Risk and Control Framework - VAT Risks & Controls for Organisations 

​​​​​

Introduction

​​

A VAT risk and control framework is a documented and structured system to identify, manage, and mitigate VAT risks to ensure accurate and compliant VAT and GST reporting to a local tax authority (HMRC in the UK). It involves establishing a VAT risk register, defining key controls, who is responsible and accountable for them, confirming controls are documented, applying a risk weighting for each risk and conducting regular reviews and testing of each control to ensure they are effective and thus preventing tax authority penalties.

​​

It is important for a risk and control framework to be a "living document" in that it is constantly reviewed and updated to ensure that an organisation continues to mitigate risks associated with Indirect Tax.

​​

VAT can be a significant cost to a business, especially those that are partially exempt (unable to recover all of their input VAT from HMRC that they incur on their costs. For example, Large multinational banks and insurance companies.

​​​

Senior Accounting Officer Sign off

​​​

Where an organisation has a Risk and Control Framework for VAT & GST, it will assist and enable the Senior Accounting Officer to sign off  their annual declaration to HMRC confirming that the organisation:​

​​

• Has adequately documented its controls and processes for the following areas - Customer on-Boarding, Accounts Payable and Receivable, Inter-Company Recharging, Capital Good Scheme, Partial Exemption Methods agreed with HMRC, Internal VAT Allocation Methodologies for VAT recovery, Outsourced Services, Finance and Tax Service Centre supplied services, VAT and other Indirect Tax System change processes, Automated Processes. Front End System to SAP System Interfaced Transactions, Payments Outside of the Accounts Payable Processes, International VAT Transaction Compliance, Imports and VAT compliance, Entertainment and Company Events Compliance, Employee Expenses and VAT etc.       

• Has carried out testing of these controls

• Has complied with all the necessary VAT legislation in relation to returns filed with the tax authority

• Has adequately trained staff with the appropriate qualifications and experience to prepare returns, advise and monitor VAT & GST risks ​

• Has filed accurate VAT and GST returns on time and paid the correct amount of tax

• Has appropriate VAT accounting and reconciliations procedures

• Has documented and reviewed all new products and services to ensure the correct VAT treatment from a systems and billing perspective

• Has reviewed any changes in business structure to ensure there has been correct inter-company billing

• Is MTD compliant

• Is E invoicing compliant post 2029    

​​​​

Uncertain Tax Treatments​

​​​​

An organisations VAT Risk & Control Framework should include a control that ensures that any uncertain tax treatments which have a tax advantage of more than £5 million for each relevant period are identified where and organisations:

​​

• Turnover is over £200 million in a financial year

• Balance sheet total is over £2 billion in a financial year

​​

HMRC Risk & Controls Guidance for VAT (GFC8)

​​

HMRC (UK Tax Authority)have issued guidance on the risks and controls and requirements (GFC 8) that they would expect organisations to adopt to demonstrate that their VAT processes are documented and robust to ensure accurate reporting and compliance. Its important for organisations to review this document and embed any control gaps within their processes as this will enable HMRC to have greater confidence in their risk and controls culture and processes if they conduct an audit. 

​​

Business Risk Review

​​

HMRC or other global tax authorities may conduct Business Risk Reviews as part of their risk and compliance monitoring of organisations.​

​​

This will involve HMRC evaluating overall Tax and VAT governance, billing and VAT reporting systems, documentation of processes, risk and control frame works to determine if risks are being effectively managed. The aim will be to provide a business with a risk rating high, medium or low and as such will determine how often they scrutinise the business in future.

​​​

As such, if an organisation has robust Risk and Control Framework for VAT & GST and it is embedded within the company's culture then this will help businesses in securing a low VAT BRR rating. 

​​

Internal & External Audits

​​

Having a VAT Risk and Control Framework will be a good premise for the internal and external auditors to review at the start of their audit. It will provide a greater understanding of the business, inherent risk and how they are being managed or mitigated. Without a VAT risk and control framework, auditors will have to conduct a more extensive audit to gather information that would normally be included within a risk and control framework document or pack.   

​​​

Board Level Approval and Embedding a Visible Risk Culture ​​

​​​​

Having a VAT Risk and Control Framework Document is a good start but one has to always ask, how will the controls be implemented, tested and embedded within the culture of the organisation. Unless a company has a strong risk and control culture embedded from Board level down, having a VAT / Tax Risk and Controls Framework document may not be enough mitigate against Finance, Tax and VAT risks. 

​​​

As such, It is important that the TAX / VAT Risk & Controls Framework becomes part of an organisations culture by building it into employee objectives, recruitment policies, company policy and backed up by inter functional Service Level Agreements (SLA's) which can be reviewed against performance annually.  ​​

​​​​

​​​

​​​

​​​