But while it may be in use elsewhere in an organization, so far it hasn’t been widely applied to the management of risk in tax. This is not, we suspect, because there is any marked resistance to the idea, but more because tax risk management is itself an emerging discipline, and is still looking for methodologies that meet its needs.
In fact, the two seem made for each other. Tax risk management is about having clearly defined and understood roles and responsibilities covering data management, transaction processing, information gathering, verification, and escalation. The three lines of defense is an ideal framework for just this kind of endeavor.
Applied to tax, the three lines concept could broadly look like this:
Any function in a business needs to know how it fits into the company’s strategic plan, and to be sure that its own purpose and activities are properly aligned with the company’s aims. Tax departments are no different.
The first line of defense essentially means having this strategic understanding in place and the right people responsible for the basic business processes as they affect tax – the complete and accurate recording of transactions, for example the purchase to pay, record to report and fixed asset processes, and the gathering and processing of the related tax information.
Some tax professionals may say that this is not their role, but tax authorities are beginning to challenge tax processes ‘end-to-end’, including all the information gathering stages, right from the point of initiation. This means that it is ever more important to ensure that responsibility for all taxes is formally documented, and that the processes necessary to produce accurate information are embedded in the financial fabric of the organization. These measures help to establish a strong control environment for tax.
This is the regular monitoring process. It requires frameworks and guidelines, developed by the tax and finance functions together, which are designed to facilitate effective monitoring of tax risks, pick up problems early and identify weaknesses in the process. People are human and they do make mistakes.
This is independent assurance that the tax function is running properly, through both internal and external auditing. It requires both that internal auditors bring themselves up to speed on tax risk matters, and that tax functions welcome the additional assurance that a successful audit can bring. After all, it’s better to have your internal auditor spot a mistake than to have to explain it to a tax authority.
In a traditional, well defined tax department, which takes information from finance, calculates the tax liability and files the tax returns, the three lines of defense might be a relatively straightforward set of ideas to apply. Unfortunately, modern tax departments rarely conform to this model. In many businesses, large and small, responsibility for tax is spread far and wide throughout an organization. For mid-market groups and those in the emerging economies the challenge can be even greater as they may well not have a tax director let alone a tax department.
Many organizations measure profit in individual profit centers, product lines or business units in different locations. So the process of gathering the information necessary to draw up an accurate and detailed view of a business’s overall tax liability relies on many different people, many of whom may not have specific tax skills.
Even more important is the cumulative effect of taxes not directly related to profits, like value added taxes on sales, customs duties, social security contributions and in some instances personal taxes. Taken as a whole, these can often involve sums much larger than those involved in taxes on profits, but these taxes are rarely handled by a designated tax person. They are often seen simply as costs of doing business, and are managed by finance people working with the sales operations on the ground.
We use the phrase ‘shadow tax team’ to refer to this wide group of people, and the effective management of the shadow tax team, we believe is a major element in the responsibilities of a modern senior tax professional.
Applying the first line of defense, many tax directors are trying to bring new controls to their shadow tax teams. They are being driven by increasing pressure from regulators all over the world for more and better information to support a company’s tax position. They are also under pressure from Boards, who have realized both the cash savings that can be made by managing tax more efficiently, and the dire consequences of getting their tax calculations wrong.
Ilana Rinkoff, formerly with group internal audit at AstraZeneca plc, and founder of the Tax Risk Management Network, says establishing and embedding an effective process and controls framework can be a challenge.
“How does the individual FD/CEO or tax team assure themselves that the shadow tax team understand the risks and that the tax risk controls are embedded and operating effectively at all levels?” she asks, “especially when a business is spread across various sites or international locations and there are many process stakeholders?”
“The tax department can’t directly manage the rest of the business, but it is ultimately held responsible for the reported tax figures that emerge from profit centers. If it doesn’t have people on the ground, then it needs to have clarity over who is responsible for what. So, for example, it might rely on the CEO of a particular country for formal, documented assurance that the key tax controls are embedded and operating effectively and tax figures for that country are correct. This is a verification process that can subsequently be checked by auditors.”
Other solutions to this problem have included dispersing tax professionals throughout the organization — an effective but expensive option — or reorganizing the work of the central tax team to release senior people and allow them to work much more closely with their finance and operational colleagues on the ground.
One international food company has used this latter approach to embed tax considerations in the day-to-day business decisions of its sub-groups. This company’s tax function outsources routine work, helping to free up its tax professionals to travel widely and build up the necessary personal relationships to work directly with business managers in the countries in which it is active.
The outcome is that this tax function is measured on the value that it returns to the business in tax savings. It is expected to return 3-5 times the cash cost of running the department in tax initiatives through the course of a year. In practice, it normally returns around 10 times its costs.
Effective monitoring, the second line of defense, can be easier to implement, at least in theory. One head of an international investment group has approached this issue by producing a tax framework and procedural guidelines for her organization, and introducing an annual self-certification process which allows the businesses to check their compliance with the guidelines. She then carries out spot checks, looking at evidence to support the self-certification.
The challenge here has been to get far-flung finance or operational managers to agree to carry out what they see as tax department activities. It can be a major change for them. One effective method is to run a pilot scheme to demonstrate the benefits, for the people on the ground, of this new approach. A focused ‘hearts and minds’ program to persuade them that this is indeed part of their responsibilities can also be useful.
Another route is to introduce tailored tax management software into the finance system. If information can be gathered and verified automatically, it is clearly much easier to monitor and less of an additional burden to non-tax people. This is a route that many organizations are following, as tax management software becomes more flexible and reliable, and they realize that older, spreadsheet-based systems are just not secure enough to meet modern-day standards of scrutiny.
Independent verification, the third line of defense in these disparate tax networks, has to come from the audit function, internal and external. The problem KPMG firms can often come across here is that some internal auditors can see tax as a hugely technical ‘black box’ — one which they do not have the experience to delve into.
We have some sympathy with that view. Tax people have become very specialist and it can be hard to separate the detailed technical material from the process and monitoring work. But it’s clear from the trends described here that today’s senior tax people are not necessarily technicians — they are people with operational experience and the people skills necessary to run a complex function across international boundaries.
To do this effectively, tax-trained auditors can help, as they are able to apply the three lines of defense framework to this complex and challenging area.
Ms Rinkoff agrees. “For internal audit departments,” she says, “tax risk is a complex but key element of the audit universe and specialist independent tax knowledge input is vital at all stages of the audit process; scoping, planning work programs, fieldwork, benchmarking and reporting.”
“Tax audits can be focused on specific areas of risk like payroll tax, transfer pricing, expatriate tax or a high level assessment of the management of tax risk across the business. Processes and controls to mitigate tax risk need to be embedded in the wider organization, and there should be robust monitoring by management, as suggested in the first and second lines of defense. As the third line of defense, auditors will be able to give assurance over the management of tax risk and help the organization by identifying gaps or weaknesses and working with management to agree remedial actions.”
It can certainly work. Indeed it has to work if companies are to meet ever tougher reporting and compliance requirements everywhere in the world. But it needs auditors and tax people to work much more closely together to develop a tax risk management system that meets today’s needs.
Stephen Callahan, director and Gary Harley, partner, KPMG in the U.K.
(Ilana Rinkoff’s comments are made in a personal capacity and not as an employee or spokesperson for AstraZeneca)