Tax Administration Diagnostic Assessment Tool

MODULE 4: EFFECTIVE RISK MANAGEMENT

Desired Outcome of POA 2The risk to revenue and tax administration operations are identified and managed effectively.

BackgroundTax administrations face numerous risks that could adversely affect revenue and tax operations.

Risk management is thus essential for effective tax administration. It plays a key part in shaping how resources are used by the tax administration to maximize its goals effectively.

Risks must be managed effectively in a structured approach to identifying, assessing, prioritizingand mitigating risks.

These risks include:

• Compliance risks, where revenue may be lost if businesses and individuals fail to meet their obligations as taxpayers (registering, filing, making payments and reporting accurately).

• Institutional risks, where the tax administration functions may be interrupted or jeopardized due to internal or external factors.

International good practices

in COMPLIANCE

RISK MANAGEMENT

Structured and multi-

year approach to compliance

risks

Identification, assessment,

quantification and

prioritization of risks

Compliance risks structured around

taxpayer segments, taxpayer

obligations and core taxes

Intelligence gathering and

research to identify

compliance levels and risks- Analysis of tax

audits and declarations- Analysis of

environmental scanning

Third party information

from a variety of sources

- Tax gap analysis - Studies into

hidden activities- Studies of

taxpayer attitude towards taxes

Compliance improvement programs and risk mitigation

strategies

Evaluation of effectiveness of major mitigation

activities as feedback for

future planning

International good practices in INSTITUTIONAL

RISK MANAGEMENT

A risk register with a framework of

problems threatening

business continuity A plan for

continuity of tax operations in the event of disaster

Assessment of likelihood and

consequences of natural disasters

or man-made calamities

Outline of steps in the event of disaster to

maintain business continuity

Staff training in disaster recovery

procedures

Preventive measures and

internal controls to protect tax

administration systems from fraud

and error (POA9)

Effective internal and external

oversight to detect and deter

undesirable events (POA 9)

Performance Indicators for Effective Risk Management

P2-3: Identification, assessment,

ranking, and quantification of compliance risks

M1

The extent of intelligence

gathering and research to

identify compliance risks

The process used to assess, rank,

and quantify compliance risks.

P2-4: Mitigation of risks through compliance

improvement program

M1

The degree to which risks are

mitigated through a

compliance improvement

program.

P2-5: Monitoring

and evaluation of compliance risk mitigation

activities.M1

The process to monitor and evaluate the

impact of compliance risk

mitigation activities.

P2-6: Identification, assessment,

and mitigation of institutional

risks.M1

The process used to identify, assess, and

mitigate institutional risks.

High Level Indicators

Dimensions

Scoring P2-3-1: Identification of risks through intelligence gathering and research

A

Intelligence gathering and research for

understanding compliance level

and current/emerging

risks

Analysis of environmental

scanning as part of multi-year strategic

planning

Analysis of third party

informationfrom a range of external

sources

External studies into

taxpayer behavior and

attitude to compliance

Internal research into

hidden activities of businesses

Tax compliance gap studies

Research on topical

compliance issues; e.g.,

transfer pricing, HWIs

Analysis of audit results

and tax declarations

Scoring P2-3-1: Identification of risks through intelligence gathering and research

B

Intelligence gathering and research for

understanding compliance level

and current/emerging

risks

Analysis of environmental

scanning as part of multi-year strategic

planning

Analysis of third party

informationfrom a range of external

sources

External studies into

taxpayer behavior and

attitude to compliance

Research into hidden

activities of businesses

Tax compliance gap studies

Research on topical

compliance issues; e.g.,

transfer pricing, HWIs

Analysis of audit results

and tax declarations

Scoring P2-3-1: Identification of risks through intelligence gathering and research

C

Limited use of intelligence

gathering and research for

understanding compliance level

and risks

Analysis of environmental

scanning as part of multi-year strategic

planning

Less comprehensive analysis of third

party informationfrom a range of

external sources

Limited or no external studies

into taxpayer behavior and

attitude to compliance

Internal research into

hidden activities of businesses

Less comprehensive

use of compliance gap studies

Limited or no research on

topical compliance issues; e.g.,

transfer pricing, HWIs

Analysis of audit results

and tax declarations

Scoring P2-3-2: Assessing, Ranking and Quantification of Risks

A• A structured risk

assessment process based on good practice in place.

• Assesses and prioritizes risks for all core taxes, main taxpayer segments and taxpayer obligations.

• The process is part of a multi-year strategic process

B• A structured risk

assessment process based on good practice is in place.

• Assesses and prioritizes risks for all core taxes, main taxpayer segments and taxpayer obligations

• The process is linked to the annualbusiness planning BUT NOT part of a multi-year strategic plan

C• A LESS structured

risk assessment process is in place.

• Assesses and prioritizes risks for all core taxes and four main taxpayer obligations.

D• The requirements

for a ‘C’ rating or higher are not met.

A

Compliance improvement

program is fully resourced and

progress monitored

monthly

Documented compliance

improvement program covers

all identified high risks

Compliance program covers

all core taxes

Compliance program covers

the four main taxpayer

obligations

Compliance program covers

the key taxpayer

segments

Scoring P2-4: Mitigation of risks through compliance improvement programs

B

Compliance improvement

program is fully resourced and

progress monitored

monthly

Documented compliance

improvement program covers

all identified high risks

Compliance program covers

all core taxes

Compliance program covers

the four main taxpayer

obligations

Compliance program covers the risks in the large taxpayer

segment

Scoring P2-4: Mitigation of risks through compliance improvement programs

C

Compliance improvement

program MAY NOT be fully resourced

and progress monitored every

three months

Documented compliance

improvement program covers identified high

risks

Compliance program MAY NOT covers all

core taxes

Compliance program MAY NOT

covers the all four main

taxpayer obligations

Compliance program MAY NOT covers all

taxpayer segments

Scoring P2-4: Mitigation of risks through compliance improvement programs

A

Risk Management Committee at the senior management level plays

an active role in approving risk

mitigation strategies

Risk Management Committee monitors

progress with implementation of

mitigation activities

Evaluation of the effectiveness of ALL

approved compliance risk mitigation activities are documented

Senior management reviews the evaluation

Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities

B

Risk Management Committee at the senior management level plays

an active role in approving risk

mitigation strategies

Risk Management Committee monitors

progress with implementation of

mitigation activities

Evaluation of the effectiveness of AT

LEAST HALF of approved compliance

risk mitigation activities are documented

Senior management reviews the evaluation

Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities

C

Risk Management Committee at the senior

management level approves risk

management strategies on AD HOC BASIS

Risk Management Committee monitors

progress with implementation of

mitigation activitiesON AD HOC BASIS

Evaluation of the effectiveness of

approved compliance risk mitigation activities are documented ON AN

AD HOC BASIS

Senior management reviews the

evaluation ON AN AD HOC BASIS

Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities

Scoring P2-6: Identification, assessment and mitigation of institutional risks

A

Structured process is applied annually to identify, assess and

mitigate institutional risks across the whole organization

A documented institutional risk

register is in place

A business continuity plan exists to mitigate

risks and this is reviewed annually

Staff are trained in disaster recovery

procedures

Scoring P2-6: Identification, assessment and mitigation of institutional risks

B

Structured process is applied every two years to identify,

assess and mitigate institutional risks across the

whole organization

A documented institutional risk

register is in place

A business continuity plan exists to mitigate

risks and this is reviewed every two

years

Staff are trained in disaster recovery

procedures

Scoring P2-6: Identification, assessment and mitigation of institutional risks

C

Structured process is in place to identify, assess and

mitigate risks associated with the IT system

A documented institutional risk

register is in place

A business continuity plan exists to mitigate

risks and this is reviewed every two

years

Staff are trained in disaster recovery

procedures

Table 8 of the Field

Guide

Checklist of Questions and Evidence for POA 2