Tax governance, control, and risk management
Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.
↗ Share
This disclosure asks an organisation to explain how it oversees tax matters in practice. The focus is on the systems, controls and responsibilities that shape tax decision-making, including who is accountable, how tax risks are identified and managed, and how tax governance is embedded in the organisation’s wider control environment.
In practical terms, the report should describe the approach across the organisation as a whole, not just a few well-known sites or a single business unit. The useful question is whether the tax governance framework applies consistently across operations, and how it helps the organisation manage tax-related risk in a structured way.
* This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.
A quick mental checklist before you prepare this disclosure — tick each as you settle it.
| Datapoint | What to capture | Evidence hint | Owner |
|---|---|---|---|
| Tax control framework | A plain summary of how tax is governed and controlled across the organisation, covering the main rules, oversight lines and control points that shape tax decisions. | Tax policy, governance map, control framework document, committee terms of reference, internal control descriptions. | Tax / Finance / Legal / Governance |
| Tax accountability lead | The board-level body or senior executive role that carries responsibility for compliance with the tax strategy, named clearly and consistently with internal governance records. | Board charter, committee papers, role descriptions, delegated authority matrix, governance register. | Tax / Company Secretariat / Legal |
| Tax embedded in business | How tax responsibilities and considerations are built into day-to-day business processes, decision-making and oversight, rather than treated as a standalone topic. | Process maps, policy manuals, training records, approval workflows, operating procedures, internal communications. | Tax / Finance / Operations / HR |
| Tax risk management | How tax risks are spotted, assessed, tracked and reviewed, including the practical controls and monitoring routines used to keep them under watch. | Risk register, control testing results, monitoring reports, issue logs, committee packs, escalation procedures. | Tax / Risk / Internal Control / Internal Audit |
| Tax control review | How the organisation checks whether its tax governance and control arrangements are working as intended, including the review methods and who performs them. | Control testing plans, internal audit reports, compliance reviews, management assurance papers, remediation trackers. | Tax / Internal Audit / Risk / Finance |
| Tax concern channels | The routes people can use to raise concerns about business conduct or integrity issues linked to tax, including internal reporting channels and any escalation route. | Speak-up policy, whistleblowing procedure, ethics hotline materials, intranet pages, investigation process documents. | Legal / Compliance / HR / Ethics / Tax |
| Tax assurance process | How the tax disclosures were checked by an external or internal assurance process, and where relevant the reference details for the related assurance report or statement. | Assurance engagement letter, assurance statement, external report, auditor correspondence, disclosure sign-off pack. | Finance / Tax / External Assurance / Internal Audit |
Show GRI 207-2 sub-elements (LRA working checklist)
- Set out how you check whether the tax governance and control framework is being followed.
- Explain how the organisation’s tax approach is built into day-to-day operations.
- Describe how tax risks are spotted, handled and kept under review.
- Explain the assurance process for tax-related disclosures, and include a link or reference to any external assurance report or statement where relevant.
- Describe the channels people can use to raise concerns about the organisation’s conduct or integrity in relation to tax.
- Set out the tax governance and control framework in plain terms.
- Identify which board-level body or senior executive is responsible for making sure the tax strategy is complied with.
LRA working checklist - paraphrased; see official source
- Set the reporting boundary first: decide which parts of the business, and which control arrangements, you will describe for tax governance. Make sure the scope matches the organisation you are reporting on, and keep that boundary consistent across the whole disclosure.
- List the core elements you need to cover in plain business language. Include who is responsible for tax compliance, how tax is built into day-to-day operations, how tax risks are spotted and handled, and how the organisation checks that the framework is working.
- Gather support for each part of the narrative. Pull together policy documents, committee papers, role descriptions, risk logs, monitoring records, review notes, whistleblowing or speak-up routes, and any other internal material that shows the process in practice.
- Draft the disclosure as a clear narrative, or a mix of narrative and figures where relevant, using the evidence you have collected. Cover the accountability line, the way tax is embedded in the organisation, the risk management approach, the evaluation method, the concern-raising channels, and the assurance process.
- Record any exclusions, assumptions, or changes in approach. If something is not covered, or if the reporting basis has changed from the prior period, explain that clearly so readers can understand the limits of the information provided.
- Check the final wording against the official source and your underlying evidence. Confirm that each required element is present, the descriptions are consistent with the documents, and any external assurance reference is included where applicable.
Translate the disclosure into an internal business question — then adapt it to your organisation's own language.
Use your organisation’s own labels first (for example, tax policy, control map, risk register, speak-up route, assurance pack), then map them to the disclosure wording during drafting. Keep the request in the language your tax, finance, legal, and governance teams already use.
Please provide the GRI 207-2 evidence for tax governance, control, risk management, concerns mechanisms, and assurance.
Please send the current tax policy or equivalent, the named person or committee that oversees tax, the way tax is built into business processes, the tax risk log and review cadence, the check used to confirm controls are working, the route for raising tax-related concerns, and any external assurance note for tax disclosures. Use your team’s own terms and include document name, version/date, owner, and file link.
Formal email template
Subject: Request for tax governance, control, risk, and assurance evidence for [reporting period]\n\nHello [name/team],\n\nWe are preparing the sustainability reporting pack and need a short evidence set covering how tax is governed, controlled, monitored, and reviewed across [group boundary].\n\nPlease share, for [reporting period]:\n- the current tax policy or equivalent summary\n- who has oversight responsibility for tax matters\n- how tax is built into day-to-day processes and decision-making\n- how tax risks are identified, tracked, and reviewed\n- how compliance with the control approach is checked\n- how colleagues can raise concerns about tax-related conduct or integrity\n- any external assurance material linked to tax disclosures, if available\n\nPlease include the source document name, version/date, owner, and any link or file reference. If the wording in your team differs from the terms above, please use your own internal labels and note the mapping for us.\n\nA possible LRA training template only — please adapt this to your organisation and check the official source before sign-off.\n\nMany thanks,\n[preparer name]
Short Teams / Slack version
Hi [name/team] — could you send the tax governance / control / risk evidence for [period] across [boundary]? We need: owner for tax oversight, how tax is embedded in the business, how risks are tracked, how controls are checked, speak-up route for tax concerns, and any assurance note/report. Please use your team’s own labels and add the source/version/date. Thanks.
Retail
Context. A multi-country retailer with a central tax team and local finance leads.
Adapted request. Please share the tax governance pack for [period]: the board or executive owner for tax, the group tax policy, how tax checks are built into store, online, and payroll processes, the tax risk register, the review and testing routine, the speak-up route for tax concerns, and any assurance statement linked to tax reporting. Use your internal names for these items and include the document version/date and owner.
Example response. Tax policy v4.0; CFO named as oversight owner; quarterly tax risk review log; control testing summary for VAT, payroll, and corporation tax; ethics hotline route; external assurance statement dated [date].
Manufacturing
Context. A manufacturer with a shared services finance function and site-level operations.
Adapted request. Please provide the tax governance and control evidence for [period] covering the group and sites: who oversees tax, how tax is embedded in purchase-to-pay and payroll processes, how tax risks are identified and monitored, how control checks are performed, how staff can raise tax-related concerns, and any assurance report or statement for tax disclosures. Please use the terms your finance and compliance teams already use.
Example response. Tax control framework note; Audit Committee oversight; process map showing tax checks in procurement and payroll; tax risk register with monthly review; compliance testing results; speak-up policy excerpt; assurance statement from external reviewer.
The full request pack — response form, data table, evidence metadata and sign-off — is in the Download Centre.
LRA training templates — adapt them to your organisation, and check the official source before sign-off.
Explain the basis used to describe the tax governance setup, including how roles, controls, risk handling, concern-raising routes and any external assurance were identified and summarised.
Set out what the disclosure tells readers about how tax is overseen, who is accountable, how tax is embedded in the organisation, and how confidence in the information is supported.
If the description changes from one period to the next, note whether that reflects a change in governance, control design, risk handling, reporting routes or the scope of assurance rather than a change in tax outcomes.
GRI 207-2 Tax governance, control, and risk management — [location / page] / [notes]
Professional preparation tools and forms for GRI 207-2. Each download includes a concise “How to use” guide.
| Claim | Risk | Evidence to check |
|---|---|---|
| We set out, in our own words, how the tax control set-up works, who does what, and how the main checks are organised. | The narrative is too generic, or it does not match the actual control structure used in the business. | Tax policy documents, governance charts, role descriptions, committee terms of reference, and internal process maps showing the control set-up described in the report. |
| We identified the board member or senior leader who is responsible for making sure the tax approach is followed. | The named accountable person is unclear, outdated, or not supported by formal delegation. | Board papers, delegation letters, executive role profiles, committee minutes, and current organisation charts showing the named accountable person. |
| We explained how tax responsibilities are built into day-to-day management rather than left as a standalone topic. | The description overstates how embedded the approach is, or there is no evidence that tax is integrated into normal business processes. | Policies, training records, approval workflows, finance and legal process documents, and examples showing tax considerations built into routine decision-making. |
| We described how tax exposures are spotted, handled, and kept under review across the reporting period. | The account is incomplete, or the controls described do not cover identification, response, and monitoring in practice. | Risk registers, issue logs, monitoring reports, escalation records, control testing results, and meeting packs showing how tax matters were tracked. |
| We explained how we checked whether the control set-up was working as described before the report went out. | The reported evaluation process is not evidenced, or the checks were too limited to support the statement made. | Internal review notes, control testing outputs, audit findings, management sign-off, remediation trackers, and evidence of follow-up on any weaknesses. |
| We described the routes people can use to raise concerns about conduct or integrity issues linked to tax. | The disclosure suggests a channel exists, but the organisation cannot show that the route is available, communicated, or suitable for tax-related concerns. | Speak-up policy, whistleblowing procedure, hotline details, intranet pages, training materials, case logs, and communications showing how concerns can be raised. |
- The governing policy or written commitment behind this disclosure
- A methodology / definition note setting out how the disclosure was scoped and prepared
- Source-system exports the figures or facts were drawn from
- The internal approval / sign-off record for the disclosure before publication
- Minutes or records evidencing the relevant engagement or consultation
- The information is presented without a date or as-at point.
- The scope or boundary of the statement is left undefined.
- Key terms are used inconsistently across the report.
- Material changes since the previous period are not disclosed.
- Assertions are made without supporting detail or a source record.
- Boilerplate is used that does not actually answer what is asked.
- Wrong owner
The request goes to Finance or Tax by default, even though the real source sits with the board secretary, risk team, internal audit, or the executive who owns the tax policy.
- Framework language only
People ask for answers in disclosure terms instead of the organisation’s own words, so teams cannot map the evidence back to how they actually run tax oversight.
- No clear boundary
The data pull mixes group, subsidiary, and joint-venture material without first fixing which entities, functions, and controls are in scope.
- Wrong reporting period
Teams collect a current snapshot or a calendar-year view when the source evidence was prepared on a different cycle, so the dates do not line up.
- Mixed counting basis
One source is captured as a headcount, another as named roles, and a third as committee seats, which makes the final set impossible to compare cleanly.
- Source labels lost
Original file names, version marks, and system tags are stripped off during consolidation, so nobody can trace each statement back to the document it came from.
- Merged populations
Controls for the parent company and controls for local entities are blended into one file even though they should be checked and reported separately.
- Missing evidence trail
The team saves the narrative but not the supporting note, date, owner, or approval record, so the source cannot be verified later.
- No sign-off path
Draft inputs move straight into the disclosure pack without a named reviewer and approver, leaving no record that the underlying data was checked before use.
- What counts as the tax control perimeter after a deal closes or a business is sold
Set out whether the description covers only the current group at the reporting date or also parts added or removed during the year, and explain any cut-off used for newly acquired or disposed operations.
- When local tax rules or internal labels do not line up across countries
Use one group-wide way of describing the tax set-up, then note where country-level practices differ and explain the basis for translating those local differences into a single narrative.
- Whether to include low-risk or small entities near the edge of the reporting scope
State the inclusion rule for entities, branches, joint arrangements, or other units that sit close to the boundary, and explain any exclusions or simplifications applied.
- Choosing the time basis for describing controls and oversight
Make clear whether the account reflects the position at year-end, the full year, or another period basis, and explain if the control story changed during the period.
- Deciding how far to rely on estimates where records are incomplete
Where the organisation cannot measure a point directly, disclose the estimate basis, the main assumptions used, and whether the figure or description is provisional or based on direct evidence.
- How much detail to give on concern-raising channels without exposing individuals
Describe the routes people can use to raise tax-related conduct concerns in a way that protects confidentiality, and aggregate or generalise the information where naming or small numbers could identify someone.
- How to present assurance when only part of the tax information has been checked
If external review covers only some tax disclosures or only part of the reporting set, identify the covered items, the assurance provider, and any limits or exclusions in the review scope.
- How to round or summarise control information without changing the message
Apply one consistent rounding or summarising approach across the disclosure, and explain it if the presentation could affect how readers understand the strength or coverage of the tax controls.
Synthetic, written by LRA — not from a company report, not text from any standard.
Synthetic example for training only. We describe a tax control set that sits under our finance policy, with board oversight through the audit committee and day-to-day ownership by the group tax lead, who reports into the chief financial officer. Tax thinking is built into budgeting, pricing, acquisitions, and country filings through written procedures, staff training, and quarterly reviews; we track risks by jurisdiction, log issues in a register, and test controls through internal review and periodic management checks.
- We assess whether the control set is working through self-assessments, internal audit testing, and sign-off from finance leaders, while staff can raise tax-related conduct concerns through our ethics line, whistleblowing route, and direct escalation to the audit committee chair.
- For this disclosure, an external firm reviewed the tax narrative and selected data points, and its limited assurance statement is referenced in our annual report appendix.
Synthetic example for training only. Our tax approach is set out in a group policy that the board approves, with the finance director responsible for delivery and the risk committee receiving regular updates. We embed that approach through approval limits, project-stage tax reviews, country-by-country filing calendars, and training for finance and commercial teams; tax exposures are identified through a risk map, monitored through monthly dashboards, and escalated where controls or filings fall behind.
- We check compliance by combining control testing, internal audit work, and management review of exceptions, and people may report concerns about conduct or integrity through our speak-up channel, the ethics mailbox, or direct contact with the chair of the risk committee.
- An independent assurance provider reviewed the disclosure package and issued a separate assurance statement, which we refer to in the sustainability section of our annual report.
How to turn the collected data into a draft disclosure. Suggested visuals and a GRI content-index line generated from this disclosure's datapoints.
Suggested visuals
- Tax governance and control framework overview — table: A concise summary of the organisation’s tax oversight model, including the main controls, review points and responsible roles.
- Accountability for tax strategy — bar: Which board-level or senior leader role carries responsibility for tax strategy compliance and oversight.
- How tax is built into the business — table: Where tax responsibilities sit across the organisation and how tax considerations are embedded into day-to-day processes.
- Tax risk management cycle — stacked bar: How tax risks are identified, handled and tracked over time, with the different stages shown side by side.
- Channels for raising tax-related concerns — bar: The main routes available for staff or others to raise concerns about conduct or integrity issues linked to tax.
- Assurance coverage for tax disclosures — table: What parts of the tax disclosure set were checked independently, and whether there is a linked external assurance statement or report.
What separates a figure from a disclosure.
We have a tax control framework, with the finance director accountable for tax compliance.
We run tax through our group policy, with the finance director accountable, quarterly risk reviews, a whistleblowing route for tax concerns, and an annual internal check of the controls.
For the year ended 31 December 2025, we applied our group tax policy across all subsidiaries, with the finance director accountable; we identified and tracked tax risks through quarterly reviews, used our speak-up channel for tax concerns, and completed an annual internal review of the controls, with the slight rise in issues raised this year mainly due to staff training on the new reporting process.
Real reports where this topic is disclosed. The confidence label shows how closely each match maps to GRI 207-2 — these are report practice, not exact disclosure examples.
| Company | Sector · Country | Year | Match | Page | Report | Assurance | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Zydus Lifesciences Limited | Pharmaceuticals / Biotech / Life Sciences · India | 2025 | Partial | p. 149 →p. 29 →p. 79 → | ESG Report FY24-25 → | — | |||||||||||||||||||||||||
Evidence in Zydus Lifesciences Limited’s reportWhat the report shows Zydus Lifesciences Limited’s ESG Report FY24-25 provides coverage on its tax strategy and governance on page 2, detailing tax reporting and effective tax measures. The report also addresses identified risks and mitigation measures related to limited wild flora and fauna availability on page 86, and includes a description of risk governance and management processes on pages 2 and 148. However, the report lacks clear narrative or methodology for some disclosure items, such as narrative item (a-ii), (a-iv), (b), and (c), where no quotable evidence was found.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
|||||||||||||||||||||||||||||||
| Firstsource Solutions Limited | Professional Services · India | 2025 | Partial | p. 86 →p. 216 →p. 63 → | ESG Report FY 2024-25 → | BSI | |||||||||||||||||||||||||
Evidence in Firstsource Solutions Limited’s reportWhat the report shows Firstsource Solutions Limited’s ESG Report FY 2024-25 provides coverage on governance aspects related to tax transparency and accountability, referencing GRI 207: Tax 2019 on page 216. The report also addresses risks and controls linked to financial reporting and key performance metrics on page 56, and outlines its overall approach and governance framework on page 205. However, there is only partial context on emerging risks without a headline value on page 54, and no clear evidence or quotable information was found for certain narrative items, including methodology details and some specific disclosures.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
|||||||||||||||||||||||||||||||
| Amadeus IT Group, S.A. | Hotels, Restaurants, Leisure, Tourism Services · Spain | 2025 | Partial | p. 161 →p. 162 →p. 164 → | Amadeus Non-Financial Report 2025 → | Deloitte | |||||||||||||||||||||||||
Evidence in Amadeus IT Group, S.A.’s reportWhat the report shows Amadeus IT Group’s 2025 Non-Financial Report provides coverage on governance related to tax functions (p.3) and describes policies adopted to manage tax practices, including a Corporate Tax Policy and related approaches (pp.165, 209). The report partially addresses risk mitigation related to suppliers, noting that suppliers are not onboarded if risks cannot be mitigated (p.159). However, there is no clear evidence found for narrative items (a-iv), (b), or (c), indicating gaps in the disclosure of certain aspects or methodologies.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
|||||||||||||||||||||||||||||||
A group has a written tax policy, but the finance team says the board only sees tax matters when a problem has already escalated. The tax lead also cannot point to any named person who owns oversight of the tax approach.What should the preparer check before describing the tax governance set-up?
A business has a tax risk register, but it was last updated 18 months ago and only lists transfer pricing. Local teams handle VAT and payroll tax issues informally, with no common method for spotting or tracking them.How should the preparer judge whether the risk narrative is complete enough?
The company has annual internal audit testing of tax controls, but the tax team cannot explain how the results are used, and there is no evidence that failures lead to action plans or reporting to leadership.What decision should the preparer make about the control-evaluation description?
Employees can raise ethics concerns through a general whistleblowing line, but the tax team has never publicised that route for tax-related conduct issues. An external assurance provider has reviewed the tax disclosures, but the draft report does not mention the assurance statement anywhere.What should the preparer include to make the disclosure complete?
See how companies actually report GRI 207-2 — drawn from their own published reports, with the exact pages, and an LRA AI-assistant that works through it with you. Available to LRA Community members and to students throughout their platform access.
How this disclosure maps across the major reporting frameworks.
What do I need to gather before drafting GRI 207-2 (Tax) on this page?
Start with the datapoints listed on the page: tax control framework, tax accountability lead, how tax is embedded in the business, tax risk management, tax control review, tax concern channels, and the tax assurance process. The page also gives a step-by-step preparation section to help you turn those inputs into a draft. ↑ section
How should I set the scope for GRI 207-2 (Tax) using this page?
Use the page’s plain-language explainer and the listed datapoints to decide what your organisation can evidence for the disclosure. The page is designed to help you define the scope and methodology before you write the draft. ↑ section
Who should own the GRI 207-2 (Tax) data collection in practice?
The page points you to a tax accountability lead and to tax being embedded in the business, so ownership may sit with tax but need input from other functions. Use the preparation section to assign responsibilities before you start collecting evidence. ↑ section
What evidence do I need for GRI 207-2 (Tax) to be assurance-ready?
The page includes six assurance claims to verify, each with claim, risk and evidence prompts, plus an evidence pack with five items. Use those sections to build a file that shows what was claimed, what could go wrong, and what supports the disclosure. ↑ section
How do I use the GRI 207-2 (Tax) evidence pack on this page?
The evidence pack is there to help you assemble the core documents and records needed for assurance readiness. It sits alongside the assurance claims so you can check that the evidence matches the claim and the risk being addressed. ↑ section
What are the common mistakes to avoid when reporting GRI 207-2 (Tax)?
The page lists common reporting gaps and mistakes so you can spot weak points before finalising the disclosure. Use that section as a pre-submission check against your draft and evidence pack. ↑ section
How can I turn the GRI 207-2 (Tax) page into a draft disclosure?
The page includes draft-output support with visualisation ideas, narrative starters and a GRI content-index line. Use those to move from collected data and evidence into a short draft narrative and a structured index entry. ↑ section
What should I put in the GRI 207-2 (Tax) narrative if I only have partial data?
The page’s narrative starters are meant to help you write from the data you do have, while the common gaps section helps you identify what is still missing. Keep the draft aligned to the evidence you can actually support. ↑ section
How do the synthetic example disclosures on the GRI 207-2 (Tax) page help me?
They show how a disclosure can be presented in practice, including a quantitative table where relevant. Treat them as illustrative only and use them to shape your own wording and layout, not as a template to copy. ↑ section
Can I reuse my GRI 207-2 (Tax) data for ESRS G1 Business Conduct reporting?
The page says ESRS G1 (Business Conduct) is the closest correspondence, so the same data may be reusable across both. Check the specific reporting needs separately, but use the page to organise the underlying tax data and evidence once. ↑ section
Where do I find the GRI 207-2 (Tax) workbook and printable card on this page?
The Download Centre includes a Prep & Assurance workbook in .xlsx format and a printable Library Card in .pdf format. Use the workbook to organise preparation and assurance, and the card for a quick reference copy. ↑ section
- GRI 207-2 Tax checklist for sustainability manager: what data points should I request?
- GRI 207-2 Tax assurance evidence pack: what should be in it?
- How to prepare a draft GRI 207-2 Tax disclosure from internal tax controls and risk data
- GRI 207-2 Tax common reporting gaps and mistakes to check before submission
- How to use the GRI 207-2 Tax Prep & Assurance workbook
- GRI 207-2 Tax narrative starters and content index line examples
- Who should be the tax accountability lead for GRI 207-2 Tax?
- What is the closest ESRS correspondence for GRI 207-2 Tax and can data be reused?
- GRI 207-2 Tax step-by-step preparation guidance for ESG teams
- What evidence do assurance reviewers expect for GRI 207-2 Tax?
- How to map tax concern channels and tax control review data into GRI 207-2 Tax
- GRI 207-2 Tax example disclosure with quantitative table
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
Sources, status and disclaimer
This LRA assistance tool is designed for educational and internal data-collection purposes. It is not an official interpretation of the GRI Standards, IFRS Sustainability Disclosure Standards or EU CSRD/ESRS requirements. When applying these frameworks in professional practice, users should consult and double-check the official standards, guidance and applicable regulatory sources.