77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Building a tax compliance management system: Seven building blocks according to IDW PS 980
Governance & Compliance

Building a tax compliance management system: Seven building blocks according to IDW PS 980

22 June 202613 min readBy Dr. Henrik Bauer
CIVAC

A tax compliance management system only protects against criminal proceedings if all seven basic elements according to IDW PS 980 are implemented and documented. The application decree for Section 153 AO expressly recognises the Tax CMS as an indication of intent.

The application decree of the Federal Ministry of Finance on Section 153 AO of May 23, 2016 makes it clear that an effective internal control system for the fulfilment of tax obligations can be an indication of intent or carelessness if an error is noticed in a tax return submitted and needs to be corrected. This means that the tax compliance management system is no longer an option but has become an obligation. Anyone who submits a correction report according to Section 153 AO and cannot provide a documented Tax CMS risks criminal tax proceedings according to Section 370 AO or a careless tax evasion according to Section 378 AO as well as an administrative offense according to Section 130 OWiG for the management with fines of up to one million euros per breach of duty.

The IDW practical note 1/2016 on Designing a Tax Compliance Management System translates the IDW PS 980 auditing standard into the tax context and names seven basic elements against which every implementation must be measured: compliance culture, compliance goals, compliance organisation, compliance risks, compliance program, compliance communication and compliance monitoring. This article shows how these seven building blocks are practically set up in a medium-sized company, which roles need to be filled, which thresholds have proven successful and at which point CIVAC as a compliance platform and officer-as-a-service closes the gap between concept and lived practice. The representation remains operational. You will receive a demonstrable structure, not a theoretical treatise. At the end of the article there is a 90-day construction plan, which is included in the external inspection appointment.

Key Takeaways

  • According to the BMF letter on Section 153 AO, a tax CMS according to IDW PS 980 with seven documented modules acts as an indication against the accusation of conditional intent.
  • The critical threshold is not the concept, but the evidence in the external audit appointment: appointment certificate, risk matrix, proof of training, control protocol, all versioned and findable.
  • CIVAC delivers the 37 audit templates, the workspace with reporting line to management and, if requested, the external tax compliance officer within two working days.

Legal starting point: Section 153 AO, Section 370 AO and Section 130 OWiG

The legal basis for a Tax CMS results from the interaction of several standards. Section 153 of the Tax Code obliges every taxpayer to immediately report and correct any identified inaccuracies in a submitted declaration. If the report is omitted or filed late, this can be viewed as tax evasion according to Section 370 AO or as careless tax evasion according to Section 378 AO. The management is additionally liable in accordance with Section 130 OWiG for the breach of the supervisory duty, with fines of up to one million euros per breach of duty as well as the possibility of profit skimming in accordance with Section 17 Paragraph 4 OWiG. The deadline begins as soon as we become aware of it. Anyone who notices the violation must act immediately, which, according to the established case law of the Federal Court of Justice, requires a reaction within a few days.

The BMF letter of May 23, 2016 on the application decree § 153 AO contains in paragraph no. 2.6 the decisive sentence: If the taxpayer has set up an internal control system that serves to fulfil tax obligations, this can speak against the existence of intent or recklessness. This actually shifts the burden of proof in the defence strategy. Anyone who presents a tax CMS in use during the external audit procedure has evidence of acting in good faith. Anyone who does not present anything bears the burden of proof that there was no intent and is in a structurally weak position compared to a suspicious auditor. The responsible compliance officer should therefore agree in writing with management on what level of maturity must be achieved by when and which documents can be presented immediately in the event of an audit. CIVAC delivers the appointment certificate, the reporting line and the risk matrix in a platform with audit-proof versioning and EU data residency, so that in the event of an audit, every status can be reconstructed and the chain of documents is available without any search effort.

Building blocks 1 and 2: Compliance culture and compliance goals

The first building block according to IDW PS 980 is the compliance culture. In the tax context, this means a written policy statement from management in which the commitment to the correct fulfilment of tax obligations is formulated. This explanation must be concrete. General phrases about how we act ethically are not enough. Instead, you formulate measurable specifications: Tax issues with a scope of more than 250,000 euros are presented to the tax advisor or tax compliance officer before implementation. Correction notices in accordance with Section 153 AO are created within 14 days of becoming aware of them. Aggressive arrangements without substance are rejected, even if they appear to be tax-advantageous in the short term. The culture is lived when this rule holds up in the event of a conflict, even against sales pressure or against short-term results goals, and when management visibly defends this priority.

The second building block is the compliance goals. Here you specify which tax areas are actually covered by the Tax CMS. Sales tax, wage tax, corporate income tax, trade tax, transfer prices in accordance with Section 90 Paragraph 3 AO and, in internationally active groups, withholding tax as well as the topics of unity and reverse charge are common. Each area receives its own protection goal: For example, zero incorrect advance VAT returns per quarter, complete transfer pricing documentation by May 31 of the following year, annual training for all employees with exposure to payroll, travel expenses and benefits in kind. These goals are linked to the respective risk in the risk matrix and provided with measurable indicators. In the CIVAC workspace, you maintain these goals as verifiable data sets with the person responsible, deadline and document path. Each update creates a new version with a timestamp and author ID. Licence the workspace for your internal representatives or have our representatives order it. Both models produce the same documentation status.

Module 3 and 4: Compliance organisation and risk analysis

The compliance organisation determines the roles. In a medium-sized company with 50 to 500 employees, it is recommended to have a tax compliance officer who reports directly to management and is not organizationally located in the operational tax department, otherwise conflicts of interest arise between operational tax planning and critical control. In addition, specialists responsible for each tax type are named, such as the payroll accountant for income tax, the chief accountant for sales tax and the tax advisor for corporate income tax and transfer pricing documentation. The appointment certificate documents tasks, authorities, escalation paths, reporting obligations and replacement arrangements for vacation and illness. It is signed, filed and verifiable. Without this document, the allocation of responsibility in the event of a dispute with the tax office is not reliable and the tax compliance officer cannot rely on a clear mandate in criminal proceedings, which increases personal liability.

The fourth component is the risk analysis. Here you can systematically record where tax risks can arise. Typical drivers are foreign business, intra-group supply relationships, new business models, reorganizations, IT migrations, personnel changes in accounting as well as special transactions such as conversions or share sales and employee secondments. Each risk is assessed with the probability of occurrence and amount of damage and assigned to a protective measure, ideally on a five-stage scale with clear thresholds. The risk matrix is ​​not a one-off document, but is updated at least annually and as necessary when there are significant changes to the business model. If you also employ a compliance officer, tax risks and general compliance risks should be managed in an integrated matrix, otherwise blind spots will arise at the interfaces between tax, money laundering and data protection issues. The 490 audit templates from CIVAC contain the risk matrix template, the appointment certificate template and the role document already in an IDW-compliant structure and can be used without any further adjustment.

Building block 5: Compliance program with controls and thresholds

The compliance program is the operational layer. Here you define a specific control for each identified risk. A control consists of four elements: trigger, performer, frequency, evidence. Example of sales tax: The trigger is the monthly advance registration. The person carrying out the work is the chief accountant. Frequency monthly. The evidence is the printed four-eye report with signatures, stored in the workspace in the VAT advance registration directory in the respective monthly folder with a clear file name according to the year-month-VAT-VA scheme. There is no control for the external auditor without evidence. The most common weakness in practice is not the lack of controls, but rather the lack of documentation of a control that has been carried out. This is exactly where the defence in criminal proceedings regularly fails when those responsible verbally assure that an examination has been carried out, but there is no evidence in the file.

Threshold values ​​make the program practicable. Not every business transaction requires the full depth of control. A three-stage logic is common: routine incidents up to 25,000 euros are checked at random, around every 20th booking using a documented selection method. Incidents between 25,000 and 250,000 euros go through the four-eyes principle before booking with both signatures on the receipt. Incidents over 250,000 euros also require written approval from management or the tax compliance officer with a brief tax assessment. These thresholds must be fixed in the program document and accessible in the workspace so that every employee can look them up if in doubt. In the case of transfer pricing issues, the threshold according to Section 90 Paragraph 3 AO is already lowered to exceptional business transactions without an amount limit, which is why a separate control chain with its own documentation requirement is necessary here. During the external audit appointment, the auditor typically asks specifically: Show me the control for this exact incident. With the CIVAC workspace, the person responsible delivers the chain of documents within minutes, not days. The auditor calls, the evidence is ready.

Module 6: Compliance communication and training obligations

Compliance communication covers two directions. Top-down, management communicates the policy statement, the protection goals and changes in the program to all employees and managers, ideally with documented confirmation of receipt via the workspace system. Bottom-up, information about possible violations, suggestions for improvement and risk reports flow back, either via the line organisation or via the whistleblower office. Both methods must be documented in the appointment certificate and in the procedural instructions, with clear contact points, deadlines and escalation rules. A practical element is the annual tax compliance declaration, in which every manager confirms in writing that they are not aware of any tax violations in their area of ​​responsibility and that they have actively implemented the applicable requirements. In criminal proceedings, this declaration acts as additional evidence against the breach of supervisory duty and also excludes claims of ignorance because the manager documents knowledge and responsibility with his signature.

Training is not an option. Anyone who combines a breach of duty with a failure to train risks a breach of supervisory duty according to Section 130 OWiG with full personal liability for the management. The training program should cover at least three levels: basic instruction for all employees who are exposed to tax-relevant processes, in-depth training for accounting and purchasing with industry-specific case studies, special training for employees with a foreign connection or special topics such as reverse charge, fiscal organisation, travel expense law or benefits in kind. Each training course is documented with a list of participants, proof of content, date, duration and comprehension check. Training without a list of proof is worthless in the external audit appointment and cannot be used in the fine proceedings. CIVAC provides the training planning, the participant lists and the evidence with version status and audit trail via the workspace. If you also need to serve a money laundering officer function, the training processes can be carried out in the same workspace, without redundant tools and maintenance effort.

Building block 7: Monitoring, improvement and effectiveness testing

The seventh component according to IDW PS 980 is monitoring. The effectiveness of the Tax CMS is tested in two stages: adequacy test and effectiveness test. The adequacy test answers the question of whether the system is conceptually suitable to control the identified risks. The completeness of the risk map, the consistency of the controls and the coverage of the main tax types are checked. The effectiveness test checks whether the controls have actually been carried out and work in practice. Here, samples are taken, receipts are viewed and employees are interviewed. Both audits can be carried out internally by an independent body or externally by an auditor in accordance with IDW PS 980. A certifying external audit significantly increases the evidentiary value in criminal proceedings, but is expensive for smaller companies with costs of 30,000 to 80,000 euros.

For ongoing monitoring, quarterly spot checks by the tax compliance officer on the documented controls are recommended. It is checked whether the chain of documents is complete, the signatures are present, the threshold values ​​have been met and whether the training has been carried out as planned. Anomalies are reported to management in a structured reporting system, ideally with traffic light status for each risk area. The reporting line is fixed in the appointment certificate and is not negotiable. The tax compliance officer's annual report to management contains the risk development, the controls carried out, the deficiencies identified, the improvement plan and the recommendations for the following year. These reports are stored in versioned form in the CIVAC workspace, each status can be reconstructed, and each change can be documented with a time stamp and author. Audit-proof, documented, § 153 AO-proof. That is the claim, and this claim can be fulfilled if the platform systematically takes over the documentation.

Practical development plan: 90 days until documented maturity

A tax CMS can be brought to an audit-proof starting level in 90 days if management allocates resources and the platform is in place from day one. Days 1 to 14 serve as the kick-off: Appointment of the tax compliance officer with an appointment certificate, definition of the reporting line to management, inventory of the existing tax processes, identification of the central stakeholders in accounting, purchasing, sales, human resources and IT. At the same time, the workspace is set up, the directory structure follows the seven building blocks according to IDW PS 980. In this phase, the management's statement of principles is also formulated and communicated. The appointment certificate, signed, filed, verifiable. Without this initial status, there is no formal basis for all further steps.

Days 15 to 45 are risk analysis and program design. A responsible person is assigned to each tax type, the main risks are assessed in the matrix, the compliance program is designed with controls and threshold values ​​and coordinated with those responsible for operations. Days 46 to 75 are implementation: training courses are planned and carried out, the four-eye protocols are introduced, the report formats are determined and tested at the first pre-registration. Days 76 to 90 are used for the first effectiveness sample and the preparation of the annual report to management. If there is no capacity for the tax compliance representative internally, CIVAC takes on the role as an external representative with an SLA of two working days for each request, instead of the classic two to six weeks for external consultants. Licence the workspace for your internal representatives or have our representatives order it. Both models lead to the same documented maturity, which contributes to the external audit appointment and can be scaled without disruption if necessary.

Interfaces: Tax CMS, general CMS, money laundering, data protection

A tax CMS rarely stands alone. Most companies already have a general compliance management system, a data protection officer in accordance with Article 37 of the GDPR and, if necessary, a money laundering officer in accordance with Section 7 of the GwG, as well as other mandatory representatives from occupational safety, environmental and whistleblower law. The interfaces must be clarified, otherwise there will be gaps and duplication of work or, in the worst case, contradictory instructions to the operational employees. An integrated compliance map is recommended that shows which officer is responsible for which topic and where the handovers are. Payroll tax issues involving cross-border employee leasing affect both tax and data protection because master data and compensation information are processed. Suspicious activity reports according to Section 43 of the GwG can trigger criminal tax consequences and must be coordinated accordingly with the tax compliance officer without violating the strict confidentiality obligations and the tipping-off ban of the Money Laundering Act.

The whistleblower office according to the Whistleblower Protection Act also plays a role in the Tax CMS. If a whistleblower reports a tax issue, it must be clear who will receive the report, who will check it, who will decide and how the whistleblower will be informed within the statutory period of seven days for confirmation of receipt and three months for follow-up action. In the CIVAC workspace, the reporting lines of all representatives can be mapped in one platform, with separate rights and joint reporting to management. You use 25 representative roles, 93 controls according to ISO/IEC 27001:2022 and 490 audit templates in an integrated environment with EU data residency. This turns parallel silos into a consistent compliance function. Others run compliance like a filing cabinet. We run it like software. Anyone who does not carry out this integration risks contradictions between the commissioner's reports in the criminal proceedings, which the public prosecutor will use to construct an intention or to justify a breach of supervisory duty.

Turn reading into a mandate.: next steps with CIVAC

A Tax CMS is not a project with an end date, but an ongoing function. If you are just starting out today, the next steps are concrete: written policy statement from management with measurable protection goals, appointment of the tax compliance officer with an appointment document and clear reporting line, setting up the workspace with risk matrix and program document, planning the first wave of training for accounting, purchasing and sales. An initial verifiable status can be achieved within 14 days, which, in the event of a short-term external audit, already provides an indication within the meaning of the BMF letter on Section 153 AO. Within 90 days you will achieve documented maturity with all seven building blocks, which will serve as a basis for defence in criminal proceedings and will be convincing to the auditor.

CIVAC accompanies this structure in two models that can be used in parallel or in combination. In the workspace model, you licence the compliance platform for your internal representatives and use the 490 audit templates, the appointment certificate templates, the risk matrix and the report formats as an immediately usable framework with EU data residency. In the officer-as-a-service model, we provide the external tax compliance officer within two working days, instead of the traditional two to six weeks for traditional law firms or consulting firms. Both models use the same workspace, reporting line and templates, allowing for later switching without data migration. If you would like to know what level of maturity is appropriate for your company size and how the 90-day plan is tailored to your industry, write to info@civac.de or use the contact form on civac.de/faq. Within one working day you will receive an initial assessment with concrete next steps and a suggestion for the right model. Turn reading into an assignment.

FAQ

At what size company is a tax CMS mandatory?

There is no explicit legal obligation to set up a tax CMS in Germany. However, the BMF letter on Section 153 AO recognises an existing system as an indication of intent, which has a decisive effect in criminal proceedings. In practice, the tax authorities and the IDW recommend a documented tax CMS for around 50 employees or for internationally active structures, regardless of the number of employees, because the tax complexity then increases dramatically.

What evidentiary value does a non-certified Tax CMS have?

A documented and implemented Tax CMS acts as an indication of intent or carelessness, even without external certification, as long as the appointment certificate, risk matrix, proof of control and training documents are available. Certification according to IDW PS 980 increases the evidentiary value because an independent auditor confirms appropriateness and effectiveness. For medium-sized companies, an internal effectiveness sample with audit-proof documentation in the workspace is often sufficient.

What role does the tax advisor play in a tax CMS?

The tax advisor advises and examines individual matters, but does not assume the compliance function of the tax compliance officer and does not take responsibility for the system. System responsibility remains with the management. The tax advisor can be involved as an external specialist responsible for special topics such as transfer pricing, restructuring or unity, but does not replace the ongoing monitoring by the tax compliance officer.

How long does it realistically take to set up a tax CMS?

With a dedicated platform and external representative, an audit-proof starting status can be achieved in 90 days, which already acts as an indication during the external audit appointment. A complete effectiveness test with meaningful sample results requires at least twelve months because the system has to go through a full tax cycle. A certifying exam according to IDW PS 980 typically takes another three to six months of preparation time.

What distinguishes a tax CMS from the general compliance system?

A general compliance management system addresses all types of legal violations, such as antitrust law, corruption, data protection or supply chain. A tax CMS focuses exclusively on compliance with tax obligations according to AO, UStG, EStG, KStG and GewStG. Both systems follow the same structure according to IDW PS 980, but differ in risk content, controls and reporting obligations. Integration into a common platform is expressly recommended because topics such as wage tax and labour law are intertwined.

What sanctions threaten without a documented Tax CMS?

Without a documented system, management bears the full burden of proof in criminal proceedings that there was no intent or recklessness. Proceedings under Section 370 or Section 378 AO are subject to fines or imprisonment, as well as a breach of supervisory duty under Section 130 OWiG with fines of up to one million euros per violation. In addition, there are interest on arrears in accordance with Section 235 AO, skimming of profits and damage to reputation upon publication.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles