2. Desired Outcome of POA 2
Risks to revenue and tax administration operations are identified and managed effectively.
Tax administrations face numerous risks that could adversely affect revenue and tax operations. Risk management is thus essential for effective tax administration. It plays a key part in shaping how the tax administration uses its resources to achieve its goals effectively.
Risks must be managed effectively through a structured approach to identifying, assessing, prioritizing and mitigating risks.
These risks include:
• Compliance risks, where revenue may be lost if businesses and individuals fail to meet their obligations as taxpayers (registering, filing, making payments and reporting accurately).
• Institutional risks, where the tax administration functions may be interrupted or jeopardized due to internal or external factors.
3. International good practices in COMPLIANCE RISK MANAGEMENT
• Structured and multi-year approach to compliance risks
• Identification, assessment, quantification and prioritization of risks
• Compliance risks structured around taxpayer segments, taxpayer obligations and core taxes
• Intelligence gathering and research to identify compliance levels and risks:
  - Analysis of tax audits and declarations
  - Analysis of environmental scanning
  - Third party information from a variety of sources
  - Tax gap analysis
  - Studies into hidden activities
  - Studies of taxpayer attitude towards taxes
• Compliance improvement programs and risk mitigation strategies
• Evaluation of effectiveness of major mitigation activities as feedback for future planning
4. International good practices in INSTITUTIONAL RISK MANAGEMENT
• A risk register with a framework of problems threatening business continuity
• A plan for continuity of tax operations in the event of disaster
• Assessment of likelihood and consequences of natural disasters or man-made calamities
• Outline of steps in the event of disaster to maintain business continuity
• Staff training in disaster recovery procedures
• Preventive measures and internal controls to protect tax administration systems from fraud and error (POA 9)
• Effective internal and external oversight to detect and deter undesirable events (POA 9)
5. Performance Indicators for Effective Risk Management
High Level Indicators, each followed by its Dimensions:
• P2-3 (M1): Identification, assessment, ranking, and quantification of compliance risks
  - The extent of intelligence gathering and research to identify compliance risks
  - The process used to assess, rank, and quantify compliance risks.
• P2-4 (M1): Mitigation of risks through compliance improvement program
  - The degree to which risks are mitigated through a compliance improvement program.
• P2-5 (M1): Monitoring and evaluation of compliance risk mitigation activities.
  - The process to monitor and evaluate the impact of compliance risk mitigation activities.
• P2-6 (M1): Identification, assessment, and mitigation of institutional risks.
  - The process used to identify, assess, and mitigate institutional risks.
6. Scoring P2-3-1: Identification of risks through intelligence gathering and research
A
Intelligence gathering and research for understanding compliance level and current/emerging risks:
• Analysis of environmental scanning as part of multi-year strategic planning
• Analysis of third party information from a range of external sources
• External studies into taxpayer behavior and attitude to compliance
• Research into hidden activities of businesses
• Tax compliance gap studies
• Research on topical compliance issues, e.g., transfer pricing, HWIs
• Analysis of audit results and tax declarations
7. Scoring P2-3-1: Identification of risks through intelligence gathering and research
B
Intelligence gathering and research for understanding compliance level and current/emerging risks:
• Analysis of environmental scanning as part of multi-year strategic planning
• Analysis of third party information from a range of external sources
• External studies into taxpayer behavior and attitude to compliance
• Research into hidden activities of businesses
• Tax compliance gap studies
• Research on topical compliance issues, e.g., transfer pricing, HWIs
• Analysis of audit results and tax declarations
8. Scoring P2-3-1: Identification of risks through intelligence gathering and research
C
Intelligence gathering and research for understanding compliance level and current/emerging risks:
• Analysis of environmental scanning as part of multi-year strategic planning
• Less comprehensive analysis of third party information from a range of external sources
• Limited or no external studies into taxpayer behavior and attitude to compliance
• Research into hidden activities of businesses
• Tax compliance gap studies
• Limited or no research on topical compliance issues, e.g., transfer pricing, HWIs
• Analysis of audit results and tax declarations
9. Scoring P2-3-2: Assessing, Ranking and Quantification of Risks
A
• A structured risk assessment process based on good practice is in place.
• Assesses and prioritizes risks for all core taxes, and taxpayer obligations.
• The process is part of a multi-year strategic process.
B
• A structured risk assessment process based on good practice is in place.
• Assesses and prioritizes risks for all core taxes, taxpayer segments and taxpayer obligations.
• The process is linked to the annual business planning BUT NOT part of a multi-year strategic plan.
C
• A LESS structured risk assessment process is in place.
• Assesses and prioritizes risks for all core taxes and four main taxpayer obligations.
D
• The requirements for a ‘C’ rating or higher are not met.
10. Scoring P2-4: Mitigation of risks through compliance improvement programs
A
• Compliance improvement program is fully resourced and progress monitored monthly
• Documented compliance improvement program covers all identified high risks
• Compliance program covers all core taxes
• Compliance program covers the four main taxpayer obligations
• Compliance program covers the key taxpayer segments
11. Scoring P2-4: Mitigation of risks through compliance improvement programs
B
• Compliance improvement program is fully resourced and progress monitored monthly
• Documented compliance improvement program covers all identified high risks
• Compliance program covers all core taxes
• Compliance program covers the four main taxpayer obligations
• Compliance program covers the large taxpayer segment
12. Scoring P2-4: Mitigation of risks through compliance improvement programs
C
• Compliance improvement program is fully resourced and progress monitored every three months
• Documented compliance improvement program covers all identified high risks
• Compliance program DOES NOT cover all core taxes
• Compliance program DOES NOT cover all four main taxpayer obligations
• Compliance program DOES NOT cover all taxpayer segments
13. Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities
A
• Risk Management Committee at the senior management level plays an active role in approving risk mitigation strategies
• Risk Management Committee monitors progress with implementation of mitigation activities
• Evaluation of the effectiveness of ALL approved compliance risk mitigation activities is documented
• Senior management reviews the evaluation
14. Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities
B
• Risk Management Committee at the senior management level plays an active role in approving risk mitigation strategies
• Risk Management Committee monitors progress with implementation of mitigation activities
• Evaluation of the effectiveness of AT LEAST HALF of approved compliance risk mitigation activities is documented
• Senior management reviews the evaluation
15. Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities
C
• Risk Management Committee at the senior management level approves risk management strategies ON AN AD HOC BASIS
• Risk Management Committee monitors progress with implementation of mitigation activities ON AN AD HOC BASIS
• Evaluation of the effectiveness of approved compliance risk mitigation activities is documented ON AN AD HOC BASIS
• Senior management reviews the evaluation ON AN AD HOC BASIS
16. Scoring P2-6: Identification, assessment and mitigation of institutional risks
A
• Structured process is applied annually to identify, assess and mitigate institutional risks across the whole organization
• A documented institutional risk register is in place
• A business continuity plan exists to mitigate risks and this is reviewed annually
• Staff are trained in disaster recovery procedures
17. Scoring P2-6: Identification, assessment and mitigation of institutional risks
B
• Structured process is applied every two years to identify, assess and mitigate institutional risks across the whole organization
• A documented institutional risk register is in place
• A business continuity plan exists to mitigate risks and this is reviewed every two years
• Staff are trained in disaster recovery procedures
18. Scoring P2-6: Identification, assessment and mitigation of institutional risks
C
• Structured process is in place to identify, assess and mitigate risks associated with the IT system
• A documented institutional risk register is in place
• A business continuity plan exists to mitigate risks and this is reviewed every two years
• Staff are trained in disaster recovery procedures
19. Table 8 of the Field Guide
Checklist of Questions and Evidence for POA 2