Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library GRI GRI 207 GRI 207-2
GRI 207: Tax · 2019
Disclosure GRI 207-2

Tax governance, control, and risk management

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain how it oversees tax matters in practice. The focus is on the systems, controls and responsibilities that shape tax decision-making, including who is accountable, how tax risks are identified and managed, and how tax governance is embedded in the organisation’s wider control environment.

In practical terms, the report should describe the approach across the organisation as a whole, not just a few well-known sites or a single business unit. The useful question is whether the tax governance framework applies consistently across operations, and how it helps the organisation manage tax-related risk in a structured way.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Tax control framework A plain summary of how tax is governed and controlled across the organisation, covering the main rules, oversight lines and control points that shape tax decisions. Tax policy, governance map, control framework document, committee terms of reference, internal control descriptions. Tax / Finance / Legal / Governance
Tax accountability lead The board-level body or senior executive role that carries responsibility for compliance with the tax strategy, named clearly and consistently with internal governance records. Board charter, committee papers, role descriptions, delegated authority matrix, governance register. Tax / Company Secretariat / Legal
Tax embedded in business How tax responsibilities and considerations are built into day-to-day business processes, decision-making and oversight, rather than treated as a standalone topic. Process maps, policy manuals, training records, approval workflows, operating procedures, internal communications. Tax / Finance / Operations / HR
Tax risk management How tax risks are spotted, assessed, tracked and reviewed, including the practical controls and monitoring routines used to keep them under watch. Risk register, control testing results, monitoring reports, issue logs, committee packs, escalation procedures. Tax / Risk / Internal Control / Internal Audit
Tax control review How the organisation checks whether its tax governance and control arrangements are working as intended, including the review methods and who performs them. Control testing plans, internal audit reports, compliance reviews, management assurance papers, remediation trackers. Tax / Internal Audit / Risk / Finance
Tax concern channels The routes people can use to raise concerns about business conduct or integrity issues linked to tax, including internal reporting channels and any escalation route. Speak-up policy, whistleblowing procedure, ethics hotline materials, intranet pages, investigation process documents. Legal / Compliance / HR / Ethics / Tax
Tax assurance process How the tax disclosures were checked by an external or internal assurance process, and where relevant the reference details for the related assurance report or statement. Assurance engagement letter, assurance statement, external report, auditor correspondence, disclosure sign-off pack. Finance / Tax / External Assurance / Internal Audit
+ Show GRI 207-2 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first: decide which parts of the business, and which control arrangements, you will describe for tax governance. Make sure the scope matches the organisation you are reporting on, and keep that boundary consistent across the whole disclosure.
2List the core elements you need to cover in plain business language. Include who is responsible for tax compliance, how tax is built into day-to-day operations, how tax risks are spotted and handled, and how the organisation checks that the framework is working.
3Gather support for each part of the narrative. Pull together policy documents, committee papers, role descriptions, risk logs, monitoring records, review notes, whistleblowing or speak-up routes, and any other internal material that shows the process in practice.
4Draft the disclosure as a clear narrative, or a mix of narrative and figures where relevant, using the evidence you have collected. Cover the accountability line, the way tax is embedded in the organisation, the risk management approach, the evaluation method, the concern-raising channels, and the assurance process.
5Record any exclusions, assumptions, or changes in approach. If something is not covered, or if the reporting basis has changed from the prior period, explain that clearly so readers can understand the limits of the information provided.
6Check the final wording against the official source and your underlying evidence. Confirm that each required element is present, the descriptions are consistent with the documents, and any external assurance reference is included where applicable.
Request the data

Request the tax governance and control evidence

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

Who owns tax oversight, how is tax handled in day-to-day processes, how are tax risks tracked and checked, how can concerns be raised, and what external assurance exists for tax disclosures?

Use your organisation’s own labels first (for example, tax policy, control map, risk register, speak-up route, assurance pack), then map them to the disclosure wording during drafting. Keep the request in the language your tax, finance, legal, and governance teams already use.

Weak request

Please provide the GRI 207-2 evidence for tax governance, control, risk management, concerns mechanisms, and assurance.

Why it fails: It uses framework language only, so the owner has to translate the ask before they can act. It also does not say which internal records, systems, or named roles to pull, so the response is likely to be incomplete or inconsistent.

Better request

Please send the current tax policy or equivalent, the named person or committee that oversees tax, the way tax is built into business processes, the tax risk log and review cadence, the check used to confirm controls are working, the route for raising tax-related concerns, and any external assurance note for tax disclosures. Use your team’s own terms and include document name, version/date, owner, and file link.

Formal email template
Subject: Request for tax governance, control, risk, and assurance evidence for [reporting period]\n\nHello [name/team],\n\nWe are preparing the sustainability reporting pack and need a short evidence set covering how tax is governed, controlled, monitored, and reviewed across [group boundary].\n\nPlease share, for [reporting period]:\n- the current tax policy or equivalent summary\n- who has oversight responsibility for tax matters\n- how tax is built into day-to-day processes and decision-making\n- how tax risks are identified, tracked, and reviewed\n- how compliance with the control approach is checked\n- how colleagues can raise concerns about tax-related conduct or integrity\n- any external assurance material linked to tax disclosures, if available\n\nPlease include the source document name, version/date, owner, and any link or file reference. If the wording in your team differs from the terms above, please use your own internal labels and note the mapping for us.\n\nA possible LRA training template only — please adapt this to your organisation and check the official source before sign-off.\n\nMany thanks,\n[preparer name]
Short Teams / Slack version
Hi [name/team] — could you send the tax governance / control / risk evidence for [period] across [boundary]? We need: owner for tax oversight, how tax is embedded in the business, how risks are tracked, how controls are checked, speak-up route for tax concerns, and any assurance note/report. Please use your team’s own labels and add the source/version/date. Thanks.
Industry examples
Retail

Context. A multi-country retailer with a central tax team and local finance leads.

Adapted request. Please share the tax governance pack for [period]: the board or executive owner for tax, the group tax policy, how tax checks are built into store, online, and payroll processes, the tax risk register, the review and testing routine, the speak-up route for tax concerns, and any assurance statement linked to tax reporting. Use your internal names for these items and include the document version/date and owner.

Example response. Tax policy v4.0; CFO named as oversight owner; quarterly tax risk review log; control testing summary for VAT, payroll, and corporation tax; ethics hotline route; external assurance statement dated [date].

Manufacturing

Context. A manufacturer with a shared services finance function and site-level operations.

Adapted request. Please provide the tax governance and control evidence for [period] covering the group and sites: who oversees tax, how tax is embedded in purchase-to-pay and payroll processes, how tax risks are identified and monitored, how control checks are performed, how staff can raise tax-related concerns, and any assurance report or statement for tax disclosures. Please use the terms your finance and compliance teams already use.

Example response. Tax control framework note; Audit Committee oversight; process map showing tax checks in procurement and payroll; tax risk register with monthly review; compliance testing results; speak-up policy excerpt; assurance statement from external reviewer.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain the basis used to describe the tax governance setup, including how roles, controls, risk handling, concern-raising routes and any external assurance were identified and summarised.

Context note

Set out what the disclosure tells readers about how tax is overseen, who is accountable, how tax is embedded in the organisation, and how confidence in the information is supported.

Fluctuation statement

If the description changes from one period to the next, note whether that reflects a change in governance, control design, risk handling, reporting routes or the scope of assurance rather than a change in tax outcomes.

Content index entry
GRI 207-2 Tax governance, control, and risk management — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GRI 207-2 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
We set out, in our own words, how the tax control set-up works, who does what, and how the main checks are organised.The narrative is too generic, or it does not match the actual control structure used in the business.Tax policy documents, governance charts, role descriptions, committee terms of reference, and internal process maps showing the control set-up described in the report.
We identified the board member or senior leader who is responsible for making sure the tax approach is followed.The named accountable person is unclear, outdated, or not supported by formal delegation.Board papers, delegation letters, executive role profiles, committee minutes, and current organisation charts showing the named accountable person.
We explained how tax responsibilities are built into day-to-day management rather than left as a standalone topic.The description overstates how embedded the approach is, or there is no evidence that tax is integrated into normal business processes.Policies, training records, approval workflows, finance and legal process documents, and examples showing tax considerations built into routine decision-making.
We described how tax exposures are spotted, handled, and kept under review across the reporting period.The account is incomplete, or the controls described do not cover identification, response, and monitoring in practice.Risk registers, issue logs, monitoring reports, escalation records, control testing results, and meeting packs showing how tax matters were tracked.
We explained how we checked whether the control set-up was working as described before the report went out.The reported evaluation process is not evidenced, or the checks were too limited to support the statement made.Internal review notes, control testing outputs, audit findings, management sign-off, remediation trackers, and evidence of follow-up on any weaknesses.
We described the routes people can use to raise concerns about conduct or integrity issues linked to tax.The disclosure suggests a channel exists, but the organisation cannot show that the route is available, communicated, or suitable for tax-related concerns.Speak-up policy, whistleblowing procedure, hotline details, intranet pages, training materials, case logs, and communications showing how concerns can be raised.

Evidence pack to prepare

Common reporting gaps

The information is presented without a date or as-at point.The scope or boundary of the statement is left undefined.Key terms are used inconsistently across the report.Material changes since the previous period are not disclosed.Assertions are made without supporting detail or a source record.Boilerplate is used that does not actually answer what is asked.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner
The request goes to Finance or Tax by default, even though the real source sits with the board secretary, risk team, internal audit, or the executive who owns the tax policy.
Framework language only
People ask for answers in disclosure terms instead of the organisation’s own words, so teams cannot map the evidence back to how they actually run tax oversight.
No clear boundary
The data pull mixes group, subsidiary, and joint-venture material without first fixing which entities, functions, and controls are in scope.
Wrong reporting period
Teams collect a current snapshot or a calendar-year view when the source evidence was prepared on a different cycle, so the dates do not line up.
Mixed counting basis
One source is captured as a headcount, another as named roles, and a third as committee seats, which makes the final set impossible to compare cleanly.
Source labels lost
Original file names, version marks, and system tags are stripped off during consolidation, so nobody can trace each statement back to the document it came from.
Merged populations
Controls for the parent company and controls for local entities are blended into one file even though they should be checked and reported separately.
Missing evidence trail
The team saves the narrative but not the supporting note, date, owner, or approval record, so the source cannot be verified later.
No sign-off path
Draft inputs move straight into the disclosure pack without a named reviewer and approver, leaving no record that the underlying data was checked before use.

Where judgement is often needed

What counts as the tax control perimeter after a deal closes or a business is sold
Set out whether the description covers only the current group at the reporting date or also parts added or removed during the year, and explain any cut-off used for newly acquired or disposed operations.
When local tax rules or internal labels do not line up across countries
Use one group-wide way of describing the tax set-up, then note where country-level practices differ and explain the basis for translating those local differences into a single narrative.
Whether to include low-risk or small entities near the edge of the reporting scope
State the inclusion rule for entities, branches, joint arrangements, or other units that sit close to the boundary, and explain any exclusions or simplifications applied.
Choosing the time basis for describing controls and oversight
Make clear whether the account reflects the position at year-end, the full year, or another period basis, and explain if the control story changed during the period.
Deciding how far to rely on estimates where records are incomplete
Where the organisation cannot measure a point directly, disclose the estimate basis, the main assumptions used, and whether the figure or description is provisional or based on direct evidence.
How much detail to give on concern-raising channels without exposing individuals
Describe the routes people can use to raise tax-related conduct concerns in a way that protects confidentiality, and aggregate or generalise the information where naming or small numbers could identify someone.
How to present assurance when only part of the tax information has been checked
If external review covers only some tax disclosures or only part of the reporting set, identify the covered items, the assurance provider, and any limits or exclusions in the review scope.
How to round or summarise control information without changing the message
Apply one consistent rounding or summarising approach across the disclosure, and explain it if the presentation could affect how readers understand the strength or coverage of the tax controls.
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Retail and consumer goods

*Synthetic example for training only.* We describe a tax control set that sits under our finance policy, with board oversight through the audit committee and day-to-day ownership by the group tax lead, who reports into the chief financial officer. Tax thinking is built into budgeting, pricing, acquisitions, and country filings through written procedures, staff training, and quarterly reviews; we track risks by jurisdiction, log issues in a register, and test controls through internal review and periodic management checks. - We assess whether the control set is working through self-assessments, internal audit testing, and sign-off from finance leaders, while staff can raise tax-related conduct concerns through our ethics line, whistleblowing route, and direct escalation to the audit committee chair. - For this disclosure, an external firm reviewed the tax narrative and selected data points, and its limited assurance statement is referenced in our annual report appendix.

This example shows how a reporter can explain who owns tax oversight, how tax is built into operations, how risks and controls are monitored, how concerns can be raised, and how the disclosure was externally checked, without using the standard’s wording.

Illustrative (synthetic) example — Infrastructure and utilities

*Synthetic example for training only.* Our tax approach is set out in a group policy that the board approves, with the finance director responsible for delivery and the risk committee receiving regular updates. We embed that approach through approval limits, project-stage tax reviews, country-by-country filing calendars, and training for finance and commercial teams; tax exposures are identified through a risk map, monitored through monthly dashboards, and escalated where controls or filings fall behind. - We check compliance by combining control testing, internal audit work, and management review of exceptions, and people may report concerns about conduct or integrity through our speak-up channel, the ethics mailbox, or direct contact with the chair of the risk committee. - An independent assurance provider reviewed the disclosure package and issued a separate assurance statement, which we refer to in the sustainability section of our annual report.

This example illustrates a different reporting style and governance set-up, while still covering the same required points: control design, ownership, embedding, risk management, compliance checks, speak-up routes, and external assurance.

Company reports

How companies report GRI 207-2

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Zydus Lifesciences Limited
Pharmaceuticals / Biotech / Life Sciences · India · 2025
Open report →
Zydus Lifesciences Limited’s ESG Report FY24-25 provides coverage on its tax strategy and governance on page 2, detailing tax reporting and effective tax measures. The report also addresses identified risks and mitigation measures related to limited wild flora and fauna availability on page 86, and includes a description of risk governance and management processes on pages 2 and 148. However, the report lacks clear narrative or methodology for some disclosure items, such as narrative item (a-ii), (a-iv), (b), and (c), where no quotable evidence was found.
Firstsource Solutions Limited
Professional Services · India · 2025
Open report →
Firstsource Solutions Limited’s ESG Report FY 2024-25 provides coverage on governance aspects related to tax transparency and accountability, referencing GRI 207: Tax 2019 on page 216. The report also addresses risks and controls linked to financial reporting and key performance metrics on page 56, and outlines its overall approach and governance framework on page 205. However, there is only partial context on emerging risks without a headline value on page 54, and no clear evidence or quotable information was found for certain narrative items, including methodology details and some specific disclosures.
Amadeus IT Group, S.A.
Hotels, Restaurants, Leisure, Tourism Services · Spain · 2025
Open report →
Amadeus IT Group’s 2025 Non-Financial Report provides coverage on governance related to tax functions (p.3) and describes policies adopted to manage tax practices, including a Corporate Tax Policy and related approaches (pp.165, 209). The report partially addresses risk mitigation related to suppliers, noting that suppliers are not onboarded if risks cannot be mitigated (p.159). However, there is no clear evidence found for narrative items (a-iv), (b), or (c), indicating gaps in the disclosure of certain aspects or methodologies.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
TryHow do I prepare GRI 207-2?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
1 free answer
Check your understanding

Scenarios to work through

A group has a written tax policy, but the finance team says the board only sees tax matters when a problem has already escalated. The tax lead also cannot point to any named person who owns oversight of the tax approach.

QWhat should the preparer check before describing the tax governance set-up?
Reveal model answer →

A business has a tax risk register, but it was last updated 18 months ago and only lists transfer pricing. Local teams handle VAT and payroll tax issues informally, with no common method for spotting or tracking them.

QHow should the preparer judge whether the risk narrative is complete enough?
Reveal model answer →

The company has annual internal audit testing of tax controls, but the tax team cannot explain how the results are used, and there is no evidence that failures lead to action plans or reporting to leadership.

QWhat decision should the preparer make about the control-evaluation description?
Reveal model answer →

Employees can raise ethics concerns through a general whistleblowing line, but the tax team has never publicised that route for tax-related conduct issues. An external assurance provider has reviewed the tax disclosures, but the draft report does not mention the assurance statement anywhere.

QWhat should the preparer include to make the disclosure complete?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

GRI
GRI 207-2
within GRI 207: Tax
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

What do I need to gather before drafting GRI 207-2 (Tax) on this page?+
How should I set the scope for GRI 207-2 (Tax) using this page?+
Who should own the GRI 207-2 (Tax) data collection in practice?+
What evidence do I need for GRI 207-2 (Tax) to be assurance-ready?+
How do I use the GRI 207-2 (Tax) evidence pack on this page?+
What are the common mistakes to avoid when reporting GRI 207-2 (Tax)?+
How can I turn the GRI 207-2 (Tax) page into a draft disclosure?+
What should I put in the GRI 207-2 (Tax) narrative if I only have partial data?+
How do the synthetic example disclosures on the GRI 207-2 (Tax) page help me?+
Can I reuse my GRI 207-2 (Tax) data for ESRS G1 Business Conduct reporting?+
Where do I find the GRI 207-2 (Tax) workbook and printable card on this page?+
More questions this page can help with
GRI 207-2 Tax checklist for sustainability manager: what data points should I request?GRI 207-2 Tax assurance evidence pack: what should be in it?How to prepare a draft GRI 207-2 Tax disclosure from internal tax controls and risk dataGRI 207-2 Tax common reporting gaps and mistakes to check before submissionHow to use the GRI 207-2 Tax Prep & Assurance workbookGRI 207-2 Tax narrative starters and content index line examplesWho should be the tax accountability lead for GRI 207-2 Tax?What is the closest ESRS correspondence for GRI 207-2 Tax and can data be reused?GRI 207-2 Tax step-by-step preparation guidance for ESG teamsWhat evidence do assurance reviewers expect for GRI 207-2 Tax?How to map tax concern channels and tax control review data into GRI 207-2 TaxGRI 207-2 Tax example disclosure with quantitative table