E Invoices Web Service
CEN WORKSHOP AGREEMENT
Working Draft CWA NNNNN, 28th May 2009 (Draft v0.90)
e-Invoicing Compliance Guidelines Matrix
DRAFT Version
Introduction
This eInvoicing Compliance Guidelines Matrix (The Guidelines) is made available as an integral part of this CEN Workshop Agreement.
The content is not to be considered as exhaustive and although some of the original source material is from the Netherlands Tax and Customs Administration (Belastingdienst), great care has been taken to ensure that content and recommendations are valid for most Member States and not specific to any Member State requirement.
You will find more background in the Commentary accompanying this Matrix (available at http://www.e-invoice-gateway.net/knowledgebase/eInvoiceBestPractice/)

Process model Diagram
The extended process model represents the different steps in the information flow from Supplier, on the left, to the Buyer on the right.
[Figure: process model diagram. Steps from Supplier to Buyer: 1 Prepare invoice data, 2 First Mile (Service Provider), 3 Create invoice, 4 Send or make available, 5 Receipt and technical verification, 6 Formal verification, 7 Last Mile (Service Provider), 8 Material verification & processing. Supporting processes: Trading partner on- and off-boarding (A, E), Master Data (B), Archiving and auditability (C), Integrity and authenticity management (D).]

How to use the DRAFT Compliance Guidelines matrix, Draft_e-Invoicing_ComplianceGuidelines_v080
Filters are provided in the Excel spreadsheet to help the user select his area of interest, e.g. EDI and Self-Billing, Service Provider for the Supplier and Integrity and Authenticity options. To get familiar with the guidelines it is in any case recommended to read the Excel worksheet at least once from top to bottom. Users are also encouraged to consult the Commentary prior to reviewing this matrix.

Excel Spreadsheet Filter Columns A-G
The first columns provide the possibility of using the "Filter options" to make a selective search. The key arguments are given below. Make sure that no filter is set (to reset all filter use Data -> Filter -> "Show A
Col A Who: Invoicing process applies to: S = Supplier, B = Buyer, All = Supplier and Buyer
Col B Process Step: Process steps with number
Col C-E Business implementation class: Classification of business implementation methods as described in the Commentary. Class A is not included in the Matrix. Class B is "controlled data exchange"; Class C is "data level controls"; Class D is "outsourced safe-keeping"
Col F Intermediated: e-Invoicing process carried out by a Service Provider (O = optional/possible, M = Must)
Col G Self-Billing: e-Invoicing issue carried out by the Buyer. Process applies to: S = Supplier, B = Buyer, All = Supplier and Buyer

Excel Spreadsheet Process Step Details
Col H Why (Risk): Refers to tax risks that form the rationale for the existence of legal requirements in this process step. It answers the question "what are the inherent risks from a tax perspective in this process step?"
Col I What (Requirements): Refers to the tax requirement addressing the risk.
Col J How (Controls): Control (solution) should be used to ensure the risk is avoided
Col K Reference Examples: The examples listed are non exhaustive and provided only to illustrate the kind of measures envisaged as being used.
Col L Further guidance: Cross-references sections of the Commentary where further technical guidance is provided.
Col M Your Implementation / applicability: To be used for your self-assessment: short description and reference to your solution documentation, if process step is not applicable use "n/a" + reason
Col N Your comments: please add your name and a date (30/6 - Your Name: text…)
You are encouraged to provide feedback, please upload the form with your feedback at http://www.e-invoice-gateway.net. Your feedback will be managed anonymously, but we encourage you to provide your name and email for follow-up questions.

Terms and abbreviations in the Guidelines
- RFC Request for Comment http://www.rfc-editor.org/rfc.html
- ITU International Telecommunications Union http://www.itu.int/library/
- S/MIME Secure/Multipurpose Internet Mail Extensions
- ETSI TS European Telecommunications Standards Institute Technical Specifications http://www.etsi.org/website/homepage.aspx
- AICPA The American Institute of Certified Public Accountants
- CICA Canadian Institute of Chartered Accountants
- SSL Secure Sockets Layer (SSL) v2 and v3
- TLS Transport Layer Security

Matrix columns (A-L): Who | Process step (the order can be adjusted) | Business implementation classes B-D | Intermediated | Self-Billing | WHY (RISK) | WHAT (REQUIREMENTS) | HOW (CONTROLS) | Reference Examples (N.B. The examples listed are non exhaustive and provided only to illustrate the kind of measures envisaged as being used.) | Further Guidance [See reference sub-section for further guidance]

All (Supplier and Buyer Side)

Who: All | Process step: 0 - Generic | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): General risks on IT systems
WHAT (REQUIREMENTS): Support general commercial good security practices
HOW (CONTROLS): Implement recognised standards based good practices for the security, continuity and integrity of the business system. These practices shall be applied and audited in line with the requirements of recognised good practices so as to provide a robust control framework.
Reference examples: Taking into account the size and nature of the organisation, appropriate (general IT) controls should be implemented
Further guidance: 7.3.1, 7.3.7

Who: All | Process step: 0 - Generic | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): Service provider has responsibilities to both the supplier and the buyer, with potential for conflicts of interest.
WHAT (REQUIREMENTS): The responsibilities of each party must be clearly delineated.
HOW (CONTROLS): The processes implementing the supplier and buyer requirements shall be clearly separable with separate audit records, separate archives, separate management control parameters and operated under separate management roles. Separation must be procedural and can also be physical or logical.
Reference examples: Clearly document on whose behalf functions are implemented

Who: (blank) | Process step: 0 - Generic | Classes B-D: x x | Intermediated: O | Self-Billing: (blank)
WHY (RISK): The process and procedures applied cannot be audited as they are undocumented
WHAT (REQUIREMENTS): Documentation of processes and procedures should be in place.
HOW (CONTROLS): Process and system documentation should be maintained using good practices in document management including version control systems with date references so as to enable auditors to understand which processes were in force within the corporate environment for all invoices during the storage period.

Who: All | Process step: A - Trading partner onboarding | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): Trading partners use the e-invoicing system without prior identification and clearance.
WHAT (REQUIREMENTS): The trading partners must ensure proper trading partner identification and clearance.
HOW (CONTROLS): Trading partners must accept and know each other. Identification and clearance can be performed through e.g. trade registers and/or commercially available supporting data.
Reference examples: DUNS lookup, trade register or Chamber of Commerce etc checks - these processes can be performed by a service provider for the trading partners

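Who: All | Process step: A - Trading partner onboarding | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): e-invoices are sent to a trading partner that does not accept them.
WHAT (REQUIREMENTS): The decision to send and accept e-invoices is auditable.
HOW (CONTROLS): Rules in agreement (e.g. general terms and conditions)
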
Who: All | Process step: A - Trading partner onboarding | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): Trading partners are given access to the e-invoicing system without a sufficient contract regulating rights and responsibilities, including as regards taxes and change management, of both parties.
WHAT (REQUIREMENTS): The trading partner should ensure that other trading partners sign a comprehensive and enforceable agreement before providing access to the trading partner's system. There must be an explicit agreement if tax relevant
HOW (CONTROLS): There shall be a process to make sure that there is an agreement as a result of the onboarding phase.
Reference examples: [Model agreements for this purpose should be developed]

Who: All | Process step: A - Trading partner onboarding | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): Trading partners are given access to the e-invoicing system without sufficient training of key staff.
WHAT (REQUIREMENTS): The trading partners/service providers should ensure that the trading partner in question is trained to perform the required system activities, including processes for error and exception handling.
HOW (CONTROLS): The trading partner/service provider must make documentation or other appropriate learning tools available that allow the trading partner to effectively train relevant staff. A minimum skill level must be verifiably obtained by key staff.
Reference examples: Online documentation and tool tips, multi-lingual support, clearly mark user IDs to indicate and separate test and production accounts (that no test account message can be sent to production accounts).

Who: All | Process step: A - Trading partner onboarding | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): Inconsistent application of security of information exchange between parties leaving vulnerabilities.
WHAT (REQUIREMENTS): Security mechanisms employed across parties involved with exchange of e-Invoice shall address identified risks in a coherent manner.
HOW (CONTROLS): Parties involved in exchanging electronic invoices shall agree security mechanisms or controls applied to address identified threats to the exchange of information.
Reference examples: placeholder for: Expert Group on e-Invoicing: EEI (electronic invoice agreement)

Who: All | Process step: A - Trading partner onboarding | Classes B-D: x x x | Intermediated: O | Self-Billing: All
WHY (RISK): Trading partners are given access to the e-Invoicing system without successful testing the communication based on pre-agreed criteria.
WHAT (REQUIREMENTS): The proper technical functioning of the trading partner's access to the e-Invoicing system should be ensured prior to production.
HOW (CONTROLS): The trading partners/service providers test plans and test results should be agreed by both parties.
Reference examples: Online testing and tight controls; separated testing and production accounts; self service facilities to create test invoices.

Who: All | Process step: A - Trading partner onboarding | Classes B-D: x | Intermediated: O | Self-Billing: All
WHY (RISK): EDI invoices are issued to buyers without an interchange agreement.
WHAT (REQUIREMENTS): An interchange agreement is required if EDI invoices are sent and received, otherwise the invoice is not valid (VAT law).
HOW (CONTROLS): Address this risk in the procedure for initiating sending EDI-invoices.
Reference examples: Model-agreement
Further guidance: 7.2.1.1

Who: All | Process step: A - Trading partner onboarding | Classes B-D: x | Intermediated: O | Self-Billing: All
WHY (RISK): Trading partners use different EDI-structures
WHAT (REQUIREMENTS): The proper technical functioning of the trading partner's EDI-structures should be ensured prior to production.
HOW (CONTROLS): The trading partner's test plans and test results shall be agreed.
Reference examples: Online testers and tight controls; separated testing and production accounts; self service facilities to create test invoices.

S Supplier Side

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): Invoice data is not prepared for a supply requiring an invoice
WHAT (REQUIREMENTS): It must be ensured that an invoice is raised for all supplies
HOW (CONTROLS): Application audits and internal control actions. Audit trail from supply to invoiced supply.
Reference examples: System shows invoice balance per Purchase Order + supplier's ERP (Enterprise Resource Planning) system control. Reports of unfulfilled orders and un-invoiced deliveries

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): Supply is invoiced but not reported in general ledger/VAT declaration
WHAT (REQUIREMENTS): Audit trail from supply to reported revenue enabled by segregation of duties between preparing the invoice and the receiving of the payment.
HOW (CONTROLS): Segregation of duties must fit with the size of the company. Logical access controls must map to an appropriate segregation of duties, which is evidenced by the end-to-end audit trail.
Reference examples: Mapping of defined user roles to user names and passwords, with permissions giving access to data and functionality appropriate to the role; and preventing access to data and functionality inappropriate to the role.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): Unauthorized persons can add, alter or delete invoice data.
WHAT (REQUIREMENTS): The supplier must take steps to prevent unauthorised changes to the content of the invoice data.
HOW (CONTROLS): Segregation of duties must fit with the size of the company. Logical access controls must map to an appropriate segregation of duties, which is evidenced by the end-to-end audit trail.
Reference examples: Mapping of defined user roles to user names and passwords, with permissions giving access to data and functionality appropriate to the role; and preventing access to data and functionality inappropriate to the role.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): The invoice data do not contain all mandatory information
WHAT (REQUIREMENTS): The invoice data contain at least the data prescribed by the applicable law.
HOW (CONTROLS): Controls are used to check required data before invoice creation (eSigning as the last step of creation) + constraints are used for conditional fields to ensure that the invoice shows all mandatory data. The completion of data fields must be ensured in the application.
Reference examples: Online and [XML/EDI] syntax controls validate required data, conditional fields like buyer VAT ID are validated based on range and format checking, including validation algorithms where appropriate.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): The invoice data are not prepared on time
WHAT (REQUIREMENTS): The issue of invoice must be within the time prescribed by applicable law.
HOW (CONTROLS): Application audits and internal control actions. Audit trail from service to invoice turnover.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): The person accountable for preparing the dataset cannot be identified after the event
WHAT (REQUIREMENTS): A person must be accountable for each invoice (whether prepared manually or automatically)
HOW (CONTROLS): Audit trail identifying the accountable person.
Reference examples: Keeping an audit log of access and activity in the application or DBMS (Data Base Management System), including the identity of the user (or process). Keep record of accountable persons

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): Changes to invoice data, resulting in a break in the audit trail between the source transaction data and the invoice data.
WHAT (REQUIREMENTS): The invoice data must at all times be consistent with the source transaction data.
HOW (CONTROLS): The technical design of the application must ensure this; the dataflow must be clear.
Reference examples: In the ERP (Enterprise Resource Planning) system, the quotation, order, delivery and invoice are cross referenced to each other.

Who: S | Process step: 1 - Prepare invoice data / Prepare corrective invoice data | Classes B-D: x x x | Intermediated: (blank) | Self-Billing: B
WHY (RISK): A corrective invoice data set (including credit note) without reference to an original invoice is prepared.
WHAT (REQUIREMENTS): The corrective invoice data set includes a reference to identify the original invoice data set. It should be possible to identify corrective invoices.
HOW (CONTROLS): Application controls and internal control actions. It is advised to at least have reference to the original invoice number. Audit trail.
Reference examples: E.g. by means of reference of original invoice number and original invoice date. Separate series of invoice numbers for corrective invoices.

Who: S | Process step: 2 - First mile | Classes B-D: x x x | Intermediated: M | Self-Billing: B
WHY (RISK): The invoice data transferred by the supplier to the service provider can be altered or added to during the transmission.
WHAT (REQUIREMENTS): Ensure authenticity and integrity of invoice data whilst being sent.
HOW (CONTROLS): The invoice data shall be transferred in a way that:
  a) Protects the integrity of the data communicated,
  b) Authenticates the source of the data.
Reference examples:
  i) Transport Layer Security (RFC 4346) with passwords.
  ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC3335, RFC 4130, RFC 4823)
  iii) Secure network service provided by Value Add Network service provider.
  iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
  v) Integrity measures, such as hash totals or reconciliation overviews
  vi) Registered email such as defined in TS 102 640
Further guidance: 7.3.8

Who: S | Process step: D - Integrity and authenticity management | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Invoice signer does not carry out obligations regarding security of keys and certificates. Private (signing) key is not held in a manner which ensures sole control
WHAT (REQUIREMENTS): The invoice signer must ensure sole control of the private key and comply with its obligations regarding security and reporting of potential compromises.
HOW (CONTROLS): The invoice signer shall comply with its obligations regarding security of the private keys and reporting potential compromises. In addition, the signature shall be created using mechanisms commensurate with identified risk relating to fraud to assure protection of keys.
Reference examples: All trading partners that may be recipients of invoices should be informed of any suspected compromise of the signing key employed, and
  a) a cryptographic device conforming to an internationally recognised standard that assures sole control over the private key (e.g. FIPS 140-2 level at least 2 or 3, Common criteria EAL at least 4) or
  b) Software keys held on a system that is held in an environment which is protected such that the key is under sole control of the business entity issuing the invoicing.

Who: S | Process step: D - Integrity and authenticity management / Certificate management (CA Issued) | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Certificate used for AdES on e-invoices is issued by a CA (Certification Authority) which does not properly manage its operations.
WHAT (REQUIREMENTS): The CA must operate under good practice for PKI (Public Key Infrastructure) systems
HOW (CONTROLS): The signature shall be supported by certificates issued by a certification authority operating to recognised good practices. The certificate should include the identity of the legal entity applying the signature
Reference examples: Examples of recognized good practices: ETSI TS 102 042, TS 101 456 or AICPA/CICA Webtrust.
Further guidance: 7.3.3

Who: S | Process step: D - Integrity and authenticity management / Certificate management (CA Issued) | Classes B-D: x x | Intermediated: O | Self-Billing: All
WHY (RISK): Certificate used to protect invoice data exchanges is issued by a CA which does not properly manage its operations.
WHAT (REQUIREMENTS): CA issuing any certificates used to protect data exchange must operate under good practice for PKI systems
HOW (CONTROLS): Data shall be protected by certificates issued by a certification authority operating to recognised good practices.
Reference examples: Examples of recognized good practices: ETSI TS 102 042, TS 101 456 or AICPA/CICA Webtrust, Extended Validity certificates (for SSL / TLS certificates) as defined by the CA/Browser Forum.
Further guidance: 7.3.3

Who: S | Process step: D - Integrity and authenticity management / Certificate management (self-signed) | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Certificate created fraudulently by someone impersonating the identity of the signer
WHAT (REQUIREMENTS): Before using the self-signed certificate, it must be authenticated to all trading partners as coming from trusted source. The use of self-signed certificates is not accepted in all EU-memberstates.
HOW (CONTROLS): The private key associated with a self-signed certificate should be tied to a proof of identity that has been obtained in the onboarding process at a level comparable to recognised good practices for CA's (Certification Authority). Certificates shall be previously exchanged between parties in a way that authenticates the identity of the source.
Reference examples: Examples of recognized good practices for CA's: ETSI TS 102 042, TS 101 456 or AICPA/CICA Webtrust.

Who: S | Process step: 3 - Create invoice | Classes B-D: x x x | Intermediated: O | Self-Billing: B
WHY (RISK): Invoice contains executable code; the integrity of the invoice can no longer be guaranteed.
WHAT (REQUIREMENTS): Ensure invoice does not contain executable code.
HOW (CONTROLS): The creator of the invoice shall take steps to ensure that there is no executable code in the invoice. The contract with trading partner should state that no executable code will be part of an invoice.
Reference examples: Disable any use of macros within the invoice. Scan invoice for virus and other malicious codes. Do not use document formats capable of carrying hidden code and macros.
Further guidance: 7.3.6

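One way to automate the "no executable code" control in the row above before an invoice file is signed or sent, as an added example that is not part of the CEN guidelines. The function name, the token lists and the sample files are assumptions constructed for illustration; unknown formats are rejected by default, in line with the advice to avoid formats that can carry hidden code.

```python
import io
import re
import zipfile

# PDF name tokens that trigger or carry active content.
PDF_ACTIVE_NAMES = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile"}
# Package members that hold macros or scripts (OOXML and ODF containers).
ZIP_ACTIVE_PART = re.compile(r"(^|/)vbaProject\.bin$|^(Basic|Scripts)/", re.I)
# XML constructs that pull in or embed code.
XML_ACTIVE = {
    "stylesheet-pi": re.compile(rb"<\?xml-stylesheet", re.I),
    "entity-declaration": re.compile(rb"<!ENTITY", re.I),
    "script-element": re.compile(rb"<(\w+:)?script[\s>/]", re.I),
}


def _pdf_names(data):
    """Return PDF name tokens with #xx hex escapes decoded (/J#53 == /JS)."""
    names = set()
    for raw in re.findall(rb"/[^\s/<>\[\]()%{}]+", data):
        names.add(re.sub(rb"#([0-9A-Fa-f]{2})",
                         lambda m: bytes([int(m.group(1), 16)]), raw))
    return names


def find_active_content(data):
    """Return a list of findings; an empty list means nothing was flagged."""
    if data.startswith(b"%PDF-"):
        # Limitation: names inside compressed object streams are not visible
        # to this byte-level scan; a full PDF parser is needed for those.
        hits = _pdf_names(data) & PDF_ACTIVE_NAMES
        return sorted("pdf:" + h.decode("latin-1") for h in hits)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            return sorted("zip:" + name for name in package.namelist()
                          if ZIP_ACTIVE_PART.search(name))
    if data.lstrip().startswith(b"<"):
        return ["xml:" + label for label, rx in XML_ACTIVE.items()
                if rx.search(data)]
    # Anything that is not an expected invoice format is refused outright.
    return ["unknown-format"]


def _make_zip(members):
    """Build an in-memory ZIP package from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        for name, content in members.items():
            package.writestr(name, content)
    return buf.getvalue()


# Constructed sample files (not real invoices).
SAMPLES = {
    "clean_xml": b'<?xml version="1.0"?><Invoice><ID>INV-0001</ID>'
                 b'<Total currency="EUR">120.00</Total></Invoice>',
    "xml_stylesheet": b'<?xml version="1.0"?>'
                      b'<?xml-stylesheet type="text/xsl" href="render.xsl"?>'
                      b'<Invoice/>',
    "pdf_js": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\n"
              b"endobj\n2 0 obj\n<< /S /J#61vaScript /JS (constructed "
              b"placeholder) >>\nendobj\n%%EOF\n",
    "docx": _make_zip({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>"}),
    "docm": _make_zip({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"constructed placeholder"}),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        findings = find_active_content(sample)
        print(label, "REJECT" if findings else "accept", findings)
```

A check of this kind complements, and does not replace, the virus scanning and contractual controls listed in the row.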
Who: S | Process step: 3 - Create invoice | Classes B-D: x x x | Intermediated: O | Self-Billing: B
WHY (RISK): An invoice is created more than once as being 'original'.
WHAT (REQUIREMENTS): It must be ensured that an invoice can only be created once without "copy" written on it. It must be clear between the parties what constitutes the original invoice.
HOW (CONTROLS): The workflow must ensure that invoices are created once, whether electronic or on paper.

Who: S | Process step: 3 - Create invoice | Classes B-D: x x x | Intermediated: O | Self-Billing: B
WHY (RISK): Not all invoices issued in name and on behalf of the supplier are reported in General Ledger by the supplier
WHAT (REQUIREMENTS): Method to verify the issued invoices
HOW (CONTROLS): In contract and internal control measures. Reports of issued invoices to the supplier.

Who: S | Process step: 3 - Create invoice / Invoice created by service provider | Classes B-D: x x x | Intermediated: M | Self-Billing: B
WHY (RISK): Service provider adds invoice data that does not originate from the prepared invoice data by the supplier (outside of an agreed enrichment service).
WHAT (REQUIREMENTS): Service provider shall not add invoice data (outside of an agreed enrichment service)
HOW (CONTROLS): Measures must be in place to prevent and detect any creation of invoices that were not prepared or agreed by the supplier. The contract between service provider and supplier must prevent it. Logical access control at the service provider's system. Logical access controls must map to an appropriate segregation of duties, which is evidenced by the end-to-end audit trail.
Reference examples: Audit reports and/or access to service provider-stored invoices to make sure that only invoices have been issued that originate from the prepared invoice data by the supplier.

Who: S | Process step: 3 - Create invoice / Invoice created by service provider | Classes B-D: x x x | Intermediated: M | Self-Billing: B
WHY (RISK): The invoice as created by the service provider does not contain all agreed upon data.
WHAT (REQUIREMENTS): The invoice as created by the service provider must contain all agreed upon data.
HOW (CONTROLS): Control conversion process, audit trail, rules in contract.
Reference examples: Substantive tests of a number of invoices

Who: S | Process step: 3 - Create invoice / Invoice created by service provider | Classes B-D: x x x | Intermediated: M | Self-Billing: B
WHY (RISK): The service provider does not create all invoices
WHAT (REQUIREMENTS): The service provider must create all of the invoices provided by the supplier.
HOW (CONTROLS): Control conversion process, audit trail, rules in contract.
Reference examples: Generate totals to audit complete issue of invoices.

Who: S | Process step: 3 - Create invoice / Invoice created by service provider | Classes B-D: x x x | Intermediated: M | Self-Billing: B
WHY (RISK): The service provider adds data to the invoice or modifies it, the supplier does not have this information.
WHAT (REQUIREMENTS): The supplier is still responsible for the accuracy and completeness of the content of the invoices. The supplier must (be able to) access all data of his invoices.
HOW (CONTROLS): Control conversion process, audit trail, rules in contract. The supplier shall always have access to the issued invoices.
Reference examples: Substantive tests of a number of invoices

Who: S | Process step: 3 - Create invoice | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Signature is not created.
WHAT (REQUIREMENTS): The invoice is provided with an advanced electronic signature to protect its integrity and authenticity.
HOW (CONTROLS): The application should ensure that signatures are applied. The signature shall be created in accordance to an internationally recognised standard signature format. Verify signature on a number of invoices.
Reference examples:
  - CAdES-T as defined in ETSI TS 101 733 & profiled in TS 102 734
  - XAdES T as defined in ETSI TS 101 903 & profiled in TS 102 904
  - PDF Signature as specified in ISO 32000 and profiled in ETSI TS 102 788
Further guidance: 7.2.3.1 & 7.2.3.4, 7.2.3.5

Who: S | Process step: 3 - Create invoice | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Signature is created with an invalid or expired certificate
WHAT (REQUIREMENTS): The invoice must be provided with an advanced electronic signature with a valid certificate.
HOW (CONTROLS): In order for the supplier to provide easy evidence of CA-issued certificate validity at the time of signing, the signing party should timely validate the signature to ensure that the information required to re-verify the signature is readily available.
Reference examples: See process step archiving and auditability for (subprocess) AdES. Modern applications and standards will handle this automatically.
Further guidance: 7.2.2.8

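Who: S | Process step: 3 - Create invoice | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Not all mandatory invoice data are signed.
WHAT (REQUIREMENTS): All mandatory data according to applicable law must be signed.
HOW (CONTROLS): The application must ensure that all mandatory invoice data is signed.
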
Who: S | Process step: 3 - Create invoice | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Structure of the invoice differs from the structure of the invoice as agreed in the current interchange agreement
WHAT (REQUIREMENTS): Structure of the invoice must comply with the structure of the invoice as agreed in the current interchange agreement.
HOW (CONTROLS): A correct validation mechanism must be maintained in order automatically to validate the structure against the interchange agreement. See also the requirements for testing in the onboarding process step (A) in section 5 in Commentary report, figures 1 & 2.

Who: S | Process step: 3 - Create invoice | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): The integrity and authenticity of a summary document might not be guaranteed. Regardless of its form; paper or electronic
WHAT (REQUIREMENTS): To the extent that a summary document is used for evidencing completeness, the integrity and authenticity of the summary document (paper report) must be guaranteed.
HOW (CONTROLS): Measures should ensure integrity and authenticity of summary documents.
Reference examples: Advanced Electronic Signature applied to summary documents. Summary document printed on the supplier's stationery.
Further guidance: 7.2.1.3

Who: S | Process step: 3 - Create invoice / Invoice created by service provider | Classes B-D: x x x | Intermediated: M | Self-Billing: B
WHY (RISK): An invoice is created by both the supplier and the service provider (not according to agreement)
WHAT (REQUIREMENTS): It must be ensured that an invoice can only be created by the designated issuer in the contract. It must be clear between the parties who issues an invoice.
HOW (CONTROLS): The workflow must ensure that invoices are created/issued once.

Who: S | Process step: 4 - Send or make available | Classes B-D: x x x | Intermediated: O | Self-Billing: B
WHY (RISK): Created invoices are not sent or made available on time.
WHAT (REQUIREMENTS): The supplier must ensure that invoices are sent or made available, timely according to applicable law
HOW (CONTROLS): Action of internal control, included in application or agreement with service provider, if appropriate.

Who: S | Process step: 4 - Send or make available | Classes B-D: x x x | Intermediated: O | Self-Billing: B
WHY (RISK): Dispute over whether an invoice has been sent/made available.
WHAT (REQUIREMENTS): Invoices have to be sent/made available.
HOW (CONTROLS): Maintain audit records of sending / retrieving invoices.
Reference examples: The sending or retrieval of the invoice, and any associated acknowledgement, will be recorded. Preferably make use, where available, of systems that produce trusted evidence of sending and, where applicable, of delivery. ETSI will issue in second half of 2008 TS 102 640 that is a multi-part Technical Specification laying down provisions for a Registered E-Mail (REM) mechanism suitable to provide the said evidences for sent eInvoices.

Who: S | Process step: 4 - Send or make available | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Authenticity is based on an invalid or expired certificate.
WHAT (REQUIREMENTS): When a certificate is used to protect the transport of an unsigned invoice, the certificate must be valid.
HOW (CONTROLS): Internal control of certificate validity.
Reference examples: See process step archiving and auditability for (subprocess) AdES. Modern applications and standards will handle this automatically.
Further guidance: 7.2.2.8

Who: S | Process step: 4 - Send or make available | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): False invoice data is sent by party masquerading as supplier or modified during transport
WHAT (REQUIREMENTS): Authenticity and integrity of the invoice must be guaranteed within the EDI-process
HOW (CONTROLS): The invoice data shall be transferred in a way that:
  a) Protects the integrity of the data communicated,
  b) Authenticates the source of the data.
Reference examples:
  i) Transport Layer Security (RFC 4346) with passwords.
  ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC3335, RFC 4130, RFC 4823)
  iii) Secure network service provided by Value Add Network service provider.
  iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
  v) Integrity measures, such as hash totals or reconciliation overviews
  vi) Registered email such as defined in TS 102 640
Further guidance: 7.3.8

Who: S | Process step: 4 - Send or make available | Classes B-D: x x | Intermediated: O | Self-Billing: B
WHY (RISK): The buyer is unaware of a presented invoice.
WHAT (REQUIREMENTS): There must be an understanding between trading partners when an invoice is sent or made available.
HOW (CONTROLS): Send notifications; It is good practice to address this risk in the application; record when and to whom the notifications were sent. Rules in contract.
Reference examples: If email is used for the notification, request delivery receipt by email from recipient.

Who: S | Process step: 4 - Send or make available | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Presented invoices are not reviewed by buyer
WHAT (REQUIREMENTS): In order to correctly perform the receipt process, the buyer must review the invoices.
HOW (CONTROLS): It is good practice to have a clear understanding with the buyer that it is his responsibility to review the invoice.
Reference examples: Within the web environment the audit trail of viewing the invoices can be made visible. Alert in the application if the invoice is not accessed within a specific time period. Log access to the invoice.

Who: S | Process step: 4 - Send or make available | Classes B-D: x | Intermediated: O | Self-Billing: B
WHY (RISK): Invoices are presented twice with the result that the buyer may claim the VAT twice, whereas the supplier only reports the VAT once.
WHAT (REQUIREMENTS): Invoices may only be presented once and must be uniquely identifiable.
HOW (CONTROLS): The workflow must ensure that invoices are presented once and that the transaction is processed correctly. The presented invoice is the original invoice. Presented invoices must therefore be uniquely identifiable, e.g. from the document name and unique number.

Row 49
Who: S
Process step: 4 - Send or make available
Column marks: x O B
WHY (RISK): Not all invoices are presented. Special attention for corrective invoices.
WHAT (REQUIREMENTS): All invoices must be presented. Special attention for corrective invoices.
HOW (CONTROLS): Application audits and internal control actions.
Row 50
Who: S
Process step: 4 - Send or make available
Column marks: x O B
WHY (RISK): The wrong web server is consulted (spoofing)
WHAT (REQUIREMENTS): The server on which the invoices are accessible must authenticate itself verifiably towards the buyer
HOW (CONTROLS): A mechanism shall be in place to authenticate the web server. See also requirements for Integrity and authenticity management (Process step D in section 5 in Commentary report, figures 1 & 2).
Reference examples: Authentication by SSL/TLS with a sufficiently strong server certificate. The server on which invoices are held must be made available by buyer with a link in an email (legal requirement in some Member States). Use of extended validation certificates as defined by CA Browser forum is recommended.
Further guidance: 7.3.5
Row 51
Who: S
Process step: 4 - Send or make available
Column marks: x O B
WHY (RISK): The invoice is modified whilst being held on web server
WHAT (REQUIREMENTS): Invoice cannot be changed in authorised manner whilst on web server.
HOW (CONTROLS): Web system operates under recognised good practices for security of web servers and controls access to invoice.
Row 52
Who: S
Process step: 4 - Send or make available (Invoice created by service provider)
Column marks: x x x M B
WHY (RISK): It is not clear who issues the invoice
WHAT (REQUIREMENTS): It must be ensured that an invoice can only be issued by the designated issuer in the contract. It must be clear between the parties who issues an invoice.
HOW (CONTROLS): Rules in the contract between the trading partner and service provider, must clarify on who issues the invoices. The invoice can contain a statement that it was issued by a third party in name and on behalf of the supplier (this is mandatory in some Member States).
Row 53. Section: All (Supplier and Buyer Side)
Row 54
Who: All
Process step: Generic - Data/Message Transport (This process step applies to any exchange of data between parties of the invoice transport chain)
Column marks: x x M All
WHY (RISK): The invoice data or invoice transferred between chain participants can be altered or added to during the transmission
WHAT (REQUIREMENTS): Ensure authenticity and integrity of data whilst being sent.
HOW (CONTROLS): The data shall be transferred in a way that: a) Protects the integrity of the data communicated, b) Authenticates the source of the data.
Reference examples:
i) Transport Layer Security (RFC 4346) with passwords.
ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823)
iii) Secure network service provided by Value Add Network service provider.
iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
v) Integrity measures, such as hash totals or reconciliation overviews
vi) Registered email such as defined in TS 102 640
vii) If AdES was applied integrity can be validated at receiver
Further guidance: 7.3.8
Row 55
Who: All
Process step: C - Archiving and auditability
Column marks: x O All
WHY (RISK): It is not possible to verify that the certificate was valid at the time of signing or receipt of the invoice
WHAT (REQUIREMENTS): Advanced electronic signatures must remain verifiable during the storage period.
HOW (CONTROLS): When issuing an invoice the signature used should be verified (see above process step Create invoice; step 3 in section 5 in Commentary report, figures 1 & 2.) and all the information necessary to re-verify the validity of the signature at or around the signing time shall be readily available.
Reference examples:
- recording certificates and revocation information
- CAdES-C, CAdES-A or CAdES-X in ETSI TS 101 733 & profiled in TS 102 734
- XAdES-C, XAdES-A or XAdES-X as defined in ETSI TS 101 903 & profiled in TS 102 904
Note: Equivalent forms to CAdES/XAdES -C to -A for long term validation of PDF Signatures (PAdES) is due to be published by ETSI Q3 2009.
Further guidance: 7.2.2.8, 7.3.4
Row 56
Who: All
Process step: C - Archiving and auditability
Column marks: x O All
WHY (RISK): It is not possible to verify the integrity of the invoice
WHAT (REQUIREMENTS): Advanced electronic signatures must remain verifiable during the storage period.
HOW (CONTROLS): The integrity of the signed invoice, including information used to reverify the signature (see above process step Create invoice; 3 in section 5 in Commentary report, figures 1 & 2.), shall be maintained beyond the lifetime of the signature algorithm and certificates.
Reference examples:
1) Applying archive timestamp to signature as in CAdES-A as defined in ETSI TS 101 733 & profiled in TS 102 734
2) Applying archive timestamp to signature as in XAdES-A as defined in ETSI TS 101 903 & profiled in TS 102 904
3) Employing WORM devices within an auditable archive process.
4) Using third party service trusted to archive data (e.g. notary)
5) Employing archive system which maintains the integrity of data
Note: Equivalent forms to CAdES/XAdES -XL and -A for long term validation of PDF Signatures (PAdES) is due to be published by ETSI Q3 2009.
Further guidance: 7.2.2.8, 7.3.4
Row 57
Who: All
Process step: C - Archiving and auditability
Column marks: x x x O All
WHY (RISK): Invoices are not archived for statutory archiving period.
WHAT (REQUIREMENTS): The issued and received invoices must be archived for the statutory archiving period under the applicable law(s).
HOW (CONTROLS): This needs to be addressed in fit for purpose archiving procedures.
Row 58
Who: All
Process step: C - Archiving and auditability
Column marks: x x x O All
WHY (RISK): Invoices are not available within a reasonable period
WHAT (REQUIREMENTS): At the request of the tax inspector, the invoice must be made available promptly over the full mandatory period.
HOW (CONTROLS): Inquiry can be executed within a reasonable period of time.
Reference examples: Online access can be used and provides prompt access, access by invoice number, trading partner and date range
Row 59
Who: All
Process step: C - Archiving and auditability
Column marks: x x O All
WHY (RISK): Archived invoices can be modified or removed within the agreed archiving period
WHAT (REQUIREMENTS): The authenticity and integrity of the content of the invoices stored must be guaranteed throughout the storage period.
HOW (CONTROLS): The invoice and audit records regarding handling of the invoice, including information on authentication checks carried out, shall be protected by mechanisms that assure the integrity of data throughout the storage period.
Reference examples:
- the use of WORM (Write Once Read Many) type devices
- secure archive storage.
- a summary document or time-stamp which indicate a broken integrity
Further guidance: 7.2.1.3, 7.3.4
Row 60
Who: All
Process step: C - Archiving and auditability
Column marks: x x x O All
WHY (RISK): Invoices cannot be audited.
WHAT (REQUIREMENTS): Invoices must be capable of being audited within a reasonable time upon request.
HOW (CONTROLS): Measures must be implemented to ensure that the invoice can be readable to the competent tax administration.
Reference examples: Online available viewer e.g. in the UN layout key. Use a format that can be interpreted by a competent tax authority's audit software.
Row 61
Who: All
Process step: C - Archiving and auditability
Column marks: x x x O All
WHY (RISK): Human readable form is not same as machine processed.
WHAT (REQUIREMENTS): It must be demonstrable that the human readable form is the same as the encoded form.
HOW (CONTROLS): It shall be demonstrable that the mapping from electronic invoice to visible form is correct. It should be possible to reproduce the identical readable form. It shall be demonstrable that any codes used are correct. Any codes used should either be:
- standardised in a formal or publicly available specification.
- or specified in an internal document where the authenticity and integrity is protected to the same security level as for the storage of invoices.
Reference examples: Using a reliable style sheet in conjunction with online viewer
Row 62
Who: All
Process step: C - Archiving and auditability
Column marks: x x x O All
WHY (RISK): The invoices are not correctly and fully reproducible due to historically incorrect retention of e.g. master data including parameters, code-tables and calculation rules.
WHAT (REQUIREMENTS): The invoices must be available, accurate and complete, throughout the storage period.
HOW (CONTROLS): Keep all data separate from the billing application or accurate data storage including history.
Reference examples: Single file is used to store all invoice data (XML or PDF with structured data) - invoice history stored as a separate file with reference to invoice + yearly history reports are created and stored
Row 63
Who: All
Process step: C - Archiving and auditability
Column marks: x x x O All
WHY (RISK): Audit trail is not correctly maintained
WHAT (REQUIREMENTS): Adequate audit trail must be available throughout the storage period
HOW (CONTROLS): Retain the audit trail
Reference examples: Retain key process information such as mappings, date recordings, logs etc. In addition, retain documents like Purchase Orders, Dispatch Advise, …
Further guidance: 7.3.7
Row 64. Section: B - Buyer Side
Row 65
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x x O S
WHY (RISK): The buyer's environment is not available for receiving invoices.
WHAT (REQUIREMENTS): The technical availability for receiving invoices must be ensured. The accurate, complete and prompt receipt of invoices must be adequately ensured.
HOW (CONTROLS): See also process steps Generic (0) and On-boarding (A) in section 5 in Commentary report, figures 1 & 2. Procedure or application check on the completeness of the received invoices and credit notes.
Row 66
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x x O S
WHY (RISK): Invoices are received multiple times
WHAT (REQUIREMENTS): Multiple receipt of invoices must be detected. Multiple invoices must be removed and eliminated from further processing.
HOW (CONTROLS): Application checks to detect invoices received multiple times and exclude them from further processing after thorough analysis of the cause.
Row 67
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x x O S
WHY (RISK): Invoices are rejected for technical reasons
WHAT (REQUIREMENTS): Invoice must be technically correct before being further processed. The rejected invoices must be separately identifiable.
HOW (CONTROLS): Thorough agreements about the technical standards of the invoices must be present and adequately tested. Mechanism for promptly detecting technical inaccuracy and reporting to the sender. Processing of the received invoice must be stopped. The sender must send the correct invoice again or issue a credit note and a corrective invoice.
Row 68
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x x O S
WHY (RISK): The buyer or the service provider on his behalf does not receive all invoices (including credit notes)
WHAT (REQUIREMENTS): The buyer or the service provider on his behalf must receive all invoices sent.
HOW (CONTROLS): There shall be proper procedures in place to ensure that all invoices are properly received. Register all incoming invoices
Reference examples: Handshake or confirmation of received invoices where possible.
Row 69
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x x O S
WHY (RISK): Dispute over whether an invoice has been received.
WHAT (REQUIREMENTS): Maintain audit records of receiving / retrieving invoices.
HOW (CONTROLS): The receipt or retrieval of the invoice, and any associated acknowledgement, will be recorded.
Reference examples: Handshake or confirmation of received invoices where possible. ETSI TS 102 640 (REM) provides a mechanism that provides evidence of delivery of a message and of who sent it.
Row 70
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x x O S
WHY (RISK): Invoice contains executable code.
WHAT (REQUIREMENTS): Ensure invoice does not contain executable code
HOW (CONTROLS): The receiver shall verify that there is no executable code in the invoice. The contract with the trading partner should state that no executable code will be part of an invoice.
Reference examples: Disable any use of macros in invoice encoding; Scan invoice for virus and other malicious codes.
Further guidance: 7.3.6
Row 71
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x x O S
WHY (RISK): The moment of formal receipt is unclear.
WHAT (REQUIREMENTS): Measures of authenticity and integrity in transport should be in place until the moment of formal receipt. From the moment of formal receipt of the invoice, integrity and authenticity must rather be ensured by preventing changes to the original invoice.
HOW (CONTROLS): Rules in contract
Reference examples: ETSI TS 102 640 (REM) provides evidence also of the moment of delivery.
Row 72
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x O S
WHY (RISK): Invoice has no (or invalid) signature and/or issuer cannot be identified
WHAT (REQUIREMENTS): The authenticity and integrity of the invoice must be ensured by means of an advanced electronic signature. The authentication mechanism (at the buyer) must ensure the clear identification of the issuer.
HOW (CONTROLS): Procedure or check in the application. Ensure that invoice or e-mail is provided with an advanced digital signature. Otherwise reject invoice.
Further guidance: 7.2.2.1 to 7.2.2.8
Row 73
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x O S
WHY (RISK): Uncertainty over the time which the signature was verified and hence possible ambiguity over the status of the certificate.
WHAT (REQUIREMENTS): Record time that the advanced electronic signature is verified. (Different EU-member states have different rules.)
HOW (CONTROLS): Have assurance that the correct time is recorded of the verification
Reference examples: If the signature does not already include a time-stamp or trusted time-mark then a trusted time-mark or time-stamp can be applied. (e.g. as specified in long term forms of CAdES, XAdES or PAdES)
Further guidance: 7.2.2.8
Row 74
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x O S
WHY (RISK): Uncertainty over the rules applied in verifying a signature.
WHAT (REQUIREMENTS): The process/software applied to verify the advanced electronic signature should be identifiable and reliable.
HOW (CONTROLS): Records should be maintained of the process/software employed in validating the signature (for software including version and patches).
Reference examples: Include signature policy identifier as in EPES forms of CAdES, XAdES and PAdES.
Further guidance: 7.2.2.1
Row 75
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x O S
WHY (RISK): Invoice cannot be processed by the application.
WHAT (REQUIREMENTS): Invoice must comply with the (technical) requirements of the current interchange agreement
HOW (CONTROLS): Invoices are tested during Process step A Trading partner Onboarding in section 5 in Commentary report, figures 1 & 2.
Reference examples: Requirements may relate for example to the protection, registration of the invoices in a register, mandatory fields, acceptability of an EDI report as evidence e.g. See Recommendation 94/820/EC
Row 76
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x x O S
WHY (RISK): The content or format of the original invoice is changed during transfer
WHAT (REQUIREMENTS): It must be possible to detect whether issued invoices are modified during transfer
HOW (CONTROLS): Within the process of the buyer, there must be a verification/check that the agreed secure mechanisms are applied
Reference examples:
i) Transport Layer Security (RFC 4346) with passwords.
ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823)
iii) Secure network service provided by Value Add Network service provider.
iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
v) Integrity measures, such as hash totals or reconciliation overviews
vi) Registered email such as defined in TS 102 640
For EDI this can also be protected using summary statements
Further guidance: 7.3.8
Row 77
Who: B
Process step: 5 - Receipt and technical verification (Conversion of invoice-data)
Column marks: x x x O S
WHY (RISK): The original invoice is converted and treated as a new instance of the original invoice.
WHAT (REQUIREMENTS): There can only be one original invoice and an audit trail must be maintained between the original and any sets of invoice data derived from it.
HOW (CONTROLS): Archive the original invoice. Audit trail.
Reference examples: Substantive test of a number of invoices
Row 78
Who: B
Process step: 5 - Receipt and technical verification (Conversion of invoice-data)
Column marks: x x x O S
WHY (RISK): The invoice data is converted incompletely or incorrectly.
WHAT (REQUIREMENTS): Conversion of invoice data must not modify the original invoice content. Authenticity and integrity measures should remain verifiable.
HOW (CONTROLS): Detailed process steps and mapping have to be defined and traced in an audit trail.
Row 79
Who: B
Process step: 5 - Receipt and technical verification (Conversion of invoice-data)
Column marks: x x x O S
WHY (RISK): New data is added to the invoice data
WHAT (REQUIREMENTS): Only data already available in or from the invoice must be converted to the system of the buyer.
HOW (CONTROLS): Archive the original invoice. Make sure conversion is correct and complete. Audit trail. It is possible to add internal business data to the invoice; this will not compromise the existing mandatory data.
Reference examples: Substantive test of a number of invoices
Row 80
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x O S
WHY (RISK): Invoices cannot be accessed e.g. supplier/presenter environment is not available for checking presented invoices
WHAT (REQUIREMENTS): Invoices must be accessible
HOW (CONTROLS): Agreements and general conditions of supply. Post-contract conditions, see also process step Off-boarding E in section 5 in Commentary report, figures 1 & 2.
Row 81
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x O S
WHY (RISK): Invoice is not (promptly) accessed after receiving a notification in case of Web access
WHAT (REQUIREMENTS): All notifications must lead to accessing the invoice
HOW (CONTROLS): Procedures and guidelines.
Reference examples: Online solution to offer audit trail of access
Row 82
Who: B
Process step: 5 - Receipt and technical verification
Column marks: x O S
WHY (RISK): It is not possible to verify who made the invoice available.
WHAT (REQUIREMENTS): On-line invoices may only be consulted on websites whose identity and authenticity can be verified.
HOW (CONTROLS): Check in application/web browser
Reference examples: Authentication by SSL/TLS with a sufficiently strong server certificate. Use of Extended Validation certificate as defined by CAB Forum is recommended.
Further guidance: 7.3.5
Row 83
Who: B
Process step: D - Integrity and authenticity management (Certificate management (Self signed))
Column marks: x O S (self-signed)
WHY (RISK): The self signed certificate required to verify an advanced electronic signature is not trustworthy.
WHAT (REQUIREMENTS): Signature verification must use only self-signed certificates authenticated as coming from known and trusted trading partners. (The use of self signed certificates is not accepted in all EU Member States.)
HOW (CONTROLS): The self-signed certificate should be tied to a proof of identity that has been obtained in the onboarding process at a level comparable to recognised good practices for CAs. Certificates shall be previously exchanged between parties in a way that authenticates the identity of the source.
Reference examples: Good practices for CA's may include ETSI TS 102 042, TS 101 456 or AICPA/CICA Webtrust
Row 84
Who: B
Process step: D - Integrity and authenticity management (Certificate management (CA Issued))
Column marks: x O S
WHY (RISK): The CA Certification Authority certificate required to verify signature is not trusted.
WHAT (REQUIREMENTS): Signature verification must use certificates issued by a CA which does properly manage its operations.
HOW (CONTROLS): Only certificates from a certification authority operating to recognised good practices shall be configured into the signature verification system.
Reference examples: Good practices for CA's may include ETSI TS 102 042, TS 101 456 or AICPA/CICA Webtrust.
Further guidance: 7.3.3
Row 85
Who: B
Process step: D - Integrity and authenticity management (Certificate management (Self signed))
Column marks: x O S (self-signed)
WHY (RISK): The revocation status of the signing certificate is unknown.
WHAT (REQUIREMENTS): Signature verification must check the status of certificates. (The use of self signed certificates is not accepted in all EU Member States.)
HOW (CONTROLS): There should be a contractual commitment from the signer to notify the buyer in case of key compromise or other reasons to consider the certificate to be invalid.
Row 86
Who: B
Process step: D - Integrity and authenticity management (Certificate management (CA Issued))
Column marks: x O S
WHY (RISK): The revocation status of the signing certificate is unknown.
WHAT (REQUIREMENTS): Signature verification must check the status of certificates.
HOW (CONTROLS): The signature verification software should check the status of the signing certificate.
Reference examples: Check validity period and Certificate Revocation Lists (as defined in X.509 and IETF RFC 3280) or an OCSP server (IETF RFC 2560)
Further guidance: 7.2.2.6 & 7.2.2.7
Row 87
Who: B
Process step: D - Integrity and authenticity management (Certificate management (Self signed))
Column marks: x x O S
WHY (RISK): Certificate used to protect invoice data exchanges is not from the self-signed issuer
WHAT (REQUIREMENTS): Data exchanges must be protected using certificates from trusted certificate issuer. (The use of self signed certificates is not accepted in all EU Member States.)
HOW (CONTROLS): Data shall be protected by certificates issued by a trusted supplier operating to practices comparable to recognised good practices for CAs. Certificates shall be previously exchanged between parties in a way that authenticates the identity of the source.
Reference examples: CA good practices include e.g. ETSI TS 102 042, TS 101 456 or AICPA/CICA Webtrust, Extended Validity certificates as defined by the CA/Browser Forum.
Row 88
Who: B
Process step: B - Master Data
Column marks: x O S
WHY (RISK): The invoices are not correctly and fully reproducible due to historically incorrect retention of master data including parameters, code-tables and calculation rules.
WHAT (REQUIREMENTS): It must be possible to reproduce the correct invoice including referenced data
HOW (CONTROLS): Retain history of master data changes
Row 89
Who: B
Process step: 6 - Formal verification
Column marks: x x x O S
WHY (RISK): Electronic invoice does not contain all mandatory data or addressed to the wrong legal person.
WHAT (REQUIREMENTS): Invoice must comply with the country specific mandatory data.
HOW (CONTROLS): The application must ensure that the invoice contains all mandatory data according to the VAT Law before the invoice can be processed.
Row 90
Who: B
Process step: 6 - Formal Verification
Column marks: x O S
WHY (RISK): Invoice may be modified or another party may be masquerading as the issuer.
WHAT (REQUIREMENTS): The authentication of origin and integrity of the invoice must be verified by verifying the advanced electronic signature.
HOW (CONTROLS): The validity of the AdES signature shall be checked and the results recorded including verification time and information (e.g. CRLs or OCSP and certificates) used to verify the signature.
Reference examples: If possible, the verifier should wait for a grace period before confirming signatures are valid, to ensure that revocations have been reported. However, where this is not practical due to the automated business process, there should be an agreement between the invoice issuer and the recipient that potential compromises to the signing key are reported immediately to the recipient.
Further guidance: 7.2.2.6
Row 91
Who: B
Process step: 6 - Formal Verification
Column marks: x O S
WHY (RISK): Invoice has a signature that does not protect all mandatory data.
WHAT (REQUIREMENTS): Integrity of all mandatory data shall be protected by advanced electronic signature. The buyer shall verify this.
HOW (CONTROLS): Procedure or application check.
Row 92
Who: B
Process step: 6 - Formal verification
Column marks: x O S
WHY (RISK): Invoice may be modified or another party may be masquerading as the supplier
WHAT (REQUIREMENTS): The authentication of origin of the invoice must be verified by verifying the channel through which the invoice is received.
HOW (CONTROLS): The authenticated identity of the invoice issuer, and any integrity check codes, shall be checked and the results recorded including the time of authentication.
Row 93
Who: B
Process step: 6 - Formal Verification
Column marks: x O S
WHY (RISK): Buyer accepts invoice from a supplier without interchange agreement
WHAT (REQUIREMENTS): Invoice must come from a supplier with whom there is an interchange agreement
HOW (CONTROLS): Application check; is the supplier known as an EDI biller. Procedure for entering and modifying fixed data. See also Process step On-boarding A
Row 94
Who: B
Process step: 6 - Formal verification
Column marks: x O B
WHY (RISK): Invoice may be modified or another party may be masquerading as the issuer.
WHAT (REQUIREMENTS): The authentication of origin of the invoice must be verified by verifying the channel through which the web server is accessed
HOW (CONTROLS): Web system operates under recognised good practices for security of web servers and controls access to invoice. The invoice shall be sent through a secure channel which:
a) Protects the integrity of the invoice up to the buyer or the buyer's service provider.
b) Authenticates the invoice issuer to the buyer or the buyer's service provider. This can be either:
o Authentication information confirmed by a trusted third party (e.g. certificate issued by
Reference examples:
i) Transport Layer Security (RFC 4346) with passwords.
ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823)
iii) Secure network service provided by Value Add Network service provider.
iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
v) Integrity measures, such as hash totals or reconciliation overviews
Further guidance: 7.3.8
Row 95
Who: B
Process step: 7 - Last mile
Column marks: x x x M S
WHY (RISK): The invoice data transferred to the buyer by the service provider can be altered or added during the transmission.
WHAT (REQUIREMENTS): Ensure authenticity and integrity of invoice data whilst being sent.
HOW (CONTROLS): The invoice data shall be transferred in a way that: a) Protects the integrity of the data communicated, b) Authenticates the source of the data.
Reference examples:
i) Transport Layer Security (RFC 4346) with passwords.
ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823)
iii) Secure network service provided by Value Add Network service provider.
iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
Further guidance: 7.3.8
Row 96
Who: B
Process step: 8 - Material verification and processing
Column marks: x x x O S
WHY (RISK): Invoices occur twice
WHAT (REQUIREMENTS): Each invoice shall only be booked once
HOW (CONTROLS): (Application) Controls to detect duplicated invoices and prevent them from being processed
Row 97
Who: B
Process step: 8 - Material verification and processing
Column marks: x x x O S
WHY (RISK): Invoices are not checked timely for content and processed
WHAT (REQUIREMENTS): The consistency of each transaction and the content must be checked within an appropriate time on receipt for processing.
HOW (CONTROLS): (Application) Controls and reconciliation with e.g. orders, goods receipt.
Row 98
Who: B
Process step: 8 - Material verification and processing
Column marks: x x x O S
WHY (RISK): Incorrect or fraudulent Invoice is processed
WHAT (REQUIREMENTS): Only process invoices that correspond to business expectation
HOW (CONTROLS): Invoice content can be validated against buyer's in-house accounts payable master data - in case of substantial differences do not further process and run an approval workflow. Application checks and procedures for modifying master data of the supplier.
Row 99
Who: B
Process step: 8 - Material verification and processing
Column marks: x x x O S
WHY (RISK): The person accountable for processing the invoice cannot be identified
WHAT (REQUIREMENTS): The accountable person needs to be identifiable
HOW (CONTROLS): All internal control records relating to the receipt, audit and processing of the invoices must be retained.
Row 100. Section: All (Supplier and Buyer Side)
Row 101
Who: All
Process step: E - Trading partner offboarding
Column marks: x x x M All
WHY (RISK): Transactions and stored invoices are lost, duplicated, or processed without sufficient controls. Required system or process auditability becomes legally unavailable; audit trails and descriptive documents can no longer be accessed by competent authorities.
WHAT (REQUIREMENTS): The trading partners must ensure proper termination of the relationships from a tax control and auditability perspective. Authenticity and integrity must remain verifiable during the storage period
HOW (CONTROLS): Trading partners must agree on minimum procedures for an appropriate transition should there be a need to move invoices from one transactional or storage service/environment to another during their life cycle. Equally, trading partners must ensure that critical audit trail and documentary evidence of past transactions and storage processes is retained, irrespective of invoices/invoice processes having been moved, for the remainder of the mandatory storage period of invoices under applicable law.
Reference examples: These issues should be regulated in an explicit agreement between the trading partners, and between each trading partner and their service provider(s), concluded prior to starting the e-invoicing process.
Row 102
Who: All
Process step: E - Trading partner offboarding
Column marks: x M B
WHY (RISK): The buyer cannot access the 'original' presented invoice.
WHAT (REQUIREMENTS): If the physical connection is not available due to contract termination, the invoices must still be available for the entire retention period. This must include authenticity and integrity characteristics.
HOW (CONTROLS): Must be agreed in a contract, see also process step Archiving and auditability C in section 5 in Commentary report, figures 1 & 2.
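The buyer-side controls in the matrix above (register all incoming invoices, detect multiple receipt, detect content changed in transfer, reconcile against a summary statement) can be combined in one receipt register. The following Python sketch is an added illustration, not part of the Guidelines; the field names (supplier_vat_id, invoice_number, gross_cents), the summary-statement layout and the sample data are assumptions constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def invoice_digest(invoice: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so equal content gives equal digests."""
    canonical = json.dumps(invoice, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def invoice_key(invoice: dict) -> tuple:
    """Unique identification of an invoice: issuer plus invoice number (assumed fields)."""
    return (invoice["supplier_vat_id"], invoice["invoice_number"])


@dataclass
class ReceiptRegister:
    """Registers every incoming invoice and keeps an audit record of each receipt."""
    accepted: dict = field(default_factory=dict)   # key -> (digest, gross_cents)
    audit_log: list = field(default_factory=list)  # one entry per receipt attempt

    def receive(self, invoice: dict, received_at: datetime = None) -> str:
        key, digest = invoice_key(invoice), invoice_digest(invoice)
        if key not in self.accepted:
            self.accepted[key] = (digest, invoice["gross_cents"])
            outcome = "ACCEPTED"
        elif self.accepted[key][0] == digest:
            outcome = "DUPLICATE"   # same invoice delivered again: exclude from processing
        else:
            outcome = "CONFLICT"    # same identifier, different content: hold for analysis
        when = received_at or datetime.now(timezone.utc)
        # Every attempt is logged, including rejected ones, so receipt disputes can be settled.
        self.audit_log.append({"time": when.isoformat(), "key": key,
                               "digest": digest, "outcome": outcome})
        return outcome

    def reconcile(self, summary: dict) -> dict:
        """Compare the sender's summary statement with what was actually accepted."""
        supplier = summary["supplier_vat_id"]
        received = {num: gross for (vat, num), (_, gross) in self.accepted.items()
                    if vat == supplier}
        announced = set(summary["invoice_numbers"])
        return {
            "missing": sorted(announced - set(received)),      # sent but never received
            "unexpected": sorted(set(received) - announced),   # received but not announced
            "total_matches": sum(received.values()) == summary["gross_total_cents"],
        }


SUPPLIER = "NL000000000B01"  # constructed placeholder VAT id, not a real registration


def demo() -> tuple:
    """Runs constructed sample deliveries through the register and reconciles them."""
    register = ReceiptRegister()
    t0 = datetime(2009, 5, 28, 9, 0, tzinfo=timezone.utc)
    deliveries = [  # constructed sample data; amounts are integer cents
        {"supplier_vat_id": SUPPLIER, "invoice_number": "INV-001", "gross_cents": 10000},
        {"supplier_vat_id": SUPPLIER, "invoice_number": "INV-002", "gross_cents": 25050},
        {"supplier_vat_id": SUPPLIER, "invoice_number": "INV-001", "gross_cents": 10000},
        {"supplier_vat_id": SUPPLIER, "invoice_number": "INV-002", "gross_cents": 99900},
    ]
    outcomes = [register.receive(inv, t0) for inv in deliveries]
    summary = {  # constructed summary statement from the sender, with a control total
        "supplier_vat_id": SUPPLIER,
        "invoice_numbers": ["INV-001", "INV-002", "INV-003"],
        "gross_total_cents": 47550,
    }
    return outcomes, register.reconcile(summary), register.audit_log


if __name__ == "__main__":
    outcomes, reconciliation, log = demo()
    print(outcomes)
    print(reconciliation)
    print(len(log), "audit records")
```

The register only detects and records; what happens to a DUPLICATE or CONFLICT invoice afterwards (analysis of the cause, request for a corrective invoice) remains a procedural control.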