In order to illustrate the methodology to be applied to devise and implement a Tax Control Framework (TCF), we need to start from its definition: a Tax Control Framework is a component of the internal control system which guarantees the accuracy and completeness of the tax documentation and of the fulfilments carried out by a company.
To this end, it is necessary for a company wishing to create a Tax Control Framework to have an internal control system which allows a preliminary self-assessment of tax risks, providing a continuous and updated monitoring of the situation and which can help to eliminate, or at least mitigate, the uncertainties related to the management of tax risks.
Generally speaking, the tax risk detection, measuring, management and control system needs to be integrated in the corporate management and internal control system, with a clear assignment of roles and responsibilities to guarantee an ongoing mapping and monitoring of the most significant risks.
A key role to this end is played by management bodies (usually the Board of Directors) which can perform an assessment and evaluation of said risks, identifying the criticalities and the proper corrective actions.
This obligation also involves, to a given extent in terms of corporate liability, the supervisory bodies (such as the internal audit function, the board of statutory auditors and the legal auditor) and is a commitment by the corporate top management with reference to the activities planned to remedy gaps possibly identified in the period considered.
A tax risk management framework should include the following elements:
It is clear that such a system cannot do without a correct circulation of relevant information within the organisation, as well as a suitable information flow and reporting to all corporate levels.
Below are analysed in detail the factors above.
This implies a document undersigned by the Directors, containing a long-term action plan which defines the company’s targets in the management of tax risks, both from a strategic and operational point of view.
The tax strategy needs, first of all, to reflect the company’s risk appetite and should include the operational paths to be followed in order to align the company to the selected risk levels, such as for example the rationale of incentives granted to managers with reference to the tax factor, the adoption of detailed procedures to guard against tax risks with the identification of roles and responsibilities and the approach towards the Tax Authorities.
It should also include codes of conduct related to tax matters, training plans for employees, management commitment towards a correct tax approach, as well as penalties for those breaching the code of conduct rules.
The development of a Tax Strategy and of a TCF in general is the primary responsibility of the company’s senior management, but a critical success factor for an effective implementation is the involvement of people with the right abilities and expertise.
Therefore, there needs to be a clear assignment of roles and responsibilities, also according to segregation of duties criteria, both horizontally and vertically:
Control functions include:
The map of tax risks identified by the tax risk control system plays a key role within the Tax Control Framework.
It is worth making a preliminary distinction right away between tax risks which can originate within ordinary activities related to the usual corporate functioning cycles and risks related to specific transactions which, for their qualitative or quantitative aspects, cannot be considered as routinary activities (e.g. M&A operations).
Consequently, the approach to the assessment of the relevant tax risks should be adequately adjusted keeping into account the specific features of the relevant areas.
Tax Risk Assessment should start from the mapping of processes to identify tax risks. Therefore, the Risk Owners will have to be involved, i.e. the corporate management in charge of the process, for the identification of tax risks potentially related to a specific process, tracking information on taxation (direct taxation, indirect taxation, local taxation) and the type of tax on which the risk impacts (e.g. IRES, IRAP, VAT, etc.).
Each risk will have to be assessed in terms of probability and impact (economic/fines, reputational, legal) to determine the inherent risk; the controls in force to address the risk then need to be identified and the residual risk evaluated. For those risks in which the residual risk is higher than the acceptable risk, the controls will need to be integrated with further ones.
In the Risk Assessment phase, the use of a RIsk Assessment Criteria Matrix, in short RACM, can be of help to break down processes into activities and, within activities, to identify and evaluate risks and the relevant controls.
As far as non-routinary operations are concerned, instead, it is clear that the method to assess related tax risk should necessary be simplified and that, even if it is applied basing on criteria of probability and impact, it implies a case-by case analysis.
Within Tax Risk Assessment, it is possible to capitalise on what possibly already analysed about the company with reference to tax offences ex Legislative Decree no. 231/01; this analysis can be a good starting point, though not comprehensive, to address the activities related to tax risk management.
The internal control system must include effective monitoring procedures allowing the identification of possible gaps or errors in its functioning and the consequent activation of corrective actions.
It will also be advisable to identify Key Risk Indicators (KRI) to measure the performance of the TCF as a whole and the effectiveness of the controls put in place; besides, the TCF must adjust to the main internal changes, i.e. concerning the business, and in the external scenario, such as possible amendments to the tax legislation.
The system is to be based on accurate, complete and timely information flows and guarantee the circulation of information to all corporate levels, each insofar as it concerns them; in particular, it must include, on a predefined basis (e.g. yearly) the sending of a report to the management bodies, containing the result of the assessments made on tax fulfilments, planned activities, results obtained and actions implemented to remedy possible gaps identified further to the monitoring.
Considering the above, it is evident that the devising and implementation of a Tax Control Framework requires a multi-disciplinary approach involving tax, legal, organisational, risk governance and technological skills.
The devising, preparation and maintenance of a TCF over time must be included within the wider internal government and control system, without being a tax appendix of other control systems.
A full and constant involvement of the tax function will be necessary, also prior to business decisions; this involvement will need to be granted by processes which involve the participation of the head of the tax function in committees in which operations and significant project regarding the company are evaluated or resolved upon.
All the above, together with the monitoring and continuous improvement requirements, leads to the need to create a Tax Management System with a consistent approach with other management systems, possibly already in place in the company.
