A12.1 The following checklist should be used in the design and implementation of the ATO's compliance risk assessment tools.

  1. What is the risk event you are seeking to manage? This may be framed in terms of the 4 pillars of compliance or with reference to an existing enterprise risk.


  1. What governance arrangements do you have in place?
  2. What documentation and record controls do you have in place?


  1. What inputs are you using to detect the risk event?
  2. What evidence do you have to support your inputs?
  3. What is the expected strike rate and average adjustment?
  4. What evidence do you have to support expected strike rates and adjustments?
  5. Have you undertaken any testing or trials to test the accuracy of your inputs?
  6. Do you have processes in place to ensure your inputs are regularly reviewed in light of compliance activities?
  7. Which compliance effectiveness methodology will you be using to evaluate the effectiveness of your risk treatment?
  8. If you are not using one, explain why not.

Transparency and communication

  1. What general information will you provide publicly about your approach?
  2. Is there any information that you should provide to a group of taxpayers?
  3. At what point will you communicate with a particular taxpayer?
  4. What will you tell them?
  5. How will you tell them?
  6. Will you provide them with a right of review?
  7. What behavioural responses are you expecting from taxpayers or their representatives?
  8. What evidence do you have to support the expected behavioural responses? For example: pilots, user testing, randomised controlled trials.
  9. What opportunities will you give to taxpayers to respond to you or address your concerns?
  10. Is it clear to taxpayers why the ATO is contacting them?
  11. Have you communicated the risk hypothesis to the taxpayer?
  12. Are your expectations of the taxpayer clear in your communication?
  13. Are your anticipated ATO responses (for example escalation) clear to the taxpayer?
  14. What impact on the taxpayer's compliance costs are you anticipating?
  15. What evidence do you have to support this figure?


  1. How will you distinguish between different levels of risk?
  2. How will you distinguish between different types of risk or concerns, for example inherent, behavioural or information confidence and cost?
  3. Do you have a range of risk treatment options to match different levels or types of risk?
  4. Are you able to use 'case refinement' products to reduce the numbers of taxpayers subject to higher intensity compliance activity?
  5. Do you have a strategy in place to escalate lower risk cases to higher intensity compliance activities where higher risks are confirmed?

Project management

  1. What are the planned resources for your risk treatment plan?
  2. What timelines are you expecting for your risk treatment plan?
  3. How many cases are you anticipating will be created as a result of your risk detection methods?
  4. If there are any unexpected changes to any of the above parameters, what are your priorities?
  5. To what extent are you willing or able to extend the time taken to action the cases?
  6. How will you manage timeline changes in terms of managing ATO staff and taxpayer expectations?
  7. To what extent are you willing or able to reduce the cases you action or change the way you action them?
  8. Have you identified what level of risk you are willing to retain by not actioning certain cases?
  9. Do you have alternative risk treatment strategies for some cases? For example, a lower intensity compliance activity?
  10. To what extent are you willing or able to call on additional resources?
  11. Have relevant stakeholders agreed to make those resources available to you?