In April 2010, HM Revenue and Customs (HMRC) introduced a new penalty regime through the introduction of Schedule 24 of the Finance Act 2007 and Schedule 40 of the Finance Act 2008. The new penalty regime applies to all companies in the UK and significantly increases penalties HMRC can apply if a company is found to have not taken due care when preparing a tax return. Penalties will be reduced if a company can demonstrate it has taken reasonable care to ensure its returns are accurate.
The guidance provided by HMRC on Schedule 46 sets the standards that all companies should adopt when preparing a filing for the HMRC and clarifies the concept of reasonable care. Schedule 46 was introduced by HMRC in the Finance Act 2009 and aims to ensure that large companies1 liable for taxes and duties in the UK certify that appropriate tax accounting arrangements have been established and maintained.
In particular, large companies are required to appoint a senior accounting officer (SAO) and notify HMRC of the name of any person/s acting as SAO for each financial year. The SAO will be personally responsible for:
- Taking reasonable steps to monitor the accounting arrangements of the company and its subsidiaries.
- Determining any respects in which those arrangements are not appropriate for tax reporting purposes.
- Certifying annually that the accounting processes in operation are adequate for the purposes of accurate tax reporting or specify the nature of any inadequacies.
Given the change in the HMRC penalty regime, and regardless of whether they are subject to Schedule 46, some companies are starting to pay more attention to their tax processes and controls, as a mistake in their tax filing could potentially result in thousands of pounds being paid to the authorities. Senior executives and board members of major corporations are now asking themselves if adequate procedures have been implemented within their company to comply with the new legislation and if these are cost effective, adding value to the business and addressing key risks.
But more importantly they should be asking themselves if the adequate procedures have been performed by the SAO to obtain the necessary level of assurance over tax reporting prior to a certificate being issued.
It is inevitable that senior executives will rely upon chief audit executives and heads of internal audit to provide them with the necessary assurance. However, audit committees, chief audit executives and heads of internal audit are not always able to effectively assess the new requirements of Schedule 46, particularly if their organisations display the following characteristics:
- Absence of resources with specific Schedule 46 or tax skills.
- Lack of understanding or benchmarks for how other organisation manage specific risks and their relationship with HMRC.
- Lack of a formal methodology, tools or software to accomplish specific audit objectives.
Historically, audit executives have a fairly good handle on the company’s corporation tax processes by relying on external advisors to assess and improve their annual tax calculations. However, the same can’t be said about transactional taxes, such as value added tax (VAT), customs and excise duties, pay as you earn (PAYE), etc. Transactional taxes are not usually reviewed in detail by external tax advisors and are typically managed and controlled by the finance department. Most of the time, the primary focus for the finance department is to follow standard compliance and comply with the necessary filing requirements. It is also quite common to see internal auditors predominantly relying on controls focused on the monitoring of these types of taxes, rather than controls surrounding inputs. For example, an auditor would historically review and recalculate whether an invoice has the correct amount of VAT included, instead of verifying if it is indeed a valid invoice that should be included within the VAT return.
When performing specific audit reviews surrounding tax process, audit committees and heads of internal audit should assess whether they have access to individuals with the necessary knowledge of the requirements of Schedule 46, the expectations of HMRC, the impact of the new penalty regime, and the underlying tax reporting processes to conduct these reviews.
Does this mean that internal auditors should rely 100% on external tax advisors to review their tax processes? No, this should not be the case. External advisors should be brought into the company to assess critical key risks related to specific tax processes when it is not possible for the audit team to find the necessary skills in-house. Having said this, an external tax advisor should not be engaged by a company to assess adequacy of standard monitoring controls or standard transactions. They should rather focus on assessing high risks related to compliance with tax legislation.
Internal audit departments should learn how to co-operate with external advisors and assess which risks and controls can be assessed and tested by external parties and which ones can be reviewed internally. Tax subject matter experts should provide the company with an in-depth understanding of the end-to-end tax processes and provide the internal audit team with useful insights on how other businesses interact with the HMRC and their customer relationship manager (CRM). This will allow the internal audit department to enhance their current know-how on taxes, tailor their work programmes accordingly, and reduce reliance on external tax advisors. It is also important to note that tax experts are not necessarily experts in designing and implementing assurance processes, and may not necessarily have a good understanding of process, risk and control. In addition, tax advisors may have less knowledge of the processes that are impacted than internal auditors.
It therefore goes without saying that significant opportunities still exist to date to improve the cost effectiveness and business value of compliance programmes, such as Schedule 46. But how does a head of an internal audit department know if he or she needs to assess the sustainability, cost effectiveness and/or value of its Schedule 46 compliance? Based on our recent audit reviews, some key indicators could include the following:
- The company relies 100% on independent consultants to assess the effectiveness of its Schedule 46 controls.
- The company lacks a standardised framework and/or appropriate metrics to understand and make informed decisions about the quality and value of the current Schedule 46 compliance process.
- The company is documenting all tax processes even though HMRC is categorising the organisation as low risk.
- The company places more emphasis on taxes in scope for Schedule 46 in order to prevent potential personal penalties to the SAO, rather than applying a risk-based approach review, to identify key areas of risks that could affect the company’s liabilities.
- The company is heavily audited by HMRC and the company’s risk profile is categorised as high.
- The company is not relying on existing compliance or assurance processes to comply with the requirements of Schedule 46 and the new HMRC new penalty regime.
- The company is performing several risk assessments to address various compliance programmes.
Although some of the indicators reported above might be applicable to a specific company, this should not prompt an immediate review of the Schedule 46 compliance programme. It goes without saying that a full review of an assurance project such as Schedule 46 should not be taken lightly, as it can become easily unmanageable if not well thought through from the beginning.
Some of the initial key steps companies will need to address before embarking on a full review the Schedule 46 compliance programme would include:
- Risk assessment: Review your current risk assessment and assess whether the company or SAO has concentrated on material and complicated taxes where the company is likely to encounter potential mistakes. For the purpose of the Schedule 46 compliance programme, internal audit should assess the company’s relevant liabilities and ensure that these are properly covered by an assurance programme.
- Integration: For organisations with an established Sarbanes-Oxley (SOX) programmes, or internal control framework, Schedule 46 compliance requirements should be fully integrated with the existing assurance programmes. Internal audit should review its existing internal compliance programmes and assess whether there are (further) opportunities to integrate Schedule 46 with the company’s current assurance programmes.
- Expertise: Assess the current skills and knowledge of your internal audit team on tax processes. Based on the outcome of the analysis and taking into account the outcome of your risk assessment, establish if critical risks have been assessed adequately. But remember that tax advisors are not necessarily experts in designing and implementing assurance processes and may not have a good understanding of process, risk and control. Create a model whereby tax advisors are working together with your internal audit team to share knowledge on the company tax processes in order to reduce unnecessary future cost and maintain the know-how in-house.
- Cost: Review your current cost to comply with Schedule 46. Tax practices are typically significantly more expensive than assurance practices. Yyou will therefore need to assess what resources you would need to undertake the review.
1Qualifying UK companies must satisfy either or both of the following requirements: £200m in relevant turnover relates to the companies or combined total of a UK group of companies; or a relevant balance sheet total of £2bn in gross assets.
Regulation technology is fast gaining currency by transforming how financial institutions can tackle compliance in a swift, comprehensive and less expensive manner.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.