How Internal Audit could contribute value in realizing indirect tax objectives?

How Internal Audit could contribute value in realizing indirect tax objectives?

25 September 2013

By Ferry Geertman, Sven Hesselbach, Guido Czampiel

In the news we see more focus on tax risks in various areas such as offshore tax planning to reduce effective tax rate, tax evasion and (VAT) fraud.

A recent example is Tim Cook defending Apple tax policy in a Senate hearing where Congressional investigators released findings showing that Apple uses a “highly questionable” tax minimization strategy of impressive complexity. Several subsidiaries set up by the company, according to investigators, have few or no employees. Located in Ireland, these subsidiaries allowed the company to exist effectively “nowhere” in certain cases. [Senators accuse Apple of 'highly questionable' billion-dollar tax avoidance scheme]

In addition to evaluating tax risks (level of tolerance), companies should also determine and manage their reputational risks as part of tax risk management.

It is important, as governments and tax authorities consider the combat a high priority and has introduced anti-abuse legislation, have increased tax audits and uses tax litigation at its full potential with publishing the outcome when tax evasion is in play.

"Nasir Khan had a successful accessories business, a jet-set lifestyle and reputation as a pillar of the community. But all that vanished in December when he was jailed for his part in a £250m VAT fraud. Jasper Jackson discovers how a 10-year investigation by HMRC led to his downfall. By Jasper Jackson – Mobile News March, 2012"

Recommended reading material

Auditors Anticipate Finding Fraud At Clients
Managing reputational risks

These articles give an overview of the need of (indirect) tax risk management.

Our article is about how Internal Audit could perform a more pro-active advisory role with respect to risk management and more in specific to Indirect Tax risks. Many companies prioritize too low indirect taxation, such as VAT. The consequences of this neglect can sometimes be dramatic.

Erroneous VAT calculations can wipe out a company’s profit margin, or have consequences far beyond that. The problem can often be traced to operational weaknesses: less-than-adequate internal information systems that fail to properly process and display the VAT consequences of business transactions.

At a large multinational, a software error resulted in the company paying too much VAT over an 11-year period. In the case of another company, a software error resulted in the opposite situation: it had deducted € 40 million in excessive input VAT.

Many organisations lack an ‘indirect tax control framework’ for defining a strategy, systems and control mechanisms to manage risks linked to reporting VAT. With an indirect tax control framework, companies determine the management level that is responsible for the entire VAT reporting process, from beginning to end. The risk that VAT errors will compromise companies’ financial positions and reputations is a growing one. With globalisation of business, the complexity of transactions in terms of VAT is increasing.

  • Is adequate management of material indirect tax risks actually tested in daily practice?
  • Should this be part of Internal Audit annual audit plan to investigate?


One of the objectives of Internal Audit is via a risk based methodology to provide comprehensive assurance to the Board and senior management that companies’ material risks areas are managed efficiently and effectively.

In order to meet this objective from an indirect tax perspective what does Internal Audit need to realize these aims?

Starting point would normally be the company’s Indirect Tax Control Framework. For a first impression Internal Audit could raise the following questions:

  • Is the indirect tax strategy defined and aligned with companies’ business objectives?
  • Are material indirect tax risk areas defined?
  • Are roles and responsibilities for managing these risks explicitly assigned?
  • Are the internal controls that mitigate these risks explicitly documented?
  • Are the responsibilities for executing and monitoring the internal controls assigned?
  • Are there regular meetings to discuss status of risks and internal controls and define actions?
    Has a strategy been defined for managing the relationship with tax authorities?
  • Have the responsibilities been assigned for the different geographic regions?


The answers give insight of the existence of the right building blocks of an Indirect Tax Control Framework and give an auditor the possibility to draft his first conclusion on process and risk management around indirect tax.

When however the conclusion is that the right building blocks TCF are not present (question are answered negatively), Internal Audit probably could take the role as pro-active advisor with regard to the right set up of internal indirect tax processes.

To perform such a role Internal Audit need to have the following competencies:

  • sufficient knowledge available re indirect tax risks that exceed the company’s risk appetite;
  • clear understanding of a normative framework from indirect tax perspective how and what need to be managed re these risks.


These are the conditions under which Internal Audit could fulfill a proactive role relating indirect tax risk management. In practice, the best way to achieve this is often to limit the scope and request the top 3-5 indirect tax risks that exceed the company’s indirect tax appetite. Often these risks can be benchmarked with other multinationals:

  • Intercompany transactions
  • Cross-border transactions
  • Correct deduction of input VAT (VAT paid)

An example of a normative process re cross-border transactions within the EU:

A normative framework faciltates Q&A during an Internal audit exercise.

The actual situation (IST position) within the organization is then measured against this yardstick, generally resulting in a summary of the differences. Analysis of these gaps and the associated risks may lead to acceptance or to proposals for improvement. It is an efficient and effective approach that challenges the responsible process owners.

To what extend is internal audit able to fulfill an advisory role?

From Internal Audit by ASML – Accountant September 2013 by Lieuwe Koopmans some quotes (translated from Dutch to English by authors):

"At ASML, one of the most important producers of semi-conductor systems, there is not only this ‘internal’ input but give internal auditors also actively their input on risks together with the business
My department Corporate Risk & Assurance can have an important advisory role on this topic. We can identify risks and indicate how to manage these. Also on a lower level in the organization, e.g at the implementation of a new IT-system, we can give our feedback and support.” (…) I believe that internal auditors can use their knowledge and skills besides audit, also can apply in the area of risk management. – Martin Reinecke"

From an Indirect Tax Perspective, such a proactive advisory role hardly takes place. Other examples of major indirect tax risk areas relate to change:

Another example is Supply Chain transformations such as setting up of a Principal model. Internal Audit should in our view be part of the project team and should be actively involved and monitor during the design phase whether risks in the transformation will be appropriately managed. With a supportive normative framework, Internal Audit is able to raise critical questions and facilitate that indirect tax risks are prior to go-live identified and managed.

Do you see this work in practice?

 

Back

Take aways 

Anticipate what users would want

We combine technical knowledge with industry understanding and knowhow of technologically advanced tools and methodologies available in the market or developed by ourselves.

What do we like to achieve

  • Focus on tax processes that could be improved
    • Manual process: same data requests are made by different stakeholders
  • As Is assessment
  • Anticipate future changes and the data needed
    • What are tax trends?
    • What is happening locally and what should be considered across jurisdictions where you operate?
    • Anticipate new stakeholders and their data needs or requests (internal and external)
  • Define scope and actions for short, mid and long term
  • Write business case for change
  • Realize sponsorship for implementation

‘As is’ assessment, actions and business case

  • What tax data is requested and by whom?
  • What tax process can be improved and what can be automated?
    • CIT, VAT, tax data warehouse
  • What is the Return on Investment?
    • Hard saving: process improvement
    • Meeting (new) tax requirement
  • What systems are in use: SAP, Oracle, etc
    • By which entities?
  • How many end-use computing tools (e.g. excel spreadsheet) do we have?
  • How do we avoid an ad-hoc solution?
    • Understand the bigger picture
    • Real problem and not the symptom

Risk and reward

Technology-related tax risk: understand and address the potential harms and benefits of (new) technology.

Technology tools & systems integration

Ascertaining proper IT support for ensuring efficient, timely and reliable reporting.

Change and project management

VAT should be considered in every aspect of the process, from concept through completion and beyond. Managing by design — looking at any process or transaction from end to end and factoring in all the requirements and controls essential to designing and optimizing a compliant VAT process.

Effective communication and teaming

We speak the language of the business and IT and no translation is needed.