Richard Cornelisse

How Internal Audit could contribute value in realizing indirect tax objectives?

In Audit Defense, Benchmark, Business Strategy, EU development, Indirect Tax Strategic Plan, Processes and Controls, Technology on 24/09/2013 at 8:46 pm

KEY Group new logo long

By Ferry GeertmanSven HesselbachGuido Czampiel

In the news we see more focus on tax risks in various areas such as offshore tax planning to reduce effective tax rate, tax evasion and (VAT) fraud.

A recent example is Tim Cook defending Apple tax policy in a Senate hearing where Congressional investigators released findings showing that Apple uses a “highly questionable” tax minimization strategy of impressive complexity. Several subsidiaries set up by the company, according to investigators, have few or no employees. Located in Ireland, these subsidiaries allowed the company to exist effectively “nowhere” in certain cases. [Senators accuse Apple of ‘highly questionable’ billion-dollar tax avoidance scheme]

In addition to evaluating tax risks (level of tolerance), companies should also determine and manage their reputational risks as part of tax risk management.

It is important, as governments and tax authorities consider the combat a high priority and has introduced anti-abuse legislation, have increased tax audits and uses tax litigation at its full potential with publishing the outcome when tax evasion is in play.

Nasir Khan had a successful accessories business, a jet-set lifestyle and reputation as a pillar of the community. But all that vanished in December when he was jailed for his part in a £250m VAT fraud. Jasper Jackson discovers how a 10-year investigation by HMRC led to his downfall. By Jasper Jackson – Mobile News March, 2012

Recommended reading material

These articles give an overview of the need of (indirect) tax risk management.

Our_Key_Focus-418px-1Our article is about how Internal Audit could perform a more pro-active advisory role with respect to risk management and more in specific to Indirect Tax risks. Many companies prioritize too low indirect taxation, such as VAT. The consequences of this neglect can sometimes be dramatic.

Erroneous VAT calculations can wipe out a company’s profit margin, or have consequences far beyond that. The problem can often be traced to operational weaknesses: less-than-adequate internal information systems that fail to properly process and display the VAT consequences of business transactions.

At a large multinational, a software error resulted in the company paying too much VAT over an 11-year period. In the case of another company, a software error resulted in the opposite situation: it had deducted € 40 million in excessive input VAT.

Many organisations lack an ‘indirect tax control framework’ for defining a strategy, systems and control mechanisms to manage risks linked to reporting VAT. With an indirect tax control framework, companies determine the management level that is responsible for the entire VAT reporting process, from beginning to end. The risk that VAT errors will compromise companies’ financial positions and reputations is a growing one. With globalisation of business, the complexity of transactions in terms of VAT is increasing.

  • Is adequate management of material indirect tax risks actually tested in daily practice?
  • Should this be part of Internal Audit annual audit plan to investigate?

One of the objectives of Internal Audit is via a risk based methodology to provide comprehensive assurance to the Board and senior management that companies’ material risks areas are managed efficiently and effectively.

In order to meet this objective from an indirect tax perspective what does Internal Audit need to realize these aims?

Starting point would normally be the company’s Indirect Tax Control Framework. For a first impression Internal Audit could raise the following questions:

  • Is the indirect tax strategy defined and aligned with companies’ business objectives?
  • Are material indirect tax risk areas defined?
  • Are roles and responsibilities for managing these risks explicitly assigned?
  • Are the internal controls that mitigate these risks explicitly documented?
  • Are the responsibilities for executing and monitoring the internal controls assigned
  • Are there regular meetings to discuss status of risks and internal controls and define actions?
  • Has a strategy been defined for managing the relationship with tax authorities? Have the responsibilities been assigned for the different geographic regions?

The answers give insight of the existence of the right building blocks of an Indirect Tax Control Framework and give an auditor the possibility to draft his first conclusion on process and risk management around indirect tax.

When however the conclusion is that the right building blocks TCF are not present (question are answered negatively), Internal Audit probably could take the role as pro-active advisor with regard to the right set up of internal indirect tax processes.

To perform such a role Internal Audit need to have the following competencies:

  • sufficient knowledge available re indirect tax risks that exceed the company’s risk appetite;
  • clear understanding of a normative framework from indirect tax perspective how and what need to be managed re these risks.

These are the conditions under which Internal Audit could fulfill a proactive role relating indirect tax risk management. In practice, the best way to achieve this is often to limit the scope and request the top 3-5 indirect tax risks that exceed the company’s indirect tax appetite. Often these risks can be benchmarked with other multinationals:

  • Intercompany transactions
  • Cross-border transactions
  • Correct deduction of input VAT (VAT paid)

An example of a normative process re cross-border transactions within the EU:

Tax Control Framework - Role of Internal Audit v10 - September 2013

A normative framework faciltates Q&A during an Internal Audit exercise.

The actual situation (IST position) within the organization is then measured against this yardstick, generally resulting in a summary of the differences. Analysis of these gaps and the associated risks may lead to acceptance or to proposals for improvement. It is an efficient and effective approach that challenges the responsible process owners.

To what extend is internal audit able to fulfill an advisory role?

From Internal Audit by ASML – Accountant September 2013 by Lieuwe Koopmans some quotes (translated from Dutch to English by authors):

At ASML, one of the most important producers of semi-conductor systems, there is not only this ‘internal’ input but give internal auditors also actively their input on risks together with the business
My department Corporate Risk & Assurance can have an important advisory role on this topic. We can identify risks and indicate how to manage these. Also on a lower level in the organization, e.g at the implementation of a new IT-system, we can give our feedback and support.” (…) I believe that internal auditors can use their knowledge and skills besides audit, also can apply in the area of risk management. – Martin Reinecke

From an Indirect Tax Perspective,  such a proactive advisory role hardly takes place. Other examples of major indirect tax risk areas relate to change:

Another example is Supply Chain transformations such as setting up of a Principal model. Internal Audit should in our view be part of the project team and should be actively involved and monitor during the design phase whether risks in the transformation will be appropriately managed. With a supportive normative framework, Internal Audit is able to raise critical questions and facilitate that indirect tax risks are prior to go-live identified and managed.

Do you see this work in practice?

Ferry Geertman is COO of the KEY Group and was Director IT Audit and Data Analytics at Deloitte Netherlands. From his background in Applied Mathematics, Ferry has vast experience in data analysis, including the design and evaluation of statistical samples as part of internal and external control. Ferry has extensive experience in advising about and evaluating of (IT)- risk management and internal control for multinationals.

Sven Hesselbach is partner at compliance-net GmbH and was a partner in charge of the Enterprise Risk Services Line at Deloitte in Frankfurt. Sven specializes in Corporate governance and compliance, internal audit, internal controls testing and documentation and to a great extent the IT part of these topics. Sven assists medium-sized and large companies in achieving their compliance and governance objectives.

Guido Czampiel is a partner at LiNKiT Consulting. Guido has more than 12 years of consulting experience focusing on large transformation projects within finance and IT. Guido has helped clients of different size and branches in successfully managing changes within their organization, processes and their systems.

VOORKEUR Logo Keygroup?compliance-net_logo_cl8zMDd4NDlfL19hc3NldC9fcHVibGlj_c7f3e8ebLiNKiT-small

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: