The legislation, introducing the Senior Accounting Officer (SAO) measures, places personal accountability on senior financial officers in relation to accounting arrangements that support the basis of various UK tax filings.
In summary, the provisions require compliance with the 'main duty' for an SAO to take reasonable steps to ensure that a company establishes and maintains appropriate accounting arrangements.
The guidance is principles based and not prescriptive. Any interpretation is likely to be subjective and dependant on specific facts and circumstances and organisations will therefore need to interpret what this measure means for them. We have long had strong views of the various features of a well managed and controlled tax department and have advised clients on what best practice tax management looks like based on our experience of HMRC risk reviews, SOX implementations and years of experience advising on tax risk and controls projects. Below we apply our knowledge to the problem of what reasonable and appropriate may actually mean within the context of the SAO measures, the Tax Compliance Risk Framework and for internal audit purposes and how it can bring real benefits to the tax department beyond just compliance with these new requirements.
RISK ASSESSMENT AND YEAR 1
Although no official transitional rules are included in the legislation, HMRC may accept that reasonable steps have been taken in the first financial year for which the measures apply if a "review of the appropriateness of the tax accounting arrangements" has commenced. In our view, any such review should begin with a risk assessment of the existing arrangements.
Introducing The Cube
To assist this risk assessment process Deloitte has developed The Cube which is based on our view of good practice in the area of tax risks, systems, processes and controls.
The Cube has been developed in the light of SAO guidance and includes a comprehensive set of questions, covering all taxes and duties. It categorises responses into five interrelated components that together form an integrated risk framework for internal controls over tax. These components are:
Where the Cube is used as a basis for an initial risk assessment for SAO purposes, this should constitute reasonable steps in Year 1 and therefore give considerable comfort that a penalty, for not complying with the main duty, will not be incurred.
The results may identify that appropriate tax accounting arrangements are not in place in some areas. To the extent that these are not reasonably capable of being fixed during the first period it may be necessary for the SAO to submit a qualified certificate. It is our view that SAOs will not wish to file such a certificate, even for the first period, owing to potential implications for reputation, HMRC risk assessment etc. Therefore, we would expect to see many SAOs identifying and implementing remediation plans within a shorter timeframe.
The Cube generates an indicative assessment of risk, using the system of red, amber and green, based on a series of questions which seek to explore the existence and effectiveness of a company's internal controls over tax compliance.
The results of the Cube will allow an SAO to understand and identify key priorities for change and identify where actions are required to comply with the measures.
Reporting, Recommendations And Prioritisation
Following the risk assessment, a report is produced documenting the identified issues together with an explanation of the impact on the organisation and the materiality of that impact.
The report can prioritise areas by reference to materiality and relative difficulty of implementation. This analysis will facilitate the identification of significant 'quick wins' and those issues which, while important, will necessarily form part of a longer transformational exercise.
Deloitte was contacted by the Tax Director of a large UK group who was keen to provide the new FD with an immediate sense of their readiness for the SAO regime.
The team worked with the organisation to arrange a number of workshops across the business – operations, finance and tax. At these workshops the Cube questions were completed and the results and key messages were presented back.
The business saw the key benefits as being:
The business is now moving on to addressing the key risk areas identified and will continue to use the structure of the Cube to monitor future compliance.
Illustrative Project Plan
Assumes calendar financial year and project kick-off on 29 June 2009
Tax accounting arrangements cover the entire end to end process of calculating a tax liability from initial data input into accounting systems to arriving at the numbers which form the basis for the tax return. 'Appropriate' may therefore mean something different for each business depending on its size and complexity. However, it is our view that there are common features which we would expect to see in many businesses.
The remainder of this document will give our view of good practice in each of the key areas of the Cube and demonstrate how this goes a long way towards reasonable steps to maintain appropriate tax accounting arrangements.
It is our view that to create an environment for robust processes there should be appropriate 'tone from the top'. This may involve a documented and board approved tax strategy covering governance of tax and approach to tax risk supported by a risk assessment which demonstrates how risks are identified, measured and controlled. The challenge here is for companies to produce a tax strategy that not only reflects the aims and objectives of the tax function, but also responds to the company's overall corporate strategy. We would expect a tax strategy to feature the overall aims that underpin the organisation's goals, how tax risk will be effectively managed, decision support for tactics and choices including tax planning and details of how the strategy will be delivered.
Deloitte was asked by a multinational business to help define its tax governance standard (i.e. a statement of their approach to tax and tax risk) and develop a framework to embed this within their day to day operations. A key driver was the need to enhance the tax function's efficiency and effectiveness.
Internal and external stakeholder expectations were prioritised and the key expectations informed the tax governance standard. A common approach for discussing and assessing tax risk was then agreed. Next a set of standardised global control processes for all taxes and jurisdictions were created and were aligned with the tax function's governance standard. A web-enabled system was created that provided easy links to the standard, control processes, practices and tools. The benefits were:
Tax Operating Model
One approach to defining and documenting a tax strategy (including key KPIs such as Effective Tax Rate, cash tax outflow etc.) and tax policy is to use a tax operating model. This should be aligned with wider corporate strategy/policy and consider key stakeholder needs. It could be a simple, internal document or public statement. The benefits are that it:
- aligns tax aims and activity with that of the wider business;
- enhances confidence by facilitating board oversight and approval; and
- enables communication of strategy/policy throughout the organisation.
This provides the infrastructure to support the governance and delivery of tax. It defines minimum expectations and procedures over global tax control processes. The framework may enable cost efficiencies by enhanced performance and standardisation, define accountabilities and responsibilities and facilitate sharing of best practice, methodologies and tools.
Decision tools facilitate the comparison of new tax planning ideas and other 'decisions' against the group strategy/policy. These can involve detailed definition of decision factors, scales and policy for each and a visual way of displaying results:
- helps develop a common language of tax risk within the organisation;
- enables improved cashflow by efficient implementation of planning;
- transparent decision-making; and
- helps focus resource on 'weak' elements of the decision.
Tax Decision Support
A tax strategy document should then filter down into the operations of the group, rather than be a document for documentation's sake alone. It should drill down into processes and systems around tax and include evidencing of the approach and processes used in respect of each of the taxes operating in the group i.e. what are the escalations models, the review procedures, the materiality levels and why, but also detail the key decisions to be made, who the decision makers are and what are their responsibilities and qualifications to make such decisions.
Partnering with every area of a multinational organisation's business, the tax compliance process was comprehensively mapped, identifying the data sources at every stage. This mapping enabled the identification of the main areas of risk inherent in the tax compliance process, for example, the points of interface at which data was at a high risk of being communicated or recorded inaccurately. Once the main risks had been identified, mitigation plans were designed. For example, a key risk area was identified around the data entry stage of the process, so a training package was designed and delivered to raise awareness among the data entry staff of the consequences of inaccurate data entry. To preserve the future integrity of the data, ongoing tests were designed to highlight errors at every stage of the compliance process, involving Internal Audit in the design so they were able to play a key role in monitoring these processes in the future.
Relevant process owners should be interviewed to document the processes and controls in place. This can enable an assessment of how key risks are managed through the existing tax management framework.
If process/control failures are identified, further testing of your underlying systems and data using data mining tools may be appropriate. This can enable a view to be taken as to whether processes are robust enough to identify accurate and complete numbers for the tax return.
Deliverables would typically include:
- documentation of underlying tax processes/controls and systems, highlighting key areas of risk;
- an assessment of the above against HMRC expectations and 'best practice'; and
- recommendations for bridging the gap between the current and desired state.
The final two steps are implementation of any remedial actions which are identified and then to monitor performance on an ongoing basis.
One-off, unusual events which impact an organisation's ability to achieve its objectives can occur as a result of external factors (such as macro-economic events) or because of internal events (such as acquisitions or disposals, changes in key personnel etc). Organisations may not always be able to predict these events but need to be ready to respond appropriately and accurately reflect these in their tax deliverables. Tax teams who are unable to achieve continuity in anything other than 'business as usual' may find themselves grinding to a halt which will have a detrimental impact on the delivery of tax reporting. Conversely, an ability to deal with the unexpected suggests that "appropriate tax accounting arrangements" are in place.
The best processes in relation to dealing with events will normally include the following:
- a detailed risk map which identifies all potential eventualities and prioritises them based on likelihood of occurrence and significance of impact and development of mitigation plans to minimise the impact of these events;
- strong communication channels with the rest of the business to ensure timely awareness of issues that may impact on tax obligations; and
- mandatory sign off required from tax on any unusual transaction before the transaction occurs. Once potential risks have been identified then their possible impact can be built into tax budgeting and forecasting therefore enabling sensitivity analysis on cash tax and effective tax rate.
A risk map evaluates and monitors the impact of one-off events/risks. This is achieved using scales to measure the likelihood and impact (qualitatively and quantitatively) of a risk crystallising and a standard approach to their 'management'. This is then reported and tracked over time. The map:
- provides a common language for defining and reporting tax risk;
- facilitates identification of key risks and action plans to mitigate/manage etc; and
- enables progress to be tracked over time.
Controls cover the policies and procedures that are in place in order to ensure the existence of an appropriate control environment. The main question here is whether the infrastructure exists to ensure that reasonable steps have been taken.
HMRC guidance describes this as being 'the steps a person in this situation would normally be expected to take to ensure that risks to tax compliance are properly managed and to enable the various returns to be prepared with an appropriate degree of confidence'. They envisage reasonable steps to include the delegation of control and monitoring activities to other people, but within its own risk management framework.
So what is clear is that reasonable steps will vary based on the specific circumstances of an organisation e.g. size, complexity, acquisitions or other business events occurring in the year etc. But, there will be some common themes, and strong evidence of reasonable steps being taken in the first financial year covered by the measure is likely to include the following:
- reviewed and documented understanding of the current state process;
- risk assessment undertaken and potential issues identified;
- mitigation plan to deal with issues identified and communicated to relevant parties;
- evidence of the commencement of the mitigation plans; and
- monitoring of progress of mitigation plans and testing of results.
In the longer term, the focus on reasonable steps is likely to change and become more centred on:
- control and monitoring of existing activities;
- ensuring compliance with new tax law and requirements; and
- incorporating new businesses or reviewing new companies' processes following corporate acquisitions.
HMRC envisages an open working relationship, and therefore more 'real time' consideration of a company's accounting arrangements. HMRC may consider that open discussion during, for example, a "business risk review" can of itself contribute to reasonable steps.
Common key controls that we believe may be reasonable steps in ensuring appropriate arrangements are:
- requiring sign off from tax on unusual transactions or major business decisions before implementation by the business;
- documentation of the basis for key judgements taken on tax sensitive items (including interpretation of legislation/case law, advice taken, underlying facts and information etc);
- ensuring robustness of spreadsheets by including audit trail functionality and sensitivity analyses, updating tax logic and streamlining data input;
- an appropriate review of all aspects of the final calculation;
- ensuring appropriate training of key personnel;
- procedures to recruit appropriately experienced and qualified staff who are competent to perform their duties; and
- appropriate delegation of authority and segregation of duties
With the agreement of HMRC, Deloitte worked with a large UK group to undertake a controls review. Processes and controls across all taxes were documented and certain under and overstatements of tax were identified. The report contributed to the Group's overall 'Low Risk' rating which should reduce compliance costs over time. Penalties were minimised through voluntary disclosure of errors and opportunities for increased claims for relief were identified and subsequently pursued.
This is an enhanced process mapping tool which highlights controls and risks together with the volume and value of transactions/adjustments within a tax process, focussing attention and resource on the key risk areas. This tool:
- provides a detailed understanding of end-to-end tax process;
- highlights areas of key risk;
- is in line with HMRC and other external expectations; and
- demonstrates 'reasonable care' for the purposes of reducing penalties.
Dynamic Process Mapping
Reliance On SOX?
The SAO legislation is not SOX for tax, but companies who apply SOX are likely to be able to place some reliance on the work undertaken. Areas of comfort include governance ('tone at the top') involving board engagement on tax matters; preventative controls for key tax risks such as segregation of duties; detective controls, such as sample testing of outputs; and documentation of the existence and ongoing effectiveness of these areas.
It should be noted that the focus of SOX compliance is financial reporting and so incorporates a concept of materiality not recognised in the SAO provisions which may not pick up all taxes. Also, controls for SOX purposes can be at a level above that of a UK tax payer. 'Immaterial' failures may therefore not be considered relevant to the SOX attestation but would be for SAO purposes. So while there may be strong compliant behaviour stemming from being within SOX it may be necessary to perform additional work to build on these behaviours.
The Tax Control Framework
Our Tax Control Framework is based on internationally accepted COSO internal controls and is consistent with HMRC guidance of their understanding of what is 'reasonable', 'adequate' and 'accurate' in the context of the management of UK taxes and duties.
This integrated framework incorporates the full scope of our understanding of 'tax accounting arrangements': from the strategic and governance direction from the Board; through the internal environment which brings that strategic direction to life; the management of tax implications arising from events; and finally, the day-to- day controls and compliance activities.
For each tax and element of the arrangements we have an established view of the aim of the relevant controls, i.e. the 'Tax Control Objectives'. These are designed to provide reasonable assurance that particular aims are achieved, or related progress understood. Examples of high-level Tax Control Objectives include:
- a clear allocation of responsibility for the computation of tax liabilities;
- tax implications for new activities are considered;
- suitable tax experience resides within the organisation or is sought from external advisors as appropriate;
- tax filings are complete, accurate and submitted on a timely basis; and
- tax planning mechanisms are in line with the agreed strategy.
These enable us to quickly and effectively help clients identify risk areas, review the current state of their controls, develop a plan for resolving any issues and test performance going forward.
Tax Controls Framework
Processes, people and systems ensure effective and accurate compliance. Having the right personnel in place will be the foundation for appropriate tax accounting arrangements. Typically this includes an experienced and appropriately qualified Tax Director in charge of an adequately resourced tax department with regular training of personnel on processes and tax technical issues. There should also be clear lines of accountability for all taxes where this does not lie within the Group Tax department. Consideration should also be given to involving experienced and appropriately qualified tax advisors on major transactions and other complex areas.
Technology can also facilitate appropriate tax accounting arrangements. A tax sensitised chart of accounts coupled with well trained data input personnel can enable accurate source data for tax purposes with minimal intervention required from the tax department in terms of adjustments. Automation of data extraction and the use of robust tax return software can also resolve key risk areas around manual intervention, audit trails and maintaining tax logic. Controls and exception routines can be built into automated tax processes to reduce the chance of errors going undetected. For example, indirect tax systems can include controls for spotting duplicate transactions or the use of a non-standard tax rate. Data warehouses can store information relating to past years' tax liabilities and those of other group companies, enabling comparative reports to be generated automatically. Cross checks can, for example, compare the entertainment expenses identified for indirect and direct tax purposes.
Use Of Shared Service Centres
Outsourcing and offshoring, common practice in the finance function, can be equally applicable to tax. Tax resource can be located in Shared Service Centres (SSCs) to maximise the efficiency and improvement gains from creating centres of excellence. While a large part of the work performed by SSCs is transactional, appropriate recruitment and training mean that scope can be extended to processes such as reporting, analysis and financial planning.
For many organisations today, finance directors retain responsibility for preparing the local tax pack in readiness for filing a tax return. Typically, this is a manual process whereby information is extracted from the financial systems and reanalysed for tax purposes before submission to the tax department who generates the tax return. Companies are now beginning to use shared service centres to remove some of the burden from entity level finance directors. Combined with automation of data directly into tax return software, a review-ready return can be produced by suitably trained resources in an SSC.
Use Of Technology
Tax sensitising your chart of accounts is a preventative measure that may form part of appropriate accounting arrangements but this may equally be achieved by way of detective measures i.e. a thorough review of account codes to identify mis-postings or use of data mining tools. The right answer is likely to depend on factors specific to your organisation such as volume and complexity of transactions and resource.
Data Mining Software (IDEA)
Data interrogation software is used to:
- check controls operating correctly;
- identify mis-postings;
- facilitate the calculation for enhanced deductions e.g. R&D expenditure; and
- identify allowable/disallowable items.
At Deloitte we have a range of tools to help clients with their compliance responsibilities. All the compliance tools are both licensed to clients or used by Deloitte internally as part of delivering an outsource service to clients.
Abacus Enterprise Direct Tax
- Abacus Enterprise Direct Tax Compliance is a tax determination engine that calculates and populates filings.
- It is used internally by Deloitte and 60% of the top FTSE companies.
Abacus Enterprise Indirect Tax
- Tax sensitised worksheets including a full audit trail and prior period comparisons to enable completion of VAT returns on a pan-European basis.
- An excel-based data collection tool to enable the upload of data directly into the worksheets.
- A database that will import transaction level information from
source systems and run data analysis tests before summarising ready
for upload into the worksheets.
An Outsource Solution?
We would expect that in complying with the main duty an SAO may rely on external service providers. Many companies outsource some or all of their tax compliance while others perform this work in house. Neither of these methods is necessarily better than the other. What is clear is that regardless of which option is chosen, the SAO must be comfortable about the quality and ability of those undertaking the work. If retaining compliance in house, then he/she will need to ensure that the requisite quality of staff is employed (sometimes difficult due to significant workload fluctuations) and adequate review processes are in place. Similarly, outsourcing of parts of the compliance process does not mean that the SAO is relinquished of all responsibility. An appropriate outsource provider, such as Deloitte, could be engaged and a review undertaken by the officer who signs the tax return. In that situation, we believe that the SAO can be comfortable based on the outsource provider's reputation that they have taken reasonable steps. The right answer for a company between in-house, co-source and outsource is likely to depend on factors specific to that organisation such as internal resource, review and control processes and complexity of the company and its business.
Tax Compliance Automation
Much of the time associated with tax compliance is spent on non-value added activities such as pulling reports from underlying accounting systems and manually re-keying these into spreadsheets or tax compliance software.
These activities can, to a large extent, be automated thereby saving time and reducing risk. The better the underlying quality of data the greater the savings and benefits achieved, but even where underlying data is not of a high quality, time spent moving this data around can be saved. The key features of tax automation are:
- ERP mapped via software (e.g. Deloitte Integrator) to tax compliance software.
- Use of the same mapping each time for rapid import of data.
- Allows more time for you to focus on the tax.
- Standardisation of computations.
- Reduced re-keying and associated risk of human error.
Improving Tax Data Processes
Extraction from underlying systems of data required to prepare the tax return, and the quality of that data, are a common source of difficulty of difficulty to organisations. Often money is even left on the table when it comes to estimating tax payments and filing the return because they are forced to take a conservative or round-sum approach. The reasons for this tend to be:
- The information required exists in the accounting system but the tax department can't get at it.
- The information required exists in the organisation but not in the accounting system (and the tax department can't get at it).
- The information required does not exist in the organisation at all.
We will review your current and prior year tax computations, tax returns, statutory accounts, HMRC correspondence (where available) and VAT accounts and map against our checklist of high opportunity areas for savings. Then we can identify likely high-value areas in an organisation (e.g. fixed assets, R&D credits, legal & professional expenditure) and apply an appropriate solution.
These can include:
- Where information is in your ERP system, writing reports to extract it in an appropriate format.
- Where information is not in your ERP system, enhancing ERP reporting with additional fields and supplement with Business Intelligence reporting to produce fully auditable reports.
- Where the information does not exist in your organisation recreating the data by way of web based survey tools and importing relevant data from other systems (such as timesheets) to help collect new data.
Improving Tax Data Processes
Tax Compliance Management
A key component of tax compliance is the time and effort that goes into managing the process. At Deloitte we manage deadlines and task delegation using our Abacus Enterprise Workflow tool. Information is managed and stored using the associated on line file-stores.
Abacus Enterprise Workflow
- Abacus Enterprise Workflow is a web enabled enterprise-wide process management solution that tracks key tax reporting deadlines.
- Dashboard reporting allows you to see the status at the touch of a button.
- Flexible collaboration tools that can be tailored to your individual requirements.
- Each site can have its own email inbox allowing you to easily add content to the collaboration area.
- Flexible security allowing special project rooms with
It is important not to forget employer tax issues even though these are often not controlled by the tax department. Complex issues, in particular, may exist around PAYE or international assignments.
Mobility Risk Management
We have developed a methodology to evaluate internal and external risks in compensation, cross-border workers, equity, expenses, benefits, relocation, social security and immigration.
We are able to help companies confront the issues of risk, compliance and visibility pro-actively, and to assist them in being compliant, becoming more efficient and having better controls.
Mobility Risk Management
An End To PAYE Audits?
Following the introduction of the new penalty regime in conjunction with the review of links with large business we have seen a change in approach from HMRC in the area of employment taxes. HMRC has moved away from periodic PAYE audits to a more flexible approach dependent on the company's risk profile. Companies that are deemed to be low risk see a reduction in HMRC interventions and an increase in dialogue, as they are expected to manage their own risk and governance. Deloitte has developed an approach to facilitate an end to PAYE Audits, helping companies to navigate through these changing expectations
Share Scheme Withholding – GA Equity Awards
Equity is an area likely to increase the complexity of payroll compliance especially where companies have mobile employees assigned to various locations around the globe. GA Equity Awards calculates the defensible tax and social security withholdings that must be deducted from your associates.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.