General approach to VAT compliance controls (part 2)
Updated 25 September 2024
Read purpose, scope and audience (part 1) of Help with VAT compliance controls — Guidelines for Compliance GfC8, if you have not already.
These guidelines can help in establishing an appropriate tax control framework. Such a framework identifies and assesses tax risks and puts in place effective controls to reduce those risks.
HMRC set out good practices related to specific areas of VAT accounting and compliance processes throughout the guidelines. Each specific part sets out the overall objective of the controls for that part and provides control points that may be helpful in achieving those control objectives.
The other parts of the guidelines cover the processes for:
- order to cash
- procure to pay
- employee expenses
- record to report
- VAT reporting
- VAT reporting — manual adjustments
- outsourcing
This part sets out general good practices to help manage VAT accounting and compliance processes. This includes risk management, control design considerations, documentation for internal controls, and assessing controls for VAT. We also outline control points which are relevant to all VAT accounting processes including people, third party services, Information Technology infrastructure, Artificial Intelligence, and data.
Risk management
Risk management is the identification, evaluation, and prioritisation of risks, followed by applying appropriate controls to reduce those risks.
Overall risk management is tailored to the size and complexity of an organisation, and their desire to reduce risk. Good practices for risk management include:
- risks are identified and documented
- controls and procedures are up to date, well documented and regularly evaluated to reflect current processes and organisational changes
- large and complex organisations should consider the use of automated tools for process mapping and mining to accurately model business processes — these tools can identify variations and errors to help evaluate the effectiveness of controls
- each business process will have an owner, who is responsible for the internal controls
- employees are aware of their responsibility for control activities
- a self-assessment process is used to evaluate the design and effectiveness of controls
- processes are in place to ensure an independent evaluation of risks and controls
Examples of events that might prompt evaluation of the approach to risk management are:
- a change in the size and complexity of the business, for example through rapid expansion, acquisition and merger
- a change in the ownership of the business
- a significant change in business activities, such as entering a new market, or the offer of new products or services
- legislative changes
- a change in regulatory requirements
- major technology changes and system upgrades
- business model changes, for example a move to de-centralisation
- the identification of a material accounting error
- the outcome of significant audits or risk reviews
- compliance problems are occurring
We expect businesses, particularly if large or complex, to have documented VAT compliance processes. A well-documented process would:
- have clear ownership and accountability
- include sign-off at the appropriate level
- be regularly reviewed and updated
- be version controlled
- cover the complete process under review
- include clear step-by-step sub-process guidance
- include checklists to help with completeness and task deadlines
- be easily understandable, to help with deputising and succession planning
Control design considerations
The effective design of a control will look at the nature, frequency and coverage of the control. Good practices for control design would include:
- automated control is preferred over manual control
- simple control is preferred over complex control where available
- control activities should be performed by experienced individuals who have a good understanding of the purpose of the control
- preventive (blocking) control is preferred over a detective control which operates after the fact when an error may have already occurred
- key risks benefit from multiple, overlapping controls which complement each other
- full coverage transaction-level control is preferred over high-level analytical control
- using effective, monitored automation to perform a 100% check provides more assurance than sampling
- control occurring in real time is preferred to retrospective control
Documentation for internal controls
Documentation, appropriate to the size and complexity of an organisation, is required to manage and evidence the design and effectiveness of the internal controls. Documentation specific to VAT may be useful as part of tax risk management, or to support Senior Accounting Officer (SAO) sign-off if this is required. Good practices for control documentation would include:
- documents should define the scope of internal control for VAT purposes in terms of business functions, processes, IT systems and locations
- document whether VAT relevant internal controls are in-house, shared service centre or outsourced to a third-party
- document the flow of transactions through in-scope functions and processes, and identify the control activities within these processes
- process documentation is up to date and version controlled
Assessing controls for VAT
VAT risk management should include an assessment of the design of controls, evaluating whether they are adequate to mitigate the risk of VAT declaration errors. A good way of doing this is setting up a VAT risk register. Good practices for assessing VAT controls would include:
- document all the VAT risks identified, including their frequency, likelihood and impact
- document the nature, type and frequency of control activities covering the risks
- document how the control activity is performed
- record who is responsible for the control activity, and who has overall sign-off
- document how testing the effectiveness of the control has been planned and performed
- document how the control will be monitored for continued relevance
- ensure a process is in place for reporting deficiencies to the appropriate level of management and undertaking remedial action
People
VAT compliance relies on the management and professionalism of appropriately trained staff in an organisation.
Control points
- Staff roles and responsibilities in respect to VAT compliance are documented.
- Role documentation, including updates, is accessible and available.
- Role documentation is referenced as part of staff training.
- Management assurance periodically checks that staff are appropriately trained and confident with their roles and responsibilities in respect to VAT compliance.
- There is a clear process for the escalation of VAT issues and queries.
- Segregation of duties is in place where appropriate, to have confidence in checks and sign-off.
- Key staff and processes have contingency cover in place.
- Key staff and processes have a succession plan in place.
Third-party services
VAT processes and compliance activities, such as customer billing or tax reporting, may be outsourced to a third-party provider. We provide more information in Outsourcing (part 9) of these guidelines.
IT infrastructure
Both the in-house and outsourced IT Infrastructure of larger businesses will probably aim to meet some or all of the IT Governance standards that are recognised in the UK.
A risk area for VAT exists where data is transmitted across system interfaces and loss or change can occur.
Control points
- Interfaces between systems should be documented for VAT process flow as necessary.
- Interface controls relevant to VAT information should be documented.
- Interface failures relevant to VAT information should be reported and investigated.
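An interface control of the kind these control points describe, as an added example rather than HMRC's own material: the sending system issues a manifest with a record count, a VAT control total and a keyed digest, and the receiving system reconciles each batch against it. The field names, sample invoices and shared key are constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed demo key; in practice it comes from a secrets store.
INTERFACE_KEY = b"demo-key-not-for-production"


def _canonical(records):
    # Stable serialisation so both systems hash identical bytes.
    rows = sorted(records, key=lambda r: r["invoice_id"])
    return "\n".join(f'{r["invoice_id"]}|{r["net"]}|{r["vat"]}' for r in rows).encode()


def build_manifest(records, key=INTERFACE_KEY):
    """Sender side: record count, VAT control total and HMAC over the batch."""
    return {
        "count": len(records),
        "vat_total": str(sum(Decimal(r["vat"]) for r in records)),
        "mac": hmac.new(key, _canonical(records), hashlib.sha256).hexdigest(),
    }


def reconcile(received, manifest, key=INTERFACE_KEY):
    """Receiver side: list the interface failures to report and investigate."""
    failures = []
    if len(received) != manifest["count"]:
        failures.append(f"record count {len(received)} != expected {manifest['count']}")
    vat_total = sum(Decimal(r["vat"]) for r in received)
    if vat_total != Decimal(manifest["vat_total"]):
        failures.append(f"VAT control total {vat_total} != expected {manifest['vat_total']}")
    mac = hmac.new(key, _canonical(received), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, manifest["mac"]):
        failures.append("batch digest mismatch: content lost, changed or not from the sender")
    return failures


# Constructed sample batch leaving the billing system.
SENT = [
    {"invoice_id": "INV-1001", "net": "100.00", "vat": "20.00"},
    {"invoice_id": "INV-1002", "net": "250.00", "vat": "50.00"},
    {"invoice_id": "INV-1003", "net": "80.00", "vat": "0.00"},
]
MANIFEST = build_manifest(SENT)

if __name__ == "__main__":
    dropped = SENT[:2]  # zero-rated record lost: the VAT total still agrees
    offset = [dict(SENT[0], vat="25.00"), dict(SENT[1], vat="45.00"), SENT[2]]
    for name, batch in (("intact", SENT), ("dropped", dropped), ("offsetting", offset)):
        print(name, reconcile(batch, MANIFEST))
```

The three checks overlap on purpose: a lost zero-rated invoice leaves the control total unchanged and is caught by the count, while offsetting changes leave both count and total unchanged and are caught only by the digest.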
Artificial Intelligence
The use of Artificial Intelligence (AI) and Machine Learning in tax tools is increasing. Traditional computer code ensures data is processed in the same way each time. Machine Learning takes a different approach and works on data input to build new sets of rules. Use cases in tax include:
- chatbots answering tax questions
- transaction processing
- tax code classification
- document processing including sentiment analysis (assessing good, bad or indifferent opinion)
- generative AI producing documents on tax and business analysis
Control points
- There should be an awareness of the risks around training data quality for algorithmic tools, which needs to be sufficiently cleansed and up to date.
- Testing should involve a realistic volume of data input (as seen in the live system).
- Procedures are in place to schedule and monitor the deployment of AI tax tools.
- Tax decisions that rely on algorithms should be explainable in terms of decision factors and audit trail and monitored for accuracy.
Configuration data
System configuration is the process of adjusting settings and parameters within a computer system to align with a business’s specific needs and requirements. The resulting configuration data is important for VAT processing and reporting. Organisational unit structure should facilitate the reporting of VAT through the correct VAT registration. Well-maintained VAT determination data supports the correct calculation of VAT values.
Control points
- Business units within an organisation should have standardised configuration processes where possible.
- Where practical, company codes should accurately reflect UK VAT registrations to aid VAT reporting.
- Organisation hierarchy should accurately map to VAT group and divisional registrations.
- Changes to organisational data should be authorised, accurate, cross-checked, promptly processed and recorded.
- Only authorised individuals should create new tax codes, if these are being used to identify VAT liabilities.
- A record of tax code set up and changes is kept.
- Tax codes have a clear description and VAT rate.
- Where appropriate, tax codes have accurate determination logic derived from master data and shipping information such as ship-from and ship-to indicators.
- Tax codes are accurately configured for output or input tax.
- Tax codes are linked to the correct general ledger account, for example output and input tax, reverse charge, 50% recovery or non-deductible.
- Tax codes are unique.
- Tax codes and rates reflect current legislation and codes not in use are disabled.
- The tax code list is sufficient to cover all organisational supply chains and VAT rates applicable to the sales and purchases made by the business.
- Tax code use is monitored (using data analysis where reasonable) and errors are flagged to posting teams to reduce errors.
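A sketch of the tax code monitoring these control points describe, as an added example rather than HMRC's own material: it checks a tax code table for uniqueness, description and rate, output or input direction, general ledger link, authorised creation and unused active codes, then compares the table with the codes seen in postings. The table layout, account numbers, user names and sample rows are constructed assumptions.

```python
from collections import Counter, namedtuple

TaxCode = namedtuple(
    "TaxCode", "code description rate direction gl_account created_by active"
)

# Constructed assumptions: expected GL account per direction, authorised maintainers.
EXPECTED_GL = {"output": "2200", "input": "2201"}
AUTHORISED = {"tax.manager"}


def check_tax_codes(codes, used_codes):
    """Return (code, finding) pairs for tax codes that breach a control point."""
    findings = []
    seen = Counter(c.code for c in codes)
    for c in codes:
        if seen[c.code] > 1:
            findings.append((c.code, "not unique"))
        if not (c.description or "").strip() or c.rate is None:
            findings.append((c.code, "missing description or VAT rate"))
        if c.direction not in EXPECTED_GL:
            findings.append((c.code, "not configured as output or input tax"))
        elif c.gl_account != EXPECTED_GL[c.direction]:
            findings.append((c.code, "linked to unexpected general ledger account"))
        if c.created_by not in AUTHORISED:
            findings.append((c.code, "created by unauthorised user"))
        if c.active and c.code not in used_codes:
            findings.append((c.code, "active but not in use, should be disabled"))
    # Postings that reference a code which is missing from the table or disabled.
    active = {c.code for c in codes if c.active}
    for code in sorted(set(used_codes) - active):
        findings.append((code, "used in postings but not an active tax code"))
    return findings


# Constructed sample configuration and the codes found in the period's postings.
TAX_CODES = [
    TaxCode("A1", "Output VAT standard rate", 20.0, "output", "2200", "tax.manager", True),
    TaxCode("V1", "Input VAT standard rate", 20.0, "input", "2201", "tax.manager", True),
    TaxCode("V1", "Input VAT reduced rate", 5.0, "input", "2201", "tax.manager", True),
    TaxCode("X9", "", None, "output", "2201", "ap.clerk", True),
]
USED_IN_POSTINGS = {"A1", "V1", "Z0"}

if __name__ == "__main__":
    for code, finding in check_tax_codes(TAX_CODES, USED_IN_POSTINGS):
        print(f"{code}: {finding}")
```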
Master data
Master data is core to a business and is used in the processing of sales and purchases transactions. VAT indicators attached to master data records help ensure the accurate calculation of VAT values.
Customer master data information may include:
- name
- addresses
- VAT registration number
- VAT determination indicators such as country code or VAT exemptions
- pricing and billing currency
Supplier master data information may include:
- name
- addresses
- VAT registration number
- VAT determination indicators such as reverse charge applicability and VAT code
Product or stock master data information may include:
- description
- VAT determination indicators, including VAT liability code
- pricing and discounts
Control points
- New customers and suppliers should undergo appropriate due diligence.
- Master data entries are uniquely referenced.
- Changes to master data should be authorised, accurate and promptly processed.
- A change log should be kept that includes, for example, a date and time stamp.
- A process is in place to ensure master data remains current.
- All customer master data repositories must be aligned.
- Customer data includes corporate and VAT group identifiers if applicable.
- Customer data includes VAT indicators for the correct identification of international services, if applicable.
- Customer VAT numbers are verified.
Source documents
Source documents prepared by an organisation such as contracts, orders and billing timesheets are part of the financial and tax control framework.
Control points
- Documents should be created by authorised and suitably qualified staff following established procedures.
- There should be appropriate segregation of duties regarding origin and approval.
- Documents should be created using good input-form design to minimise errors.
Data input, transmission and output
Data from hard-copy source documents, whether internally created or received from customers and suppliers, is entered into financial systems for processing. Data can be transmitted between applications and output produced for information.
Control points
- Data input should be performed in a timely manner by authorised and suitably qualified staff.
- Transaction authorisation levels should not be compromised where correction and resubmission of data occurs.
- Original source documents are retained for the appropriate amount of time for error correction.
- Transaction data should be accurate, complete and valid.
- Transaction data should be corrected without disrupting the processing of valid transactions.
- Corrections should occur as close to the point of origin as possible.
- Addressing should be checked before transmission of data.
- Authenticity of origin and integrity of content controls should be in place for transmission of data.
- Access to data output should be authorised.
- Data output should be delivered to the appropriate recipient.
- Data protection, such as encryption, should be considered during transmission or transport of data output.
- Output should be subject to accuracy verification, error detection and correction.
- Data output should be used appropriately for valid business purposes.