CYPRUS: Audit of Tax Management System
According to the 2019 Fiscal Report of the General Accounting Office (GAO), the revenues of the Central Government related to direct taxation amounted to approximately €2.1 billion or 21%. These revenues are managed by the Tax Department (TD), which depends mainly on the Tax Management System (TMS).
TMS is used for direct taxation in a wide range of functions such as managing taxpayer data, managing tax declarations, calculating and enforcing taxes and managing revenues and tax returns.
In November 2019, our Office initiated an IT audit engagement covering the IT environment and procedures that include TMS, in order to evaluate the reliability of data and operations and the effectiveness and efficiency of the controls in place.
We evaluated the organizational structures, policies and IT procedures of TD and the supporting unit of the Department of Information Technology Services (DITS) and examined the general controls which affect the reliability of the IT control environment regarding TMS.
Based on the collected information, we identified the system’s different modules, processes and supported functions. For those areas we assessed the risk and selected the entities of the system that have the most impact on the financial statements; for these entities we assessed the existing internal controls to identify vulnerabilities that affect the confidentiality, integrity and availability of information.
As a general conclusion, TD is exposed to a number of risks which may have a significant impact on its tax collection capacity, its compliance with legislation and the data integrity of TMS.
The most important findings concern the following:
- Deficiencies in matters of management and organization of IT teams of TD and DITS such as insufficient definition of responsibilities, delay in the implementation of the recommendations from external consultants, non-adoption of information security policy and lack of coordination in matters of contract execution.
- Weaknesses in change management, such as the absence of recorded procedures, limited scope of the existing change management process and cases of implementation of changes without adequate evaluation and authorization.
- Weaknesses in matters of access management such as insufficient definition of responsibilities and liabilities and absence of recorded procedures.
- Deficiencies in the Business Continuity Plan, in relation to the determination of the recovery point objective and recovery time objective.
- Absence of an action plan for incident management and issues regarding IT infrastructure.
- Delays in the transfer of tax declarations to the TMS from Taxisnet and shortcomings in data security issues.
- Insufficient integration of preventive controls in TMS for cases of conflict of interest (e.g., the ability of the taxpayer to tax himself, without this being identifiable in time).
- Increased risk of circumvention of mass taxation controls, due to complementary procedures outside the TMS environment and lack of control and reconciliation procedures of the tax confirmation.
- Manual collection management procedures and increased dependency on specific personnel.
- Changes to the system’s source code on management’s instructions, in order to circumvent controls for data extraction to update the netting system of GAO.
- Some tax categories were not included in the 2019 arrears report submitted to GAO. We also noted the absence of a reconciliation mechanism in the process of preparing the report on arrears.
For the findings included in the report, we submitted specific recommendations addressed to both TD and DITS, with the aim of improving the procedures and strengthening the controls of TMS.
The full CAO report can be found at www.audit.gov.cy.