2.1 The activities of any organisation involve some level of risk.8 Risk can be defined as the effect of uncertainty on objectives.9 All organisations must effectively manage the impacts of this uncertainty to ensure they can deliver on their objectives. Risk management, therefore, is commonly considered to be a key governance and management tool within the private and public sectors.10

2.2 Internationally, risk management is also recognised as a key part of organisational management. As such, the International Organization for Standardization (ISO) issued International Standard ISO 31000 Risk management — Principles and guidelines. In Australia, this standard has been adopted as AS/NZS ISO 31000:2009. The ATO's enterprise risk management framework refers to this standard as one of the reasons for the framework's current form.11

2.3 Risk management has also been the focus of research and public discussion as both a management discipline and as a profession in various industries.12 For example, other approaches have suggested a greater focus on identifying vulnerabilities beyond those currently identified through intelligence sources.13 Other research indicates the need for paradigm shifts in risk prevention strategies as the return on investment of current risk detection methods begins to decline.14 Such approaches are also applicable to revenue authorities.

2.4 Guidance from the Organisation for Economic Co-operation and Development (OECD) Committee on Fiscal Affairs15 has also advocated that revenue authorities adopt a risk management approach:

Revenue authorities have turned to risk management in order to allocate better scarce resources to achieve an optimum compliance strategy — one aimed at achieving the best long-term compliance for the resources employed. Without a systematic methodology to do this, resource allocation decisions are open to question and criticism and, for a revenue authority, potential tax revenue may be lost.16

The ATO's organisational objectives

2.5 As risk is defined as the effect of uncertainty on objectives, it is important to articulate the ATO's actual objectives. The ATO's objectives, on one view, may be described in terms of their stated outcomes and vision. Both are articulated in their 2011-12 Annual Report:

2.6 The ATO's vision is:

... that Australians value their tax and superannuation systems as community assets, where willing participation is recognised as good citizenship.17

2.7 The ATO's outcome is:

Confidence in the administration of aspects of Australia's tax and superannuation systems through helping people understand their rights and obligations, improving ease of compliance and access to benefits, and managing non-compliance with the law.18

2.8 In order to achieve the above vision and outcome with the resources at their disposal, the ATO adopts a risk-based approach.

2.9 In addition to taxpayer non-compliance risks, the ATO, like any other organisation, faces a variety of risks which can impact on its ability to deliver on its objectives. These may relate to areas such as technology, people or finances. For example, the ATO needs to manage the risk of skilled, knowledgeable or experienced employees leaving the ATO. As a human capital risk adequate succession management plans need to be considered for the management of knowledge transfer.

2.10 Another common organisational risk involves the use of technology. This includes ensuring that ATO systems effectively support the organisation's objectives and that staff are able to adapt to system changes and that the cost of maintaining or acquiring systems is adequately planned for and managed.

2.11 As an Australian Public Service (APS) agency, the ATO is subject to particular legislative requirements.19 This includes the responsibility for the effective and efficient use of Commonwealth resources. The Department of Finance and Deregulation's Risk Management (Comcover) Better Practice Guide provides additional risk management guidance to all APS agencies in this regard.

2.12 All of these risks, including risks associated with taxpayer compliance with the law, are managed under the ATO's Enterprise Risk Management Framework (ERMF) which is described below.

The ATO's enterprise risk management framework (ERMF)

2.13 The ATO uses an ERMF to record, categorise and manage all 'enterprise risks'. The ATO Corporate business line has overall responsibility for the ERMF and works with all areas of the ATO to implement it.20 The ERMF is outlined in the Corporate Management Practice Statement PS CM 2003/02 Risk and issues management which is aimed at ensuring:

A consistent, effective and integrated approach to the overall management of risks and issues at all levels to enable the ATO to achieve its outcome, deliver on government commitments and meet legislative obligations.21

2.14 The ATO's risk and issues management policy is to:

... actively manage all risks and issues that may compromise either its outcome or community confidence in the fair and effective administration of Australia's taxation and superannuation systems.22

2.15 This practice statement also places a positive obligation on all ATO personnel to identify, report and appropriately mitigate risks as part of their normal duties.23 It establishes three key principles:

  • enterprise risk owners will record all enterprise and operational level risks against the relevant risk category in the Enterprise risk register [now renamed Enterprise risk manager];
  • [the] risk management process will be applied to all risks in accordance with the corporately endorsed ATO Risk Matrices instructions; and
  • identified risks will be categorised using the corporately endorsed ATO Risk Categories.24

2.16 In addition to the practice statement, three other 'Corporate Management Procedures and Instructions' (CMPI) documents provide further details on how the ERMF is to be implemented.

2.17 For example, CMPI 2003/02/01 Risk management instructions for enterprise risk owners describes three levels of risks within the ATO:25

Table 1: ATO levels of risk
Level A guide to the characteristics of the risk Management arrangements

The risk relates to a core or enabling business function or process.

The risk usually occurs in all or many parts of the ATO.

The risk is described in the enterprise risk categories.

The risk is rated high or severe when assessed on a corporate scale.

Includes strategic risks.

Risks are normally managed at the sub-plan or ATO Executive level.

The risk is a component or a part of an enterprise risk.

The risk may be limited to one or a small number of Business and Service Lines (BSLs).

Risks at this level are normally managed by BSLs and capability areas.
Tactical The risk is associated with localised events or activities such as transactions, incidents and cases. Risks at this level are managed by individuals or teams as part of their day-to-day management.

Source: ATO, Corporate Management Procedures and Instructions CMPI 2003/02/01 Risk management instructions for enterprise risk owners.

2.18 At the enterprise level, the ATO has listed 22 enterprise risk categories at the highest level (known as 'Level 0 risks'). These risks include general organisational risks, risks associated with public sector agencies, and risks associated with functions of a revenue authority. These Level 0 risk categories are grouped into four broad categories:

  • tax and superannuation administration;
  • stakeholder engagement;
  • enabling capabilities; and
  • other businesses [that is other ATO business operations].

2.19 This grouping is represented in the ATO's 'Wheel of Risk' in Figure 2 below and reproduced as a list in Appendix 2. Each of these 22 Level 0 enterprise risk categories are then broken down into Level 1 risk categories. Currently, there are 79 Level 1 risk categories. These are reproduced in full in Appendix 3.

Figure 2: ATO 'Wheel of Risk'

Graphic depicting the ATO 'Wheel of Risk'.

Source: ATO.

2.20 The ATO's ERMF intranet page also indicates that each26 of the Level 1 risk categories has an Enterprise Risk Owner who is a senior management officer. CMPI 2003/02/03 ATO Enterprise risk categories and enterprise risk owners, lists all the Level 1 enterprise risk categories, each with a risk owner who is a senior executive officer.

2.21 Second Commissioners are responsible for 'portfolios of risk'. These portfolios are all of the 22 Level 0 enterprise risk categories divided into three groups amongst each of the three Second Commissioners.

2.22 Actual risks are mapped to these Level 1 risk categories and have operational risk owners and risk managers. Operational risk owners have accountability and responsibility for managing a discrete area of risk within an enterprise risk category. Risk managers have responsibility for managing risk controls, treatment or mitigation, and aspects of risk assessment and identification as directed by an enterprise risk owner.27 The ATO has detailed internal documentation about these risks and mitigation strategies.

2.23 All operational risk documents, along with the Level 0 and Level 1 enterprise risk categories hierarchy supporting it, are recorded and managed in the Enterprise Risk Manager (ERM).

2.24 One of the main documents recorded on the ATO's ERM is the risk assessment. This assessment is prepared by the risk manager, and it includes, amongst other things:

  • a risk description;
  • the impacted taxpayer market segments, ATO areas and revenue products;
  • the initial level of risk;
  • the confidence level in the risk rating;
  • the residual risk; and
  • whether a treatment plan exists.

2.25 The initial level of risk is a combination of the likelihood and the consequence of the risk event occurring. This is discussed further below.

Confidence levels

2.26 The confidence level of the risk rating takes into account the fact that the risk rating may be based on limited information. Instructions in the risk assessment template indicate:

Factors determining confidence in the risk rating include availability, quality, quantity and relevance of available data and information, as well as divergence of opinion among experts and limitations to the analysis, as previously described.28

2.27 The risk manager then selects a rating of Low, Medium or High, depending on the availability of accurate and verifiable data or information to support the risk rating:

  • High — Sufficient accurate and verifiable data and information available to support risk rating.
  • Medium — Gaps or inconsistencies in available data and information, some not verifiable.
  • Low — Limited verifiable data and information available to support the risk rating.29

2.28 Such an approach is consistent with International Standard ISO 31000:2009:

The confidence in determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis, and communicated effectively to decision makers and, as appropriate, other stakeholders. Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling should be stated and can be highlighted.30

2.29 Confidence levels can be used in the context of other risks, for example, in public safety. An example of such use is included in Appendix 4.

2.30 The ATO practice statement and associated CMPIs on risk management guidance appear to be silent about the use of confidence levels.

2.31 The disclosure of confidence levels may also be useful to indicate whether further research or testing is needed to increase the level of certainty about the risk rating before committing resources to address the risk.

2.32 This report now considers the types of risks the ATO associates with taxation and superannuation law compliance by taxpayers.

Types of taxpayer compliance risks

2.33 There are generally four main types of taxation obligations with which taxpayers are expected to comply:31

  • registration — correctly registering in the system where required, such as for tax file numbers (TFNs), Australian Business Numbers (ABNs) or Goods and Services Tax (GST). This also includes not inappropriately registering (for an ABN etc.) where parties are not entitled to do so such as those that are not carrying on an enterprise.
  • lodgment — delivery of returns or statements on time, such as income tax returns and activity statements for registered parties.
  • payment — discharging taxation liabilities on time.
  • reporting — ensuring records, returns and statements are complete and accurate.

2.34 With each obligation there is a risk of non-compliance. Further details about these obligations are described below, along with some basic examples on how the ATO seeks to deter, detect or deal with potential or actual non-compliance.

Registration risk

2.35 Entities not registered in the tax system may potentially avoid a number of taxation obligations. It is important, therefore, that the ATO is able to deter and detect instances where entities attempt to remain unregistered where they are required to do so. Various withholding, reporting and penalty regimes assist to deter or make non-registration unattractive. For example, salary and wage payments are subject to Pay As You Go (PAYG) withholding where employers are required to report these payments to the ATO. Businesses in the building and construction industry are also required to report certain payments made to other contractors for building and construction services.32 This enables the ATO to verify or reconcile this reporting against non-reporting of other taxpayer information. Gaps in reporting may indicate an unregistered entity risk is present.

2.36 For transactions not subject to comprehensive withholding or third party reporting regimes, the ATO uses data matching and computer modelling to assist in detecting unregistered entities operating in the cash economy.33

Lodgment risk

2.37 After registration, verifying compliance with lodgment obligations is relatively straightforward. If a taxpayer is obliged to lodge a particular document by a particular time, the ATO will know promptly whether this is the case.

2.38 The timely lodgment of an income tax return is necessary for the ATO to accurately assess income tax liabilities. Accordingly, the ATO has a range of measures to ensure timely lodgment. Nevertheless, as recognised in the IGT's Review into the Non-lodgement of Individual Income Tax Returns (Non-lodgment Review), the sheer number of returns and statements that must be potentially lodged means that the ATO must take a risk management approach to enforcing lodgment obligations.34

2.39 It is important to recognise that the non-lodgment of a tax return or activity statement may not only represent a risk to the Commonwealth revenue (that is, underpaid tax), it may also represent a threat to community confidence in the integrity of the tax system.35

2.40 The IGT's Non-lodgment Review recommended several measures to reduce the risk posed by the non-lodgment of income tax returns. These measures include increasing support for the ATO use of third party data to identify non-lodgers and increasing penalties for high-risk taxpayers.

Payment risk

2.41 After a taxpayer has lodged an income tax return or activity statement and been subjected to an assessment process, a taxation liability may be established giving rise to a debt. The ability to collect the monies due on these debts represents the payment risk. There are strategies to reduce this risk. For example, withholding at source regimes, such as that used for salary and wage payments, assist in reducing individual PAYG taxpayer payment risk.

2.42 As with the lodgment obligation, the ATO's systems are designed to determine whether a taxpayer has paid their tax liability on time. The ATO uses analytics and debt models to help determine the strategies to recover tax debts where they become outstanding.36

Reporting risk

2.43 Verifying compliance with taxpayers' reporting obligations is a more challenging area for many revenue authorities.

2.44 Australia's tax system operates on the basis of self-assessment. In general, this means that while taxpayers must lodge correct returns where required, the ATO initially accepts these claims, usually without adjustment, before issuing an assessment.37 The ATO does not necessarily verify the correctness of each return before processing it.38 For example, businesses may not be required to include financial documents with their tax returns, nor are salary and wage earners required, upfront, to include evidence supporting deductions claimed with their tax returns.

2.45 The self-assessment system reduces the costs otherwise incurred by the ATO in attempting to verify the correctness of every return, including dealing with detailed taxpayer information submitted with tax returns.39 The ATO's decision not to request detailed taxpayer information with every return is a deliberate one, aimed at the efficient use of ATO resources and in minimising taxpayer costs associated with supplying additional information with the return.

2.46 With this approach, the ATO accepts a degree of uncertainty or risk as to whether a particular taxpayer has complied with their obligation to report correctly when accepting their return and issuing the assessment.

2.47 This uncertainty or risk is partially addressed through the use of third party reporting regimes. In particular, employers and financial institutions are all required to report certain payments to the ATO, for example, salary, interest and dividend details. Once taxpayers have lodged their returns, the ATO may use available third party data to verify the data provided in tax returns ('data matching').

2.48 Where the ATO identifies a potential risk that a taxpayer has not correctly completed their tax return, it may seek to understand the taxpayer's situation via an enquiry and if necessary via a formal review or audit. An audit examines the relevant taxpayer's affairs to ensure the ATO is reasonably satisfied that the taxpayer's tax position is correct.40 The ATO has extensive access powers to compel taxpayers and third parties to provide information, with limited exceptions.41 Since the ATO generally seeks limited information up-front in the self-assessment environment, these powers may be called upon to seek information at a later stage.

Different types of reporting risk

2.49 The risk that a taxpayer has not correctly reported required information can manifest itself in several ways, depending on the nature of the taxpayer's circumstances and the applicable law. One may consider two main situations where there is a risk that the taxpayer has incorrectly reported their tax information:

  • the law is clear about the taxpayer's obligation but the taxpayer does not make full disclosure to the ATO; or
  • information is fully disclosed to the ATO but there is uncertainty as to how the law applies and the taxpayer has applied the law in a manner with which the ATO disagrees.

2.50 The first type of risk is illustrated through the following example. The law clearly requires taxpayers to report all cash income received from business activities as assessable income. If a taxpayer inadvertently or consciously omits this from their reported income, it will be inconsistent with the law. In this case, the ATO may take action to determine whether such omitted income was received by the business. If that is found to be the case, the ATO may take corrective action. Taxpayers who consciously take this course are said to be taking a 'detection risk', whereby they rely on the ATO not detecting their omission.

2.51 In the second type of risk, for example, the taxpayer has undertaken a business sale but the taxpayer has applied the capital gains tax and consolidation law in a manner with which the ATO disagrees. Where the area of law is uncertain, the taxpayer and ATO may find themselves seeking the final view of the courts to determine the correct meaning of the law and its application to the facts. These taxpayers are ultimately taking an 'interpretation' risk, whereby they rely on their view of the law prevailing over that of the ATO.

2.52 These two categories are not necessarily mutually exclusive, as a taxpayer may take an interpretation risk by adopting a contestable tax position while also taking a detection risk by not fully disclosing details of the position to the ATO.

2.53 The current taxation environment presents challenges and heightens the interpretation risk for taxpayers and the ATO alike. Taxation law is extensive, regularly changing and increasing in complexity.42 Furthermore, announced but unenacted tax law changes are likely to increase uncertainty for taxpayers and the ATO, particularly where such measures are intended to be retrospective.43

2.54 Under self-assessment, taxpayers are required to lodge their tax returns after forming a view about the correct legal treatment of the transaction. To reduce the risk of the ATO challenging the taxpayer's view, taxpayers may seek the advice of the ATO before lodging their return. Nevertheless, taxpayers may be required to take an increased interpretation risk by lodging tax returns without the benefit of ATO advice due to commercial timing considerations and/or delays in obtaining that advice. This risk is also significant in the GST context, where taxpayers often lodge activity statements on a monthly basis, compared with annual income tax returns.

Interpretation risk

2.55 In relation to interpretation risk, the ATO, as the administrator of the tax law, may provide advice as to its interpretation of the law. This advice is only the ATO's view of the law and not the law itself.44 A court may find such interpretation to be incorrect.

2.56 Some aspects of the ATO's advice and guidance framework seek to protect taxpayers from adverse tax outcomes should they rely on certain ATO advice that a court ultimately determines to be incorrect. Such protections only exist for 'binding' ATO advice. Further discussion about the ATO advice and guidance framework can be found in the IGT's Review into Improving the Self Assessment System (Self Assessment Review) and Review of the Tax Office's Administration of Public Binding Advice.45

2.57 There may be a number of factors which increase the interpretation risk for the ATO. For example, an interpretation put forward in court by the ATO may not succeed due to:

  • case selection;46
  • the collection and management of evidence;47 and
  • how and which arguments are put forth to the court.48

2.58 The ATO's management of interpretation risk is undertaken at the enterprise level through 'Enterprise Risk ER-11 — Law interpretation'. Further details about this enterprise risk can be found in Appendix 3.

ATO risk management approach to taxpayer compliance

2.59 Traditionally, compliance risk management may be understood as a form of risk analysis focussing mainly on better selection for tax audits49, with an emphasis on increasing the 'detection' capability of the revenue authority. Audits, however, are comparatively costly activities for both the taxpayer and the ATO.50

2.60 There is ongoing recognition that compliance risk management goes beyond making the best audit selection decisions. The goal is ultimately optimising taxpayer compliance.51 In a self assessment system, this means understanding and influencing taxpayer behaviour. An example is the ATO's research into taxpayer behaviour in the 1990's, culminating in the Cash Economy Taskforce Reports. The Improving Compliance in the Cash Economy April 1998 Second Report52 (Second Report of the Cash Economy Taskforce) led to the ATO's adoption of the ATO Compliance Model shown in Figure 3 below:

Figure 3: ATO Compliance Model

Graphic showing the ATO Compliance Model. The model was originally designed to support voluntary compliance by, in part, increasing a taxpayer's perceptions of fairness of the system.

View image enlarged

Source: ATO Compliance Program 2012-13, page 1.

2.61 Importantly, the ATO Compliance Model emphasises the need for the ATO to address the underlying drivers of taxpayer behaviour.53 This is illustrated by the left side of Figure 3 above, known as 'BISEP' which encourages the ATO to understand the Business, Industry, Sociological, Economic and Psychological factors affecting taxpayer behaviour.

2.62 By addressing these behavioural drivers, the ATO may be able to prevent and deter non-compliant behaviour in the first place, rather than solely relying on sophisticated audit selection techniques to detect the risk of non-compliance after it has occurred. The right side of the ATO Compliance Model also describes a series of regulatory responses to non-compliance, ranging from education through to penalties or prosecutions, depending on the taxpayer's attitude to compliance. The BISEP factors assist ATO officers in understanding the taxpayer's attitude to compliance.54

2.63 Such models or approaches are applied by other revenue authorities overseas55, with publications from the European Union and the OECD providing additional guidance on compliance risk management for tax administration in this regard.56

2.64 The ATO Compliance Model as originally conceived and recommended in 1998 in the Second Report of the Cash Economy Taskforce was not strictly a risk management or resource allocation model. It was a model originally designed to support voluntary compliance by, in part, increasing a taxpayer's perceptions of fairness of the system.57 Such perceptions of fairness could be enhanced by the ATO not routinely applying penalties when faced with non-compliance, forgiving past poor behaviour, and recognising good behaviour.58 The ATO should take into account the taxpayer's different circumstances and respond appropriately.59

2.65 Broadly, risk detection assists in helping the ATO prioritise 'who' it should review or audit, and the Compliance Model guides the ATO 'choice of remedy' if a risk of non-compliance is identified.60

2.66 The ATO Compliance Model approach of seeking to positively influence taxpayers through differentiated ATO responses, is an indirect form of risk management that recognises the ATO's finite resources:

An approach which relies simply on detecting non-compliance and imposing sanctions on detected non-compliers will tend to be short term in effect and increasingly resource intensive for the ATO. It will also place an unreasonable compliance burden on good compliers.61

2.67 The ATO employs a range of activities aimed at preventing, deterring, detecting and dealing with the risks of non-compliance. The relationship between these activities can be understood in terms of the 'bow-tie' risk assessment technique. This technique, included in ISO 31010:2009 Risk Management — Risk Assessment Techniques62, has been implemented by the ATO and is represented in its Large Business and Tax Compliance (LBTC) booklet:63

Figure 4: Risk bow-tie for large business

Graphic explaining the risk 'bow-tie' for large business.

View image enlarged

Source: ATO, Large business and tax compliance 2012, page 24.

2.68 The 'detect' column in Figure 4 above shows that the risk event is 'non-compliance' with the four main taxation obligations described above as 'compliance obligations'. Recognising that detection is part of a broader picture of compliance risk management, attention is now directed towards how the ATO's uses a risk management approach to detect non-compliance.

ATO detection of taxpayer risk of non-compliance

2.69 The ATO takes a risk management approach to its compliance activities, directing its resources to areas of greatest risk.64 The ATO chooses which taxpayers it will audit. The ATO's Strategic Statement 2010-15 says 'we use a risk-based approach to prioritise our work'.65 The ATO has also indicated:

Where you have limited resources and the scale of your role covers a broad canvas, it is necessary to adopt a risk management approach.

... Managing risk is about recognising risks, and making the right choices, and opting for the right trade-offs.66

2.70 A risk-based approach to compliance activity is often contrasted with random selection.67 While random selection is useful for gathering compliance information, and presents a 'fair selection strategy' — in that a given population of taxpayers have the same chance of being selected — it does have a drawback of presenting a high opportunity cost.68 The World Bank notes:

Cases selected for audit by methods focused on high-risk taxpayers or even by manual screening are likely to raise higher revenue than cases selected randomly (even with stratification). As a result, random audits have a low impact on direct generation of revenue and, arguably, on deterrence of non-compliance.69

2.71 The risk-based approach, therefore, may be viewed as a way of managing the opportunity costs associated with limited resources:

We are in an opportunity cost business. For all practical purposes, the areas and issues we can cover are limited, and every hour we spend with taxpayer A is an hour we cannot spend with taxpayer B. Effective use of our time is vital. If there are areas with high levels of compliance we will get out and look elsewhere.70

2.72 It should also be noted that the adoption of a risk-based approach to resource allocation is well founded in the origins of the administrative law notion of the 'good-management rule'. This rule acknowledges that, whilst the Commissioner must administer the tax law and ensure the correct amount of tax is collected, it has finite resources with which to do this:

Having regard to the competing duties and powers that arise under the taxation laws, the courts have acknowledged that the Commissioner must make administrative decisions as to the allocation of scarce resources to achieve an optimal, though not necessarily the maximum, revenue collection. This ensures that the Commissioner is not obliged, for example, to pursue every last cent of revenue where the cost of doing so is prohibitive.71

2.73 Section 44 of the Financial Management and Accountability Act 1997 (FMA Act) also imposes a general obligation on the Commissioner to 'manage the affairs of the [ATO] in a way that promotes proper use of the Commonwealth resources for which the [Commissioner] is responsible'.72 Section 16 of the Public Governance, Performance and Accountability Act 2013 (which is anticipated to effectively replace the FMA Act from 1 July 2014) imposes a new specific duty for the Commissioner to establish and maintain an appropriate system of risk oversight and management.73

2.74 However, another important reason for the risk-based approach is to seek to reduce the compliance burden on low-risk or compliant taxpayers. The use of random selection methods inevitably means that some compliant taxpayers will be audited. In responding to the recommendation by the Joint Committee of Public Accounts and Audit (JCPAA) that the ATO report on a mechanism to estimate the GST gap, the ATO said:74

Not only would [a random audit program] consume large amounts of Tax Office resources that could otherwise be targeted at substantive compliance risks, it would place a significant additional burden on compliant taxpayers who otherwise would not need to incur audit-related costs.

2.75 A risk-based approach, therefore, is also considered to have a twin virtue of excluding likely compliant taxpayers from unnecessary interactions, while focusing ATO attention and resources on higher-risk taxpayers or populations. As an example, the ATO regards its small business benchmarks as a tool to, not only identify 76,000 small businesses likely to attract ATO attention, but also to exclude 800,000 businesses who it regards as 'likely to be competing on a level playing field with their peers'.75

2.76 The risk management approach not only means the ATO is selective as to which taxpayer it audits. It also means that the ATO takes a variety of approaches depending on the taxpayer's situation. The ATO has said:

... if you are in a lower risk category, our help and support services assist you to comply and the lower intensity of our compliance activities reduces compliance costs.76

2.77 In its 2008-09 Compliance Program, the ATO highlighted the relationship between the level of risk, the intensity of verification activity and the numbers of taxpayers involved. The ATO states that:

When risks are identified, our contact with people depends on the nature and complexity of the risk. But it typically starts with letters and phone calls seeking more information or clarification, and extends to field visits and audits where required. Risk profiling is as much about identifying individuals or businesses that represent little or no risk to the tax and superannuation systems, as it is about identifying non-compliance.77

2.78 This risk management differentiation approach ensures the intensity of the compliance activity is commensurate with the risk. The approach also reduces the taxpayer population it seeks to interact with as risk increases. This is shown diagrammatically in Figure 5 below:

Figure 5: Differentiation in intensity and visibility of ATO verification activities

Diagram setting out differentiation in intensity and visibility of ATO verification activities.

Source: ATO, Compliance Program 2008-09, page 8.

2.79 The IGT made similar observations in his Review into Tax Office Audit Timeframes:

... audit activities are directed at areas of greatest risk. The level of taxpayer interaction should be proportionate to the nature of the risk being addressed and such matters as the complexity of the issue and the level of taxpayer assistance. The aim is to minimise the level of taxpayer interaction to that needed for the Tax Office to assure itself of a business's compliance level.78

2.80 Therefore, where there is a level of uncertainty as to the correctness of a taxpayer's tax return, the ATO may not necessarily conduct a full audit to verify it. Rather, the ATO may use information gathering approaches which are less formal, intense and costly to ensure returns are correctly lodged. These may include telephone enquiry, letters requesting an explanation or substantiation for a particular item in the tax return, or more comprehensive risk review interactions. In some circumstances, where the level of risk is considered low, the ATO may take no further action despite the existence of such uncertainty. Where ATO perceptions of risk persist, the above figure highlights the ATO's ability to escalate its verification activities.

Risks associated with taxpayer compliance costs

2.81 The ATO's Wheel of Risk in Figure 2 above shows that there are several risk categories that are related to taxpayer compliance with tax laws. In addition to taxpayer compliance risks, the ATO also recognises risks in relation to 'Client Experience', such as compliance costs. These risks include:

  • failure to manage and reduce the cost of compliance to taxpayers within agreed tolerances (excluding large business); and
  • failure to manage the cost of compliance for large business at appropriate levels.79

2.82 The importance of minimising the level of costs incurred by taxpayers in complying with the law is vital. These costs include those imposed on intermediaries such as advisors. The cost of compliance can take various forms. For example, it may include time and expense in relation to:

  • completing forms such as income tax returns or business activity statements;
  • establishing and maintaining record keeping systems;
  • dealing with the ATO;
  • dealing with advisors;
  • tax planning; and
  • learning about tax.80

2.83 At the time of this report, the ATO was undertaking a review of the 'Cost of Compliance' enterprise risk.81

2.84 The risks associated with increasing compliance costs are of particular interest to the IGT as a number of recommendations in previous IGT reviews were directed at minimising taxpayer compliance costs. These recommendations are in Appendix 5.

2.85 Figure 5 above highlights the ATO's attempt to minimise taxpayer compliance costs by escalating compliance activities according to their risk.

2.86 In summary, the ATO risk management approach to taxpayer compliance:

  • consists of a range of strategies to deter, detect and deal with taxpayer non-compliance;
  • seeks to foster voluntary compliance where possible;
  • includes the ATO understanding and influencing of taxpayer behaviour, including choosing appropriate sanctions to deal with non-compliance depending on the taxpayer's circumstances;
  • with respect to detection, requires the ATO to make choices as to which taxpayers will be the subject of inquiry;
  • seeks to minimise taxpayer compliance costs by taking a graduated and differentiated approach to its inquiries and escalating them where risks persist; and
  • means undertaking audits for the areas of highest risk.

2.87 This report now describes how the ATO assesses risk.

How the ATO assesses risk

2.88 The ATO uses a range of methods to apply differentiated compliance risk and verification strategies. This report refers to these strategies as 'compliance risk assessment tools'. To address the diverse nature of the taxpayer population, the ATO uses specific tools for each taxpayer segment to ensure the most appropriate approach is taken. Appendix 6 illustrates the variety of the tools the ATO uses for various market segments.

2.89 The ATO's Corporate Management Practice Statement PS CM 2003/02 Risk and issues management outlines various roles and responsibilities with respect to risk management. One of them is the requirement to apply the risk management process in accordance with CMPI 2003/02/02 ATO risk matrices. This instruction specifically mandates the use of matrices which assess the combination of a risk event's likelihood and the consequences of the risk event happening. It should be noted that the likelihood/consequence table is a method derived from the International Standard ISO 31010 — Risk assessment techniques.82 One example of an ATO risk matrix is shown below.83

Table 2: ATO operational risk matrix

Image of a table showing the ATO operational risk matrix.

Source: ATO, CMPI 2003/02/02 — ATO risk matrices.

2.90 In making a risk assessment the ATO seeks to establish the two key criteria of likelihood and consequence. Each criterion is addressed in more detail in the next sections.

Likelihood criteria

2.91 The likelihood of a given risk is estimated by the ATO using various techniques. The ATO's Risk Matrices (CMPI 2003/02/02) offers some guidance on estimating likelihood in a rating-based framework. The table in this document is reproduced in Table 3 below:

Table 3: The ATO Enterprise level risk likelihood rating table
Likelihood rating Likelihood guide Risk probability guide Issue frequency guide*
1 Rare 0-5% chance of occurring Less than 1% of the risk population involved in non-compliance
2 Unlikely 6-30% chance of occurring Between 1 and 10% of the risk population involved in non-compliance
3 Even Chance 31-70% chance of occurring Between 11 and 20% of the risk population involved in non-compliance
4 Likely 71-95% chance of occurring Between 21 and 25% of the risk population involved in non-compliance
5 Almost Certain 96-100% chance of occurring Greater than 25% of the risk population involved in non-compliance

* Frequency is a measure of the number of occurrences per unit of time (or some other base unit of measure; for example, distance, population etc.). In a compliance risk context this should be an estimated frequency of occurrence of an issue in the target population.

Example: The fact that we know that work related expenses (WRE) claims are being fraudulently claimed does not mean the likelihood rating for this incorrect reporting is '5 Almost Certain'. If in the population of individual clients only approximately 10 per cent of clients are involved then the likelihood rating should be '2 — Unlikely'.

Source: ATO, including note.

Consequence criteria

2.92 The consequence from a given risk arising is also estimated through various techniques depending on the nature of the risk. For tax compliance, this is often through financial analysis. In the case of a tax deduction under review, this would include the amount actually being claimed by the taxpayer and the reduction in tax payable as a result. If the amount claimed is significant, then the consequence is prima facie higher.

2.93 There may be other circumstances where an amount at risk is relatively low, but the consequence may still be considered higher if the taxpayer is considered influential in the market place.84 Additionally, a particular taxpayer in a select population may represent a low risk to the revenue (due to the amount of the revenue at risk), but the risk may have high cumulative effects, in that the entire select population represents, in aggregate, a large amount of revenue at risk.85 It should be noted, however, that the ATO considers this type of cumulative effect in the likelihood part of the risk assessment, as seen in the 'issue frequency guide' column in Table 3 above.

2.94 This approach, with respect to the cash economy, is supported by the OECD Forum on Tax Administration:

For many participants the amounts of tax involved are relatively small; however, given the large numbers involved, the aggregate tax revenue at stake is sizeable.86

2.95 It is one reason why the ATO directs significant compliance resources toward addressing the cash economy. Community confidence is also another reason why addressing the cash economy is so important. The risk posed by the cash economy is described in the Enterprise Risk Framework as:

Failure to identify and respond to major threats posed by the cash economy which have the potential to undermine community confidence in the integrity of the system.87

2.96 For the ATO, therefore, consequences may relate to amounts of revenue at risk, community confidence, or other outcomes related to taxpayer compliance.

Operational risk management matrix

2.97 The ATO assesses the likelihood and consequence of risks through a matrix construct, shown in Table 2 above. In the case of small deductions claimed in individual tax returns, the combination of 'likely' likelihood and 'low' consequence scores may result in a 'moderate' risk. In this situation, the ATO may wish to avoid a costly comprehensive audit and instead seek verification of that particular deduction through informal means, such as a letter requesting a copy of a receipt.

2.98 Alternatively, the ATO may face a different scenario with large business taxpayers where deductions are much larger. In this case, the consequence would be regarded as 'high'. Due to the size of the deduction, even if the likelihood was 'unlikely', the risk would still be regarded as 'moderate'. The ATO may still decide to review the claim even if there is a low likelihood that it is incorrect. The ATO indicates:

As you know, the ATO's approach to compliance across the taxpayer spectrum is about assuring the community of the integrity of the taxation system. This means that large business is always an area of focus for us; not necessarily because you are less compliant, but because the value and complexity of your transactions are so great that the potential impact of non-compliance on the taxation system could be extreme.88

2.99 Therefore, the risk matrix may indicate that different combinations of likelihood and consequence may result in the same nominal level of risk. However, a given 'moderate' outcome does not necessarily mean the ATO treatment is the same. The type of taxpayer, the type of risk and the level of risk all influence the ATO approach.

Inputs into ATO risk assessment tools

2.100 There are generally two forms of data used in risk assessment processes, quantitative data and qualitative information.

2.101 In general, ATO compliance risk assessment tools require quantitative data or information to process. The sources for such information include tax returns or activity statements and third party data.

2.102 At the other end of the spectrum, the ATO may use qualitative information sourced from the media or other disclosures and ATO officer judgement of a taxpayer's behaviours and attitudes. Use of this type of information is necessary where a smaller or heterogeneous taxpayer population make it difficult for the ATO to develop and rely simply on statistical, analytical and quantitative methods. A case in point is the large business market segment89, which encompasses only 1850 economic groups and entities.90 With respect to this market, the ATO states:

Our perception of the likelihood of non-compliance is an informed professional judgment based on assessing a range of risk factors for each tax type. We undertake a moderation process to ensure the RDF categorisation is consistent and supported by the evidence.91

2.103 Depending on the situation, the ATO may use quantitative data, qualitative information or differing combinations of both, as inputs into risk assessment tools.

Outputs of risk assessment tools

2.104 After a risk has been identified and assessed, some form of output is produced. Depending on the specific compliance risk assessment tool it may be a ranking system, a risk rating number, a risk categorisation, or a 'risk population' after filtering.

2.105 The ATO risk differentiation framework (RDF) is one approach that provides a risk output. The RDF was first introduced in the Large Business and International (LB&I) business line, to allow the ATO to assess the risk of large business taxpayers in relation to each other. The RDF is used to identify the level of risk relative to the rest of the large business population, rather than the absolute level of risk. This relative risk categorisation assists the ATO determine which taxpayers to review, and what compliance product or approach to use in relation to that taxpayer.

2.106 The small business benchmarks are a different type of risk assessment tool. It is used to assess the risk of underreported income by businesses operating in the cash economy. Businesses that report within the benchmarks for certain financial performance ratios (such as cost of sales to turnover) are 'filtered out' from this process. Those that report outside the benchmarks remain inside the risk population for further ATO consideration.92 In this sense, there is no particular risk rating created as an output from this process.

2.107 The ATO has indicated in the Compliance Program 2012-13 and various other publications that it is using the RDF for the large business market93, the small-to-medium enterprises market94, the mineral resource rent tax and petroleum resource rent tax95, as well as tax practitioner practices96 and self-managed superannuation funds.97

2.108 The RDF is now a central ATO compliance risk assessment tool. It is considered in detail in Chapter 3 in the context of the large business market where it has had longer application. The RDF is also considered in Chapter 4 and 7 in relation to SME and tax practitioners respectively.

Health of the system assessments — HOTSA

2.109 The ATO also regularly conducts what are known as 'Health of the System Assessments' (HOTSAs). These HOTSA processes have been conducted by the ATO for income tax or GST a number of years prior to the adoption of the current ERMF.98

2.110 The ATO advised the IGT in relation to this review:

[the] Health of the System Assessment (HOTSA) is an integral part of the processes adopted by the ITSC [Income Tax Steering Committee] to monitor and evaluate the health of the income tax system. All business lines and sub-revenue products with an income tax focus provide input to the income tax HOTSA on an annual basis.

... The value of the HOTSA is not only in the informative documents generated from the process. The primary value is the opportunity the process provides to discuss the numerous income tax risks in a structured format on an annual basis. It provides a rigorous method by which to examine and analyse the assessment and treatment of income tax risks.99

2.111 The ATO also notes:

HOTSAs are recognised as an effective process to assist Enterprise Risk Managers in managing their enterprise risk categories. The HOTSA approach will equip the Enterprise Risk Owners with the best information and intelligence available to produce the best possible assessment of their risk areas.100

2.112 HOTSAs continue to be prepared for each revenue product, (such as income tax, GST, excise and superannuation) and for each market segment (such as individuals and large business) every year.

2.113 The Income Tax Revenue Product HOTSA is created primarily for the Income Tax Steering Committee (ITSC) which is responsible for contributing to the strategic direction of income tax administration (which includes PAYG withholding, PAYG instalments, capital gains tax and fringe benefits tax).101 The Chair of the ITSC is also the Enterprise Risk Owner for income tax under the enterprise risk management framework.

2.114 With respect to income tax or GST HOTSAs, the process is designed to ask and answer specific questions focussed on three broad areas, each with a series of 'focusing questions':102

  • Outcomes
    • Appropriate revenue, transfers and payments?
    • Cost to operate?
    • Community confidence in the system?
  • Operating Features
    • Are the right players in the system?
    • Clients understand their obligations?
    • Clients meet obligations?
    • Risks identified and acted upon?
    • Internal capability?
    • Role of intermediaries?
  • Administrative design features
    • Effective design?
    • Sustainable design?

2.115 The HOTSA uses a coloured rating system to convey the status of each of the above strategic questions, known as 'element status ratings', as shown in Figure 6 below:

Figure 6: Element status ratings for HOTSA reporting

Graphic giving element status ratings for HOTSA reporting. The three ratings are green, amber, and red.

Source: ATO communication to IGT, 20 March 2013

2.116 Each of the element status ratings is accompanied by a 'data integrity status rating'. This is a numerical rating used to indicate confidence levels, 1 being the highest and 3 the lowest. An extract of this is provided in Figure 7 below.

Figure 7: Data integrity status ratings for HOTSA reporting

Graphic giving 3 data integrity status ratings for HOTSA reporting, 1 being the highest and 3 the lowest.

Source: ATO response to information request 4, supplied 20 March 2013

2.117 Like the confidence levels used in risk assessment templates on the ERM, the data integrity status ratings recognise that assessments rely on information with varying degrees of completeness, accuracy and verifiability.

2.118 The HOTSA process, therefore, represents one of the key methods in which the ATO identifies and monitors enterprise risks including taxpayer compliance risks.

IGT observations

Risk ratings and confidence levels

2.119 As indicated above, the ATO assesses enterprise risks with a risk rating based on likelihood and consequence. A separate confidence level is then articulated for that risk rating based on the quality and completeness of the information used to determine that rating. The ATO uses this approach for all of its enterprise risks, such as business continuity and security and not just for compliance risks.

2.120 This distinction between the confidence level and the risk rating assists in determining what further action is required. For example, a high risk rating may require a particular form of risk treatment, whilst a low confidence level may require the ATO to gather more information to increase its confidence level before implementing a risk treatment.103

2.121 As outlined above in paragraph 2.105, the ATO uses the RDF as a means of communicating a risk rating to taxpayers. It has been used for large business taxpayers for a number of years with more recent implementation for other market segments. One distinctive feature of the RDF is that, whilst it is an adaptation of the likelihood and consequence risk matrix, a separate confidence level is not a part of the model.

2.122 The ATO may have a low level of confidence about the information it receives from certain taxpayers or a low level of confidence that the taxpayer will proactively provide the necessary information. In these circumstances, rather than communicating a low confidence level separate to the risk rating, the ATO instead increases the risk rating. The reasons for this approach in the large business market and the consequent stakeholder concerns are discussed in Chapter 3.

Information confidence levels and cost

2.123 A low level of confidence may be due to a lack of ATO information or a low level of quality or accuracy of the information it already holds. In these circumstances, the ATO may attempt to obtain more or higher quality information to improve its 'information confidence' level. The extent to which the ATO can reasonably obtain more information is limited by the cost of doing so and the risk level at play.

2.124 It would be difficult for the ATO to justify incurring and imposing significant costs for low level risks. Conversely, the ATO may be able obtain high levels of confidence, even for low levels risks, at relatively low cost where the additional information is easily obtainable.

2.125 For example, the ATO requires a higher level of information confidence for very large business taxpayers, where the risk to the revenue may be substantial, and is prepared to devote significant resources to obtain further information.

2.126 For risks involving lower amounts of revenue, the ATO does not necessarily require a high confidence level but may be able to achieve it cost-effectively anyway.

2.127 For example, whilst not all 12.4 million individuals who lodge tax returns may be seen as a higher risk, the ATO has 'an almost complete picture of each individual's financial dealings'.104 The ATO has acknowledged that, for taxpayers with simple tax returns, it is in a position to exploit the 'substantial amounts of information' it routinely receives about those taxpayers to potentially send a completed tax return to taxpayers without the need for those taxpayers to actively lodge a return.105

2.128 The above demonstrates that the ATO has a high level of confidence in the information at its disposal and no further taxpayer disclosures are required. Accordingly there is no direct cost to individual taxpayers — the costs are borne by third party information providers.106

Taxpayer 'transparency' and ATO information gathering approaches

2.129 In the large business market segment, a relevant consideration relating to information confidence is the taxpayer's 'willing participation'107 or 'transparency'.108 The ATO is reliant on direct disclosures from these taxpayers and has an increased focus on real-time engagement with them. For example, the ATO describes the large business taxpayer Annual Compliance Arrangement (ACA) in these ways:

The ACA is an administrative arrangement developed to manage the compliance relationship with you in an open and transparent environment.

... By committing to work in a frank and transparent environment with an assurance based approach we can tailor your compliance relationship and experience, rather than working through traditional compliance approaches such as audits and risk reviews.

... Collaboration, transparency and trust are the key features throughout the ACA process.

... Subject to true and full disclosures, and a commitment to adhering to the corporate governance principles, ACAs provide practical certainty for your tax return, shortly after lodgment.109

2.130 The IGT notes that large business taxpayers which the ATO considers 'higher consequence' and who are not in an ACA are subject to Pre-lodgment Compliance Reviews (PCRs).

2.131 The ATO has also expanded the disclosure requirements associated with income tax returns. For both large and small-to-medium enterprises with international transactions reaching certain thresholds, the ATO requires the lodgment of an International Dealings Schedule (IDS). With respect to higher consequence large business taxpayers, there is also the reportable tax position schedule (RTP schedule) which the ATO describes as supporting:

a more contemporaneous review of, and engagement with these taxpayers, supporting increased taxpayer transparency in a targeted and efficient manner.110

2.132 It should be noted that the IGT has considered products such as ACAs, PCRs as well as IDS and RTP schedule in a previous review.111 Furthermore, the IGT has made specific recommendations about the ATO's information gathering approaches to large businesses and SMEs and high wealth individuals in a number of other reviews.

2.133 Whilst the ATO prefers to obtain information by informal means, the ATO has strong access and information gathering powers to obtain the information it needs to increase its information confidence levels.

2.134 The ATO's wide ranging112 access and information gathering powers may be used to improve information confidence with respect to both risk assessment as well as subsequent compliance activities. The ATO has described these powers in the following manner:

Access powers

We have, at all times, free and full access to all buildings, places, books, documents and other papers for the purposes of the Acts we administer. We can also take extracts from or copies of any such books, documents or papers.

Under the indirect tax and excise laws, this also extends to goods and includes the capacity to take samples.

Information gathering powers

Our information gathering powers allow us to require:

  • information to be given
  • a person to attend an interview with us and to provide information and evidence
  • documents to be produced.

In some circumstances we use a combination of these powers.

We can only use our information gathering powers by serving you with a notice.113

2.135 Some important exceptions to these access and information gathering powers are discussed in the ATO Access and information gathering manual.114 These limitations are:

  • legal professional privilege, which is a taxpayer right conferred by law;
  • the Accountants' Concession, which is an administrative concession established by the ATO; and
  • the 'corporate board documents' concession, which is also an administrative concession established by the ATO.

2.136 Legal professional privilege is a substantive common law right, and cannot be abrogated by the Commissioner's access and information gathering powers.

2.137 Administrative concessions are self-imposed restrictions on the ATO's access and information gathering powers. The ATO undertakes not to compel the production of information falling within the above two categories 'in all but exceptional circumstances'.115 Where 'exceptional circumstances' exist, the ATO may 'lift' the concession and continue to seek that information.

2.138 Despite the above exceptions, the ongoing disclosure requirement, along with expanded tax return schedules and the ATO's formal access and information gathering powers mean that taxpayers regard themselves as highly transparent to the ATO.

2.139 The ATO's view of transparency, however, is based on whether taxpayers provide such information proactively without being compelled to do so. The ATO uses its RDF-related communication in order to encourage taxpayers to 'adopt a more open stance'.116 The ATO approach to seeking information directly from taxpayers in the large business market is further discussed in Chapter 3 and more generally in Chapter 8.

2.140 Other sources of data for the ATO, as noted above, are third parties such as financial institutions, who may be able to provide the ATO with large amounts of data at a relatively low direct cost to taxpayers.117 These data sources are particularly useful in relation to individual taxpayers and are explored in greater detail in another IGT review which examines the ATO's use of data matching for individual taxpayers.118

2.141 For present purposes, it is sufficient to note that some of the information from third party providers may be available to the ATO under the law ('legislative data') whilst some have to be obtained by the Commissioner under his formal information gathering powers ('special purpose data' or 'non-legislative data').

2.142 Legislative data is provided by certain third parties under a legislative regime. For example, banks and other financial institutions are required by law to provide the ATO with the details of investors, including their names, interest and dividends paid and tax file numbers.119 Other providers of annual legislative data include Centrelink, the Department of Veterans' Affairs, private health insurers and superannuation funds.120

2.143 The ATO has a high level of confidence in the legislative data that it receives, such as salary, interest, dividends and managed funds distribution information. For individual taxpayers who receive income from such sources, the ATO may more readily rely on this data to notify the taxpayer of a discrepancy between the data and the reported income as well as any proposed adjustments if the taxpayer does not respond to ATO enquiries.

2.144 In addition to the data matching approach to individuals described above, the ATO has also highlighted its increasing use of third party data for the small-to-medium enterprises market:

This year, we will continue to expand sources of third party data to further enhance our data mining capability to identify risks relating to related-party transactions, disposals of capital assets and international dealings.

… Our risk models use information in income tax returns and schedules, business activity statements and a range of information we gather from government agencies, financial institutions and other third parties.121

2.145 For high wealth individuals, it is more difficult for the ATO to obtain low cost third party data about private group structures or business details. As an alternative to compliance activity such as a risk review or audit, which could be costly, taxpayers are required to complete questionnaires or expanded income tax returns in the first instance. Taxpayers may incur significant additional costs in meeting those requirements.

Other drivers of ATO information gathering approaches

2.146 As noted above, the level of confidence sought and the cost of obtaining the necessary information to assess risk as well the level of risk itself both influence the ATO's demand for information and its approach in gathering it. Another reason for the ATO's desire for obtaining more information at an early stage, particularly in the large business market segment or more complex cases, is Federal Court Practice Note TAX 1. The discovery limits of this practice note essentially require the ATO to be 'litigation-ready' by the time the matter has reached the objection stage. This requires the ATO to have 'full facts quickly' during compliance activities. The IGT had raised this issue in his Report into the Australian Taxation Office's Large Business Risk Review and Audit Policies, Procedures and Practices122 (LB&I Review) and Self Assessment Review.123

Likelihood, consequence, information confidence and cost

2.147 Figure 8 below summarises the relationship between risk, which is composed of likelihood and consequence, on the one hand, and information confidence and cost on the other. Consistent with the ISO approach and the ATO approaches as set out in its Risk Assessment Template and HOTSA process, information confidence and cost is considered separately to the likelihood and consequence considerations. The required level of information confidence, as well as the ATO action to attain that level of confidence, may vary depending on the context.

Figure 8: Risk and information confidence and cost

Graphic showing the relationship between risk and information confidence and cost.

Source: IGT

2.148 As noted, the RDF currently does not communicate information confidence and cost separately from the risk rating. The IGT has generally observed that the 'likelihood' axis in the RDF is not readily understood or appreciated. This had led to some taxpayers considering that the system fails to recognise that they are highly compliant.

2.149 The interaction between risk and information confidence and cost is discussed further in Chapter 3 with reference to the use of the RDF in the large business market segment. Whilst the ATO has begun using the RDF for the small to medium enterprise market segment, and earmarked it for other areas, the ATO has been using the RDF in the large business market segment for a number of years. By addressing specific stakeholder concerns with the ATO's use of the RDF in the large business market segment, this report seeks to identify opportunities to improve the use of the RDF more broadly.

8 International Organization for Standardization, ISO 31000 Risk management - principles and guidelines (2009), p v.

9 Ibid para [2.1].

10 Comcover, Better Practice Guide - Risk Management (June 2008).

11 Australian Taxation Office, 'Enterprise Risk Management Framework' intranet document.

12 For example, the Risk Management Association of Australia; Risk Management Institution of Australasia; Australian Risk Policy Institute.

13 Australian Risk Policy Institute, The Risk Policy Model (2012) p 25.

14 IGT stakeholder consultation 21 May 2013.

15 Centre for Tax Policy and Administration, Organisation for Economic Co-operation and Development, General Administrative Principles - GAP003 Risk Management (2001).

16 Ibid para [10].

17 Australian Taxation Office, Commissioner of Taxation Annual Report 2011-12 (2012) p a.

18 Ibid.

19 One of the main sources being the Financial Management and Accountability Act 1997.

20 At the commencement of the review, the Office of the Chief Knowledge Officer (OCKO) business line had overall responsibility for the ERMF. During the review, the OCKO business line was dissolved and its functions and staff were subsumed into the ATO Corporate business line.

21 Australian Taxation Office, Risk and issues management, PS CM 2003/02, 22 May 2013.

22 Ibid para [7].

23 Ibid para [14].

24 Ibid para [16].

25 Australian Taxation Office, Risk management instructions for enterprise risk owners, CMPI 2003/02/01, 22 May 2013, para [9].

26 Australian Taxation Office, Enterprise Risk Management Framework intranet page. 'Enterprise Change' does not have an enterprise risk owner.

27 Australian Taxation Office, Risk and issues management, PS CM 2003/02, 22 May 2013, see 'Key roles and responsibilities'.

28 ATO Risk Assessment Template - March 2013 - from the Enterprise Risk Manager 22 April 2013, page 10.

29 Ibid.

30 International Organization for Standardization, ISO 31000 Risk management - principles and guidelines (2009) para [5.4.3]

31 Forum on Tax Administration Compliance Sub-group, Organisation for Economic Co-operation and Development, Guidance Note - Compliance Risk Management - Managing and Improving Compliance (2004) para [4].

32 Australian Taxation Office, Taxable payments reporting - building and construction industry (22 July 2013).

33 Australian Taxation Office, Compliance Program 2012-13 (2012) p 23.

34 Inspector-General of Taxation, Review into the non-lodgement of individual income tax returns (2009) para [4.1].

35 Ibid para [4.8].

36 Michael D'Ascenzo, 'The effective use of analytics in public administration: The Australian Taxation Office Experience', (Speech delivered at the Australian Institute of Company Directors, Hobart, 22 June 2012).

37 Australian Taxation Office, Self-assessment and the taxpayer (7 March 2013).

38 IGT, above n 5, para [3.13]. The IGT noted that increased ATO information gathering activities at or before the time of lodgment represented a pendulum swing back towards full assessment 'without any of the previous benefits available from the former full assessment regime.'

39 Michael D'Ascenzo, 'Self assessment: the ATO perspective', (Speech delivered at the Taxation Institute of Australia, 9 May 2012).

40 Australian Taxation Office, Taxpayers' charter - If you're subject to review or audit (2010).

41 For example, Income Tax Assessment Act 1997 ss 263 and 264.

42 Joint Committee of Public Accounts and Audit, Parliament of Australia, Report No 410 — Tax Administration (2008) paras [3.9] to [3.39]. See also, Inspector-General of Taxation, Review into improving the self assessment system (2013) paras [5.3] to [5.6].

43 The Tax Institute, Submission to the Treasury (Cth), 2013-14 Federal Budget (13 February 2013) p 5.

44 IGT, above n 5, para [2.20].

45 Inspector-General of Taxation, Review of the Tax Office's Administration of Public Binding Advice, publicly released 7 August 2009).

46 Inspector-General of Taxation, Submission to the Australian Government, Tax Forum - Next steps for Australia (September 2011) p 17.

47 The Senate, Economics Legislation Committee, Parliament of Australia, Tax Laws Amendment (Countering Tax Avoidance and Multinational Profit Shifting) Bill 2013 [Provisions], May 2013, paras [2.10] and [2.14].

48 Commonwealth, Estimates, Senate Economics Committee (30 May 2012) p 99.

49 Fiscalis Risk Management Platform Group, European Union, Compliance Risk Management Guide for Tax Administrations (2010) para [1.3]

50 Inspector-General of Taxation, Review into Tax Office Audit Timeframes (2008) para [3.7].

51 Michael D'Ascenzo, 'Optimising voluntary compliance', (Speech delivered to the Australian Securities and Investment's Commissioner Summer School, Sydney, Tuesday 14 February 2006).

52 Australian Taxation Office, Improving Tax Compliance in the Cash Economy (1998).

53 Ibid p 19.

54 Rob Whait, 'Developing risk management strategies in tax administration: the evolution of the Australian Taxation Office's compliance model' (2012) 10(2) eJournal of Tax Research 436-464, p 446.

55 For example, the UK's HMRC Risk and Intelligence Service drives risk-based compliance activity. See Fiscalis Risk Management Platform Group, European Union, Compliance Risk Management Guide for Tax Administrations (2010) p 108.

56 See for example, Fiscalis Risk Management Platform Group, European Union, Compliance Risk Management Guide for Tax Administrations (2010) and OECD, above n 31.

57 ATO, above n 52, pp 57 and 59. Other parts include building community partnerships, making it easier to comply, improving detection capability and enforcing record keeping obligations.

58 ATO, above n 52, p 41.

59 Ibid p 47.

60 Stuart Hamilton, 'New dimensions in regulatory compliance - building the bridge to better compliance' (2012) 10(2) eJournal of Tax Research 483-531, p 483.

61 ATO, above n 52, p 19.

62 International Organization for Standardization, ISO 31010 Risk management - risk assessment techniques (2009) para [B.21].

63 Australian Taxation Office, Large business and tax compliance publication (2012) p 24.

64 ATO, above n 33, p 2.

65 Australian Taxation Office, Strategic Statement 2010-15 (2010).

66 Michael D'Ascenzo, 'Risk: The framework, the vision, the values', (Speech delivered at the CPA Public Sector Finance and Management Conference, Barton, 12 August 2010).

67 World Bank, Risk-based tax audits: approaches and country experiences (2011) p 18.

68 Ibid p 19.

69 Ibid p 20.

70 Michael D'Ascenzo, 'Commissioner's perspective on audit programs', (Speech delivered at the Taxation Institute of Australia's Lecture Series on Tax Audits, Sydney, 10 October 1990).

71 Bruce Quigley, 'The Commissioner's power of general administration: How far can he go?', (Speech delivered at the Taxation Institute of Australia's Convention, Sydney, 12 March 2009).

72 Financial Management and Accountability Act 1997 s 44.

73 Australian Government Solicitor, Bill introduces new governance, performance and accountability framework for Commonwealth bodies (28 June 2013).

74 Australian Taxation Office, Response to Joint Committee of Public Accounts and Audit, Recommendation 5 of Report 398 —Review of Auditor-General's Reports 2002-2003 Fourth Quarter March 2004(undated).

75 ATO, above n 33, p 28.

76 Ibid p 2.

77 Australian Taxation Office, Compliance Program 2008-09 (2008).

78 IGT, above n 50, para [2.5].

79 The ATO was reviewing this enterprise risk during the IGT review.

80 Philip Lignier and Chris Evans, 'The rise and rise of tax compliance costs for the small business sector in Australia' (2012) 27(3) Australian Tax Forum 615-672, p 634.

81 Australian Taxation Office, Strategic Intelligence Product Tasking Plan - Cost of compliance, 10 October 2012.

82 Known as a consequence/probability matrix. See International Organization for Standardization, ISO 31010 Risk management - risk assessment techniques (2009) p 82 and para [B.29].

83 It should be noted that this is a simple example for illustrative purposes. Risks registered in the ERM must be assessed using the more sophisticated 'enterprise level risk matrix' reproduced in Appendix 7.

84 Michael D'Ascenzo, 'Do you see what I see?', (Speech delivered at the 22nd Australasian Tax Teachers Association Conference, Sydney, 22 January 2010)

85 International Organization for Standardization, ISO 31010 Risk management - risk assessment techniques (2009), p 82 and para [5.3.3].

86 Forum on Tax Administration Compliance Sub-group, Organisation for Economic Co-operation and Development, Information Note - Reducing opportunities for tax non-compliance in the underground economy (2012) p 2.

87 Australian Taxation Office, Risk Description - Enterprise Risk 13.3: Cash Economy (From the ATO Enterprise Risk Manager).

88 Bruce Quigley, 'We can see clearly now: growing transparency with large businesses', (Speech delivered at the Corporate Tax Association Convention, Melbourne, 7 June 2011).

89 With respect to income tax and indirect taxes.

90 ATO, above n 63, p 5.

91 Ibid p 25.

92 IGT, above n 7, para [2.12].

93 ATO, above n 33, p 45.

94 Ibid p 32.

95 Ibid p 53.

96 Ibid p 13.

97 Australian Taxation Office, Superannuation Consultative Committee Minutes September 2012 (12 November 2012).

98 A form of HOTSA has been in existence since 2003. The ERMF in its current form was implemented in 2010 after the adoption of ISO31000:2009. See Julian Jenkins, 'Information Design for Strategic Thinking: Health of the system reports' (2008) 24(1) Design Issues, p 77.

99 ATO communication to IGT, 20 March 2013.

100 Ibid.

101 Ibid.

102 Ibid.

103 United States Department of the Interior, Reclamation Managing Water In The West - Interim Dam Safety Public Protection Guidelines, August 2011, page 24.

104 ATO, above n 33, p 19.

105 Geoff Leeper, Second Commissioner of Taxation, Transforming the taxation experience: insights and opportunities, Speech, To the Trans-Tasman Business Circle Canberra, 13 August 2013.

106 Australian Taxation Office, Access and Information Gathering Manual (1st version, 2010) para [2.4.57].

107 Quigley, above n 88.

108 Mark Konza, 'Our compliance approach and management of risks in the energy and resources sector', (Speech delivered at the Minerals Council of Australia Biennial Tax Conference, Brisbane, 16 April 2013).

109 ATO, above n 63, p 22.

110 Ibid.

111 IGT, above n 5, pp 92-100.

112 Australian Taxation Office, Taxpayers' charter - Fair use of our access and information gathering powers (2010) p 1.

113 Ibid p 2.

114 Australian Taxation Office, Access and information gathering manual.

115 See Australian Taxation Office, Access to 'corporate board documents on tax compliance risk', PS LA 2004/14, 1 July 2006, para [1] and Australian Taxation Office, Access and Information Gathering Manual (1st version, 2010) para [7.1.1].

116 Bruce Quigley, 'The power of transparency - 12 months on', (Speech delivered at the Corporate Tax Association Conference, Canberra, 18 June 2012).

117 Australian Taxation Office, Data matching (22 January 2013).

118 Inspector-General of Taxation, Review into the ATO's Compliance Approach to Individual Taxpayers - Use of Data Matching.

119 Income Tax Regulations 1936 reg 54, requires the lodgment of the 'annual investment income reports'.

120 Australian Taxation Office, Small Business Partnership meeting minutes 18 April 2012 (27 June 2012).

121 ATO, above n 33, p 31.

122 Inspector-General of Taxation, Report into the Australian Taxation Office's Large Business Risk Review and Audit Policies, Procedures and Practices (2011) para [3.21].

123 IGT, above n 5, para [3.17].