What does the ATO expect of businesses?
Section 262A of the Income Tax Assessment Act 1936 states that a person carrying on a business must keep records that record and explain all transactions and acts engaged in by the business that are relevant to the Australian income tax legislation.
Earlier this year the ATO issued taxation ruling TR 2005/9 to explain their view on electronic record keeping systems. A tax ruling is not legislation, however, it does explain the ATO’s opinion on certain tax laws and the ATO will follow this opinion when determining whether or not a business is complying with the tax laws.
The Tax Office considers that electronic record keeping systems operate essentially in the same manner as paper based systems, and the records kept in them are, in principle, the same as those kept under manual / paper based record keeping systems. The Tax Office requires that the records, whether kept on paper or electronically, must be kept accurately so as to enable the business’s tax liability to be readily ascertained.
There are many risks involved in keeping electronic records instead of paper records and the ATO expects taxpayers to minimise these risks by implementing the following controls into their electronic records:
- Record retention
- Data security and integrity
- System documentation
- Retaining archival copies; and
These controls enable businesses to protect the security and integrity of their electronic records and are described in more detail below.
Taxpayers should retain electronic records for the same length of time that it retains paper records. For tax purposes this is generally for a period of 5 years. If a taxpayer routinely destroys records it is advised that this occurs in accordance with a regular schedule which is part of the document record retention procedures. A routine procedure may provide the ATO with an explanation as to why documents were destroyed.
Data Security And Integrity
A taxpayer should be able to demonstrate that their electronic records system is secure from both unauthorised access and data alterations. This usually involves developing and documenting a security program which achieves the following:
- Ensures that only authorised people have access to the system;
- Provides for backup and recovery of electronic records;
- Ensures that authorised people are trained to protect sensitive or classified records;
- Minimises the risk of unauthorised alteration, addition or erasure of electronic records;
- Ensures that the environment in which the records are electronically kept must be temperature and humidity controlled to prevent defect equipment and therefore lost data.
The entire electronic records system should be documented, including physical and logical descriptions of the system’s structure and programs, including inputs and outputs. System documents should be retained to explain aspects of that system so ATO officers can ascertain the system is doing what it is claimed to do. Any related numeric, textual or graphic information should also be documented for easy retrieval.
Retaining Archival Copies
Generally it is not necessary to retain a hard copy of the information contained in an electronic record unless a particular law or regulation requires the taxpayer to retain the paper copies. However, electronic records must be in a form which ATO staff can access and understand.
Electronic records should be readily accessible. Under Section 263 of the Income Tax Assessment Act, the Commissioner of Taxation or any authorised officer has full and free rights to access all buildings, places and documents including electronically stored records that are required for the purposes of the Tax Act. Furthermore the occupier of a building or place is required to provide the officer with ‘reasonable facilities and assistance’, this includes login codes, encryption keys, passwords, access to hard copies, and computer and software manuals. If the ATO’s system is not compatible with the taxpayer’s system then the information will need to be produced in a hard copy.
The ATO expects businesses to adopt sensible practices that reduce the likelihood of loss of decryption keys and passwords i.e. keeping a copy written down, or on other storage, such as a floppy disk, or by the use of a trusted third party.
The ATO issued this tax ruling to explain to businesses what is expected of them and to advise them how they can meet these expectations. If the ATO audits a business, they will not accept the excuse that the businesses electronic data has become corrupt or been lost.