Decision 98/QD-TCT, issued in 2024, completely changed the way the General Department of Taxation selects businesses for inspection. Selection is no longer random: the "Risk Management Application" system now automatically analyzes thousands of tax declaration files based on Big Data and assigns risk scores periodically on the 25th of each month.
In that context, risk management in tax audits and inspections is no longer a reactive response to an inspection decision, but rather a proactive approach to simulating a score before the tax authorities do. This article deciphers the ranking mechanism under Decision 98/QD-TCT and Circular 31/2021/TT-BTC. It also provides a set of key formulas for CFOs to independently calculate HSKT risk scores, combined with Bizzi's RPA solution to build a "data shield" before an inspection order is issued.
How does the taxpayer "scoring" mechanism work according to Circular 31 and Decision 98?
To properly understand the nature of current tax risk management, CFOs need to recognize that tax authorities have shifted from a "post-audit" approach to a "risk-based audit selection" model. Every audit decision is now based on databases and algorithms.
Core operating mechanism
The risk management system operates on a centralized "Risk Management Application" platform at the General Department of Taxation. Data is collected from VAT, corporate income tax, special consumption tax declarations, electronic invoices, and third-party information, and then fed into a scoring model.
The process consists of three main steps:
- Gathering information
- Analysis and scoring based on a set of criteria indicators.
- Risk assessment and alert list generation
Notably, the analysis process is automated, minimizing subjective intervention. As a result, risk management in tax audits and inspections has become a quantitative problem, rather than relying on the "intuition" of managers.
The "golden opportunity" that CFOs need to pay special attention to.
The VAT and Special Consumption Tax (SCT) analysis is run periodically on the 25th of each month. The Corporate Income Tax (CIT) analysis, however, is run on April 25th, July 25th, and October 25th.
This means that if the business wants to manage tax risk proactively, all reconciliation and simulation of metrics should be completed before these deadlines. Once the system is running, "firefighting" will have little strategic significance.
Once the system completes the scoring, businesses will be placed into specific categories.

The HSKT risk classification system has 5 risk tiers and 3 risk levels.
Many CFOs confuse a company's compliance rating with the risk level of individual tax returns. This distinction is crucial for risk management during tax audits and inspections.
Two parallel frames of reference
According to Circular 31, taxpayers are categorized into four levels of compliance: high, medium, low, and non-compliant. This is an overall assessment.
According to Decision 98, each tax return is classified into three risk levels: high, medium, and low. A business with a good compliance rating can still have a tax filing period that receives a high risk score.
Risk threshold determination mechanism
Risk thresholds can be determined by absolute numbers (fixed scores) or relative numbers (percentage of businesses with the highest scores). When the threshold is exceeded, the tax return (HSKT) is placed on a priority inspection list.
For a CFO, this means tax risk management must track each tax filing period individually, rather than just looking at the overall picture.
To assess their own position, CFOs need to have a thorough understanding of the set of metrics and criteria that the system is using.
The set of criteria and formulas for calculating HSKT risk scores according to Decision 98.
This is a core element of the risk management strategy in tax audits and inspections. The system does not score based on common financial indicators such as ROA or ROE, but rather on specific formulas stipulated in written documents.
Value Added Index Group
One of the key indicators is the difference between goods purchased and sales revenue for the current period compared to the average of the previous 12 months. Unusual fluctuations may be considered a sign of short selling or misrecording.
The ratio of revenue subject to tax rate 0% to total revenue is also a sensitive indicator, especially for export businesses, as it is directly related to tax refunds. In addition, the ratio of output VAT to sales revenue between consecutive periods is compared to detect unusual changes in revenue structure.
Corporate Income Tax Indicators Group
The ratio of total sales deductions to sales revenue is an important indicator, as it can reflect behavior in adjusting taxable revenue. The ratio of end-of-period provisions to total expenses is also analyzed to identify the possibility of over-provisioning that could reduce taxable profit.
| Indicator | Formula | Risk significance |
| --- | --- | --- |
| Buy-Sell Fluctuations | (This period – 12-month average) | Detection of short selling |
| 0% Revenue / Total Revenue | Ratio % | Tax refund risk |
| Output VAT / Revenue | Compare periods | Revenue structure mismatch |
| Deductions / Revenue | Ratio % | Revenue adjustment |
| Provisions / Total expenses | Ratio % | Reduced taxable profit |
3 Operational "Achilles' Heel" Flaws That Lead to High-Risk Business Ratings and Tax Collection
In consulting practice, most high-risk points don't stem from intentional fraud but from process loopholes. This is why CFOs need to treat tax risk management as part of internal control.
- Firstly, there are discrepancies between tax returns and accounting records. When comparing manually, small differences are easily overlooked and accumulate into systemic risks.
- Secondly, there is the risk of input invoices. A supplier that is operating normally may suddenly disappear, turning a previously valid invoice into a risky one.
- Thirdly, there is the "Tax Notification Blind Spot" – businesses miss notifications from tax authorities, leading to outstanding tax debts and forced invoice collection without timely resolution.
These gaps directly impact scores in the risk management system and increase audit risk. Manual processes are insufficient for effective resolution. Businesses need automation.
Applying RPA & EPM to automate tax risk control.
In the era of Taxation 4.0, risk management in tax audits and inspections needs to be digitized in line with how the tax authorities currently operate. An effective solution is a combination of RPA and EPM.
The Bizzi x Finevo system implements a four-step automation process. The robot automatically logs into the General Department of Taxation's portal, uploads declarations and notifications, and then compares the data with the internal ERP system. Discrepancies are immediately alerted to the CFO and Tax Manager. All records are stored in a structured manner on the Cloud for ready-to-use explanations.
An important point in tax risk management is tracking outstanding tax obligations. The Outstanding Liability Monitoring feature helps to immediately detect overpayments, underpayments, or incorrect sub-items – factors that often lead to enforcement actions.
When combined with the EPM platform, CFOs can simulate "what-if" scenarios before finalizing figures, thereby adjusting indicators to avoid exceeding risk thresholds.

Procedures for coordination and explanation when an inspection decision is issued at the headquarters.
When receiving an inspection notice, businesses need to respond according to the principle of "quick response - concise explanation". The documentation should be prepared based on internal risk assessment forms similar to those used by the tax authorities.
Using digital archives allows for searching XML invoices in seconds instead of sifting through paper records. Before the inspection team arrives, businesses should rescan their incoming invoices to detect any retroactive risks.
From the CFO's perspective, this is the final step in the chain of risk management in tax audits and inspections: transforming data into compelling evidence.
Frequently Asked Questions about Tax Risk Management (FAQ)
Tax risk management is the process of identifying, assessing, controlling, and mitigating the risks of non-compliance with tax laws. This helps businesses avoid penalties, back taxes, or being placed on a high-risk list for audits. It includes reviewing invoices, accounting data, and ensuring compliance with regulations.
Below are frequently asked questions (FAQs) about tax risk management:
Are Category 1 (very low risk) businesses subject to inspection?
Yes, but infrequently and usually in the form of sample or thematic audits. Maintaining a stable tax risk management system helps businesses reduce the likelihood of being subjected to a full audit.
How can you tell if a business is in arrears on taxes due to an incorrect tax sub-item?
CFOs should use an automated tax liability lookup tool to reconcile data on Etax with internal payment documents. Continuous monitoring helps detect discrepancies early and avoid late payment interest charges.
Does the risk calculation formula in Decision 98 apply to all industries?
In principle, the criteria are widely applied, but the weighting and risk thresholds can be adjusted according to industry and size. Therefore, risk management in tax audits and inspections needs to be flexibly designed to suit the specific characteristics of each business.
Does accounting software automatically warn you about tax risks?
Most accounting software only records transaction data without directly connecting to the tax authority's system. Businesses need specialized RPA solutions like Bizzi to perform periodic tax health checks and proactively receive alerts.
Conclusion: From "Reactive" to "Proactive Risk Simulation"
Tax 4.0 has changed the game. With tax authorities using algorithms to score businesses, companies also need automated systems to self-assess their performance before the 25th of each month.
For CFOs, managing risk during tax audits and inspections is not just about avoiding back taxes, but also about protecting cash flow, reputation, and the ability to issue invoices continuously. Implementing RPA solutions like Bizzi combined with Finevo's governance framework helps businesses build a "data shield"—where every tax return is reconciled, every tax obligation is tracked, and every risk indicator is simulated before the tax authorities score the data.
In this context, tax risk management is no longer a supporting function, but has become a strategic capability of the Finance and Accounting department in the digital age.