In a recent survey conducted by Protiviti, the majority of senior accounting officers (SAOs) stated that they were still unsure which issues should be reported within the Schedule 46 certificate. Many also stated that although weaknesses within the current control framework had been detected, they were unsure whether to disclose them as these might not be deemed material findings and could attract unnecessary attention from HMRC.
In light of the current uncertainties, Protiviti has prepared a short list of frequently asked questions (FAQs) that aims to assist SAOs when providing an adequate certificate to HMRC. It is important to remind ourselves that the certificates are intended to be an open reflection of the company’s tax accounting arrangements and so highlighting weaknesses will not be held against the company. The customer relationship manager (CRM) as part of their normal discussions with the customers will expect SAOs to be able to explain what action they are taking to rectify matters and will take this into account as part of the overall risk assessment.
Who Should Be Submitting the Certificate?
The SOA of a qualifying company is responsible for providing HMRC with a certificate as set out in Section 46 stating whether the company has appropriate tax accounting arrangements or, where it does not, providing an explanation as to why. Companies subject to Schedule 46 have to notify HMRC of the name of the person(s) acting as SAO for each financial year. There is no set form of notification, as a minimum it should include contact details of the SAO, period to which the notification relates and the companies for which the SAO is acting. Notification will normally be made to the CRM and should be filed within the period under Companies House requirements (6 or 9 months after the end of the relevant accounts reference period).
When to Submit the Certificate?
The certificate should be provided to the CRM for the company or companies covered, and must be submitted no later than the end of the period for filing the accounts for the financial year. An extension can be agreed with the CRM, however this is provided in exceptional circumstances (for example during mergers and acquisitions (M&A) or in the case of some other major change affecting the company, its systems or the personnel key to the systems and governance). To ensure that no notification or filing dates are inadvertently missed it is recommended that the SAO discusses a potential extension with the CRM in advance.
The Format of the Certificate
The HMRC guidance provides a suggested format and wording for the certificate, as follows:
“I…as senior accounting officer of the qualifying company/companies listed below, hereby certify that to the best of my knowledge and belief throughout the company’s or companies’ financial year ended […] the company/companies had appropriate tax accounting arrangements or to the extent it/they did not an explanation is provided below.”
What to Disclose
As outlined in Section 46, the main duty of the SOA is to take reasonable steps to ensure that the company establishes and maintains appropriate tax accounting arrangements. As such, the SAO must take reasonable steps to monitor the accounting arrangements of the company and identify any respects in which those arrangements are deemed not to be appropriate tax accounting arrangements. Although there is no official guidance on what appropriate tax accounting arrangements mean, they could include the following broad elements:
- A process for gathering and recording data in a systematic way.
- An understanding of the key tax compliance risks in the business.
- Designing and implementing control activities to mitigate these risks, for example separation of responsibilities and ensuring that people who undertake delegated activities have the right levels of skill and competency.
- Mechanisms for communicating roles and responsibilities.
- Monitoring activities to ensure that controls are operating effectively, though the level of monitoring required will vary according to the level of risk present.
In addition, as outlined in Para 16 of Schedule 46, the SOA should assess the company’s relevant liabilities and ensure that these are calculated accurately in all material respects. As such the focus should be on the significant transaction, system and tax and the relative size of these items in terms of the business. As stated in the guidelines, HMRC is not interested in small or insignificant errors consequently it is important to concentrate on significant areas of risk.
Based on the interpretation of the guidance issued by HMRC, the Schedule 46 legislation, discussion with various SAOs and CRMs and taking into account the key elements reported above, there are three main issues that we believe should be disclosed within the certificate:
- Weaknesses or deficiencies within the current control framework that are likely to result in material inaccuracies being reported to HMRC. These weaknesses have not yet been resolved and therefore the SAO has not been able to identify adequate compensating control to mitigate the risk.
As part of the review of the internal controls it has been noted that manual invoices have been created outside of the company’s enterprise risk planning system. The VAT has been correctly added to the invoice however the VAT payable to HMRC has not been captured within the VAT return as not entry has been provided for in the relevant VAT account.
- Weaknesses or deficiencies within the current control framework that are likely to result in material inaccuracies being reported to HMRC for which adequate compensating controls have been identified.
The company uses a number of spreadsheets in the creation and completion of the tax returns. Due to the nature of the manual operations outside of the system, there is a higher risk of error. Errors in key spreadsheets could result in tax payable to be incorrect and penalties associated depending on the nature of the error and whether appropriate controls are in place to mitigate the risk.
The company is currently performing a review of the key spreadsheets in use and will consider how best to reduce the risk of error. Consideration will be given to access control, including:
- Defining and maintaining appropriate user access rights and restrictions, including segregation of duties, where applicable.
- Change control: controlling changes that are made to the spreadsheet, including adequate testing and documentation of changes.
- Data input validation: ensuring completeness and accuracy of data inputs.
- Independent review: documented, independent review of spreadsheet logic.
- Identified errors: where it has been identified that appropriate tax accounting arrangements are not in place throughout the financial year and these have resulted in material inaccuracies in calculated tax liabilitie
- Weakness or deficiencies identified throughout the year: in addition the SOA should prepare a list of weaknesses or deficiencies that are not deemed to be material and for which adequate ‘compensating controls’ or remediation plans are in place to prevent an error. This list should not form part of the certificate but ought to be discussed with the CRM.
The SAO identifies a risk relating to lack of formal segregation of duties within the current enterprise risk planning system surrounding VAT tables. No error is understood to have arisen due to the team having a good understanding of their roles, unauthorised users not trained to change VAT tables and the implementation of monitoring controls able to detect changes that could lead to material mis-statements. The SAO may, however, decide to restrict access to few users in order to manage and minimise the risk that VAT tables are being incorrectly changed by unauthorised users.
Review of the Certificate by the CRM
The SAO certificate will form part of the overall information that will be used by HMRC to risk assess a business. The content of the certificate will help the CRM to focus corporate compliance activity. HMRC does not foresee the CRM specifically undertaking work to verify the accuracy of the certificate. It is therefore not envisaged that the CRM will undertake an in-depth audit review in order to cover all taxes in scope. Typically the CRMs will build up an understanding of the systems and governance through real time discussions with the business and normal risk-based compliance checks.
The CRM is expecting to see an open and transparent relationship with the SAO; therefore they would want to discuss weaknesses that have been disclosed on the certificate, or known historical weaknesses in the tax accounting arrangements, focusing on what steps the SAO is undertaking in order to solve them.
Situations where the CRM may want to consider further work on systems and governance could include:
- Historic evidence of weaknesses within the tax accounting arrangement: where the tax accounting arrangements have been certified as appropriate, if there is some historic evidence of tax accounting arrangement weakness, it is anticipated that the CRM may perform targeted checks on known areas of weakness. The CRM may also decide to undertake real-time compliance checks on key areas of risk deemed material for the company.
- Weaknesses reported within the certificate: where a disclosure has been made on the certificate stating that part of the tax accounting arrangements are not appropriate, the CRM would expect additional controls to be put in place to address the deficiencies. In certain cases the CRM might decide to undertake real-time compliance checks both on the known areas of weakness and on risks arising from the specific risk assessment performed on the company.
- Deficiencies identified: where deficiencies have been found in the tax accounting arrangements, the CRM would expect additional controls to be put in place to address the deficiencies. In subsequent periods it may be appropriate to undertake real-time compliance checks to ensure that the controls that have been put in place are working properly.
The extent of these reviews will depend on the relationship between the CRM and the SAO, and the extent to which it is open and transparent. Where, as a result of any further work, it appears that the requirements of the legislation may not have been met and penalties may potentially be applied, then there will need to be discussions with the SAO to determine whether the SAO has taken reasonable steps to ensure that the company established and maintained appropriate tax accounting arrangements.
Errors or Deficiencies Identified by the CRM not Disclosed on the Certificate
When normal compliance checks are performed it could occur that errors or weaknesses are identified in the tax accounting arrangements for which a full disclosure within the certificate for the appropriate period has not been provided.
The CRM will not necessarily conclude that the certificate was inaccurate or that there has been a failure to establish and maintain appropriate tax accounting arrangements. The conclusion reached by the SAO on whether or not there have been any failures of the SAO will depend on how the error arose and the significance of these errors.
In Case of Disagreement Between the SAO and the CRM
As previously stated, HMRC, as well as the CRM, aim to have an open, collaborative dialogue with the SOA. Where there are differences in opinion, as with any other area of risk, they would expect these to be discussed in a reasonable and professional manner to understand the difference in opinion.
It could however occur that disagreements are not resolved and that the CRM believes that the SAO or company may not have met the requirements of the legislation. In such cases, the issue should be escalated to the sector lead in the large business service (LBS) and to the business unit head in local compliance.
Link Between the SAO Penalties and Penalties for Inaccuracies Schedule 24 Finance Act (FA) 07
As outlined by the guidance provided by HMRC there is no automatic link between penalties for errors on tax returns and penalties for the SAO failing to carry out the main duty per Schedule 46, paragraph 1. These two provisions are entirely separate and consequently failure to have appropriate tax accounting arrangements will not necessarily result in an error attracting a penalty under Sch 24 FA07.
Consequently an error in the a return that has attracted a penalty under Sch 24 FA07 will not automatically mean that a company does not have appropriate tax accounting arrangements and that there is any failure under Sch46 FA09. However, it is important to outline the fact that appropriate tax accounting arrangements will not necessarily result in a mitigation of a penalty for an error under Sch 24 FA07. There may be circumstances where penalties under both Sch 46 FA09 and Sch 24 FA 07 are chargeable. It will depend entirely on the circumstances of each individual case.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
Despite all the automation and improvements that digital banking has the potential to achieve, customers and their needs still form the very core of the banking sector.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.
Politicians have united in urging the Reserve Bank of Australia to lend its backing to the digital currency by officially recognising it.