LHDN Tax Audit Malaysia Guide 2026: Common Triggers, What to Expect, How to Prepare, and How to Reduce Penalties

An LHDN audit letter in the mailbox is not automatically a crisis — but most taxpayers who receive one treat it as one because they have no idea what comes next.

Tax audits in Malaysia are a routine compliance activity. LHDN audits approximately 2-3% of returns each year, targeting both individuals and businesses. The vast majority of audits conclude with a modest adjustment and a manageable payment. A small proportion escalate to full investigations, and a smaller subset still result in significant penalties.

The difference between a routine audit and a painful one is preparation: knowing what triggers an audit, what the auditor will ask for, what your rights are, and how to respond.

This guide covers the audit process for individuals and SMEs in Malaysia. Use the DuitTools PCB calculator to verify your monthly tax deductions are correct — a mismatch between your reported income and your employer's EA Form submission to LHDN is one of the most common audit triggers for employees.

Audit vs Investigation: Know the Difference

Not every letter from LHDN means the same thing. The terminology matters because the powers and potential outcomes are different.

Desk audit

A desk audit is the most common and least formal. LHDN sends a letter requesting specific documents — usually receipts for claimed reliefs or clarification of specific income items. You respond by post or through the e-filing portal. No visit, no interview. The auditor reviews your documents at their desk, issues an adjustment letter if they find discrepancies, and the audit closes.

Most desk audits are resolved within 2-4 weeks and produce a tax adjustment of a few hundred to a few thousand ringgit.

Field audit

A field audit means an auditor visits your premises (or your tax agent's office) to inspect records in person. For individuals, this is usually triggered by larger discrepancies — under-reported income, unusually high relief claims, or a business showing persistent losses. For businesses, field audits are routine and may cover multiple tax years.

A field audit typically takes 1-3 days on-site, with follow-up queries over 2-6 months before the auditor issues their findings.

Investigation

An investigation is different in kind, not just degree. It is triggered by suspicion of deliberate tax evasion, fraud, or wilful neglect. LHDN's investigation division has broader powers — they can search premises, seize records, interview witnesses, and freeze assets pending the outcome. Investigations can take years and produce penalties of 100% to 300% of the tax undercharged.

This guide focuses on audits. If you receive an investigation notice, engage a tax lawyer immediately — do not respond to the investigator without legal counsel present.

What Triggers an LHDN Audit

Audit selection is not random. LHDN's system scores returns against risk parameters. Understanding what raises the risk score helps you file in a way that does not invite unnecessary scrutiny.

Individual audit triggers

1. Mismatch between Form EA and your tax return. Your employer submits your salary, allowances, and deductions to LHDN. If your declared income differs from the EA Form, the system flags it automatically. This is the single most common trigger — and the easiest to avoid. Use the salary calculator to verify your monthly figures match what your employer is reporting.

2. Sudden spike or drop in declared income. A RM20,000 jump in income from one year to the next without a corresponding change in employer or a new income source attracts review. Similarly, a sharp income drop — often seen when a taxpayer tries to reduce reported business income — is equally suspicious.

3. Relief claims that are high relative to income. Claiming RM8,000 in medical expenses and RM7,000 in education fees on a RM48,000 salary is inconsistent with normal spending patterns at that income level and raises the audit probability.

4. Consistent business losses. A sole proprietor reporting a loss for the third consecutive year is almost guaranteed an audit. LHDN's position: a business that consistently loses money is either deliberately under-reporting income or is not genuinely a business — it is a hobby being used to offset employment income.

5. Property transactions. LHDN cross-references stamp duty records with tax returns. If you bought a RM600,000 property but your declared income is RM4,000 per month, the system flags the discrepancy. The same applies to disposal of property — capital gains from property sales are taxable and LHDN receives transaction data directly from the land office and banks.

6. Industry benchmarking. LHDN maintains income benchmarks by industry. A freelance graphic designer reporting RM18,000 annual profit when the industry benchmark for full-time freelance designers is RM36,000-RM48,000 will be flagged for review.

SME and business audit triggers

1. Declared profit below industry benchmark — the same benchmarking system applies to businesses with greater granularity
2. High expenses relative to revenue — a restaurant reporting food costs at 45% of revenue when the industry norm is 30-35%
3. Related-party transactions — payments to directors, shareholders, or their family members that appear to shift profit out of the business
4. Discrepancy between GST/SST returns and income tax returns — sales declared for SST purposes must reconcile with revenue declared for income tax
5. Large cash deposits or unexplained credits in bank accounts — LHDN has access to banking data and can compare deposits with declared revenue
6. Consistently filing returns late or requesting repeated extensions — signals poor record-keeping, which usually means poor tax compliance

The Audit Process: Step by Step

Step 1: Notification letter

LHDN sends a formal audit notification letter to the address on your tax file. The letter states:

• The specific year(s) of assessment under audit (usually 2-3 years, but up to 6)
• The nature of the audit (desk or field)
• The documents required
• The date by which you must respond

The standard response window is 14-30 days from the letter date. Do not ignore the deadline — failure to respond within the stated period escalates the case and can move it from desk audit to field audit.

Step 2: Document preparation

Gather every document listed in the notification letter. Organised, indexed, and cross-referenced records signal to the auditor that you are cooperative and your affairs are in order. A shoebox of unsorted receipts signals the opposite and invites deeper scrutiny.

At minimum, prepare:

• Tax returns for the years under audit
• Form EA (for employees) or financial statements (for business)
• Receipts for every relief claimed
• Bank statements for the relevant periods
• Any supporting correspondence with LHDN

Step 3: Respond to the auditor

For a desk audit, compile documents into a structured response. Number each document, create a cover letter listing each item, and submit by registered post or through the e-filing portal if the option is available.

For a field audit, confirm the appointment date and prepare a dedicated space for the auditor — a meeting room or desk with the documents organised and accessible. Have the person who prepared the returns present, or your tax agent if you used one.

Step 4: Audit findings

After reviewing the documents, the auditor issues a letter of findings:

• No adjustment: The return is accepted as filed — case closed
• Adjustment proposed: The auditor identifies discrepancies and proposes additional tax

If an adjustment is proposed, you have 21 days to agree or dispute the findings. If you agree, the additional tax plus any penalty becomes payable. If you dispute, you can request a review by a more senior officer and, if unresolved, appeal to the Special Commissioners of Income Tax (SCIT).

Step 5: Settlement

Once you agree to the adjustment (or it is upheld on review or appeal), LHDN issues a notice of assessment for the additional tax. Payment is due within 30 days. You can request an instalment arrangement if the amount is significant.

How Far Back Can LHDN Audit?

The Income Tax Act 1967 allows LHDN to raise additional assessments:

• Within 5 years from the end of the year of assessment — for returns filed on time and in good faith, without evidence of negligence or fraud
• Within 6 years — in practice, LHDN commonly audits the most recent 2-3 years but can go back further if discrepancies are found
• Indefinitely — if there is evidence of fraud, wilful default, or negligence

For most compliant taxpayers, the practical audit window is 2-3 years. If you filed your YA 2023 return in April 2024, LHDN can audit it until at least April 2029 under the 5-year rule.

The Penalty Framework

Penalties increase with the severity and deliberateness of the non-compliance:

Ordinary negligence

If the under-declaration resulted from careless record-keeping or honest mistake, the penalty is typically 15-25% of the additional tax, often negotiable downward during the audit if you are cooperative and the amounts are modest.

Negligence (no fraud)

For under-declaration that results from a failure to exercise reasonable care, the penalty is 25-45% of the additional tax. This applies to taxpayers who claimed reliefs they knew or should have known were ineligible, or who failed to report income they should have known was taxable.

Fraud or wilful default

Where under-declaration is deliberate — falsified invoices, hidden income, deliberately inflated expenses — the penalty is 100% of the undercharged tax, and the case may be referred to the investigation division for potential prosecution.

Voluntary disclosure

If you discover an error in a previously filed return and disclose it to LHDN before they notify you of an audit, the penalty is typically reduced or waived. The voluntary disclosure programme (which LHDN has run in various forms over the years) can reduce penalties to 5-15% of the additional tax. Timing is everything: once the audit notification arrives, you can no longer make a voluntary disclosure for that year.

How to Prepare Now (Before the Letter Arrives)

Organise your records annually

After filing your return each year, take 30 minutes to:

• Scan or photograph every receipt supporting a relief claim
• Save them in a folder labelled with the year of assessment
• Create a one-page summary listing each relief claimed and the total amount, matched to receipts
• Store the folder in Google Drive, iCloud, or a dedicated USB drive — not just on a laptop that might fail

Reconcile your EA Form

When your employer issues your EA Form in February, compare it against your own records:

• Does the total salary match your 12 months of payslips?
• Are bonuses and allowances included correctly?
• Are EPF and SOCSO deductions accurate?

If the EA Form is wrong, ask your employer to correct it before you file your return. Filing a return that disagrees with the EA Form guarantees an LHDN query.

Benchmark your business

If you are self-employed or run a small business, compare your declared profit margin against industry norms. If your margins are significantly below the norm, ensure you have documentation that explains why — and not just an explanation, but proof.

Keep tax records for 7 years

The statutory retention period is 7 years from the end of the year of assessment. Destroying records before 7 years is itself a compliance breach. For a taxpayer filing YA 2023 returns in 2024, the records must be kept until at least the end of calendar year 2031.

FAQ

Can LHDN audit me more than once for the same year?

Generally, no — once LHDN issues a final assessment and you pay the determined tax, the matter is settled for that year. However, if new evidence of fraud or wilful default emerges after the assessment was finalised, LHDN can reopen the year under the anti-fraud provisions of the Income Tax Act.

Do I need a tax agent or lawyer for an audit?

For a desk audit involving straightforward relief claims on an employment-only return, a tax agent is useful but not essential — you can respond yourself. For a field audit involving business income, property transactions, or international income, engage a licensed tax agent. If the audit escalates to an investigation, engage a tax lawyer — a tax agent can handle the numbers, but an investigation involves legal arguments about intent and culpability.

What if I cannot find receipts for a relief claimed 3 years ago?

The relief will be disallowed for that year, and you will owe the additional tax. If the missing receipts are substantial, the auditor may expand the scope of the audit to other years on the assumption that if records are missing for one year, they may be missing more broadly.

How long does an audit take?

A desk audit typically concludes within 1-3 months from the notification letter to the final adjustment. A field audit can take 3-12 months depending on complexity. If you dispute the findings and appeal to the SCIT, the process can extend to 2-3 years.

Can I negotiate the penalty percentage?

Yes, in most cases. Penalties for ordinary negligence are discretionary and auditors have a range. Being organised, cooperative, and prompt in your responses consistently leads to lower penalty percentages. Aggressive, evasive, or obstructive behaviour during the audit produces the opposite.

What happens if I ignore the audit letter?

The audit proceeds without your input. LHDN makes its own determination based on the information available to it — which means your returns are assessed without the supporting evidence you could have provided. The result is typically a maximum-deficit assessment against you. The additional tax becomes payable within 30 days, and LHDN can commence recovery action including garnishing bank accounts, issuing a travel restriction, and filing a civil suit for the unpaid amount. Never ignore an audit letter.