RRM Guidelines and Toolkit V2.1 Final
in consortium with
ACA/2020/417-214
Funded by
The European Union
This publication was produced with the financial support of the European Union. Its
contents are the sole responsibility of DT GLOBAL IDEV Europe S.L. and do not
necessarily reflect the views of the European Union.
Revenue Risk Management Guidelines and Toolkit
Sub-Activities: 1.2.1.1 and 1.2.1.2
Prepared by:
Revenue Risk Management Non-Key Expert: Aija Mackenzie-Frazer
June 2022
1. Table of Contents
1. TABLE OF CONTENTS
2. ACRONYMS
3. INTRODUCTION
3.1. GUIDELINES AND TOOLKIT RELATIONSHIP TO APPROVED WORKPLAN
3.2. SCOPE OF GUIDELINES AND TOOLKIT
4. DEFINING AND COMPUTING RISK
4.1. PURPOSE OF THE RISK MANAGEMENT FUNCTION
4.2. RISK ASSESSMENT AS A COMPLIANCE TOOL
4.3. WHAT IS RISK IN THE TAX CONTEXT
4.4. RISK CATEGORIES
4.5. COMPUTING RISK
4.5.1. DETERMINING RISK PROBABILITY (P)
4.5.2. CONSIDERING WEIGHT IMPACT OF PREVIOUS AUDITS
4.5.3. DETERMINING RISK SEVERITY (S)
4.5.4. APPLYING PROBABILITY AND SEVERITY TO DETERMINE RISK (R)
4.5.5. SELECTING CASES ABOVE THE AUDIT THRESHOLD
4.5.6. FUTURE ENHANCEMENT
5. THE AUDIT PLAN
5.1. THE PROCESS TO PREPARE FOR THE AUDIT
5.2. DESCRIPTION OF AUDIT PLAN
5.2.1. WHY DO WE NEED AUDIT PLAN
5.2.2. COMPILATION PROCESS
5.2.3. DETERMINE THE NUMBER OF CASES THAT CAN BE MANAGED
5.3. OBTAINING THE DATA NEEDED FOR RISK ASSESSMENT
5.3.1. DATA COLLECTION FROM PAPER-BASED DATA SOURCES
5.3.2. DATA SOURCED FROM AUTOMATED ENVIRONMENT: E-FILING AND FUTURE NBR SYSTEMS
704052653.docx Page 4 of 45
7.6. USING RISK AS AN AUDIT TOOL
7.6.1. TYPICAL AREAS OF SUSPICION FOR DIFFERENT TAX TYPES
7.6.2. AREAS OF SUSPICION DOCUMENTS TO BE CHECKED DURING AUDIT
7.7. STEP BY STEP GUIDE TO AUDIT PLANNING PROCESS
7.8. RECOMMENDED DATA MODEL FOR RISK DATA
8. CONCLUSION
1.1. Tables
Table 1: Example of selection criteria that can typically be used for probability determination
Table 2: Last audit multiplier
Table 3: Range of probability
Table 4: Example of risk criteria based on Bangladesh legislation
Table 5: Areas of suspicion for different tax types
Table 6: Step-by-step guide as to implement this risk-based, automated selection process
1.2. Figures
Figure 1: The Audit planning process
Figure 2: Sources of data permitting data mining as well as potential areas where risk analysis can be used in NBR
Figure 3: Risk based case selection and audit plan composition within NBR
Figure 4: Proposed, risk-based audit plan compilation process within NBR
Figure 5: Taxpayer risk related data derived from e-Filing as well as from DACON
Figure 6: Data model needed to support these systems related toolkit items
2. Acronyms
AUD Audit
DACON Data Consolidation Application
ENF Enforcement and compliance
ETX Employee Tax (final tax deducted by employer)
EU European Union
EUD EU Delegation (Bangladesh)
GoB Government of Bangladesh
IT Information Technology
ITX Income Tax
KE Key Expert
MIS Management Information System
MoF Ministry of Finance
NBR National Board of Revenue
NKE Non-Key Expert
OGA Other Government Agencies
PFM Public Financial Management
RET Returns processing
RRM Revenue Risk Management
TA Technical Assistance
TDS Tax deducted at source
ToR Terms of Reference
VAT Value Added Tax
3. Introduction
The project will assist NBR’s income tax wing in raising analytical capacity and
adopting effective risk management schemes. Planned activities aim at providing
NBR with operating guidelines for risk management and toolkits for risk analysis,
training staff on suitable risk planning approaches and risk analysis techniques,
supporting subscription to a reference database for transfer pricing, and providing
hands-on guidance to proactively develop a pilot risk management plan.
The purpose of this Guidelines and Toolkit is thus to provide guidance for staff responsible for
risk management activities within NBR. It sets out the operational guidelines for business
processes that need to be understood and followed, along with the toolkit for risk analyses to
assist in this process.
Currently, Bangladesh taxpayers can submit their Income tax return in paper-based format or
use e-filing as an alternative during the same period. NBR plans to migrate most taxpayers to
e-Filing in the next five years. During that time NBR is planning to implement an interim system
called DACON to manage paper-based returns until all taxpayers have been migrated to
e-Filing.
This Guidelines and Toolkit also explains how the risk management process can be
implemented with DACON and how it can be used to:
- Start the data cleansing process via detection of:
  - deceased / liquidated / deregistered taxpayers,
  - duplicate taxpayers (distinct TIN, but same name, address, telephone address, etc.),
  - incorrect data (incorrect contact information, taxpayer that moved to a new location and now should be in a different tax circle, etc.),
  - missing taxpayers (for example in the case of professionals, etc.).
- Intensify risk management and case selection based on data.
- Detect non-filers.
- Associate payments to each assessment and identify submitted returns that do not have associated payment challans.
It should be noted that this Guidelines and Toolkit deals with Risk Management as it applies to
Individual Taxpayers. The Risk Management approach applicable to businesses will be
addressed in a separate document or in a supplement to this Guidelines and Toolkit, as that
functionality has not yet been added to e-Filing and the detail of the fields to be captured in
DACON as an interim measure has also not yet been finalized. The approach for corporate tax
will have many similarities, but it is important to note that business risks have their
own unique approaches.
4. Defining and computing risk
A tax compliance risk management cycle is a structured process for the systematic
identification, assessment, ranking, and response to tax compliance risks (e.g., failure to
register, failure to properly report tax liabilities etc). As with risk management in general, it is a
constant process that consists of well-defined steps to support improved decision-making:
- Identification – obtaining a clear and detailed understanding of the relevant risks and how those break down into different forms of non-compliance (such as registration risk, late filing risk, under-filing of the correct amount of tax due, late or non-payment risk).
- Analysis – taking the risks identified at the previous stage and obtaining a clear and detailed understanding of the scale and impact of each risk, the groups of taxpayers who most contribute to this risk, and the sort of behaviours which lead to the risk materialising.
- Prioritisation – building on the risk assessment developed at the previous stages as well as its overall compliance strategy, the tax authority will decide where to allocate its resources and what types of intervention/response to adopt.
- Response – deciding on the best and most appropriate tool to tackle non-compliance.
- Evaluation – in which the results of the cycle are evaluated, and lessons learned applied to future cycles.
Risk Management is designed to identify non-compliant behaviour and provide the taxpayer
with the motivation to join the tax system and comply with tax laws. Ideally, any such risk
management process should comply with the following requirements – and further in this
document, we will indicate how these requirements could be specifically tailored to fit NBR’s
processes, regulations and legislation. An effective risk-based compliance system should
contain the following characteristics:
- The system should identify cases that are created and allocated through pre-determined risk assessment criteria and should provide a process for continuous risk management/assessment, via the following steps:
  - Risk identification,
  - Risk assessment and prioritisation,
  - Analysis of compliance behaviour - causes and options for treatment,
  - Determination of treatment strategies,
  - Application of strategies,
  - Evaluation of outcomes.
- The system should enable the development of predictive risk models to identify potential risk (e.g. taxpayers who may not be completing their returns properly – reporting risk).
- The system should have the capability to develop analytic models enabling NBR to evaluate the tax at risk for a potential audit, the tax risk from a missing return or declaration, in addition to the tax at risk for balances owing or instalments not paid.
- These analytic models should use available information to build a given taxpayer’s risk level. These models should assign overall scores to taxpayers based on:
  - The taxpayer’s profile,
  - The taxpayer’s tax history,
  - The amount of tax revenue at risk,
  - Third party information.
- The system should have the capability to recommend treatment strategies for risks identified:
  - Conduct risk analysis of returns and other data to automatically select cases for audit,
  - Prioritise selected cases based on predetermined risk management criteria,
  - Select cases based on random criteria (risk testing),
  - Allocate cases for action via the case management system.
- The system may enable the management of risk at various levels including: tax compliance, taxpayer segment, and compliance risk.
- The system may allow for the analysis of risk using data grouped in the following areas:
  - Economic and tax data, for example industry indices and ratios concerning economic growth of a business,
  - Data supplied by taxpayers, for example the data from the tax return(s),
  - Data supplied by a third party, for example a bank, Customs Dept., VAT Dept.
Given this environment it would be inappropriate to recommend that the NBR develops fully-
fledged risk management at this stage. Indeed, with the weakness of the legacy system data to
be input into the e-system, it will be a while until the e-system has collected enough
information to enable such a system to be fully utilised. In the meantime, the Risk
Management system to be initially implemented should focus on a few basic risks so as to
introduce real “risk management” to the direct tax collection process (and NBR as a whole)
and build on this over time. DACON developers however need to be aware of the intended
end product that has been described above. It is also important to remember that DACON is
not an end, it is a means to an end – where all taxpayers submit returns via e-Filing and all risk
assessment is managed within the e-Filing applications.
The risk analysis system utilizes expert system technology to apply the knowledge and
experience of Revenue’s most experienced personnel (in the form of rules that make up the
knowledge base) to different parts of the available taxpayer information to develop a risk
profile of the taxpayer. This profiling technique establishes detailed observations and ranking
scores for each taxpayer. This step can be scheduled to take place at different times in the
year or it can be undertaken on an ad hoc basis.
An important feature of the system is auditor participation in the formulation of new rules,
amending existing rules and in identification of new data. The Audit Manager shall be
responsible for the local development, testing and revision of the rules before they are
submitted to the “live” system.
The system shall therefore facilitate the capture and incorporation of audit results, auditors’
experience and insights. It also shall allow for the evaluation of the rules and scoring against
the actual audit results.
“Anything negative that can affect the organisation's ability to achieve its
objectives.”
Thus, to have risk, one must have both uncertainty and exposure to loss. Risk consists of
vulnerability, severity or significance, and relative occurrence or frequency.
In theory, risk ranges anywhere from zero (0.0), where there is complete certainty of no
material misstatement, to one (1.0), where there is complete certainty of a material
misstatement. In practice, however, risk is always greater than zero. There is always some risk
of material misstatement as it is not possible, (except for the audit of the simplest of financial
statements), due to the limitations inherent in both accounting and auditing, to be absolutely
certain a material misstatement will not exist.
4.4. Risk categories
We can categorise tax risk into the following:
- Registration risk: Those that are on the register but have no entitlement to registration: within this category the full range of taxpayers can be found, ranging from ‘Carousel’ fraudsters and classic repayment frauds through to potentially compliant taxpayers who by act of error or omission have remained registered when entitlement ceases. Also, those who fulfil the requirements to register but fail to do so: this encompasses the informal economy, taxpayers who remain unregistered for some taxes and taxpayers who use avoidance devices to remain unregistered. Incorrect information about a taxpayer being held on the register: data quality will always be an issue, and there is also a danger of carrying out inappropriate treatments based on incorrect information as well as the potential for tax loss due to incorrect information being held.
- Filing Risk: risk that tax yield will be understated/reduced by taxpayers not filing their returns by the due date. In order to provide the correct preventive and corrective treatments there is a need to be able to target those taxpayers likely to file their returns late, or not at all. There are many treatment options available to tax administrations to cover this risk before an audit is considered.
- Declaration Risk: risk that tax yield will be affected where the amounts shown on the tax return are incorrect by error or deliberate act. Traditionally, many tax administrations concentrated on this risk area with the intention of determining which cases should be selected for conducting audit activity. It is now being increasingly recognised that other treatment options are available to verify that the declarations made by taxpayers are correct and where error or fraud is discovered, to allow for corrective action to be taken. Tax administrations also have the option now to carry out preventive programmes to help and encourage taxpayers to get it right from the start.
- Payment Risk: risk that tax yield will be reduced by non-payment of amounts due on tax returns and assessments.
Payment risk and filing risk could be closely related but it is important to analyse them
separately since the treatments may vary. In times of economic recession, it is especially
important to manage taxpayers’ debts and to avoid accumulation of debts. The risk that
concerns Revenue is the risk that taxpayers will not comply with the Tax Act, either
deliberately or inadvertently with the result that NBR suffers a loss.
Generally, the larger the case, the greater the impact or consequence of a risk. Case size is a
function of turnover, no. of employees, size of balance sheet or a combination of two or more
of these criteria.
There are however exceptions to this rule: the impact of a risk in sectors with a high
profit:turnover ratio (e.g. professionals, services) may be just as great as in sectors such as a
high turnover retail business with a low profit:turnover ratio (e.g. supermarkets, petrol stations).
The combination of the probability and severity allows the manager to rank risks in order of
priority. This allows attention to be focused on those risks that have the greatest impact. The
manager must then decide which risks receive treatment and which are acceptable given the
resources available.
The likelihood can be expressed in both a qualitative and quantitative manner. When
discussing probability in a qualitative manner, terms such as frequent, possible, rare etc. are
used. It is also possible to describe the probability in a numerical manner. This can be done
using scores. As mentioned in the above section, we elect to use a scale of 0 to 1. Assign a
score of 0 when a risk is extremely unlikely to occur and use a score of 1 when the risk is
certain to occur. Using this approach, we can estimate the impact on the tax compliance if the
risk occurs.
We can then sum the possible score if all criteria were present – this is the highest score a
taxpayer could ever achieve, and this becomes the denominator in our probability equation.
The taxpayer's actual score is the numerator. The probability ratio can thus be expressed as
follows:
$$\text{Probability} = \frac{\sum \text{of actual weight scored}}{\sum \text{of highest possible weight score}}$$
Where the Probability score “P” will always be 0 < P < 1
Table 1: Example of selection criteria that can typically be used for probability determination

| Ref. | Criteria Name | Purpose | Criteria Standard | Weight (Individual) | Weight (Company) |
|---|---|---|---|---|---|
| 1. | Tax return not submitted | To identify cases where a taxpayer has not submitted a return | Income Tax return not submitted | 100 | 200 |
| 2. | Tax return submitted | To identify cases where | Income Tax return | 100 | 200 |
| 4. | The taxpayer's declaration of a loss for X consecutive years | To identify cases where a taxpayer has submitted returns with no tax payable declared. | Allocate score if “Tax payable” field in Tax return = 0 | 100 | 200 |
| 10. | The taxpayer’s declaration Actual paid as % of Actual paid is less than X% in taxpayer segment | Identifies taxpayers whose Actual paid levels have declined in taxpayer segment | Allocate score if Actual paid % for Year n < Actual paid % for Year n-1 in taxpayer segment | 100 | 200 |
| 11. | Earlier violations (assessment of the degree of violations found in previous | Identifies taxpayers who have previous violations | 1) If more than 20% of ITX was assessed to be under-declared during | 100 | 200 |
| 12. | The taxpayer has not been audited for an extended period | Identifies taxpayers who have not been audited recently | Score if taxpayer has not been audited in the previous five years. | 100 | 200 |
| Total | Sum of highest possible weight score (Probability Denominator) | | | 1,200 | 2,400 |

Note that these are illustrative weights.
We have included a proposed set of actual criteria in the toolset – that can readily be used by
NBR against the respective tax return forms used. Please see section 7.1.
The frequency of previous audits should be considered when computing the assessed risk. To
do this, NBR may create a selection criterion that considers the value and frequency of
previous audits. A score can be assigned if there was no previous audit, and the score may be
adjusted based on the time passed between the current date and the date of the last audit. The
Audit Manager may add a probability criterion for this domain based on:
Criteria score = value x last audit multiplier

Table 2: Last audit multiplier

| Last audit | Last audit multiplier |
|---|---|
| Audited in PY + 1 | 2 |
| Audited in PY + 2 | 3 |
| Audited in PY + 3 or greater | 5 |
4.5.3. Determining risk severity (S)
While the probability defines the likelihood of default by taxpayer, the severity is an indicator
of the loss that could be incurred by the Revenue Authority in the event of default. A high
probability score (P) – does not necessarily mean high risk – the absolute risk is a product of
both probability AND severity.
Severity is a measure of the financial exposure of NBR. The most readily accessible indicator is
the total tax owed by the taxpayer. This is normally read from the Debtor’s Ledger. In cases
where we do not have access to an automated debtor’s ledger, we recommend that NBR use
the tax due, as declared on the latest submitted tax return.
Assuming ACME Taxpayer Ltd. declared tax payable of BDT 100,000, this would be an
indicator of the Severity of its exposure. The actual value used depends on NBR policy
decision: declared taxable income on the return form is a common choice; total liability is a
better choice, but requires an accurate, accrual-based accounting system with individual
taxpayer accounts. Regardless of the financial measure used, the severity factor should be
applied consistently for all taxpayers and then forms the basis for computing overall risk.
From our examples above – we can compute the total risk score for the taxpayer concerned
as:
$$\text{Risk} = \text{Probability} \times \text{Severity}$$
or
$$\text{Risk} = P \times S$$
This implies a total risk score of 75,000. If ACME Taxpayer Ltd had a Severity score, or tax
exposure of BDT 25,000 – their risk score would be significantly reduced to 18,750.
Once we have allocated a risk score to each taxpayer, we sort these scores from highest to
lowest score. This forms the basis of case selection. NBR needs to define a given threshold
above which cases are selected for audit, and below which – they are ignored from a risk
assessment approach – primarily due to the limitation imposed by a finite number of auditors
and audit time capacity.
Going back to example of taxpayer ACME Taxpayer Ltd – if the selection threshold was set at
50,000 – taxpayer ACME Taxpayer Ltd would have been selected for audit. This ties in to the
audit capacity which will be addressed below under “Audit Plan.”
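The scoring and selection steps described above (probability ratio, last audit multiplier, P x S, threshold and capacity), as an added Python example that is not part of the original guidelines or of any NBR system. The record fields, the base value of the last-audit criterion, X = 3 and all taxpayer data are constructed assumptions; the sample company's P of 0.75 is the value implied by the page's figures (75,000 / 100,000).

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence

# Illustrative weights from Table 1 (individual / company).
WEIGHT = {"individual": 100, "company": 200}
# Table 2 rows: N in "Audited in PY + N" -> multiplier; 3 or greater -> 5.
MULTIPLIER = {1: 2, 2: 3}
MULTIPLIER_MAX = 5
# Assumptions, not from the page: base "value" of the last-audit criterion
# and X in "loss for X consecutive years".
AUDIT_VALUE = {"individual": 20, "company": 40}
LOSS_YEARS_X = 3


@dataclass(frozen=True)
class Taxpayer:
    tin: str                         # constructed identifier
    kind: str                        # "individual" or "company"
    return_submitted: bool           # current-year return on file?
    tax_payable: Sequence[float]     # declared per year, oldest first (BDT)
    paid_pct: Sequence[float]        # actual paid %, oldest first
    audit_py_offset: Optional[int]   # N in "PY + N"; None = criterion not scored
    severity: float                  # BDT, tax due on latest submitted return


def last_audit_multiplier(n: int) -> int:
    """Multiplier for 'Audited in PY + n' as listed in Table 2."""
    if n < 1:
        raise ValueError("Table 2 gives multipliers only for PY + 1 and later")
    return MULTIPLIER.get(n, MULTIPLIER_MAX)


def not_submitted(t: Taxpayer) -> bool:          # Table 1, ref. 1
    return not t.return_submitted


def zero_tax_payable(t: Taxpayer) -> bool:       # Table 1, ref. 4
    recent = list(t.tax_payable)[-LOSS_YEARS_X:]
    return len(recent) == LOSS_YEARS_X and all(v == 0 for v in recent)


def paid_pct_declined(t: Taxpayer) -> bool:      # Table 1, ref. 10
    return len(t.paid_pct) >= 2 and t.paid_pct[-1] < t.paid_pct[-2]


CRITERIA = (not_submitted, zero_tax_payable, paid_pct_declined)


def probability(t: Taxpayer) -> float:
    """Sum of actual weight scored / sum of highest possible weight score."""
    w = WEIGHT[t.kind]
    actual = sum(w for rule in CRITERIA if rule(t))
    # Highest possible score assumes every rule fires and the largest multiplier.
    highest = w * len(CRITERIA) + AUDIT_VALUE[t.kind] * MULTIPLIER_MAX
    if t.audit_py_offset is not None:
        actual += AUDIT_VALUE[t.kind] * last_audit_multiplier(t.audit_py_offset)
    return actual / highest


def risk(t: Taxpayer) -> float:
    """Risk = P x S."""
    return probability(t) * t.severity


def select_for_audit(taxpayers, threshold: float, capacity: int):
    """Rank by risk, keep cases above the threshold, cap at audit capacity."""
    scored = sorted(((risk(t), t.tin) for t in taxpayers), reverse=True)
    return [(tin, r) for r, tin in scored if r > threshold][:capacity]


# Constructed sample data (not real taxpayers).
ACME = Taxpayer("TIN-0001", "company", False, (90_000, 100_000),
                (95.0, 80.0), 3, 100_000)
ACME_SMALL = replace(ACME, tin="TIN-0002", severity=25_000)
COMPLIANT = Taxpayer("TIN-0003", "individual", True, (5_000, 6_000, 7_000),
                     (90.0, 96.0), 1, 400_000)
SAMPLE = [ACME, ACME_SMALL, COMPLIANT]

if __name__ == "__main__":
    for tin, score in select_for_audit(SAMPLE, threshold=50_000, capacity=10):
        print(f"{tin}: risk {score:,.0f}")
```

TIN-0003 has the largest severity in the sample but a low probability, so it stays below the 50,000 threshold, which is the point the text makes about risk being the product of both factors.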
For Income tax taxpayers, the audit selection will be based on the tax returns and the annual
balance sheet. The risk assessment will be influenced by the income tax findings on risk
probability and severity against norms and falling income trends. A comparison will be made
of the profitability of individual taxpayers matched up against the average for the industry,
(which can be either calculated or locally assessed) and where the declared profit exhibits a
falling trend. The size of the taxpayer will determine how many audit days will be spent on
examining the taxpayer’s records.
Audit selection for Income tax audit should be of the taxpayers showing (1) lower than
average profits for the industry of the taxpayer, (2) showing losses, or (3) exhibiting a falling
profit trend. The number of taxpayers selected will be limited to those taxpayers that can be
audited by the available auditors.
5. The Audit Plan
The planning process normally follows three main steps: (1.) Prioritisation and audit planning;
(2.) case selection and (3.) feedback collection.
The Audit Plan should be achievable and promote the efficient and effective use of resources.
The audit plan provides:
- a basis for the assessment of resource requirements;
- authority to act once approved by senior managers;
- something against which actual performance can be measured.
The Audit Plan sets the scope of audit work of those officers given “audit” responsibilities for a
time period of 12 (or 6) months. The Audit Plan should be updated every 12 (or 6) months
taking into account audit results, resources, unplanned audits and other factors influencing
audit work.
When developing an Audit Plan, a decision should be taken on the number of days necessary
for conducting audits, according to the risk assessment, existing resources allocated for audits,
skills and experience of staff conducting audits, as well as taking into account the specific
requirements of the NBR. The actual number of days needed for audit performance should
only comprise the time required by staff involved in audit work, and the time needed for their
supervisors to carry out their functions. This will determine the number of audit cases that
can be managed within the audit year.
Once the audit capacity has been determined, we can assign taxpayer cases to the audit plan.
To start with data analysis, there has to be data to analyse and the system or person doing the
analysis needs access to the data. This analysis itself can be either a rule-based approach or
using data mining techniques.
For NBR, a rule-based approach is recommended, as it may be more applicable as a starting
point because it does not require specific statistician or data scientist skills. Basically, it means
that, using tax auditors’ knowledge, NBR has to set parameter-driven rules that tell the
machine what to do with the data to find something in it or to rearrange it: different kinds of
calculations, groupings, calculating facts, etc. The standard of the tax auditor (analyst)
depends on her/his ability to create different relevant views of the data.
For effective data analysis, it is necessary to play with data, try different approaches and
different angles, link different tables, and look for correlations and deviations between
variables. There is no single everlasting solution, only a permanent search for a better model.
One of the key issues is to focus on the following relations:
- changes of variables during time period;
- mutual relation of two or more variables;
- changes in relations during time period.
It is easy if it is known what kind of relations or changes in time would be interpreted as risky.
It means risk criteria already exist and may just be applied to the data. If the risky behaviour or
risk profile is not described, then data would need to be observed to detect illogical patterns.
What to look for?
- Deviation from expected business logic behaviour.
- Unusual deviation from previous common behaviour.
- Deviation from comparable taxpayers’ behaviour.
The deviation needs to be assessed in the context of taxes. If the strange
behaviour does not bring any tax benefits, then it does not need much more attention. If it
does, there is a need to analyse further whether the deviation could be occasional or deliberate.
It is advisable to approach the data also from the risk point of view, that is, what is planned to
be detected from the data. For detection of different risks or for testing different criteria about
the same risk, distinct variables would be required. The proposed risk analysis model for the
paper-based return regime could be described as follows:
- defining what risk to detect (advisable to involve auditors’ representative also);
- figuring out what kind of data pattern could refer to that (requires provisional business side analysis of what a noncompliant taxpayer has to do to evade the tax);
- during analysis, it quite often turns out that some additional data is needed, which means repeated requests to IT, but that is the price that has to be paid if there is no direct access to the initial data source;
- after the analysis is completed, an overview of the risk’s nature and spread, and a list of possible audit cases;
- analysis results should be discussed with the representative of auditors to have a common understanding about the risk, and agreement that the selected risk criteria really helped to reach the right objects.
For the “raw” database (under the paper-based return regime) we should build an analytical
store, where there are already some aggregations, quality checks, merging of different tables,
etc., basically making the data more understandable. This should be the data source that can be
re-used and built on for other applications (e-Filing).
It can be said that analysis of the data that are in NBR’s possession is the only way to see and
understand the situation in the surrounding environment. Without proper data analysis, tax
auditors are aware only of things they have heard, seen, read or been in contact with, but
nobody has been in contact with the whole spectrum of taxpayers and their behaviour. Tax
auditors usually try to formulate the whole picture from different pieces they have received
through different channels. It is very common to approach through cognition but usually these
pieces of information are of a different size, from different time periods and may not match
with each other at all.
Relocating the mass data analysis from paper-based analysis to within e-Filing will reduce the
amount of manual work to be executed by NBR officers, both at the tax circle and central level.
It will help both to record return data in a system and to act on the taxpayers with
computer-generated reports, clearing the way for more taxpayers to file electronically. As
such, DACON should be expected to provide:
A database of taxpayer data obtained from the captured returns;
Along with these captured data, a set of outcomes of the risk criteria – for each taxpayer,
indicating their arithmetic score to the probability criteria;
Corresponding severity data, based on the determination methodology chosen by NBR;
Risk score per taxpayer;
From these collected and computed data, NBR will be able to derive:
Reports ready for the use of tax officers on suspect cases.
An iterative tool that can be used to refine and update the e-TIN tax database.
A simplified risk management solution, which can be used to select and prioritize cases for
both audit and collections.
Increased overall capacity of tax officers to deal with complex cases in an automated
environment.
5.32. Data sourced from automated environment: e-Filing and future NBR systems
Data mining is a process used by governments and organisations to turn raw data from
multiple sources into useful information using software to look for patterns in these large
batches of data.
Figure 2: Sources of data permitting data mining as well as potential areas where risk analysis can be used in
NBR
For a revenue authority, it means sorting through data that comes from internal tax-based
data stores, using data from other tax regimes (VAT and Customs in this case), and using
data from other government agencies. Private sector data, much of which is open source, also
provides a vast pool of invaluable information. Data mining is closely related to applied
statistics and, using its related algorithms, tax officers have the ability to identify key attributes
of tax processes and target opportunities.
The main logic of data mining is that it enables estimation: what is the probability that in a
given period something will happen that has happened many times before? This is the
foundation of the estimation of probability of taxpayer default, and the cornerstone of tax risk
assessment! There is a need to have enough historical data about the taxpayer-related data
set and a lot of different variables, some of which could predict the expected outcome.
Data mining is, however, not a tax department’s crystal ball.
6. Computing and allocating risk to each taxpayer
Compliance risks need to be identified at a level of taxpayer segmentation that
allows the NBR to treat the risks. Because taxpayer populations are not homogeneous, the NBR
may turn to segmenting the taxpayer population into groups with similar characteristics and
identifying compliance risks at these segment levels.
Risk can be analysed from a number of perspectives. Most commonly, it is analysed from the
perspective of the individual taxpayer. However, it can also be analysed from the perspective
of an industry grouping.
In a taxation context, the NBR may segment its taxpayers from the perspective of
business as ‘small’ businesses, ‘medium-sized’ businesses, and ‘large’ businesses. These
may be defined on the basis of turnover or gross revenues, but may also be defined on the
basis of assets or number of employees.
Other segments that may be used by the NBR are based on industry type (farming, professional, and
business), the type of tax (income tax, withholding tax) or the type of risk (declaration risk,
filing risk, payment risk).
It is envisaged that in Risk Management, the level of risk of taxpayers will be calculated
through a points system. For each criterion, the score can be expressed by assigning scores
from 1 to X (or as decided by the NBR based on needs). The overall score for the risk level of
taxpayers is calculated through an algorithm by adding up the scores assigned for each risk.
The NBR, based on its strategy, may revise the risks and scores.
Below is an example of a set of criteria to identify potential tax risks across different income
tax types and income tax returns for individual taxpayers. All numeric figures given in the
criteria are informative and included only for the purpose of better understanding. The exact
limits and coefficients need to be adjusted after analysis of individuals’ actual behaviour in
Bangladesh. This analysis must also answer the question of whether the relevant indicators
differ by size, region or activity of the individuals. In case of divergence, the risk shall be
adjusted accordingly for each of the groups under consideration.
Some of these risks cannot be applied until NBR has enough tax periods of data to be
able to apply them.
From the sample table, we see the natural person denominator as being 1,200. This is the
highest possible score a natural person taxpayer could score, and if that was the allocated
score, the risk probability would be P=1 (i.e. 1,200/1,200).
As an example, and using the above table, we allocate sample taxpayer ACME Taxpayer Ltd a
weighted score of 900. Knowing the denominator is 1,200, we thus compute probability as:
$$\text{Risk} = \frac{900}{1200}$$
In this example, P is 0.75. This is the probability of default by ACME Taxpayer Ltd. This range
of probability may be expressed in relative terms as per the below table (Note that a
probability score of zero implies that there is no probability of the event occurring, and a
probability score of 1 implies certainty that there will be default):
Table 3: Range of probability
Probability of default
Figure 3: Risk based case selection and audit plan composition within NBR
All generated cases that have a risk score above the selection threshold should be assigned a
unique case number and case generation date. Every case should have information about:
taxpayer (name, tax number)
tax period
tax type (Income tax, withholding tax)
risk score
refund amount (if it is a refund case where the refund decision has not been made)
audit type (verification, comprehensive, etc.)
audit duration (in case it can be set automatically)
The ideal system should also be able to send all automatically generated cases to the audit
manager (audit coordinator, supervisor or other manager) who is responsible for these types
of cases. For example, large taxpayer cases must be sent to the manager who is responsible
for large taxpayer audits, etc. The manager should have the possibility to add the audit duration (if
the audit duration is not set by the system), tax periods and tax types before assigning the case to an auditor. In
case the duration is set by the system, the manager can extend this duration only if an
extension decision is attached in the system.
The Audit Manager should also be able to generate manual cases. In such a case the manager
must choose the taxpayer and tax period, and confirm that he/she wants to proceed with creating a new
case. To all manually created cases, the system shall add a case number and a flag or other
identification that the case was manually created.
As part of the Audit Planning process, all taxpayers are placed into a specific audit segment
within their zones. This segment defines if they are Individual assessments or Salaried
individuals for audit purposes (audit segment for Individual taxpayers.).
Using the audit selection methodology (IT or manual) the plan should include the taxpayers to
be audited as well as the number of days to be spent for each tax audit. Each Tax circle or Tax
zone can change the selected taxpayers; but it cannot change more than 20% of the total
number of taxpayers selected by the audit section, neither can it change the taxpayers that
have been selected by the IT system, if such system is in use. Each Tax circle or Tax zone can
add other taxpayers for audit and they should be part of the 20% of manually selected
taxpayers together with the selections made by the selection system.
Audit plans should closely relate to the human, material and financial resources needed to
conduct the audits. This includes the forecast number of days and people spent for each
audited taxpayer. After the necessary time has been calculated based on the number of people
available, it is compared with the time required for fulfilling the audit plan, in order to
identify the risks which might have a negative impact on the fulfilment of the audit plan, such
as: financial and human resources available, sick leave and failure to substitute an auditor in due
time for various reasons, etc.
The draft audit plan should be prepared depending on the results the NBR would like to achieve,
and should be established for each of the risks in order of priority.
Each risk needs to be managed and must have the appropriate measures or set of different
control measures. The type of control activities should not be limited to regular audits or desk
audits; the NBR should apply all their available administrative measures to control risks –
monitoring, inspecting, letters, special cross-checking, cooperation with the public,
cooperation with other Government authorities, changes in laws and so on.
The action plan for audit should correspond to the annual plan of the NBR.
The draft action plan for audits should be agreed with other departments of NBR to evaluate
human resources. Human resources should be allocated for the implementation of the
planned audit measures.
The draft audit plan should be presented to the NBR Board for approval. The draft audit plan should
contain an action plan for monitoring and a list of criteria for the assessment.
If the NBR board does not approve the audit plan, then they should give their comments and it
should be revised and updated.
From the audit results the manager needs to know whether the risk(s) existed or not. There is a
necessity to differentiate between audit results and feedback collection. It is possible that
during the audit, noncompliant behaviour was discovered and proved. It could be the same
risk that the taxpayer had brought out, but it could also be something totally different, something
that the manager could not or did not see. It is also possible that the auditors have agreed with
the manager about the existence of the risk, but legally are just not able to prove it. In this case, the risk
exists but the audit has been completed without conclusive findings.
The Tax zones and HQ monitor on-going performance through periodic reports, reviews of
case work and work plan accomplishments, to identify any problems, including training needs
or work plan changes that may be required.
The manager should also have the possibility to change the audit start date. The manager shall
have the possibility to add or extend the deadline (extending the deadline is possible only if an
extension decision is attached in the system), tax periods and tax types before assigning the case to an auditor.
At the level of the NBR HQ, the list of taxpayers is distributed and sent to the Tax Zones for
rechecking and confirmation of the violations detected. In addition, an analysis is made of the
workload of the auditors for each section of taxpayers to be included in the audit plan.
The Tax Zones check the validity of the assignment of points and form a preliminary plan of
audits. The distribution of taxpayers included in the tax audit plan is carried out in accordance
with an internal order.
If taxpayers are given the same score, the taxpayer with the largest amount of aggregate
annual income is selected for audit. In the event that taxpayers are given the same score and
they also have the same amount of aggregate annual income, the taxpayer with the largest
unaudited tax period is included in the audit plan.
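The points system, the score-over-denominator probability and the tie-breaking rule described above, combined with four of the toolkit criteria from section 7, as an added example that is not part of the guideline or of DACON/e-Filing. The per-criterion points, the 0.5 selection threshold, the case-number format, the field names and the sample returns are constructed assumptions; "largest unaudited tax period" is assumed to mean a count of unaudited periods.

```python
"""Points-based risk scoring and case selection (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

DENOMINATOR = 1200  # highest possible natural-person score given in the guideline

# Assumption: per-criterion points are constructed so that they sum to
# DENOMINATOR; the guideline leaves the real points for NBR to decide.
WEIGHTS = {
    "enforcement": 300,
    "declared_tax_trend": 300,
    "inventory_trend": 300,
    "headcount_vs_income": 300,
}


@dataclass
class TaxReturn:
    tin: str
    enforcement: bool                 # subject to an enforcement measure
    tax: Optional[float]              # declared tax, current year
    tax_prev: Optional[float]         # declared tax, previous year
    inventory: Optional[float]        # closing balance of inventories, current year
    inventory_prev: Optional[float]   # closing balance of inventories, previous year
    staff: Optional[int]              # number of employees, current year (N2)
    staff_prev: Optional[int]         # number of employees, previous year (N1)
    income: Optional[float]           # declared income, current year (P2)
    income_prev: Optional[float]      # declared income, previous year (P1)
    aggregate_income: float           # first tie-breaker
    unaudited_periods: int            # second tie-breaker, assumed to be a count


def deviation_flag(x, y, limit):
    """True if |(X - Y) / Y| > limit; None when X or Y is missing or Y is zero."""
    if x is None or y is None or y == 0:
        return None
    return abs((x - y) / y) > limit


def headcount_flag(n1, n2, p1, p2):
    """(P2 - P1) / P1 <= 40% * (N2 - N1) / N1, applied only if N2 > N1."""
    if None in (n1, n2, p1, p2) or n1 <= 0 or p1 <= 0:
        return None  # assumption: non-positive bases are treated as not evaluable
    if n2 <= n1:
        return None  # criterion does not apply
    return (p2 - p1) / p1 <= 0.40 * (n2 - n1) / n1


def evaluate(r):
    """Criterion name -> True (flagged), False (not flagged) or None (not evaluable)."""
    return {
        "enforcement": r.enforcement,
        "declared_tax_trend": deviation_flag(r.tax, r.tax_prev, 0.15),
        "inventory_trend": deviation_flag(r.inventory, r.inventory_prev, 0.30),
        "headcount_vs_income": headcount_flag(r.staff_prev, r.staff,
                                              r.income_prev, r.income),
    }


def score(r):
    """Sum of the points of every criterion that flagged the return."""
    return sum(WEIGHTS[name] for name, hit in evaluate(r).items() if hit)


def probability(r):
    return score(r) / DENOMINATOR


def not_evaluated(r):
    """Criteria that could not run, e.g. because no previous-year data exists yet."""
    return sorted(name for name, hit in evaluate(r).items() if hit is None)


def select_cases(returns, threshold):
    """Cases above the threshold, ordered by score, then income, then unaudited periods."""
    chosen = [r for r in returns if probability(r) > threshold]
    chosen.sort(key=lambda r: (-score(r), -r.aggregate_income, -r.unaudited_periods))
    return [(f"CASE-{i:04d}", r.tin, score(r), probability(r))
            for i, r in enumerate(chosen, 1)]


# Constructed sample returns (field order as in TaxReturn).
SAMPLE = [
    TaxReturn("TIN-A", True, 80, 100, 100, 100, 12, 10, 105, 100, 500, 2),
    TaxReturn("TIN-B", True, 130, 100, 140, 100, 10, 10, 100, 100, 800, 1),
    TaxReturn("TIN-C", True, 50, 100, 100, 100, 10, 5, 110, 100, 800, 4),
    TaxReturn("TIN-D", False, 90, None, 40, None, 3, None, 60, None, 900, 1),
    TaxReturn("TIN-E", False, 120, 100, 100, 100, 10, 10, 100, 100, 700, 3),
]

if __name__ == "__main__":
    for case in select_cases(SAMPLE, threshold=0.5):
        print(case)
    print("TIN-D not evaluated:", not_evaluated(SAMPLE[3]))
```

TIN-D shows the point made earlier about needing enough tax periods of data: with no previous-year values, three of the four criteria cannot run, so its score of zero reflects missing history rather than low risk.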
As a result of the work done, a preliminary plan for taxpayers to be audited is sent to the
Direct Tax Audit head-office in NBR for ratification. This HQ then sends the final plan of
selected cases back down to the Zones and Circles, once the overall plan has been approved
by the Chairman and executed.
7. NBR Toolkit for risk analysis and risk-based audit
Y = Registration Year
D = Year of last audit
Criteria ID | Classification | Label of risk assessment | Description

Classification: Event Based
Label of risk assessment: Subject to an enforcement procedure
Description: The criteria assesses if a taxpayer has been subject to any enforcement measure – if true, taxpayer is flagged. If the taxpayer has not been subject to any enforcement measure, the criteria exits

Classification: Trend
Label of risk assessment: Deviation in declared tax comparing to last year value for same tax type (Form IT-11GA2016)
Description: On submission of Form IT-11GA2016 the criteria gathers:
(*) X as the amount of declared tax for the current fiscal year
(*) Y as the amount of declared tax for the previous year if applicable
If both X and Y can be defined, then the criteria computes |(X - Y) / Y|. If the value of the ratio is greater than 15% the taxpayer is flagged

Classification: Trend
Label of risk assessment: Deviation in declared tax comparing to last year value for same tax type (Form IT-11GHA2016)
Description: On submission of Form IT-11GHA2016 the criteria gathers:
(*) X as the amount of declared tax for the current fiscal year
(*) Y as the amount of declared tax for the previous year if applicable
If both X and Y can be defined, then the criteria computes |(X - Y) / Y|. If the value of the ratio is greater than 15% the taxpayer is flagged

Classification: Trend
Label of risk assessment: Deviation in declared tax comparing to last year value for same tax type (IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
(*) X as the amount of declared tax for the current fiscal year
(*) Y as the amount of declared tax for the previous year if applicable
If both X and Y can be defined, then the criteria computes |(X - Y) / Y|. If the value of the ratio is greater than 15% the taxpayer is flagged

Classification: Trend
Label of risk assessment: Deviation in declared tax comparing to last year value for same tax type (IT-11GAGA)
Description: On submission of Form IT-11GAGA the criteria gathers:
(*) X as the amount of declared tax for the current fiscal year
(*) Y as the amount of declared tax for the previous year if applicable
If both X and Y can be defined, then the criteria computes |(X - Y) / Y|. If the value of the ratio is greater than 15% the taxpayer is flagged

Classification: Comparative
Label of risk assessment: Discrepancy between Gross tax and tax payable (Form IT-11GA2016)
Description: On submission of Form IT-11GA2016 the criteria gathers:
X = "Gross tax"
Y = "Total amount payable" minus "Advance tax paid"
If |(X - Y) / Y| is greater than 15%, the taxpayer is flagged
Classification: Comparative
Label of risk assessment: Discrepancy between total income and taxable income (Form IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
X = "Total income"
Y = "Taxable income"
If |(X - Y) / Y| is greater than 15%, the taxpayer is flagged

Classification: Comparative
Label of risk assessment: Ratio of sale output/income (Form IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
X = "Gross Profit"
Y = "Sales" or "Income"
Z = industry index (for the ratio X over Y) related to main activity code of taxpayer (provided by NBR within the Section Criteria Rule)
R = X / Y
In case X and Y can be retrieved, and if |(X - Y) / Y| is greater than 15%, the taxpayer is flagged

Classification: Comparative
Label of risk assessment: Decrease in "current year declared income" compared to the last year (Form IT-11GAGA)
Description: On submission of Form IT-11GAGA the criteria gathers:
X = "Declared income"
Y = "Declared income for the previous year" (provided the value can be retrieved)
In case X and Y can be retrieved, and if |(X - Y) / Y| is greater than 15%, the taxpayer is flagged

Classification: Trend
Label of risk assessment: Closing balance of produced goods declared value comparing to last year (Form IT-11GHA2016)
Description: On submission of Form IT-11GHA2016 the criteria gathers:
X = "Closing balance of inventories (Current Year)"
Y = "Closing balance of inventories (Previous Year)"
In case X and Y can be retrieved, and if |(X - Y) / Y| > 30%, the taxpayer is flagged

Classification: Trend
Label of risk assessment: Closing balance of produced goods declared value comparing to last year (Form IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
X = "Closing balance of inventories (Current Year)"
Y = "Closing balance of inventories (Previous Year)"
In case X and Y can be retrieved, and if |(X - Y) / Y| > 30%, the taxpayer is flagged

Classification: Trend
Label of risk assessment: Change in ratio between Revenue and Number of employees (Form IT-11GHA2016)
Description: On submission of Form IT-11GHA2016 the criteria gathers:
N1 = "Number of employees of previous year"
N2 = "Number of employees of current year"
P1 = "Previous year declared income"
P2 = "Current year declared income"
The criteria applies only if N2 > N1. Then, if all values can be retrieved, and if (P2 - P1) / P1 <= 40% * (N2 - N1) / N1, the taxpayer is flagged

Classification: Trend
Label of risk assessment: Change in ratio between Revenue and Number of employees (Form IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
N1 = "Number of employees of previous year"
N2 = "Number of employees of current year"
P1 = "Previous year declared income"
P2 = "Current year declared income"
The criteria applies only if N2 > N1. Then, if all values can be retrieved, and if (P2 - P1) / P1 <= 40% * (N2 - N1) / N1, the taxpayer is flagged
Classification: Comparative
Label of risk assessment: Net profit margin comparison to industry (Form IT-11GHA2016)
Description: On submission of Form IT-11GHA2016 the criteria gathers:
X = "Net Profit"
Y = "Net Sales" + "Other operating income"
Z = industry index (for the ratio X over Y) related to main activity code of taxpayer, and provided by NBR
R = X / Y
If all values (X1, Y1, X2, Y2) can be retrieved and if R1 < R2 * 0.85 then the taxpayer is flagged

Classification: Trend
Label of risk assessment: Net margin trend (Form IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
X1 = "Net profit (Current Year)"
Y1 = "Net Sales (Current Year)" + "Other operating income (Current Year)"
R1 = X1 / Y1
If all values (X1, Y1, X2, Y2) can be retrieved and if R1 < R2 * 0.85 then the taxpayer is flagged
Classification: Comparative
Label of risk assessment: Discrepancy of declared income
Description: The items to be compared must be specified! The expression "info received from other sources" must be made more explicit as we can only compare quantitative values. The data source or sources must be specified, and for each the field from where data is fetched! For now, this criteria cannot be taken into consideration

Classification: Comparative
Label of risk assessment: Discrepancy in the tax withheld from TP (Form 11-ITGA2016)
Description: On submission of Form 11-ITGA2016 the criteria gathers:
X = "Withholding payments" (From the "Tax Computation and Payment" table)
Classification: Comparative
Label of risk assessment: Discrepancy of declared sales with VAT return (Form IT-11GHA2016)
Description: On submission of Form IT-11GHA2016 the criteria gathers:
X = "Declared Sales"
Then, based on the TIN of taxpayer, the criteria gathers all submitted VAT forms for the period covered by the fiscal year. It sums the "Sales amount" values found in the VAT forms as Y. If X<>Y the taxpayer is flagged
Note: for each TIN, the "Sales amount" values found in the VAT forms will be computed in the data warehouse

Classification: Comparative
Label of risk assessment: Discrepancy of declared sales with VAT return (Form IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
X = "Declared Sales"
Then, based on the TIN of taxpayer, the criteria gathers all submitted VAT forms for the period covered by the fiscal year. It sums the "Sales amount" values found in the VAT forms as Y. If X<>Y the taxpayer is flagged
Note: for each TIN, the "Sales amount" values found in the VAT forms will be computed in the data warehouse

Classification: Comparative
Label of risk assessment: Discrepancy of declared purchases with VAT return (Form IT-11GHA2016)
Description: On submission of Form IT-11GHA2016 the criteria gathers:
X = "Declared Purchases"
Then, based on the TIN of taxpayer, the criteria gathers all submitted VAT forms for the period covered by the fiscal year. It sums the "Sales amount" values found in the VAT forms as Y. If X<>Y the taxpayer is flagged
Note: for each TIN, the "Sales amount" values found in the VAT forms will be computed in the data warehouse

Classification: Comparative
Label of risk assessment: Discrepancy of declared purchases with VAT return (Form IT-11CHA2016)
Description: On submission of Form IT-11CHA2016 the criteria gathers:
X = "Declared Purchases"
Then, based on the TIN of taxpayer, the criteria gathers all submitted VAT forms for the period covered by the fiscal year. It sums the "Sales amount" values found in the VAT forms as Y. If X<>Y the taxpayer is flagged
Note: for each TIN, the "Sales amount" values found in the VAT forms will be stored and computed in the data warehouse

Classification: TP size
Label of risk assessment: Taxpayer Segment
Description: The criteria flags taxpayers belonging to the Audit "Large Taxpayer" segment
Classification: TP size
Label of risk assessment: Taxpayer Objection ratio by value
Description: Criteria will compute value of objections as a ratio of total liabilities for given TIN:

X = "Total Exemptions"
For information on using this toolkit item refer to section 4.52.
For information on using this toolkit item refer to section Error: Reference source not found.
7.4. Where to get the data needed for risk assessment
NBR is able to harvest taxpayer data from both the paper-based returns using DACON as well
as from electronically submitted returns by using e-Filing. The following diagram provides a
representation of how this data may be obtained and used:
Figure 5: Taxpayer risk related data derived from e-Filing as well as from DACON
Based on the above logic, only medium taxpayers should be evaluated to define if they are
subject of field, e-Audit, paper audit or office audit – other decisions should be system based,
due to the given rules.
NBR may further define a set of rules that governs the allocation of audit types, based on
taxpayer size, turnover, economic activity or, in the final instance, the decision of the audit
manager.
7.6. Using risk as an audit tool
Risk presents an important tool for use while an audit is being conducted. There is usually a
direct relationship between a risk criteria score that has been found to be true and areas of
suspicion within the taxpayer's return and financials.
These areas of suspicion are good indicators to the auditor as to where to start the audit
investigation. The following tables provide an indication of the link between Risk Criteria and
potential areas of suspicion:
7.62. Areas of suspicion documents to be checked during audit
Area of Suspicion | Documents to Check

Checking the account of individuals’ overhead expenses in legal books
Enquiry from TP’s corresponding individuals if needed

Area of Suspicion: Distribution and sale expenses
Documents to Check:
Documents of expenses
Documents of paying incurred expenses
Checking legal books for being in accordance with documents of expenses
Checking the account of individuals’ overhead expenses in legal books
Enquiry from TP’s corresponding individuals if needed

Area of Suspicion: Wage and salary expenses
Documents to Check:
Personnel employment files
Personnel presence and absence list

Area of Suspicion: Cash flow
Documents to Check:
Cash accounts in legal books
Financial security documents
Documents of TP liabilities’ payment
Receivable and payable accounts
The account of property acquisition and sale in legal books and matching them with legal books
Profit sharing account
The level of self-assessed profit or loss

Area of Suspicion: Assets and under-completion assets
Documents to Check:
Documents of acquisition or sale of TP’s fixed assets and matching them with TP’s legal books

Area of Suspicion: Associated persons and those of the same group
Documents to Check:
Documents of all cash and non-cash transactions among associated persons and companies of the same group and matching them with TP’s legal books
Calculation of depreciation expenses

Area of Suspicion: Reservoirs
Documents to Check:
Documents of expenses related to received reservoirs and their modifications

Area of Suspicion: Advance payments
Documents to Check:
Documents of advance payments and their clearance

Area of Suspicion: Paid salaries and wages
Documents to Check:
A list of salaries and allowances submitted to tax offices and the amount of paid tax and matching them with TP legal books and comparing with list of the salaried submitted to the NBR
Personnel employment files
Personnel’s hours of presence and absence
Employers’ employment regulations

Area of Suspicion: Paid fee, paid expenses for purchase of services from foreign persons
Documents to Check:
Documents and lists of paid fees along with taxes paid for these fees and their related contracts
Contracts concluded with foreign persons and the documents of paying funds to them and documents related to the paid taxes

Area of Suspicion: Real estate physical dimensions of the property owners
Documents to Check:
Real-estate ownership documents
Lease documents
Contracts of real-estate disposal or rights arising from it
Identity documents of the owner, purchasers or leasers

Area of Suspicion: Sale of liable or exempt goods and services
Documents to Check:
Documents of goods and services sale & purchase
Legal books

Area of Suspicion: Tax and duties received from customers
Documents to Check:
Documents related to goods/services import and export
Area of Suspicion: Sale of liable or exempt goods and services
Documents to Check:
Documents related to tax payment along with return
Step: 1
Role: Tax zone
Step name: Start process
Description/System Requirements: The process must be run every 12 or 6 months, as decided by NBR.

Step: 2
Role: Tax zone
Step name: Collect data
Description/System Requirements: Information on Income tax taxpayers should come from different sources into the DACON data warehouse based on TIN, and can be grouped as follows:
a. Database (declarations);
b. Information from external sources i.e. banks, informants etc.
c. Information from internal sources i.e. audits, customs, VAT etc.
d. Collected data will be aggregated based on the Risk Assessment process & DACON.
e. A record will be created for every Income tax return as a result of data collection and aggregation. This record will contain:
   o Initial (raw) data that was used for calculation;
   o Aggregated data (attributes);
f. Date & time stamp of data collection procedure

Step: 4
Role: Tax zone
Step name: Create list of taxpayers for audit
Description/System Requirements: The list of tax returns to be audited is created based on identified risk criteria. Only data identified through the TIN in the DACON data warehouse can be used for the risk assessment calculation for:
a. Specific taxpayers
b. Specific sets of risks.

Step: 5
Role: NBR
Step name: Decision on the list of taxpayers
Description/System Requirements: The output of audit planning consists of a list of taxpayers sorted by risk value calculated for every selected taxpayer. (Risk
Step: 6
Role: NBR
Step name: Create plan for national/regional audits
Description/System Requirements: It is necessary to develop a draft version of the Audit Plan. In this plan, the following should be defined:
a. The taxpayer segment to be audited
b. Fiscal risks, arranged in order of priority
c. Taxpayers scheduled for audit
The Audit Plan should be determined as follows:
Risks, arranged in order of priority
Nature of risk
Events control

Step: 7
Step name: Plan approved?
Description/System Requirements: Before submission of the Audit Plan to the Chairman of the NBR for approval, the Member (ITX Operations) should ensure the plan has been prepared in accordance with instructions, explanations contained in the audit strategy and explanations of the plan development process (what, why etc.)

Step: 8
Role: NBR
Step name: Release the plan
Description/System Requirements: The Audit Plan needs to be approved by an internal order of the NBR and should clearly identify:
The person or unit responsible for their delivery
Measurable standards by which performance can be assessed and ideally, measures of the quantity, quality and timeliness of delivery

Step: 9
Role: Tax zone
Step name: Analysis and evaluation of the results
Description/System Requirements: The collection of the data must be organized for evaluation of the control measures and will be based on the approved evaluation criteria. For analysis and evaluation of the results, the following reports are needed:
a. Performance dashboard by Tax Zone;
b. Performance dashboard by Tax zone staff responsible for audits;
c. Back log analysis by Tax zone staff responsible for audits;
d. Audit performance and financial efficiency by Tax
Data entities in white are within e-TIN whilst those in blue belong within DACON and/or e-
Filing:
Figure 6: Data model needed to support these systems related toolkit items
8. Conclusion
We have provided NBR with the foundations for risk related audit management in this
Guidelines and Toolkit. The foundations of how to compute risk, as well as the method of
assigning risk to taxpayers is well known and used as a standard practice throughout the
world. The first part of this document focusses on these approaches and methods. We
covered risk as a concept, where to find the data needed to compute risk, how to compute
risk and once we have a risk score for a taxpayer – how to use that score to do case selection
and allocation. We trust this may add to the knowledge pool within NBR.
In the second part of this Guidelines and Toolkit – we have provided NBR with hands-on
toolkit items, methods and approaches that can readily be implemented “as is” within DACON
and e-Filing. The case selection criteria as well as the audit areas of suspicion provide a strong
basis to rapidly advance digital case selection and audit processing within direct taxes. These
procedurals, as well as systems related recommendations have been specifically tailored to
the NBR circumstances based on our existing knowledge.
All of these toolkit items will be further expanded by the advanced risk assessment- and
advanced tax audit training, which provides yet another important toolkit item – that of
knowledge!