The ATO has developed a tax risk management and governance review guide for business. While aimed at large business, there are guidelines for small to medium businesses as well.

The ATO is encouraging businesses to adopt an internal control framework to self-assess tax and operational risks.

The full guide addresses responsibilities of both boards of directors and management personnel.

Small to medium entities may not have the formal documents of large entities, but nevertheless the same principles can apply.

• Role of management in authorising suppliers, granting credit to customers, controlling bank accounts and so on
• Levels of access and permissions granted to staff appropriate to their role
• Staff, management and board roles and responsibilities should be clearly defined and documented, with appropriate segregation of duties and security processes
• Adoption of documented policies and procedures
• Controls are checked internally by existing staff and/or business owners rather than an external person or entity
• Audit trail records
• Code of conduct for staff and associates—this may be more formal in a large business, but may be informally adopted through the accepted culture of a small business
• Chains of authority, communication and reporting should be clear
• Directors should understand their legal liabilities, rights and obligations
• Adoption of technology and information controls and security procedures
• Record keeping policies and procedures
• Accounting software and procedures