A12.1 The following checklist should be used in the design and implementation of the ATO's compliance risk assessment tools.
- What is the risk event you are seeking to manage? This may be framed in terms of the 4 pillars of compliance or with reference to an existing enterprise risk.
- What governance arrangements do you have in place?
- What documentation and record controls do you have in place?
- What inputs are you using to detect the risk event?
- What evidence do you have to support your inputs?
- What is the expected strike rate and average adjustment?
- What evidence do you have to support expected strike rates and adjustments?
- Have you undertaken any testing or trials to test the accuracy of your inputs?
- Do you have processes in place to ensure your inputs are regularly reviewed in light of compliance activities?
- Which compliance effectiveness methodology will you be using to evaluate the effectiveness of your risk treatment?
- If you are not using one, explain why not.
Transparency and communication
- What general information will you provide publicly about your approach?
- Is there any information that you should provide to a group of taxpayers?
- At what point will you communicate with a particular taxpayer?
- What will you tell them?
- How will you tell them?
- Will you provide them with a right of review?
- What behavioural responses are you expecting from taxpayers or their representatives?
- What evidence do you have to support the expected behavioural responses? For example: pilots, user testing, randomised controlled trials.
- What opportunities will you give to taxpayers to respond to you or address your concerns?
- Is it clear to taxpayers why the ATO is contacting them?
- Have you communicated the risk hypothesis to the taxpayer?
- Are your expectations of the taxpayer clear in your communication?
- Are your anticipated ATO responses (for example escalation) clear to the taxpayer?
- What impact on the taxpayer's compliance costs are you anticipating?
- What evidence do you have to support this figure?
- How will you distinguish between different levels of risk?
- How will you distinguish between different types of risk or concerns, for example inherent, behavioural or information confidence and cost?
- Do you have a range of risk treatment options to match different levels or types of risk?
- Are you able to use 'case refinement' products to reduce the numbers of taxpayers subject to higher intensity compliance activity?
- Do you have a strategy in place to escalate lower risk cases to higher intensity compliance activities where higher risks are confirmed?
- What are the planned resources for your risk treatment plan?
- What timelines are you expecting for your risk treatment plan?
- How many cases are you anticipating will be created as a result of your risk detection methods?
- If there are any unexpected changes to any of the above parameters, what are your priorities?
- To what extent are you willing or able to extend the time taken to action the cases?
- How will you manage timeline changes in terms of managing ATO staff and taxpayer expectations?
- To what extent are you willing or able to reduce the cases you action or change the way you action them?
- Have you identified what level of risk you are willing to retain by not actioning certain cases?
- Do you have alternative risk treatment strategies for some cases? For example, a lower intensity compliance activity?
- To what extent are you willing or able to call on additional resources?
- Have relevant stakeholders agreed to make those resources available to you?