The audit reviewed the ATO's collection and management of activity statement information. The audit paid particular regard to:
- the environment into which activity statements were introduced;
- taxpayer concerns with activity statement administration;
- the mechanisms the ATO uses to capture and process activity statements;
- the change processes the ATO uses to change and test activity statement IT systems; and
- the management methodology used to report on, and assess the performance of, activity statement related systems and processes.
Activity statements are the Australian Taxation Office's (ATO) approved forms that enable ATO clients with specific tax obligations to remit or calculate their taxes. The management of activity statements is an important aspect of Commonwealth revenue collection as approximately 65 per cent of revenue ($120 billion) collected by the ATO was received through activity statements in 2002-03. Collecting activity statement revenue poses a significant challenge to the ATO, as it processes approximately 15 million activity statements annually.1
Activity statements comprise the Business Activity Statement (BAS) and Instalment Activity Statement (IAS), which are used to report and/or remit multiple Commonwealth taxes.2 Clients are able to lodge their activity statements monthly, quarterly or annually depending on their income, Pay As You Go (PAYG) withholding obligations, and the reporting option nominated by the client and agreed to by the ATO.
The ATO introduced three principal Information Technology (IT) systems to process activity statements. These are the Instalment Processing System (IPS), Pay As You Go Instalments (PAYGI) system, and the Risk Rating Engine (RRE). Since their introduction, the ATO has made many significant changes to improve their efficiency and effectiveness, and to provide the additional functionality required by subsequent changes to policy and legislation.
Objective and scope
The objective of the audit was to assess the ATO's collection and management of activity statement information. Specifically the audit sought to:
- report on the environment into which the activity statement collection and processing systems were introduced;
- identify taxpayer concerns with activity statement processing, and the measures the ATO has undertaken to address those concerns;
- assess the systems, processes and controls used by the ATO to capture and process activity statement information;
- assess the mechanisms the ATO has in place to maintain, change and test activity statement IT systems, which bear on the integrity and security of activity statement information; and
- assess the management methodology used by the ATO to report and assess the performance of activity statement related systems and processes.
The focus of the audit was on activity statement data capture and activity statement processing activities.
Background and context (Chapter 1)
The effective management of activity statement information is an important issue for the ATO. A failure of the systems, processes and controls used by the ATO to manage activity statement information could not only undermine the ATO's reputation within the community, but also has the potential to impact significantly on tax revenue.
The introduction of A New Tax System (ANTS) legislation represented the single largest change to tax operations in the ATO's history. The ATO recognised that activity statements, and its ability to process them, were critical to the effective implementation of this legislation.
Although the ATO had been considering the administrative implications of introducing ANTS since 1996, the exact form of ANTS legislation was not known until the final weeks preceding it taking effect. This meant that there was only a short period of time to change activity statement processing systems to reflect the ANTS legislative changes.
The ANAO recognises that effectively implementing highly complex activity statement processing systems to administer multiple taxes, in such a short period of time, is a significant achievement.
Client education and liaison (Chapter 2)
The ATO relies on its clients submitting activity statements that are completed correctly and on time, as this significantly reduces processing time and costs. Important aspects of ensuring that activity statement forms are completed correctly are that clients are educated effectively on their reporting obligations, and good relationships are established between clients and the ATO.
In the past, there has been a level of dissatisfaction amongst clients regarding aspects of the ATO's administration of activity statements. Taxpayers' concerns have included compliance costs, access to ATO running balance accounts, and the use of electronic lodgement facilities. We found that the ATO is investing significant resources to address these concerns and has made some progress in this regard. This is also evident from surveys conducted by the ATO and tax practitioner representative bodies, and in recent decreases in the number of complaints received by the ATO about activity statement related issues.3
The ATO has introduced a number of initiatives to educate and inform clients of their tax obligations, and of ATO administrative practice and procedure, regarding activity statements. It is important that the ATO effectively coordinates these initiatives to direct correct information to relevant clients when they require it. The ATO has also recently introduced a Community Relationship Model to channel education material more effectively to clients. However, the success of this model will need to be determined through future evaluation.
Activity statement data capture (Chapter 3)
Activity statement data capture refers to the process of accurately replicating the data submitted by ATO clients in a standard electronic format that can be processed by ATO activity statement IT systems. Clients, or their tax agents, can lodge activity statements: electronically; using paper activity statements; or by using the telephone.4
The ATO has an adequate control framework in place to capture activity statement information, with electronic systems, supported by manual controls, used to manage data capture workflow. However, there are a number of areas of this framework that could be enhanced for greater effectiveness.
Although the ATO has improved its processes for identifying and mitigating risks relating to activity statement data capture in 2003-04, we consider that a single, coordinated approach to risk management for data capture processes will be more efficient and provide more consistent results over time. The consideration of quality assurance (QA) mitigation strategies as part of this process would provide additional assurance.
The ATO has developed appropriate controls to provide assurance that data capture procedures documentation is sound. However, the consistency of this documentation between ATO offices, and the ongoing review of this documentation for currency, accuracy and completeness, could be improved.
Australia Post provides some of the activity statement pre-processing services for the ATO, including opening and sorting activity statements in readiness for processing by ATO staff. To provide increased assurance that these services are of high quality, Australia Post staff should be subject to the same QA processes as ATO staff.
Activity statement processing (Chapter 4)
Activity statement processing refers to the manual and electronic processes the ATO uses to provide assurance that the information contained on activity statements complies with tax legislation, as well as with ATO administrative policy and practice. Overall, we found that the ATO's manual procedures and controls provide adequate assurance that activity statement information is processed effectively.
Data exceptions occur when an electronic or manual process detects incorrect information contained on an activity statement. Activity Statement Exception (ASE) teams are responsible for correcting data exceptions relating to IPS and the PAYGI system. The ATO has strong controls in place to assist ASE teams to correct data exceptions. However, a number of enhancements could be made to improve the efficiency and effectiveness of ASE teams. These include:
- using a single, consistent approach to identify activity statement processing risks, including consideration of QA processes and controls;
- improving the currency, accuracy and completeness of activity statement processing procedures and education documentation; and
- examining options for a more efficient, automated, work allocation system for ASE teams.
Compliance Verification Centres (CVCs) are responsible for correcting data exceptions relating specifically to the Goods and Services Tax. Generally, the controls the CVC teams have in place are sound. However, there are aspects of the ATO's management of its CVC procedures and education documentation that could be enhanced.
The effective management of procedures and training documentation across all activity statement data capture and processing areas can be improved to provide increased assurance that it is relevant, current, complete and secure. Similar enhancements should also be considered for IT specifications documentation. The ANAO considers that the ATO should develop a nationally consistent policy to manage and secure this, and other applicable documentation.
Systems change management processes (Chapter 5)
To provide assurance that activity statement related systems operate as intended, the ATO needs robust processes to implement and monitor changes to these systems. If the ATO does not have these processes in place, it will be unable to provide adequate assurance that business rules are applied to activity statement information correctly, and that activity statement information is being processed efficiently.
A critical element in managing change to ATO IT systems is the creation and maintenance of IT technical documentation (or IT specifications). IT specifications should include an up to date description of all aspects of the system, including hardware, software and data. Although IT specifications documentation for the RRE is well managed and tightly controlled, the consistency and security of PAYGI system specifi cations require improvement.
Historically, the ATO's management of changes to IPS has been less than adequate, with IPS specifications being incomplete at the time of the audit. The ATO is undertaking measures to compile a new set of IPS specifications, and will need to implement controls to maintain their ongoing currency and completeness.
The ATO uses three separate systems to manage system exceptions workflow. This means that many processes are duplicated, and system exceptions do not include clearly defined audit trails. To provide increased assurance that system exceptions are managed efficiently and effectively, the ATO should develop a standardised approach to manage system exceptions, and examine the costs and benefits of developing a single system to manage them efficiently.
The ATO classifies the most critical system exceptions as Priority 1 (P1) cases. The system the ATO uses to manage P1 cases does not have the capacity, or the controls necessary, to ensure the integrity of the information required to manage P1 cases effectively. The ATO needs to develop a system capable of managing P1 cases effectively. That would provide a high level of assurance that all project documentation relating to P1 cases is kept securely.
System testing provides assurance that all changes to IT systems operate as intended before they are released into a ‘live' production environment. We found that an integrated testing methodology is not applied consistently to all system changes.
Aspects of governance (Chapter 6)
Activity statement data capture and processing activities are managed by a number of ATO business and service lines, and divisions. A robust governance framework is required to provide assurance that activity statement related activities are coordinated and managed effectively. An essential element of a robust governance framework is that corporate objectives and planning documentation are fully aligned and mutually supportive.
The ATO has significantly improved its planning framework for 2003–04, compared with that of the previous year. However, some inconsistencies remain between higher-level strategic plans and lower-level operational plans with regard to the management of activity statements. The ATO has a number of risk assessment processes that identify and assess activity statement related risks. These risk assessments are developed independently from one another. To provide assurance that a coordinated and comprehensive approach is undertaken when assessing risks, the ATO should aim to ensure that activity statement risk assessment processes identify and pay regard to risks identified in other activity statement risk processes.
The ATO's Certificate of Compliance for the Payment of Public Money (Certificate of Compliance) is used to provide assurance to the ATO's Chief Finance Officer that all refunds are correct following processing by ATO business systems. A key aspect of the Certificate of Compliance process is that activity statement related controls are monitored and reported on regularly by ATO staff. The ATO last undertook a risk assessment to identify controls that are critical to the Certificate of Compliance process in 2000. Since that time, activity statement systems and controls have changed significantly. To be fully effective, the Certificate of Compliance should include a process to assess control risks associated with activity statement and other systems on a regular basis.
Collecting and processing activity statement information is a high-profile, challenging and complex area of tax administration. If not managed well, it has the potential to not only undermine community confidence in ATO administration, but also to impact adversely on revenue collections.
There has been community criticism of the ATO's management of activity statements. The ATO has devoted significant resources to addressing these concerns, and has made progress in this area. This is evident in the results of independent surveys, as well as in the decrease in the number of complaints the ATO has received about activity statements over the last 12 months.5
Although there is still progress to be made in implementing ‘ideal' activity statement systems, we found that current systems, processes and controls provide a sound basis for the efficient and effective administration of activity statements. That said, we consider there are a number of areas that could be improved to enhance administrative practices relating to activity statements, for example, that the ATO:
- implement nationally consistent policies, systems and processes to manage and secure procedures, training and system specifications documentation;
- assess the costs and benefits of implementing automated systems for managing activity statement data exceptions and system exceptions;
- compile and maintain specifications for activity statement related systems, and introduce robust controls to maintain the currency and completeness of these specifications;
- apply a consistent and integrated system testing methodology for changes made to activity statement systems; and
- develop and implement a comprehensive and coordinated approach to risk management and planning at the strategic and operational levels.
We made nine recommendations aimed at strengthening the ATO's documentation, risk management and planning practices. The ATO agreed with all recommendations, one with qualification.
Summary of ATO's response
The ATO notes that the Australian National Audit Office concludes that the ‘current systems, processes and controls provide a sound basis for the efficient and effective administration of activity statements'. The ATO believes that this conclusion reflects well on the ATO staff involved in managing a complex process.
The ATO agrees that implementing the activity statements processing systems to give effect to the A New Tax System legislation was a significant and important achievement.
Since implementing these systems the ATO has worked with the community to continue to refine and improve them. The ATO acknowledges that these systems can continue to be improved and recognises the recommendations made by the ANAO assist in that aim.
Overall the recommendations are supported, except to the extent outlined in Recommendation Number 9. The ATO's full response is reproduced in Appendix 1 of the audit report.
1 ATO analysis of business and service line financial and performance information.
2 These specific tax obligations include: Goods and Services Tax (GST); Pay As You Go (PAYG); Fringe Benefits Tax (FBT); Wine Equalisation Tax (WET); Luxury Car Tax (LCT); and company instalment obligations.
3 AC Neilson, 2003, Survey of Business Experience with BAS–July 2003. p.61; ATO, 2002, Summary of Market Research Findings for Business Compliance Experience with the BAS and the New Tax System–Two Years on–Quantitative Report August 2002, p.29; and ANAO analysis of ATO complaints information.
4 From 1 October 2003, clients are only able to lodge activity statements with a ‘nil' balance over the telephone.
5 AC Neilson 2003, op. cit.; ATO 2002, op. cit.; and ANAO analysis of ATO complaints information.