capture, record and report GST amounts on impacted transactions.

The objective evidence sought by the ATO to support this conclusion is in the form of documented policies and procedures informed by walkthroughs undertaken on a taxpayer’s business systems to evaluate the design of the systems and identify gaps that may give rise to errors. In particular, the ATO focuses on two core elements:

1. Business systems setup, incorporating:

    a. IT controls for integrity and security of GST data – the design of business systems and related application controls that are used for GST calculation, recording and reporting; and

    b. GST tax codes and master data – the existence and design of GST data and calculation controls built into business systems, including GST tax codes and customer, vendor and product master files.

2. Data processing and manual controls – the application of GST treatment and calculation rules through GST tax codes to transactions.

The GST Guide provides an extensive list of examples of the type of objective evidence the ATO looks for, including:

• an IT systems architecture diagram for GST calculation, recording and reporting; 
• IT controls for integrity and accuracy of GST data input and processing, including how IT and tax/finance teams interact;
  
  
• controls regarding GST tax codes and customer, vendor and product master file, including ownership, processes for setup, review, adding and deleting tax codes and assignment of GST tax codes;
• existence and controls regarding rules and conditions for the automatic application of tax codes to transactions;
  
  
• the end to end flow of information to record sales, purchases and associated GST; and
  
  
• GST tax coding procedures and controls to ensure correct GST coding and calculation; and particularly over manual processes.
  
  

In assessing MLC4, the ATO will also consider systemic errors identified through other parts of an assurance review, for example, where data testing identifies errors directly linked to missing or poorly designed data controls.

MLC6 – Documented GST control frameworks

The focus of MLC6 is evidence of the GST compliance procedures for the monthly preparation, review and approval of the Business Activity Statement (BAS), in particular to review data from source systems and check them against source documents to ensure BAS disclosures are correct and the right amount of GST is remitted and claimed.

The objective evidence sought by the ATO is the detailed work instructions which describe the controls and processes for each step of the monthly BAS end to end process to ensure compliance with the law and to manage risks regarding GST disclosures.

The GST Guide provides an extensive list of examples of what should be included in the instructions, including:

• data extraction process, including report set up and the process for verifying the correct capture of transactions from business systems in the reports;
• data analysis process, including trending and variance analysis, reconciliations and transaction data testing to identify processing errors and standard checks for high risk and material transactions (including review of tax invoices and contracts); and
• processes for reviewing and signing off the monthly BAS, including checklists to confirm review of data analysis results, review of adjustments and authorisations evidencing segregation of duties.

BLC4 - Periodic testing plan

Under BLC 4, the ATO expects Boards to obtain assurance that the internal control framework it has endorsed is operating effectively. The ATO does not conduct the testing required to assess the operational effectiveness of tax controls, instead the ATO recommends that testing of the operating effectiveness of a taxpayer’s tax control framework be performed by an independent reviewer as part of a periodic testing program. An independent reviewer is someone with a suitable degree of independence and skill, for example, internal audit function, external auditor or external advisor. The ATO also states that testing by the tax function of GST controls for data could also qualify as independent, where the controls are owned outside the tax function.

The ATO expects the testing program to include the testing of MLC4 and MLC6 and looks for policies or procedures documenting the tax controls testing program, extracts of the testing plan and the testing methodologies to be used. Evidencing an effectively designed testing program is a pre-requisite for achieving a Stage 3 justified trust rating for GST governance.

Self-review of correct reporting through data and transaction testing

The ATO considers data and transaction testing as critical aspects of assessing the correct reporting of a taxpayer’s GST obligations.

Data testing refers to running pre-determined tests against transaction data to identify reporting errors and exceptions for further investigation and/or correction.

Transaction testing refers to tracing identified transactions from source documentation to financial reports and the BAS to confirm the accuracy of the GST treatment, calculation and reporting of the transaction.

The ATO will review data and transactions for correct reporting as part of a GST SAR, including analysing transactions where errors or exceptions are identified and transactions relevant to risks flagged to market and new or large transactions. However, the ATO expects that taxpayers undertake assurance and verification procedures tailored to their own operating environment on an ongoing basis, including as part of their BAS preparation process. The Guide sets out guidance on how a taxpayer may undertake self-review of correct reporting through data and transaction testing.

The Guide includes detailed guidance on self review processes for data and transaction testing, including:

• the approach to identifying data to be included in testing, including the overall architecture of the source systems, the relevant data sources (including general ledger transactions, chart of accounts, purchase and sale transactions, trial balance, GST coding listing and supplier master file), data sample sizes and data fields;
• the data tests the ATO expects taxpayers to undertake using GST data analytics software, including listings of general data tests, industry specific and business specific tests;
• the documentation and other evidence required to validate the correct GST treatment of transactions reviewed; and
• the documentation of findings and actions to address deficiencies in GST reporting, including a comprehensive list of matters to be included in the recording of outcomes of data testing.

The takeaway

The Guide sets out clear expectations from the ATO regarding GST governance and GST data and transaction testing. It is detailed and includes extensive information to assist taxpayers to assess whether their GST control frameworks meet the ATO’s expectations and to prepare for a GST SAR. A taxpayer that is familiar with the Guide should not be surprised by the extent and breadth of any GST SAR.

A few key takeaways:

Focus on GST control frameworks as part of GST SARs – The Guide makes clear that GST control frameworks are a key focus of the ATO as part of a GST SAR.  This is consistent with our experience in assisting taxpayers respond to GST SARs, with extensive requests for information and documentation of the systems, processes and controls in place for GST calculation and BAS reporting, detailed walkthroughs of systems and processes and comprehensive data testing.

Importance of objective evidence to support your GST control framework – The Guide contains numerous references and examples of the documentation that the ATO expects to see to evidence an appropriately designed GST control framework, including policies, procedures, work instructions, workpapers and source documentation. To complement this, the ATO also sets out a detailed list of the matters it expects to address in walkthroughs of the business systems and BAS preparation processes. 

Once again, this is consistent with our experience in relation to GST SARs. Understanding these expectations and assessing the current documentary evidence of the design of your GST control framework is an important part of preparing for a GST SAR. In addition, in our experience, documentation of the overarching end to end data, systems, processes and controls for GST calculation and BAS reporting is an important element in drawing the disparate components together and demonstrating the robustness of the GST control framework as a whole. 

Value in preparing for a GST SAR – As noted above, the Guide contains extensive information to assist taxpayers to prepare for a GST SAR and we highly recommend that taxpayer’s familiarise themselves with that information and consider the best approach to preparation in their circumstances. 

In addition, the ATO anticipates that taxpayers will undertake self-review of their GST control framework and data testing and acknowledges the investment of doing so. The alignment of the scope, method and reporting of the outcomes of the self-review to the Guide, including the independence of the person undertaking the testing, will determine the extent to which the ATO will rely on the outcomes of the self-review and avoid the need for the ATO to undertake further testing as part of a GST SAR. In our experience, engaging with the ATO on the scope, methodology and reporting of preparation work can streamline the GST SAR process and significantly reduce the time and effort required in responding to the review.