A governance framework that lives in a drawer isn’t governing anything.
Every large organisation in Australia — certainly every Top 100 and Top 1000 taxpayer — has a tax governance framework.
It’s a document. Usually a well-written one. It describes the organisation’s approach to tax risk. It outlines roles and responsibilities. It references the board’s risk appetite statement. It was probably prepared with the help of external advisors, reviewed by the audit committee, and approved by the board.
And in many organisations, that’s where it ends.
The document exists. The governance it describes does not — at least not in any systematic, demonstrable, day-to-day sense.
This is the gap that matters. Not the gap between having a framework and not having one. The gap between having a framework and living it.
THE GOVERNANCE ILLUSION
Here’s what tax governance looks like on paper: clear escalation paths, documented review procedures, controlled access to working papers, tracked changes and approvals, and regular reporting to the board on tax matters.
Here’s what it often looks like in practice: a senior tax manager who knows everything, a shared drive full of spreadsheets with no version control, review by email attachment, approvals by verbal agreement, and a board report prepared once a year that summarises outcomes without explaining the process.
Both organisations would say they have tax governance. Only one actually does.
WHY THE GAP EXISTS
The gap isn’t about intent. Tax teams want to govern well. The gap is about tools.
Governance requires controls. Controls require systems. And the systems most tax teams use — spreadsheets, email, shared drives — don’t have controls built in.
You can’t enforce a review workflow in Excel. You can’t restrict who modifies a tax adjustment in a shared workbook. You can’t automatically log who changed what, when, and why. You can’t generate an audit trail from a process that doesn’t systematically create one.
The governance framework describes what should happen. The tools determine what actually happens. When the tools don’t support the framework, the framework becomes aspirational. And to be clear: the problem isn’t that spreadsheets exist in the process — finance teams will always use them for workpapers, and that’s fine. The problem is when spreadsheets are the governance layer itself, with no system underneath to enforce the controls your framework promises.
WHAT EMBEDDED CONTROLS LOOK LIKE
Embedded controls are governance that’s built into the system, not bolted on top of it.
Role-based access. Not everyone can modify every part of the tax return. The person preparing a section can’t approve their own work. The reviewer can approve but can’t change the underlying data without creating a new adjustment that requires its own approval.
Workflow enforcement. The return can’t progress to the next stage until the current stage is complete and approved. Not because someone checks a manual checklist — because the system won’t allow it.
Automatic logging. Every action is recorded. Every adjustment has a reason. Every approval has a timestamp and an approver. Not because someone remembered to document it — because the system makes documentation a by-product of doing the work.
Exception management. Unusual items are flagged automatically. Material changes from prior year are highlighted. Reconciliation differences above threshold require explanation. The system surfaces what needs attention instead of relying on someone to notice.
THE JUSTIFIED TRUST CONNECTION
The ATO’s Justified Trust framework specifically examines whether tax governance is real — embedded in operations — or performative — limited to documents.
When the ATO’s relationship team reviews your governance framework, they don’t just read the document. They test it. They ask your team to demonstrate how a specific transaction was treated, who reviewed it, how it was approved, and where the evidence sits.
In an embedded controls environment, this is a straightforward demonstration. Open the system. Show the workflow. Show the audit trail. Show the approvals.
In a document-only governance environment, it’s a scramble. Find the spreadsheet. Hope the right version was saved. Try to remember who reviewed it. Look through emails for the approval.
One of these responses builds trust. The other erodes it.
The principle is the same one that governs statutory audits: when auditors can rely on your internal controls, they reduce their substantive testing. The ATO operates on the same logic. Their Tax Risk Management and Governance Review Guide assesses whether the right people are in defined roles, whether controls are periodically tested, and whether there’s a formalised framework endorsed by the board. To achieve the Stage 2 rating the ATO now expects for high assurance, you need evidence that your control framework isn’t just designed — it’s operating. Embedded controls are how you produce that evidence.
THE PATH FORWARD
Moving from policy-based governance to embedded governance isn’t a technology project. It’s a mindset shift.
It means accepting that a governance framework is only as good as the systems that enforce it. That good intentions don’t constitute controls. That the ATO — and your own board — deserves to see evidence, not assurances.
The technology exists. Purpose-built tax compliance software — anchored by a tax ledger that classifies every GL account with its tax treatment — can embed the controls your governance framework describes. It can make documentation automatic, workflows enforceable, and audit trails complete.
But the technology only works if the organisation decides that governance should be real — not just documented, but lived.
Every day. In every workflow. In every adjustment, review, and approval.
That’s governance in practice. Not a document in a drawer — a system that runs.
