Tax Governance and Accountability: Who Owns the Risk and Responsibility?

One thing should be set straight: tax risk no longer resides solely in the hands of the tax department. Due to constant changes in regulations, the rise of digital tax administration, and global exposure to indirect taxes, several functional units, primarily finance, IT, and operations, have become stakeholders in tax governance. 

Consequently, tax risk management is no longer the responsibility of a few individuals, but of several departments, and effectively tackling tax risk demands clarity on specific key questions. To successfully navigate that terrain, businesses should clearly understand what tax risk is, who should identify, classify, and prioritize it, and who is responsible and accountable for its mitigation.

What Is Tax Risk and Why Does It Matter

Tax risk should be primarily viewed as the possibility of unexpected financial, operational, or reputational losses arising from errors or uncertainties in tax compliance, reporting, or strategy. However, understanding it is not that straightforward, as several types of risk make up tax risk. While compliance risks, such as failing to register or file a tax return correctly or on time, are the most apparent, other risks, including operational, strategic, and reputational, also play vital roles in overall tax risk governance and management.

In addition to this, there is an increasing trend among Tax Authorities to evaluate taxable persons, whether individuals or businesses, not only on their timely payment of VAT, GST, or sales and use tax, but also on the trustworthiness and robustness of their governance framework. Therefore, not having such a framework is an additional risk factor for businesses.

Financial losses, such as penalties, interest, or missing tax benefits, are not the only negative consequences that businesses may face. Missteps in tax governance can also erode stakeholder confidence, trigger cascading regulatory attention, and restrict a company’s ability to undertake necessary business transformations. While many businesses are aware that the volume and intensity of tax audits will increase in the upcoming years, establishing a unified view of tax risk across their operations remains a big issue.

From Detection to Decision: Identifying, Classifying, and Prioritizing Tax Risks

Detection, classification, prioritization. These are the building blocks of a practical tax control framework and tax governance that every responsible business must establish, maintain, and continuously refine to ensure transparency, compliance, and informed decision-making.

To identify potential tax risks, businesses cannot rely solely on a single source of information. Instead, they must adopt an integrated approach that combines data from multiple sources. Some of the key sources that must be consulted include transaction data, updates and interpretive guidance from the Tax Authority, internal audits, court decisions on relevant provisions affecting business operations, and any past tax disputes or non-compliance cases.

Although tax risks are increasingly identified using automated digital data analytics tools, manual reviews should not be neglected, as they may offer better insights and different perspectives on critical areas. 

Once tax risk becomes visible to key stakeholders, it must be classified in accordance with predefined, consistent criteria that allow for an objective evaluation and proportional management of each identified risk. For example, risks can be classified by type, including financial, operational, reputational, compliance, blind spots, personal liability of legal representatives, and management.

Finally, risk can be categorized into criticality levels or exposure levels, ranging from low to high or even critical. Prioritization can be done through a risk heat map or a risk-ranking matrix.. Regardless of which scale, scorecard, or matrix is used, one thing is sure. Tax risks, high on the scorecard, must be prioritized. In contrast, lower risks can be categorized as “acceptable”, meaning the adverse effects are not severe enough to impact the business significantly, and may be addressed later once more critical issues are resolved.

This three-step process ensures that businesses clearly understand and document potential and existing tax risks, identifying which risks require immediate action and which can be monitored. Moreover, the integral part of this process is identifying the negative consequences of each risk. However, mapping risks is only one part of the process.

Shared Responsibility: Defining Roles and Boundaries

Defining roles and boundaries in tax governance involves assigning and delegating responsibilities to effectively mitigate, allocate, control, and monitor risks. However, one thing must be clear. Ownership of the risk may be shared, but accountability must be clearly defined. Since tax governance is increasingly complex, the key questions are who owns a particular piece of tax risk and compliance, and how they act and coordinate actions.

Naturally, tax departments are the central point of tax governance as they are responsible for technical tax interpretation, policy setting, and overall risk oversight. Tax departments typically define risks, develop policies, manage compliance, and serve as the bridge between the business and external tax experts or Tax Authorities. Additionally, it is the responsibility of this department to monitor any interpretive or legislative changes that may alter risk profiles.

Although the tax department is usually part of the financial department, the responsibility for maintaining the integrity of financial data and ensuring that accounting figures align with tax calculations remains with the financial department, not the tax department. Any discrepancies between accounting data and tax data, or misalignment between accounting and tax rules, may give rise to hidden exposures. 

Since the finance team is usually responsible for providing core financial figures that the tax department relies on for its analyses and filings, both departments must collaborate very closely to maintain accuracy, transparency, and compliance, as well as reduce tax risks.

Systems design, control of master data, automation workflows, and data transfer and exchange are the responsibilities of the IT department. These are critical for tax governance because they either mitigate or add to tax risks, yet they are sometimes underappreciated. In an era where e-invoicing, real-time digital reporting, and automated transfer pricing engines are increasingly used and required by governments, inefficient control in IT significantly increases tax risks. Moreover, typical modern tax control frameworks (TCFs) embed IT controls as a core pillar.

Business operations teams are the first line of tax governance. Financial, tax, and IT departments are typically at the back of the businesses, whereas business operations departments are executing transactions. Members of this team must understand the tax implications of their actions, collect and maintain proper documentation to support each transaction, and ensure their actions follow internal tax policies. If the operational team misapplies tax rules or misses documentation requirements, it can turn what looks like a well-designed control framework on paper into a real-world compliance failure.

Integrating Tax Risk Management into Daily Operations

First of all, tax governance must not be viewed as an annual audit exercise. Embedding risk management into day-to-day operations and transforming it from a compliance exercise into a business enabler is where its true value lies. 

Tax risk should be part of the decision-making process when businesses are launching a new product, entering a new market, or making a significant investment. For example, a company can require the tax department to be included in the decision-making process once the project exceeds a defined level of financial importance, known as a materiality threshold. This is a proactive approach to addressing potential tax risk, rather than applying a reactive approach after the decision is made.

Continuous monitoring and control testing of tax-relevant processes is critical. This not only ensures that all processes are operating correctly and accurately, but also is a vital action in identifying exemptions or failures. Consequently, monitoring and control testing help improve the risk identification process.

From automation and dashboards to alerts flagging anomalies, technology and data integration tools, including analytics tools, are essential elements of tax risk management. Businesses that still do not utilize technology and rely on disconnected spreadsheets are at risk in modern tax governance.

Additionally, developing and conducting regular training and fostering a tax risk awareness culture are beneficial for day-to-day business operations, especially in the long run. For a governance framework to function in practice, not just to be an internal policy or governance paper, all departments must work together. Some of the ways to achieve this goal are to invest in tax awareness programs and embed tax performance metrics into managerial KPIs.

Finally, every practical tax governance and risk management framework must have feedback loops. Once failures or audits reveal new lessons or blind spots, the risk taxonomy must be updated, controls refined, and ownership re-evaluated. Being static about tax governance may put the company at risk, especially when it is growing or facing new regulatory challenges. 

Conclusion

In the modern corporate environment, tax governance is a shared discipline that involves clearly dividing accountability across tax, finance, IT, and operations departments while embedding governance into everyday business operations. Nevertheless, tax governance must evolve, and key stakeholders must be held accountable not only for implementing and monitoring current processes but also for further developing them based on changes and analysis results.

FAQ

Source: Australian Taxation Office, PwC, EY, VATabout