8.1 Thus far, this report has covered specific issues in relation to the ATO's risk assessment approaches for particular market segments. This chapter draws together key themes in the earlier chapters. The reason for doing so is to draw out general design elements that assist with future risk assessment architecture in the tax administration environment.

8.2 The key themes adopted based on stakeholder feedback and reflected in the earlier chapters were:

  • governance;
  • effective use of inputs;
  • transparency and communication; and
  • proportionality of the compliance approach.


8.3 Good governance is a cornerstone of effective tax administration. The revenue authority must have confidence that its risk assessment approaches are being carried out as intended.

8.4 All risk assessment approaches should ensure that stakeholders and officers are aware of their roles and responsibilities. This may come in the form of job descriptions or duty statements. Key committees or decision-making bodies should have their authority and remit clearly articulated. Internal reporting structures need to be in place to ensure problems and issues are escalated to the appropriate committee or decision-maker for timely action. This may come in the form of charter documents.

8.5 Decision-making bodies need to ensure that they are following agreed, articulated processes and that decisions are made on a timely basis. Decisions should be appropriately documented with supporting evidence and reasoning.

8.6 Risk assessment approaches should also have a clear line of sight from the highest level, that is the Enterprise Risk Management Framework. The ATO has, at the strategic level, identified 22 key enterprise risk areas. Any risk assessment approach, or risk management campaign, should be able to indicate to which key enterprise risk area it relates. This may be evidenced by risk assessment and risk treatment documents on the Enterprise Risk Manager.

8.7 Documentation at the business line level may be required to indicate how the enterprise risk will be addressed at the strategic or tactical level.

8.8 Furthermore, risk assessment and risk treatment measures should have an evaluation strategy, which indicates how the ATO will measure the effectiveness of, and improve, the risk assessment or risk treatment method. A continuous improvement outlook should also be a hallmark of the entire process.

Effective use of inputs

8.9 A system is only as good as the inputs that go into it. Relevant and effective inputs are vital for risk identification and capture. It facilitates the direction of limited resources to areas that most warrant it.

8.10 It is important to clearly articulate the risk hypothesis to ensure risk inputs are relevant to the risk being identified. In the LBTC booklet, the risk event, for example, is the taxpayer having a tax position with which the ATO disagrees or the taxpayer through error or omission has misreported their obligations.369

8.11 In this case, there are two types of risk events and it is important to ensure that the ATO does not attribute one risk factor against the wrong risk event. For example, a taxpayer may undertake transactions in an uncertain area of the law. To infer that this indicates a higher likelihood of 'non-compliance' (that is error or omission) is not appropriate. It is important that risks be more specifically identified and the expected remediation or action required more carefully targeted.

8.12 This report recognises that the ATO uses a combination of quantitative and qualitative inputs. Quantitative data has the benefit of being perceived as objective fact. Furthermore, quantitative data lends itself well to analysis by computerised methods rather than manual analysis. This means a great deal of analysis can be performed at a high volume at relatively low cost to the ATO.

8.13 The application of quantitative approaches in certain situations need little qualitative inputs where there is objective, verifiable and direct evidence of non-compliance, such as those used in data-matching of interest income disclosures in income tax assessments.

8.14 In the absence of quantitative inputs, the IGT recognises the need to employ qualitative inputs. The small business benchmarks provide a good example of where both these types of input need to be used to arrive at an appropriate outcome.

8.15 The benchmarks are derived from taxpayer income tax returns and activity statements from statistically valid populations of similar businesses. Whether a particular taxpayer's cost of sales to turnover ratio is different to the benchmark range is also objectively verifiable. However, a departure from the benchmark hypothesises an increased risk of underreported income. Therefore, as set out in the IGT's Review into the ATO's Use of Benchmarking to Target the Cash Economy (Benchmarking Review), ATO officers also need to examine qualitative inputs, including a better understanding of the taxpayer's business and the consideration of other qualitative risk factors, such as the nature of the business, cash controls and its business mix and record keeping management.

8.16 The ATO should ensure that qualitative information is considered in an objective and non-arbitrary manner. Adopting appropriate governance arrangements should assist in this regard. In the Large Business and International (LB&I) business line, the adoption of the risk template, which lists specific risk factors to consider, and the moderation panel, which subjects the risk factors to peer review and collective decision making, are helpful measures in ensuring the integrity of the use of qualitative inputs. The LB&I approach is designed to ensure that evidence is tested consistently across the risk population.

8.17 The ATO should also ensure that there are processes in place to refine the accuracy of their risk inputs. In the IGT's Benchmarking Review, the ATO agreed to examine the results of the completed audits to identify any other risk factors which may assist in better targeting likely non-compliant taxpayers.

8.18 In the SME business line, risk managers have responsibility for the regular review of the risk rules under their ownership. This business line has also agreed to previous ANAO recommendations to review their risk rules.

8.19 In LB&I, it is noted that the risk filters are currently generating many false positives that are subsequently filtered out by risk managers. This represents an opportunity to review the risk filters with a view to ensuring they are generating more useful output and reducing the need for risk managers to do this filtering.

8.20 Risk managers play an important role in all business lines. They identify potential risks, develop rules to detect those risks, and develop risk treatment strategies. The ATO should ensure that risk managers have an adequate understanding of the business and economic environment pertaining to the risk over which they have responsibility. This ensures that risk managers can identify potential risks in a timely manner.

8.21 The ATO should also ensure that risk managers are adequately supported in their role. This includes ensuring they have the adequate skills to identify and analyse risk as well as develop guidance for active compliance officers on the indicators and evidence of non-compliance to test the risk hypothesis.

8.22 Risk managers should also be able to articulate what evidence active compliance officers can rely upon to confirm compliance and close the review or audit as soon as practicable. Risk managers should also have regular contact with compliance officers as an additional source of risk intelligence.

8.23 The ATO's Compliance Effectiveness Methodology provides guidance to ATO officers who are developing risk treatment strategies. One aspect of this guidance is that processes should be in place to gather evidence to indicate whether the ATO's intervention was effective in changing compliance behaviour.

8.24 From a risk assessment perspective, the IGT is of the view that the ATO should also consider how to measure the effectiveness of their risk assessment approaches in detecting non-compliance and not just the effectiveness of the compliance activities themselves.

8.25 One such way of evaluating the accuracy of risk assessment methods is through the examination of strike rates and audit yields. Both of these measures provide useful information in more accurately determining the probability and consequence aspects of a risk rating for a population.

Strike rates and audit yields

8.26 Strikes rates are essentially the ratio of cases where there is a positive adjustment in tax payable (that is a 'strike') as a proportion of all cases conducted. The remainder of cases are often referred to as 'nil outcome' cases.

8.27 For a given audit selection method, a pool of 'positive' cases is generated. Where the subsequent compliance activity results in a strike, the case is considered a 'true positive' if the result is not reversed on objection, review or appeal. The taxpayer is non-compliant in this case and the risk method accurately detected it.

8.28 As mentioned earlier, where the audit case results in a nil outcome, the case can be said to be a 'false positive'. The taxpayer is actually compliant, but the risk method inaccurately has detected the taxpayer as being non-compliant.

8.29 In limited situations, a nil outcome may be underlying non-compliance due to certain factors.370 Importantly, the tax administration is not assessing risk of over-compliance, being situations where taxpayers have under claimed deductions or not availed themselves of full entitlements.

8.30 It is also important that likely compliant or lower risk taxpayers are spared from unnecessary compliance costs. As such, risk assessment methods should also be accurately identifying likely compliant taxpayers. For example, in the Compliance Program 2012-13, the ATO said of their small business benchmark approach:

We have developed benchmarks for over 900,000 small businesses in over 100 industries. The program was promoted by extensive communication and consultation with tax practitioners, industry associations and taxpayers in those industries.

Approximately 90 per cent of businesses in benchmarked industries fall within a benchmark range. This means around 800,000 businesses are likely to be competing on a level playing field with their peers.371

8.31 The above highlights that the benchmarks are used as much as a tool to identify likely compliance as it is to identify potential non-compliance. However, such likely compliance is an assumption, as the ATO cannot be certain that those businesses within the benchmarks are actually compliant unless they are audited.

8.32 In the case above, the benchmark approach has identified a pool of 800,000 cases as 'negatives'. Whether these cases are truly compliant ('true negatives') or truly non-compliant ('false negatives') would require some degree of verification. That is, the ATO may need to audit some of these taxpayers to verify if they are indeed 'likely to be competing on a level playing field with their peers'.

8.33 The evaluation of the accuracy of risk assessment tools can be better understood by adding the potential true negatives and false negatives:

Table 4: 'Confusion matrix'
Actual Compliant Non-compliant
Compliant True negative (TN) False positive (FP)
Non-compliant False negative (FN) True positive (TP)

Source: Adapted from Gupta and Nagadevara 2007 — Audit Selection Strategy for Improving Tax Compliance — Application of Data Mining Techniques.372

8.34 It may be apparent from the above table, that the ability for a risk assessment tool to accurately detect non-compliance is reliant on the underlying level of compliance or non-compliance in the risk population. That is, the combination of false negatives and true positives (FN + TP) represents all the non-compliant taxpayers for a given risk population.

8.35 If the population has a low proportion of non-compliance, it is inevitable that any risk assessment tool will have a low strike rate. Therefore, when assessing the accuracy of a risk assessment tool based on strike rate alone, one needs to be aware that a reduced strike rate may be due to a combination of either:

  • overall reductions in the level of non-compliance in the risk population (that is reductions in FN and TP); or
  • the risk assessment tool is becoming less accurate at detecting non-compliance (that is reductions in TP only, but not FN).

8.36 Strike rate analysis is limited in that it only considers selected cases (the 'positives') and which of these were 'true positives' (strike rate = TP/[TP+FP]). It does not consider false negatives (FN).

8.37 Determining the true cause of low strike rates, therefore, relies on an understanding of the underlying level of non-compliance in a given population. One method for determining this is the use of random audits.

Random audits

8.38 According to the ATO's research in compliance effectiveness, randomised controlled trials are one of the most accurate ways of determining whether a particular compliance intervention was the cause of changes in taxpayer behaviour.

8.39 Similarly, auditing a random sample of taxpayers in a given population, such as a representative sample of the 900,000 benchmarked small businesses, may indicate the underlying level of non-compliance. If the underlying level of non-compliance is under say, 24 per cent, then it can be said that using the benchmarks alone to select taxpayers for audits is 'better than random'.373

8.40 Until such sampling is undertaken, however, it cannot be said with certainty that the use of benchmarks alone is indeed better than random selection. Furthermore, random sampling may indicate a higher level of underlying non-compliance. For example, if a random representative sample of the benchmarked population revealed a non-compliance rate of over 24 per cent, it could be said that the benchmarking method was ineffective at targeting likely non-compliant taxpayers. In such a case, the sampling may reveal other correlations or relationships that can be used as a risk inputs besides benchmarks.

8.41 One of the main reasons why the ATO does not conduct random audits is the cost they impose on compliant taxpayers and the opportunity cost to the ATO in conducting a random audit instead of a risk-based audit which is likely to yield more tax revenue.

8.42 Compliance costs imposed on compliant taxpayers through random audits may be mitigated by the ATO reimbursing taxpayers for the additional compliance costs incurred if any. In the case of random audits, the taxpayer is not being audited because they represent a direct risk necessarily, but they are rather contributing to make the ATO's risk assessment method more effective. That is, when they are compliant they are bearing some cost for the benefit of the greater taxpayer population in better identifying non-compliance more broadly.

8.43 Such an approach is not without precedent in Australia. The ATO's test case litigation program is an example of the ATO protecting individual taxpayers from the cost of litigation which is likely to benefit a broader range of other taxpayers through achieving greater certainty of the law:

Under the test case litigation program, the ATO provides financial assistance to taxpayers whose litigation is likely to be important to the administration of Australia's revenue and superannuation systems. The aim of the program is to develop legal precedent — that is, legal decisions that provide guiding principles on how specific provisions we administer should be applied more broadly.374

8.44 The IGT's Review into the ATO's Use of Early and Alternative Dispute Resolution also considers the concept of 'public benefit' in greater detail.375

8.45 Whilst reimbursing compliant taxpayers for the additional costs associated with random audits would increase costs for the ATO, it would enhance the system leading to greater overall public benefit. Consistent with the above test case litigation sentiment, the aim of a random audit program is not to raise revenue, but to provide information and intelligence to optimise the ATO's risk assessment outcomes and increase integrity.

8.46 Random audits are also known to have other benefits, such as assisting in the calculation of the so-called 'tax-gap', and also potentially as a deterrent effect for certain taxpayers. Several OECD countries have conducted random audits, often with the objective of validating risk assessment models, and measuring compliance levels.376

8.47 With respect to the opportunity costs represented by the ATO expending resources on random audits instead of risk-based audits, one should bear in mind the opportunity cost the ATO currently incurs in audits which result in 'no further action' under its current risk-based approach, without the insight provided by random audit data.

Transparency and communication


8.48 The IGT is of the view that key reasons for transparency or providing information about the risk assessment process are to engender community confidence and improve taxpayer behaviour and practices.

8.49 Transparency of the ATO's risk assessment framework enhances community confidence that the ATO chooses taxpayers for audits on an objective and coherent basis. A lack of transparency may increase taxpayer perceptions that audit selection decisions are arbitrary or subject to individual officer discretion.

8.50 The publication of details such as risk factors or risk filters facilitates objective verification of the basis for decisions. The publication of the small business benchmarks is a good example of this transparency, where benchmark ranges are published on the ATO's website. Where taxpayers are selected for compliance activity due to variances from the benchmarks, the taxpayer can refer to the website to verify this basis.

8.51 Other examples of transparent approaches include the publication of the Large Business and Tax Compliance (LBTC) booklet and Tax compliance for small-to-medium enterprises and wealthy individuals (Tax Compliance) booklet. Although the ATO does not give the same specific detail as in the case of the small business benchmarks, the publications do show, to some extent, how the ATO applies their risk differentiation framework, as well as what taxpayers can expect from the ATO by way of compliance activities and ATO officer conduct.

8.52 In considering what level of transparency to afford a certain risk assessment process, the ATO needs to balance the need for community confidence in a robust risk-based system and the risk of taxpayer manipulation.


8.53 The IGT acknowledges that the ATO communicates through tailored communication as well as general communication. Examples of general communications include the annual Compliance Program (now Compliance in focus) as well as those mentioned above, that is the small business benchmarks and LBTC and Tax Compliance booklets.

8.54 Examples of tailored communications, on the other hand, are the RDF notification letter for taxpayers in the large business market segment and small business benchmark letters for those operating in the cash economy.

8.55 How the ATO communicates risk related information with taxpayers depends on the number involved and the resources required. To facilitate positive change in taxpayer behaviour, taxpayers must be provided with adequate information to understand:

  • the ATO's concerns including the risk hypothesis that generated the enquiry;
  • the action that the ATO expects them to take (for example review your records, improve your governance arrangements);
  • whether a response is required; and
  • the action the ATO will take as a consequence of the taxpayer's response or non-response.

8.56 It should also be noted that the ATO must recognise the potential for unintended outcomes resulting from inadequately designed and tested communications. For example, in the case of the small business benchmarks, the ATO sent letters to taxpayers where it did not expect a response from a large proportion. Despite this, many taxpayers responded where this was not required. This caused considerable concern and uncertainty as the ATO initially did not acknowledge these letters.

8.57 Before embarking on large scale communication campaigns, the ATO should ensure that it has accounted for potentially unintended behavioural responses. This may take the form of community consultation, letter testing, or using a limited pilot.

8.58 By way of example, the ATO had intended to issue letters to large numbers of lower risk SME taxpayers, advising them of their lower risk categorisation. Importantly, the letter was intended to be advisory and no action was required from the taxpayer. Consultation with tax practitioners through the ATO Tax Practitioner Forum (ATPF) revealed that such a letter was likely to increase compliance costs, with taxpayers inclined to contact their agent to discuss the letter. As such, the ATO discontinued this initiative.

8.59 The IGT has also noted in his, Review into the ATO's Compliance Approach to Individual Taxpayers — Income Tax Refund Integrity Program (ITRIP Review), the potential benefits in having regard to research from the Behavioural Insights Team within the UK Cabinet Office. A key to this approach is the use of randomised controlled trials to assist in developing communication approaches that best achieves the desired behavioural outcome. The ATO currently undertakes a range of testing, such as 'user-testing' and 'simulation centre' projects as prototypes to determine the likely response of taxpayers to ATO communication approaches. Randomised controlled trials, however, are often considered to be the 'gold standard' in generating that evidence.377

8.60 The IGT also notes that the ATO recognises the value of randomised controlled trials as 'the ideal evaluation methodology to infer program effectiveness' including with respect to compliance activities.378 However, the application is not widely adopted as a standard across the ATO.

Communicating outcomes and due process

8.61 Pursuant to the legal principles of natural justice, affected taxpayers or tax practitioners must be afforded a right of review of their initial risk rating particularly where they are categorised at the higher levels which may potentially result in further compliance activity.

8.62 How such a right of review should operate and be communicated to the taxpayer with respect to the large business market is detailed in the IGT's LB&I Review379 and is augmented in Chapter 3 of this report. In this market segment, the ATO has developed a tailored letter, regarding the taxpayer's risk rating, which is addressed to the board or CEO rather than the tax manager. In these circumstances where the ATO is effectively issuing a regulator's opinion, it is particularly important that the ATO ensure it has the most accurate and up-to-date information by giving the taxpayer an adequate opportunity to comment on such information before issuing the letter. Without such due diligence, this type of ATO action may impede behavioural change because of a lack of confidence in the ATO's analysis.

8.63 It should be noted that such rights of review are also considered in Chapters 4 and 7 of this report with respect to SME taxpayers and tax practitioners.

Proportionality of ATO compliance approach

8.64 The IGT's view is that the ATO's compliance approach, and potential imposition of compliance costs, should be proportionate to the level and type of risk presented by the taxpayer as well the information confidence and cost levels. Where taxpayers pose a lower risk, less intense enquiries should be made of them. It is important, therefore, that the ATO has processes in place to measure the actual risk, as opposed to the perceived or anticipated risk, posed by the taxpayer or taxpayer population.

Inherent and behavioural risk factors

8.65 The ATO needs to also distinguish between different risk factors, such as inherent risk factors and behavioural risk factors. Such differences are explained in greater detail in Chapter 3. By distinguishing between these risk factors, the ATO is able to ensure that their compliance approach addresses the particular risk and minimises the generation of mistrust between administrator and taxpayer.

8.66 For example, where a large consolidated taxpayer has undergone a large corporate restructure, it would be appropriate for the ATO to focus its enquiries in relation to the inherent risk factors associated with consolidation and capital gains tax.

8.67 On the other hand, where the taxpayer has poor governance controls or record keeping practices, then it is appropriate for the ATO to focus their attention on improvements in those areas. Naturally, if inherent risk factors were also a concern, then these should be addressed specifically. As mentioned in Chapter 3, the separate consideration of inherent risk factors and behavioural risk factors is consistent with the practices of both the HMRC in the UK and by APRA in Australia.

Information confidence and cost

8.68 The ATO requires a certain level of taxpayer information to make informed decisions about the taxpayer's level of risk. Where the taxpayer chooses a relationship approach that may delay this process and increase information costs, the ATO should respond in a manner that it is appropriately more formal.

8.69 Nevertheless, it is important to specifically address the issue of information confidence and cost levels separately from that of likelihood of non-compliance. This allows the ATO to directly address the specific concerns with the taxpayer. The taxpayer is in a position to determine what behaviour it wishes to adopt in full knowledge of the ATO's corresponding response.

8.70 Furthermore, dealing directly and separately with information confidence considerations should reduce the level of concern relating to perceptions that the ATO is drawing subjective or inappropriate conclusions about taxpayer behaviours or actions. This separation is illustrated in Figure 21 below which is reproduced from Chapters 2 and 3 for convenience.

Figure 21: Risk and information confidence and cost

Graphic showing the relationship between risk and information confidence and cost.

Source: IGT

8.71 It is apparent that the method by which the ATO gathers information is influenced by a variety of factors besides risk and information confidence and cost. For example, in the large business market, 'higher consequence taxpayers' represent such a large compliance risk to the ATO in terms of consequence that likelihood as a risk factor has little role to play in influencing the decision to engage the taxpayer. This higher consequence means that the ATO seeks a high level of confidence in the information in order to make judgements about the taxpayer's compliance level. The information that the ATO seeks is only partly accessible through third parties. Most of the information has to be provided by the taxpayer on a regular basis as reflected in the real-time compliance approach and the PCR. These taxpayers are, therefore, frequently dealing with information requests.

8.72 Currently, the ATO divides this group of higher consequence taxpayers between key taxpayers and higher risk taxpayers. The RDF puts these taxpayers on a 'likelihood of non-compliance' continuum. In reality, however, the IGT considers that the underlying factor is really whether the taxpayer's approach to the provision of information will allow the ATO to quickly develop an informed view about the taxpayer's risks. An inability to do so is likely to increase the ATO's costs in obtaining information. If the taxpayer chooses a relationship option whereby it will only provide information to the ATO on the basis of the ATO's formal access and information gathering powers, the ATO will continue to gather that information at increased cost since the consequence of not doing so would be considered too high. The PCR is the default means of obtaining this information.

8.73 Where taxpayers have 'sound tax risk-management processes' and indicated a 'commitment to ongoing disclosure of tax risks380', they may be eligible to enter into an annual compliance arrangement (ACA) with the ATO. By providing a degree of certainty to the taxpayer, ACAs provide an incentive for taxpayers to adopt a relationship option that favours real-time informal information disclosure. Such arrangements, however, entail significant obligations and costs for the taxpayer. Relatively few taxpayers have entered into ACAs to date largely for these reasons. These issues are explored in the IGT's Self Assessment Review where there are also recommendations for improvement.381

8.74 The following table illustrates a sample of ATO information gathering approaches and indicates that several factors besides risk, information cost and confidence levels influence the resulting ATO approach.

Table 5: Sample of ATO information gathering approaches
  Taxpayer group or 'risk population'
  LB&I higher consequence taxpayers LB&I lower consequence taxpayers Individual taxpayers in receipt of interest income Individuals subject to ITRIP
Risk event Taxpayer being non-compliant or having a contestable tax position. Taxpayer being non-compliant or having a contestable tax position. Taxpayers not correctly reporting interest income. Individual income tax return is fraudulent.
Information confidence level sought High: A high consequence requires a high level of confidence. Medium: Although not the largest taxpayers, these taxpayers are large nonetheless. High: Although it is relatively easy to establish if interest has been derived. High: The possibility of fraud risk means the ATO needs to be sure the refund is legitimate.
Continuous or periodic Continuous: A high consequence means the ATO should review these taxpayers every year. Periodic: A lower consequence means the ATO is willing to not review them every year unless there is a reason for doing so. Continuous: The risk is endemic and can occur every year. Continuous: The risk is endemic and can occur every year.
Real-time or post-lodgment Real-time: A high consequence means it is important to detect risks early. Post-lodgment: A lower consequence means the ATO is willing to address risks after lodgment. Both: pre-filling can remind taxpayers about interest income. Where discrepancies persist, post-lodgment verification is available. Real-time: The risk of fraud or identity theft means such refunds should be withheld lest they be irrecoverable.
Taxpayer or third party information Taxpayer: the information sought is unlikely to be with a third party. Taxpayer: risk filters are based on returns and schedules lodged by taxpayers. Third-party: Financial institutions must provide third party data to the ATO in a suitable format. This is legislative data. Both: some information can be sourced from employers. Other information may require direct verification or substantiation from the taxpayer.
Cost of obtaining information Seek to keep both ATO and taxpayer costs low. However, a high consequence means the ATO is prepared to incur significant ATO and taxpayer costs to obtain the information it needs. Seek to keep both ATO and taxpayer costs low. Only initiate taxpayer contact where a risk recommendation has been made (usually by the risk manager) based on evidence (usually risk filter output). Seek to keep both ATO and taxpayers costs low by using third party information as a preference. Seek taxpayer information where necessary. Seek to keep both ATO and taxpayers costs low by using third party information as a preference. Seek taxpayer information where necessary.
Litigation ready? Contestability brings interpretation risk. The ATO should seek the full facts as early as possible. Contestability brings interpretation risk. The ATO should seek the full facts as early as possible. n/a n/a
Resulting approach An ACA for taxpayers with sound tax risk-management process and willing to disclose tax risk information on an ongoing and informal basis. A PCR for the remaining taxpayers. Client Risk Reviews for taxpayers as and when specific risk concerns arise. The conduct of such reviews, however, is comprehensive in nature. Data matching approach using legislative third party data. Stop refunds in real time and verify compliance before issuing the refund (pre-issue checks).

Source: IGT

8.75 A balance needs to be struck between the requirement for information and the compliance costs that such information gathering would impose on both the ATO and taxpayers. This balance is highlighted by the Productivity Commission:

Much of the information collection for a risk based approach occurs early in implementation. Correctly identifying and measuring risks may require regulators to invest in additional training and guidance material to overcome knowledge gaps and other limitations, and undertake extensive consultation and analysis.

… Regulated businesses may also incur costs when regulators seek to measure risk. For instance, one dilemma a regulator can face is that good information is integral to accurately assessing the cost and benefits of alternative regulatory approaches. However, if collected from business this data requirement imposes a burden on these businesses. The regulator must ensure this burden is not excessive, and endeavour to make more effective use of existing and other sources of information wherever possible.382

8.76 The Productivity Commission also highlights the need to view risk management from a 'net benefit' perspective, taking into account the costs of risk management, both for the regulator and the regulated:

A well designed risk based approach should be used within an explicit net benefit framework. When applied in this way, a risk based approach is not just a simple guide to deployment of regulatory resources, but rather determines the optimal regulatory strategy that maximises net benefits to the community. Such an approach seeks to align the allocation of regulatory resources and the consequent compliance costs for businesses to the risks presented by the actions of businesses and the benefits of reducing these risks (box D.4). Regulatory activities involve an 'opportunity cost', so economic efficiency requires that resources be allocated to alleviating risks where there is the greatest net benefit to society.

For instance, while reducing a risk may yield large gross benefits, the costs of intervention may also be large — including the cost and resources involved in identifying and measuring risks and classifying businesses, whether borne by the regulator or the businesses they administer.383

… Using a net benefits framework should mitigate the potential tendency of regulators — caused, in large part, by their traditional role as purely enforcers of legal compliance — to adopt an overly 'safe' approach and attempt to reduce a particular risk beyond the point where the benefits of doing so outweigh the costs.384

8.77 As noted earlier in this report, taking into account 'risk premium compliance costs' may assist in understanding the community costs associated with a regulator's risk management.

'Funnelling' and case refinement products

8.78 Case refinement products are a class of ATO activities that are undertaken often after a large case pool has been determined by a quantitative method. Importantly, these activities are performed by ATO officers, who must undertake a degree of qualitative research and analysis and come to a judgement about whether there is sufficient risk to proceed to a more intense or formal product, such as an audit.

8.79 The use of case refinement products, with limited taxpayer contact, can minimise compliance costs and is a useful way of treating compliance risks where:

  • the level of risk is relatively low (that is historically low strike rates); or
  • the actual level of risk is unknown, or there is low confidence in the actual level of risk.

8.80 In the micro enterprises context for example, prior to the IGT's Benchmarking Review, the ATO conducted correspondence audits directly from cases where taxpayers were outside the benchmarks by a pre-set threshold. As a result of the IGT's review, those 'significantly outside the benchmark' cases are now subject to an 'office review product':

A new product, the Office Review product has been introduced as a precursor to all correspondence audits. It allows case officers to determine, based on limited contact with a taxpayer, if there is sufficient risk to progress to a more intensive correspondence audit. This product includes:

  • A new profiling document [that] has been introduced to allow staff to early exit case prior to client contact is now in use. The document is supported by a tips sheet that helps our staff get the most out of their profiling and in identifying risk.
  • Case guides that step auditors through the case process and provide guidance and links to assist during the progress of the case. The case guides also provide points at which a case can be exited early if insufficient risk exists and guidance as to what records should be sort if verification is warranted. Case guides have also been introduced for other products.385

8.81 As a result, the ATO's strike rate for correspondence audits increased from 24 per cent to over 50 per cent.386

8.82 Case refinement in LB&I is essentially conducted by risk managers who examine the output of the risk filters and remove those cases which are understood to be false positives. There is generally no taxpayer contact for this activity. If a case is ultimately recommended for compliance activity, such as a risk review, the recommendation must be approved by the Case selection sub-committee. This committee, however, has in the past given some consideration to the use of a formal case refinement product.387

8.83 In the SME business line, ATO officers may undertake 'preliminary risk reviews' (PRR) before going on to conduct a comprehensive risk review (CRR). Due to the comprehensive nature of CRRs, they can involve substantial time and cost, both for the ATO and the taxpayer. The PRR gives the ATO an opportunity to determine if sufficient risk exists to justify escalating to a CRR. Importantly, as in the case of the cash economy Office Review and large business Case selection process above, the SME product allows lower risk taxpayers to be identified and removed from the process.

8.84 In the Indirect Taxes (ITX) business line (responsible for GST and excise), the ATO undertakes 'refinement' and 'review' activities:

Case refinements are internal review products, used across markets, to conduct in-house analysis and assessment of client risk. Cases are selected to determine whether further compliance action is required or if the indicative risks can be explained at the case refinement stage. No contact is made with the taxpayer at this stage.

Case reviews are used to determine the existence of a specified risk or the existence of risks generally in respect of that particular entity. Reviews are also used to collect information about specified risks across particular industries and activities to determine the existence and level of risks and the effectiveness of mitigation strategies.

Depending on the nature of the entity and the risk under review, the review process may be conducted by letter, phone or at the entity's business premises. A review is usually less intrusive than an audit and is designed to encourage voluntary disclosure. It is designed to obtain sufficient information to demonstrate that a specified risk does not exist or has been mitigated substantially by the entity's business processes.388

8.85 Support for the use of case refinement activities can also be found overseas.389 This approach recognises that there are limitations on relying on mathematical methods to select audit cases. There are expectations that the tax administrator undertake such additional work beyond risk models to filter out lower risk taxpayers.

8.86 The use of increasingly intense activities is often regarded as a type of 'funnel' as shown in the figures below relating to the SME and ITX business lines respectively.

Figure 22: SME business line compliance 'funnel'

Graphic showing the SME business line compliance 'funnel'.

View image enlarged

Source: ATO handout to ATPF SME RDF workshop, 14 March 2013.

Figure 23: Indirect taxes business line compliance funnel

Graphic showing the indirect taxes business line compliance funnel.

View image enlarged

Source: ATO, ITX Strike Rate analysis.

8.87 It should be noted that client risk reviews and comprehensive risk reviews often occur before an audit to give the ATO an opportunity to assess the risk with a high level of taxpayer interaction in order to come to a judgement about whether to proceed to an audit. However, due to their intensity, resources and length of time required as well as the extent of taxpayer contact, these are often regarded as 'compliance products', which may carry significant associated compliance costs and are not considered to be 'case refinement products'.

Compliance effectiveness

Measuring compliance effectiveness and compliance costs

8.88 As highlighted in Chapter 5, the ATO has reported on behavioural changes in the micro business market segment in relation to the small business benchmarks. The Compliance Program 2012-13 tracked the financial performance of a set of taxpayers in certain cash economy industries. It reported 'significant increases in the number of businesses that now report income in the same range as their industry peers when they had previously reported income tax that was well below that of other similar businesses'.390

8.89 Chapter 5 also observed that such convergence may be the result of:

  • previously non-compliant taxpayers becoming compliant (positive change in taxpayer behaviour);
  • non-compliant taxpayers reporting within the benchmark, but still underreporting their actual income (strategic taxpayer behaviour); and
  • compliant taxpayers now over-reporting their income to stay in the benchmarks to reduce audit risk (taxpayer over-compliance).

8.90 Compliant taxpayers may decide to deliberately over pay their tax so as to reduce the chance of an audit.391 This 'over-compliance' may be regarded as one indicator of taxpayer perceptions of costs associated with ATO compliance activity. The existence of an audit insurance industry is also indicative of the perceived costs of ATO audits.392 Taxpayers may decide to pay such insurance premiums to limit the risks of excessive audit costs.

8.91 Should the ATO be unable to persuade the community that their compliance interactions are low cost, there is a risk that compliance costs for taxpayers may be increased even without any ATO compliance activity through the cost of audit insurance premiums or overpayment of tax. These costs are separate to 'baseline compliance costs' such as those associated with record keeping and correct reporting which all taxpayers must bear. Acknowledgment of these risk premium compliance costs is useful to the revenue authority in terms of appreciating the overall compliance cost burden imposed on taxpayers. The ATO has already commenced some work in this area with its TPALS 'environmental scan'. The IGT is of the view that awareness of these types of risk premium compliance costs should be enterprise-wide and could be included in the compliance cost considerations in the current enterprise risk framework.

8.92 The IGT observed in his Benchmarking Review that taxpayers can be expected to incur a 'baseline' level of compliance costs in administering their tax affairs, such as adequate record keeping.393 These are the costs associated in complying with tax law requirements. The taxpayer may be subject to additional compliance costs as a result of interactions with the ATO. The IGT is focussed on ensuring that these additional compliance costs are minimised through more targeted compliance interactions and the manner in which they are carried out.

Project management — balancing risk, resources and time

8.93 The IGT's ITRIP Review has shown that the number of refunds stopped during the 2011-12 year exceeded the expected case load. As such, the ATO did not have adequate staffing resources to action all the stopped returns within the original expected timeframe.

8.94 The ATO applied extra resources by bringing on additional staff and using overtime to assist in clearing the cases. The escalation of such resources, however, was not substantially implemented until six months after the ATO was aware of the increased workload.

8.95 In addition to applying additional resources, the ATO sought to manage the increased workload by contacting taxpayers and tax agents to alert them of longer delays, seeking efficiencies in case work and releasing 'lower-risk' refund cases that were stopped by the ITRIP.

8.96 From a project management perspective, the above scenario highlights the 'triple constraint394' or 'project management triangle', in which there is a tension between the scope of, the time taken to complete, and the resources required to execute the project. For example, in the event that a project's timeline has been shortened, the project would normally require additional resources or a consideration to reduce the scope of work or a combination of both to successfully complete the project within the reduced timeframe.

Figure 24: The triple constraints of project management

Graphic showing the triple constraints of project management: time, resources, and scope.

Source: Adapted from Marchewka 2009.

8.97 Applying this model to the ITRIP, the increased case load can be regarded as an increase to the scope of work requiring the ATO to take some or all of the following remedial actions:

  • reducing the scope of the increased workload, by re-configuring the risk models to release previously stopped lower risk refunds;
  • increasing the resources available to action the stopped refunds, by using overtime, or bringing in additional staff from other areas; and
  • accepting the scope of work and resetting expectations of the completion timeframes.

8.98 As set out in the figure below, each option carries an impact.

Figure 25: Applying the triple constraint to risk treatment projects

Graphic showing the impacts of applying the triple constraint to risk treatment projects.

Source: IGT

8.99 One of the objectives of risk management is to effectively allocate resources and one of the enterprise risks is 'client experience'.395 Therefore, if workload or scope increases unexpectedly, the ATO must decide how much additional risk of non-compliance it can accept (that is, 'letting through' potential non-compliance cases) due to the risk models. This may be done by either:

  • raising the threshold of what it would regard as a significant enough risk to stop the refund for pre-issue verification activity; or
  • differentiating its case actioning so that the refunds with most risk were stopped pre-issue, with the remainder released but subject to verification activity post-issue as resources allowed.

8.100 There is a direct relationship between the level of risk the ATO is willing to retain and/or treat and the scope of work planned for a project such as the ITRIP. The nature of the trade-offs is further illustrated in the table below:

Table 6: Triple constraint applied to ITRIP
Selected priority Time Resources Scope
Minimising taxpayer compliance costs is priority by adhering to original timeframes.
  Determine the additional cost you are willing to incur. Determine the level of risk you are willing to retain by reducing the cases you are going to action or action at a later time.
Containing ATO costs is priority by not adding staff or using overtime.
Determine the extent you are willing to extend timeframes, and manage taxpayer expectations accordingly.   Determine the level of risk you are willing to retain by reducing the cases you are going to action or action at a later time.
Treating the risks is priority by ensuring all cases are actioned.
Determine the extent you are willing to extend timeframes, and manage taxpayer expectations accordingly. Determine the additional cost you are willing to incur.  

Source: IGT

8.101 In planning to address a particular risk through a strategy such as the ITRIP, the level and type of risk is known. However, due to a degree of uncertainty, the actual work generated by this approach is not known until the income tax returns are lodged. It should be noted that 'stress-testing' or 'scenario-testing' is one method the ATO can use to predict the workloads generated by new risk models.

8.102 As part of the ITRIP, the ATO did use some scenario testing for the 2011-12 financial year by applying the new risk rules to the tax returns lodged in 2010-11 to predict the workload for the 2011-12 year. Limitations with the testing, however, meant that the actual workload was far in excess of that anticipated.

8.103 In planning future risk treatment initiatives, the ATO would benefit from considering, in advance of implementation, the triple constraint trade-offs it is willing to make. For example, where it is important for the ATO to audit every case generated by a risk model and where it is also important for the ATO to ensure case timeframes are met as planned, then a plan needs to be developed to ensure the ATO can call on additional appropriate resources at relatively short notice to complete the additional work.

8.104 A failure to adequately consider the implications of changes to the triple constraints may result in:

  • unexpected increases in taxpayer compliance costs;
  • unexpected increases in ATO administrative costs; and
  • the ATO unexpectedly raising its risk thresholds or differentiating its risk treatments.

8.105 This requirement is consistent with observations made by the ANAO in its Better Practice Guide Administering regulation:

In circumstances where compliance risks increase suddenly and significantly, insufficient resources may be available to a regulator to conduct the necessary monitoring activities. For example, if an unexpected event affects the risk profiles of a substantial number of regulated entities, the regulator may have insufficient resources to conduct not only the compliance assessments that are scheduled, but also the additional high-priority assessments that are required to address the increased regulatory risks.

When this occurs, a special interim monitoring strategy needs to be designed and implemented. The interim strategy operates until either the regulatory environment returns to normal or a new monitoring strategy is implemented because the nature and extent of regulatory risks have fundamentally changed.

At a minimum, the interim strategy should:

  • fully document the non-compliance risks that cannot be monitored in accordance with the established monitoring strategy
  • identify the types and frequency of activity that will provide a level of assurance (albeit a lower level) that regulatory requirements are being met.396


8.106 The above factors, which should be considered in developing compliance risk assessment tools, have been summarised into a checklist in Appendix 12 of this report. The IGT believes that the ATO may improve the quality of its compliance risk assessment tools by incorporating this checklist in the design of those tools. The checklist is not prescriptive, but requires those responsible for designing and implementing compliance risk assessment tools to turn their mind to key issues and, in particular, to any problems that may arise and how to mitigate them.

Recommendation 8.1

The IGT recommends that:

  1. the checklist in Appendix 12 of this report should be incorporated into the ATO's compliance risk assessment tool design processes; and
  2. the ATO's Enterprise Risk Management Framework consider risk premium compliance costs as a type of taxpayer compliance cost.

ATO response


The ATO currently considers taxpayer cost of compliance as a fundamental component of its operations and actions. While the associated Enterprise Risks are currently under review, the ATO agrees where appropriate and feasible, to give consideration to risk premiums in relation to taxpayer compliance costs.

369 ATO, above n 63, p 25.

370 Australian Taxation Office, Strike rate - An analysis of Indirect Tax audits, April 2012, slide 19.

371 ATO, above n 33, p 28.

372 Manish Gupta and Vishnuprasad Nagadevara, 'Audit selection strategy for improving tax compliance -application of data mining techniques' in Ashok Agarwal and Venkata Ramana (eds), Foundations of E-government (2007) p. 378.

373 IGT, above n 7, para [4.33].

374 Australian Taxation Office, Test case litigation program (10 May 2013).

375 Inspector-General of Taxation, Review into the Australian Taxation Office's Use of Early and Alternative Dispute Resolution (2012) rec 4.2.

376 Organisation for Economic Co-operation and Development, Forum on Tax Administration, Compliance Risk Management: Use of random audit programs (2004) para [15].

377 Cabinet Office Behavioural Insights Team, Applying behavioural insights to reduce fraud, error and debt (2012), p 21.

378 Australian Taxation Office, Literature review - Measuring compliance effectiveness (2007) p 51.

379 IGT, above n 122, pp 53-54.

380 Australian Taxation Office, Annual compliance arrangements - what you need to know (7 June 2013).

381 IGT, above n 5, pp 92-100.

382 Productivity Commission, Regulator Engagement with Small Business - Productivity Commission Research Report (2013) p 275.

383 Ibid p 279.

384 Ibid p 281.

385 ATO communication to IGT, 25 February 2013.

386 Australian Taxation Office, Senate Estimate Briefing October 2012, page 1. Disclosed under FOI reference number 59632 on ATO FOI disclosure log.

387 Australian Taxation Office, Case Selection Sub-Committee Minutes 7 December 2011, page 9.

388 Australian Taxation Office, Indirect tax case selection framework, page 10.

389 United States Treasury Inspector General for Tax Administration (TIGTA) Report 2012-30-062, The Recommended Adjustments From S Corporation Audits Are Substantial, but the Number of No-Change Audits Is a Concern, 21 June 2012, page 10.

390 ATO, above n 33, p 29.

391 H&R Block Tax Accountants, 'ATO Scrutiny must not stop Labourers from claiming their entitlements' (Media release, 26 July 2013).

392 Australian Taxation Office, TPALS draft July-October 2012 environmental scan.

393 IGT, above n 7, para [5.58].

394 Jack T. Marchewka, Information Technology Project Management, providing measurable organizational value (John Wiley and Sons, 2009) p 15.

395 This is currently under review by the ATO. Australian Taxation Office, Cost of Compliance Tasking Plan, ATO response to Information Request 4.

396 Australian National Audit Office, Better Practice Guide, Administering Regulation (2007) p 58.