Skip to main content


Audit & Assurance
Governance Risk & Compliance


Establishing a Tax Control Framework: The utility and necessity of IT

The Dutch Tax Administration has developed a new approach to supervise tax paying organizations. It is called “horizontal supervision.” A vital element in this approach is the “Tax Control Framework.” This article will clarify why it is not only helpful but necessary to apply IT and ERP-systems when setting up a TCF.


Prompted by the economic crisis, the interest in risk management has grown substantially. Traditionally, tax risks were not high on the agenda in the area of risk management. But times are changing.

The growing attention to tax by legal bodies and investors is primarily caused by the material impact tax has on the financial position of companies. Stakeholders, like investors, the Tax Administration and other supervising bodies, are asking for a new approach to coping with tax issues. What is at stake is more than complying with tax laws and regulations. Transparency, insight into fiscal risks and adequately controlling these risks are becoming more and more important. Apart from better understanding and controlling tax risks, this will enable companies to benefit from tax opportunities.

Besides the fact that companies are “in control” of their tax issues, it is important that this can be demonstrated to stakeholders, like the Audit Committee, the management and the tax authorities.

Among global tax authorities a similar trend is apparent. They are leaving the path of performing elaborate tax audits as in past years and are increasingly turning to current tax issues, control processes, tax strategies and tax risk management. This approach is shared and promoted by the Organization for Economic Cooperation and Development (OECD) ([OECD08]).

Tax authorities in many countries are refocusing their attention to developing similar initiatives:

  • US Compliance Assurance Program
  • Ireland Cooperative Approach to Tax Compliance
  • UK Compliance Risk Management
  • Australia Forward Compliance Arrangement
  • South Africa Enhanced Relationship Program
  • South Korea Horizontal Compliance for Corporations
  • China Large Business Taxation Department

In the following paragraphs, the concepts “horizontal supervision,” “compliance agreement” and “tax control framework” are explained in more detail. These concepts are the result of the increased attention to tax risks.

Horizontal supervision and compliance agreement

The Dutch Tax Administration describes the following in an announcement regarding horizontal supervision:

“Investigations in the past fiscal year were unsatisfactory for companies, but also for the Tax Administration whose objective is to deal with current tax issues. Sometimes, extreme positions were taken by the parties involved. There was little trust between the parties and little information was shared. Resolving a disagreement led to long delays and high costs for both sides. That did not contribute to enhancing compliance, which was one of the main objectives of the Tax Administration. In order to achieve the objective of enhanced compliance, the Tax Administration introduced horizontal supervision.”

In short, “horizontal supervision” means that the company and the Tax Administration approach each other differently. Trust, transparency and mutual respect are key. Horizontal supervision is in line with developments in the area of corporate governance.

The compliance agreement is the ultimate form of horizontal supervision. In such an agreement specifications are made about the way both parties will cooperate. If a company wants to apply for a compliance agreement, the Tax Administration expects that an adequate TCF is in place or that serious steps are being taken in order to implement a TCF within a reasonable time frame.

Because of horizontal supervision, the focus on a TCF has increased significantly. Often it is assumed that a TCF is a result of horizontal supervision. This is not true. Even companies that do not have a compliance agreement would benefit from implementing a TCF. Not because it is a recommendation from the tax authorities, but because they themselves believe that being in control of tax is essential for good business operations.

Tax control framework (TCF)

A TCF is a set of processes and internal control procedures (hereinafter referred to as “Controls”) ensuring that a company’s tax risks are known and controlled. A TCF is an important means to manage an organization’s overall tax matters.

In principle, it includes all the taxes applying to an organization: for example corporation tax, payroll tax, sales tax and excise duty. However, regulatory energy tax, gambling tax, environmental taxes, container taxes, car taxes, airfare taxes etc. should, where appropriate, also be incorporated into a TCF. The complete, accurate and timely submission of tax returns and payment of assessments also falls within the scope of a TCF.

The above-mentioned types of taxation have interfaces with almost all business processes. Closing a transaction and issuing an invoice, elements of the primary business processes, may impact upon corporation tax, sales tax and excise levies. A TCF is therefore an integral part of an overarching business control framework (BCF).

Because the audit approach of tax authorities is largely determined by the manner in which a company controls its tax and other processes, tax authorities must evaluate the design, implementation and effectiveness of the TCF. In the Netherlands, the Tax Administration has not imposed any minimum requirements on TCFs, but offers guidance for the creation of a good TCF. It has identified the COSO model as a logical starting point, since it is the international standard for setting up an internal control system and is already used by many companies for the creation of a BCF.

A TCF enables a company to achieve its operational and financial tax goals and to implement its tax strategy in a manageable and controllable manner. A TCF helps a company communicate clearly about tax issues with all its external and internal stakeholders.

Benefits of a TCF

A TCF should lead to fully functioning tax procedures. This has several advantages:

  • Work is up to date
  • Certainty about tax position (no more “surprises”)
  • Image improvement, increased stakeholder confidence
  • Efficient and effective control system for taxation
    • Improved quality of tax data
    • Faster reporting of tax
    • Better understanding of the tax situation, providing more insight into tax options
  • Fewer corrections during tax audits and lower audit costs

Additionally, a TCF is useful for much more than concluding a compliance agreement. While a compliance agreement is concluded with tax authorities and has national scope, a TCF can also be used internationally (as an integral part of a BCF), bringing all of an organization’s tax concerns “under control.”

Developing a TCF

The previous section described how a TCF covers all of an organization’s tax issues and how most business processes, often supported by different IT systems, have a direct impact on taxation. IT systems incorporate many control procedures designed to mitigate risks. The role of IT (and thus the involvement of IT consultants and auditors) is also essential in a TCF.

Designing, implementing and maintaining a TCF may involve the following phases. The role of IT is indicated for each phase.


Figure 1: TCF method

Phase 1: Planning

The aims and scope of a TCF are established in Phase 1. This involves such issues as the purpose for which the organization wants to use the TCF, the type(s) of tax on which the organization wants to place the primary focus, the decision to only use the TCF for one or more countries, etc. Another important concern is the establishment of a project team and formulation of the terms for controlling the TCF project (including project management and obtaining of resources). It is wise to first run a limited pilot. No specific IT activities are performed at this stage.

Phase 2: Insight

In Phase 2, a large number of cases are identified as a “baseline.” Not entirely voluntarily, we identify the tax strategy, the legal and tax structure, the main products/services and markets, the tax organization, tasks and responsibilities relating to taxes, the main types of taxes, the relevant business processes, IT systems (including authentication mechanisms) and other registries. This broad approach to the organization is required to identify where and how taxation affects the processes in the organization, so that a thorough tax risk analysis can be performed. It is also necessary to determine whether and, if so, to what extent these risks are covered by (automated) Controls.

Since “soft controls” have a major impact on the proper working of “hard controls,” they are also addressed. Examples are “tone at the top,” the motivation and training of employees, corporate culture, the presence of a code of conduct, compensation structure, leadership style, values and tax awareness. Tax authorities usually consider soft controls when assessing the TCF process in connection with the possible conclusion of a compliance agreement.

Eventually, the work in this phase finishes by identifying and describing internal Control deficiencies and prioritizing the next steps in the project to eliminate these defects.

IT has an active role at this stage in the analysis of processes and IT systems. When performing a risk analysis, it could be useful to have an IT auditor or consultant contribute his or her extensive experience.

Phase 3: Design

The design phase focuses on the (re)design of Control procedures. The performance of this task is of course linked to already existing procedures. Where possible, the procedures will be placed in the IT environment, mostly because automated Controls are more efficient and more effective than manual ones. This especially applies to procedures targeting risks in routine processes. For non-routine processes, such as mergers, acquisitions, IPOs or refinancing, an organizational, procedural approach is the more obvious route to take.

IT has an active role in identifying and determining existing and future Controls in tax-relevant IT systems.

Phase 4: Implementation

New and/or modified Control procedures are implemented in this phase, but not before agreeing on priorities in consultation with management and setting a schedule for improvement. “Key Controls” and obvious “control gaps” are first addressed, enabling an initial effort to generate major progress. Communication with all the employees and departments is crucial in this phase. If necessary, employees must be informed, instructed and/or trained. It goes without saying that the role of IT in this phase is also important for the successful implementation of an effective TCF.

Phase 5: Monitoring

Assessing the design, implementation and effectiveness of the Control procedures put in place for the TCF is essentially no different from assessing the implementation and effectiveness of other Controls that are part of the BCF. Wherever possible, this testing is incorporated into the management control processes (self assessment), the audit plan of the internal audit department and/or included in the audit of the external auditor.

While the implementation and effectiveness can, to a large extent, be assessed by direct observation, the repetition of procedures, procedural testing, line checks, etc., great importance is also attached to performing substantive file analysis and (mathematical) sampling of various elements. This enables critical items to be identified and monitored in an efficient manner. Tax authorities are familiar with these methodologies and will appreciate their value. IT will also play an important role in this phase.

The issue of materiality is relevant at this point. The standard of materiality employed by tax authorities is normally much lower than the one used on financial statements. However, the Netherlands Tax Administration notes in this regard that, in “low” level business processes, materiality hardly plays a role; control measures are not designed to ensure that only material items are subject to control. The low materiality standards of tax authorities seem reasonable considering the effectiveness of internal control procedures. The quantity of substantive (monitoring) activities to be performed is then greatly reduced, because a large part can be based on existing internal control procedures.

The findings arising from testing the implementation and effectiveness of a TCF together with changes in internal and external environments form the basis for continuous adjustments and improvements to the TCF.

Integration of a TCF and a BCF into a single platform

In its memorandum, the Netherlands Tax Administration states that a TCF should be regarded as part of a business control framework (BCF). Many companies have been experimenting with a BCF in response to regulations such as the Tabaksblatt Code and Sarbanes Oxley.

In practice, companies are still clearly finding it difficult to comply with such regulations and to demonstrate their compliance. An integrated BCF is set up to reduce the pressure to perform “testing” and “monitoring” activities to a degree that is acceptable to the business and, ultimately, to provide a “single view of risk” ([KPMG08]). This integrated BCF (Figure 2) will include all the Controls required to comply with relevant laws and regulations. In this way, Controls defined for different purposes are effectively and efficiently implemented.


Figure 2: Integrated approach to TCF and BCF ([KPMG08])

Support by automated tools

A fully integrated BCF is often a complex whole, and an automated tool to monitor Controls may provide a means of handling the complexity. There are many software applications available on the market that deal with governance, risk and compliance. Specific TCF tooling is becoming more widespread.

KPMG Meijburg & Co. has worked with a risk management software company to develop an application that enables a TCF to be completely set up and managed (in-house management by the organization) and to be fully integrated with or expanded by new or existing risk management applications. This application is based on COSO and contains sample risks and Controls for virtually all tax resources. It furthermore responds to the requirements and demands of many clients as well as building on extensive practical experience. Figure 3 provides an overview of the tax risk management section of the application. Figure 4 shows one of its reporting capabilities, in which the “In Control” status is displayed for each entity, tax type and process.


Figure 3: Tax Risk Management Section


Figure 4: Reporting Section

The role of ERP systems

In recent years, companies have acquired a great deal of experience in setting up BCFs and, in many cases, bringing them to maturity. By this, we mean that the Controls in the initial BCF, which are primarily manual, are further developed to the point of being automated and becoming therefore often more efficient. A TCF can be immediately integrated into this development without having to go through the learning curve again.

It could be argued that tax controls are divisible into those that ensure the quality of the reporting processes and those that are incorporated into primary business processes and provide the input for the reporting process (see Figure 5). The latter mainly comprise procedures for providing assurance about the accuracy and completeness of this input. For instance, controls may be established to ensure that a VAT declaration is submitted on time to the authorities in various countries and with adequate checks and balances. In this case, the Controls pertain to the reporting process. In business processes, it is possible to guarantee, while considering the probability of error, that VAT codes can never be entered on sales orders manually but are always automatically defined by the system and based on decisive rules. As a result, the accuracy and completeness of the input for the VAT return is ensured by the decision logic. Figure 6 contains several examples of similar VAT risks and their corresponding application Controls.

In most modern ERP systems, the development of this logic is a matter of parameterization and master data management. Assessing the quality of the decision logic in this case is an important control. Testing or data analysis should first be used to establish that the decision logic is functioning properly and can be relied on. To do this, it will be necessary to determine if the change management process in an ERP Competence Center is of sufficient quality for the ERP system in general and the decision logic in particular. A particular concern here is that, when analyzing the impact of a change request, sufficient attention is given to the consequences of the change on tax compliance. In this respect, there is nothing new under the sun. This principle has been long known insofar as it applies to BCFs.


Figure 5: Scope of tax controls


Figure 6: Examples of specific SAP VAT risks and application controls ([Zege07])

Useful tips for successful establishment of a TCF

The authors have extensive practical experience in designing, implementing, maintaining and optimizing business control frameworks and tax control frameworks.

For successful implementation of a TCF (or BCF), they would therefore like to offer you the following practical tips:

  • Dynamic: A TCF must be dynamic – not a snapshot but a film! A TCF goes beyond a quick scan of tax risks and internal Controls. The company tax department should know what is happening within the organization and be involved in it. No cabinet full of paper checklists will suffice.
  • Start small: The trick is to set up a workable and manageable TCF. Limits are necessary. It can always be expanded later. Start with 1 tax type, 1 division and a limited amount of risk. Provide support within the organization.
  • Integration: Contrary to popular belief, a TCF is certainly not just used by tax departments, but also by other staff and departments, such as risk managers, controllers, internal audit and IT. It is absolutely necessary to work with these departments in order to achieve a good and workable TCF as a component of the company’s overall risk management.
  • Platform: Provide an integrated platform for tax and other risk management. Our experience indicates that an organization generally develops a great many Controls for business control frameworks that are not thought to belong to a TCF and that are solidified into a number of procedures. An integrated platform makes everything dynamic. It is important to ensure integration with a business control framework.
  • Automated tools: A fully integrated BCF is often a complex whole. An automated tool to monitor Controls may provide a means of handling the complexity.
  • Structure: A structured and codified approach ensures that a TCF focuses on key risks and processes.
  • Communication: Organizations usually have everything under control. What is difficult is to show that this degree of control exists. This requires communication with other departments, internal and external auditors, directors, tax authorities and supervisors. In our view, a clear TCF with structured overviews and reports is essential for this communication.

We would also like to emphasize one final time that, although the attention given TCFs has certainly been strengthened by horizontal monitoring, controlling all of a company’s tax matters is essential for good business. A TCF should not therefore be limited to taxation in the Netherlands. Application to all national and international tax considerations will not only enable an organization to better manage its tax risks but also to gain greater insight into the possibilities of profiting from tax opportunities.


[Bela08] Tax Control Framework; Van risicogericht naar “in control”: het werk verandert, Belastingdienst, March 2008.

[KPMG08] KPMG, Governance, Risk, and Compliance: Driving value through controls monitoring, KPMG Advisory, 2008.

[KPMG09] KPMG, Total TAX Control, Tax Accounting & Control Services, KPMG Meijburg & Co, 2009.

[OECD08] Organization of Economic Cooperation and Development, Study into the Role of Tax Intermediaries, Fourth OECD Forum on Tax Administration, Cape Town, South Africa, January 2008.

[Zege07] A.T.M. Zegers, Omzetbelastingwetgeving en ERP systemen – een overbrugbare kloof?, Master’s Thesis, Eindhoven University of Technology, The Netherlands, 2007.