CEN WORKSHOP AGREEMENT
CWA NNNNN
Working Draft, 28th May 2009 (Draft v0.90)

e-Invoicing Compliance Guidelines Matrix
DRAFT Version
Introduction
This e-Invoicing Compliance Guidelines Matrix (The Guidelines) is made available as an integral part of this CEN Workshop Agreement. The content is not to be considered as exhaustive and, although some of the original source material is from the Netherlands Tax and Customs Administration (Belastingdienst), great care has been taken to ensure that content and recommendations are valid for most Member States and not specific to any Member State requirement.

You will find more background in the Commentary accompanying this Matrix (available at http://www.e-invoice-gateway.net/knowledgebase/eInvoiceBestPractice/).

Process model Diagram
The extended process model represents the different steps in the information flow from Supplier, on the left, to the Buyer on the right.
[Process model diagram: information flows from the Supplier (left) to the Buyer (right), with a Service Provider in between; the supplier side is labelled "First Mile" and the buyer side "Last Mile". Numbered process steps: 1 Prepare invoice data; 2 (first mile, carries no further label in the extracted diagram); 3 Create invoice; 4 Send or make available; 5 Receipt and technical verification; 6 Formal verification; 7 (last mile, likewise unlabelled); 8 Material verification & processing. Cross-cutting areas spanning the whole flow: A/E Trading partner on- and off-boarding (A on the supplier side, E on the buyer side); B Master Data; C Archiving and auditability; D Integrity and authenticity management.]
How to use the DRAFT Compliance Guidelines matrix, Draft_e-Invoicing_ComplianceGuidelines_v080
Filters are provided in the Excel spreadsheet to help the user select his area of interest, e.g. EDI and Self-Billing, Service Provider for the Supplier and Integrity and Authenticity options. To get familiar with the guidelines it is in any case recommended to read the Excel worksheet at least once from top to bottom. Users are also encouraged to consult the Commentary prior to reviewing this matrix.

Excel Spreadsheet Filter Columns A-G
The first columns provide the possibility of using the "Filter options" to make a selective search. The key arguments are given below. Make sure that no filter is set (to reset all filters use Data -> Filter -> “Show A

Col A   Who: Invoicing process applies to: S = Supplier, B = Buyer, All = Supplier and Buyer
Col B   Process Step: Process steps with number
Col C-E Business implementation class: Classification of business implementation methods as described in the Commentary. Class A is not included in the Matrix. Class B is "controlled data exchange"; Class C is "data level controls"; Class D is "outsourced safe-keeping"
Col F   Intermediated: e-Invoicing process carried out by a Service Provider (O = optional/possible, M = Must)
Col G   Self-Billing: e-Invoicing issue carried out by the Buyer. Process applies to: S = Supplier, B = Buyer, All = Supplier and Buyer

Excel Spreadsheet Process Step Details
Col H   Why (Risk): Refers to tax risks that form the rationale for the existence of legal requirements in this process step. It answers the question “what are the inherent risks from a tax perspective in this process step?”
Col I   What (Requirements): Refers to the tax requirement addressing the risk.
Col J   How (Controls): Control (solution) that should be used to ensure the risk is avoided
Col K   Reference Examples: The examples listed are non exhaustive and provided only to illustrate the kind of measures envisaged as being used.
Col L   Further guidance: Cross-references sections of the Commentary where further technical guidance is provided.
Col M   Your Implementation / applicability: To be used for your self-assessment: short description and reference to your solution documentation; if a process step is not applicable use "n/a" + reason
Col N   Your comments: please add your name and a date (30/6 - Your Name: text…). You are encouraged to provide feedback; please upload the form with your feedback at http://www.e-invoice-gateway.net. Your feedback will be managed anonymously, but we encourage you to provide your name and email for follow-up questions.

Terms and abbreviations in the Guidelines
- RFC: Request for Comment http://www.rfc-editor.org/rfc.html
- ITU: International Telecommunications Union http://www.itu.int/library/
- S/MIME: Secure/Multipurpose Internet Mail Extensions
- ETSI TS: European Telecommunications Standards Institute Technical Specifications http://www.etsi.org/website/homepage.aspx
- AICPA: The American Institute of Certified Public Accountants
- CICA: Canadian Institute of Chartered Accountants
- SSL: Secure Sockets Layer (SSL) v2 and v3
- TLS: Transport Layer Security
V0.90
                                                                                                                                                                 57408c06-4059-4cb6-9421-20771632b4e7.xls




     A                       B                     C       D       E   F               G                         H                            I                                            J                                                         K                                               L




                                                                       Intermediated

                                                                                       Self-Billing
                                                                                                                                                                                                                                            Reference Examples.
                                                   Business                                                                                                                                                                                                                                  Further Guidance
     Who




                        Process step                                                                                                                                                                                    N.B. The examples listed are non exhaustive and provided
                                               implementation                                               WHY (RISK)           WHAT (REQUIREMENTS)                             HOW (CONTROLS)                                                                                        [See reference sub-section for
                 (the order can be adjusted)                                                                                                                                                                            only to illustrate the kind of measures envisaged as being
                                                 classes B-D                                                                                                                                                                                                                                  further guidance]
                                                                                                                                                                                                                                                     used.


1
2                                                  B       C       D
3 All (Supplier and Buyer Side)
     All 0 - Generic                           x       x       x       O               All General risks on IT                 Support general commercial        Implement recognised standards based good              Taking into account the size and nature of the organisation,   7.3.1
                                                                                           systems                             good security practices           practices for the security, continuity and integrity   appropriate (general IT) controls should be implemented        7.3.7
                                                                                                                                                                 of the business system. These practices shall be
                                                                                                                                                                 applied and audited in line with the requirements
                                                                                                                                                                 of recognised good practices so as to provide a
                                                                                                                                                                 robust control framework.

4
     All 0 - Generic                           x       x       x       O               All Service provider has         The responsibilities of each             The processes implementing the supplier and        Clearly document on whose behalf functions are
                                                                                           responsibilities to both the party must be clearly                    buyer requirements shall be clearly separable with implemented
                                                                                           supplier and the buyer,      delineated.                              separate audit records, separate archives,
                                                                                           with potential for conflicts                                          separate management control parameters and
                                                                                           of interest.                                                          operated under separate management
                                                                                                                                                                 roles. Separation must be procedural and can also
                                                                                                                                                                 be physical or logical.
5
           0 - Generic                         x               x       O                              The process and           Documentation of processes       Process and system documentation should be
                                                                                                      procedures applied        and procedures should be in      maintained using good practices in document
                                                                                                      cannot be audited as they place.                           management including version control systems
                                                                                                      are undocumented                                           with date references so as to enable auditors to
                                                                                                                                                                 understand which processes were in force within
                                                                                                                                                                 the corporate environment for all invoices during
                                                                                                                                                                 the storage period.
6
     All A - Trading partner onboarding        x       x       x       O               All Trading partners use the The trading partners must                    Trading partners must accept and know each             DUNS lookup, trade register or Chamber of Commerce etc
                                                                                           e-invoicing system           ensure proper trading partner            other. Identification and clearance can be             checks - these processes can be performed by a service
                                                                                           without prior identification identification and clearance.            performed through e.g. trade registers and/or          provider for the trading partners
                                                                                           and clearance.                                                        commercially available supporting data.
7
     All A - Trading partner onboarding        x       x       x       O               All e-invoices are sent to a            The decision to send and          Rules in agreement (e.g. general terms and
                                                                                           trading partner that does           accept e-invoices is              conditions)
8                                                                                          not accept them.                    auditable.
     All A - Trading partner onboarding        x       x       x       O               All Trading partners are                The trading partner should        There shall be a proces to make sure that there is [Model agreements for this purpose should be developed]
                                                                                           given access to the e-              ensure that other trading         an agreement as a result of the onboarding phase.
                                                                                           invoicing system without a          partners sign a
                                                                                           sufficient contract                 comprehensive and
                                                                                           regulating rights and               enforceable agreement
                                                                                           responsibilities, including         before providing access to
                                                                                           as regards taxes and                the trading partners's system.
9                                                                                          change management, of               There must be an explicit
     All A - Trading partner onboarding        x       x       x       O               All both parties.
                                                                                           Trading partners are                agreement if tax relevant
                                                                                                                               The trading partners/ service     The trading partner/service provider must make         Online documentation and tool tips, multi-lingual support,
                                                                                           given access to the e-              providers should ensure that      documentation or other appropriate learning tools      clearly mark user IDs to indicate and separate test and
                                                                                           invoicing system without            the trading partner in question   available that allow the trading partner to            production accounts (that no test account message can be
                                                                                           sufficient training of key          is trained to perform the         effectively train relevant staff. A minimum skill      sent to production accounts).
                                                                                           staff.                              required system activities,       level must be verifiably obtained by key staff.
                                                                                                                               including processes for error
                                                                                                                               and exception handling.


10
     All A - Trading partner onboarding        x       x       x       O               All Inconsistent application of         Security mechanisms               Parties involved in exchanging electronic invoices placeholder for: Expert Group on e-Invoicing: EEI
                                                                                           security of information             employed across parties           shall agree security mechanisms or controls        (electronic invoice agreement)
                                                                                           exchange between parties            involved with exchange of e-      applied to address identified threats to the
                                                                                           leaving vulnerabilities.            Invoice shall address             exchange of information.
                                                                                                                               identified risks in a coherent
                                                                                                                               manner.
11
                                                                                                                                                                57408c06-4059-4cb6-9421-20771632b4e7.xls




     A                     B                     C       D       E   F               G                          H                               I                                        J                                                           K                                               L




                                                                     Intermediated

                                                                                     Self-Billing
                                                                                                                                                                                                                                           Reference Examples.
                                                 Business                                                                                                                                                                                                                                    Further Guidance
     Who




                      Process step                                                                                                                                                                                     N.B. The examples listed are non exhaustive and provided
                                             implementation                                                WHY (RISK)             WHAT (REQUIREMENTS)                          HOW (CONTROLS)                                                                                          [See reference sub-section for
               (the order can be adjusted)                                                                                                                                                                             only to illustrate the kind of measures envisaged as being
                                               classes B-D                                                                                                                                                                                                                                    further guidance]
                                                                                                                                                                                                                                                    used.


1
     All A - Trading partner onboarding      x       x       x       O               All Trading partners are                    The proper technical           The trading partners/service providers test plans Online testing and tight controls; separated testing and
2
                                                                                         given access to the e-                  functioning of the trading     and test results should be agreed by both parties. production accounts; self service facilities to create test
                                                                                         Invoicing system without                partner's access to the e-                                                        invoices.
                                                                                         successful testing the                  Invoicing system should be
                                                                                         communication based on                  ensured prior to production.
                                                                                         pre-agreed criteria.
12
     All A - Trading partner onboarding      x                       O               All EDI invoices are issued to An interchange agreement is Address this risk in the procedure for initiating                     Model-agreement                                                  7.2.1.1
                                                                                         buyers without an          required if EDI invoices are  sending EDI-invoices.
                                                                                         interchange agreement.     sent and recieved, otherwise
                                                                                                                    the invoice is not valid (VAT
13                                                                                                                  law).
     All A - Trading partner onboarding                      x       O               All Trading partners use                    The proper technical           The trading partner's test plans and test results     Online testers and tight controls; separated testing and
                                                                                         different EDI-structures                functioning of the trading     shall be agreed.                                      production accounts; self service facilities to create test
                                                                                                                                 partner's EDI-structures                                                             invoices.
                                                                                                                                 should be ensured prior to
                                                                                                                                 production.
14
15 S   Supplier Side
     S 1 - Prepare invoice data              x       x       x                       B              Invoice data is not          It must be ensured that an     Application audits and internal control actions.      System shows invoice balance per Purchase Order +
                                                                                                    prepared for a supply        invoice is raised for all      Audit trail from supply to invoiced supply.           supplier's ERP (Enterprise Resource Planning) system
                                                                                                    requiring an invoice         supplies                                                                             control. Reports of unfulfilled orders and un-invoiced
16                                                                                                                                                                                                                    deliveries
     S 1 - Prepare invoice data              x       x       x                       B              Supply is invoiced but not Audit trail from supply to       Segregation of duties must fit with the size of the   Mapping of defined user roles to user names and
                                                                                                    reported in general        reported revenue enabled by      company. Logical access controls must map to an       passwords, with permissions giving access to data and
                                                                                                    ledger/VAT declaration     segregation of duties            appropriate segregation of duties, which is           functionality appropriate to the role; and preventing access
                                                                                                                               between preparing the            evidenced by the end-to-end audit trail.              to data and functionality inappropriate to the role.
                                                                                                                               invoice and the receiving of
                                                                                                                               the payment.
Who: S | Process step: 1 - Prepare invoice data | Classes B-D: B, C, D | Self-Billing: B
WHY (RISK): Unauthorized persons can add, alter or delete invoice data.
WHAT (REQUIREMENTS): The supplier must take steps to prevent unauthorised changes to the content of the invoice data.
HOW (CONTROLS): Segregation of duties must fit with the size of the company. Logical access controls must map to an appropriate segregation of duties, which is evidenced by the end-to-end audit trail.
Reference Examples: Mapping of defined user roles to user names and passwords, with permissions giving access to data and functionality appropriate to the role; and preventing access to data and functionality inappropriate to the role.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: B, C, D | Self-Billing: B
WHY (RISK): The invoice data do not contain all mandatory information.
WHAT (REQUIREMENTS): The invoice data contain at least the data prescribed by the applicable law.
HOW (CONTROLS): Controls are used to check required data before invoice creation (eSigning as the last step of creation), and constraints are used for conditional fields to ensure that the invoice shows all mandatory data. The completion of data fields must be ensured in the application.
Reference Examples: Online and [XML/EDI] syntax controls validate required data; conditional fields like buyer VAT ID are validated based on range and format checking, including validation algorithms where appropriate.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: B, C, D | Self-Billing: B
WHY (RISK): The invoice data are not prepared on time.
WHAT (REQUIREMENTS): The issue of the invoice must be within the time prescribed by applicable law.
HOW (CONTROLS): Application audits and internal control actions. Audit trail from service to invoice turnover.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: B, C, D | Self-Billing: B
WHY (RISK): The person accountable for preparing the dataset cannot be identified after the event.
WHAT (REQUIREMENTS): A person must be accountable for each invoice (whether prepared manually or automatically).
HOW (CONTROLS): Audit trail identifying the accountable person.
Reference Examples: Keeping an audit log of access and activity in the application or DBMS (Data Base Management System), including the identity of the user (or process). Keep a record of accountable persons.

Who: S | Process step: 1 - Prepare invoice data | Classes B-D: B, C, D | Self-Billing: B
WHY (RISK): Changes to invoice data, resulting in a break in the audit trail between the source transaction data and the invoice data.
WHAT (REQUIREMENTS): The invoice data must at all times be consistent with the source transaction data.
HOW (CONTROLS): The technical design of the application must ensure this; the dataflow must be clear.
Reference Examples: In the ERP (Enterprise Resource Planning) system, the quotation, order, delivery and invoice are cross-referenced to each other.
Who: S | Process step: 1 - Prepare invoice data (Prepare corrective invoice data) | Classes B-D: B, C, D | Self-Billing: B
WHY (RISK): A corrective invoice data set (including credit note) without reference to an original invoice is prepared.
WHAT (REQUIREMENTS): The corrective invoice data set includes a reference to identify the original invoice data set. It should be possible to identify corrective invoices.
HOW (CONTROLS): Application controls and internal control actions. It is advised to at least have a reference to the original invoice number.
Reference Examples: E.g. by means of a reference to the original invoice number and original invoice date. Separate series of invoice numbers for corrective invoices. Audit trail.
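As an added example (not part of the CWA matrix or any Member State rule), the following Python implements the pre-creation checks described in the "Prepare invoice data" rows above: mandatory fields present before creation, a conditional field (buyer VAT ID) validated by format, and a corrective data set referencing its original invoice from a separate number series. The mandatory-field list, the intra-community rule, the INV-/CN- numbering and the sample invoices are constructed assumptions for illustration.

```python
"""Pre-creation checks on invoice data (added example, not from the CWA).

Mandatory-field list, conditional rule, number series and sample data are
constructed assumptions; they are not the legal requirements of any State.
"""
import re
from datetime import date
from typing import Optional

# Assumed stand-in for "the data prescribed by the applicable law".
MANDATORY_FIELDS = ("invoice_number", "invoice_date", "supplier_vat_id",
                    "supplier_name", "buyer_name", "total_amount", "vat_amount")

# Generic EU VAT identifier syntax: ISO country code + 2..12 alphanumerics.
VAT_ID_RE = re.compile(r"^[A-Z]{2}[A-Z0-9]{2,12}$")

# Assumed numbering: originals and corrective invoices use separate series.
ORIGINAL_SERIES_RE = re.compile(r"^INV-\d{6}$")
CORRECTIVE_SERIES_RE = re.compile(r"^CN-\d{6}$")


def validate_invoice_data(inv: dict, today: Optional[date] = None) -> list:
    """Return findings; an empty list means the data set may proceed to
    invoice creation (with signing as the last step of creation)."""
    today = today or date.today()
    findings = []

    # 1. Required data must be present before the invoice is created.
    for field in MANDATORY_FIELDS:
        if inv.get(field) in (None, ""):
            findings.append(f"missing mandatory field: {field}")

    # 2. Format and range checks on the fields that are present.
    vat = inv.get("supplier_vat_id")
    if vat and not VAT_ID_RE.match(vat):
        findings.append("supplier_vat_id: invalid format")
    issued = inv.get("invoice_date")
    if isinstance(issued, date) and issued > today:
        findings.append("invoice_date: lies in the future")
    for amount_field in ("total_amount", "vat_amount"):
        value = inv.get(amount_field)
        if value is not None and not isinstance(value, (int, float)):
            findings.append(f"{amount_field}: not numeric")

    # 3. Conditional field: buyer VAT ID required for an intra-community
    #    supply (assumed rule), and then checked by format.
    if inv.get("intra_community_supply"):
        buyer_vat = inv.get("buyer_vat_id")
        if not buyer_vat:
            findings.append("buyer_vat_id: required for intra-community supply")
        elif not VAT_ID_RE.match(buyer_vat):
            findings.append("buyer_vat_id: invalid format")

    # 4. A corrective data set must reference its original invoice and
    #    come from the separate corrective number series.
    number = inv.get("invoice_number") or ""
    if inv.get("type") in ("corrective", "credit_note"):
        if not CORRECTIVE_SERIES_RE.match(number):
            findings.append("invoice_number: corrective invoices must use the CN- series")
        for ref in ("original_invoice_number", "original_invoice_date"):
            if not inv.get(ref):
                findings.append(f"missing reference to original invoice: {ref}")
        orig = inv.get("original_invoice_number")
        if orig and not ORIGINAL_SERIES_RE.match(orig):
            findings.append("original_invoice_number: not in the INV- series")
    elif number and not ORIGINAL_SERIES_RE.match(number):
        findings.append("invoice_number: original invoices must use the INV- series")
    return findings


# Constructed sample data sets (not real invoices).
GOOD_INVOICE = {
    "type": "original", "invoice_number": "INV-000123",
    "invoice_date": date(2009, 5, 20), "supplier_vat_id": "NL123456789B01",
    "supplier_name": "Example Supplier BV", "buyer_name": "Example Buyer Ltd",
    "total_amount": 1190.0, "vat_amount": 190.0,
    "intra_community_supply": True, "buyer_vat_id": "GB123456789",
}
BAD_CREDIT_NOTE = {  # wrong series, no buyer name, no reference to original
    "type": "credit_note", "invoice_number": "INV-000124",
    "invoice_date": date(2009, 5, 21), "supplier_vat_id": "NL123456789B01",
    "supplier_name": "Example Supplier BV",
    "total_amount": -1190.0, "vat_amount": -190.0,
}


def run_samples(today: date = date(2009, 5, 28)) -> dict:
    """Validate both constructed samples against a fixed (constructed) date."""
    return {"good": validate_invoice_data(GOOD_INVOICE, today),
            "bad": validate_invoice_data(BAD_CREDIT_NOTE, today)}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "OK")
```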
Who: S | Process step: 2 - First mile | Classes B-D: B, C, D | Intermediated: M | Self-Billing: B
WHY (RISK): The invoice data transferred by the supplier to the service provider can be altered or added to during the transmission.
WHAT (REQUIREMENTS): Ensure authenticity and integrity of invoice data whilst being sent.
HOW (CONTROLS): The invoice data shall be transferred in a way that: a) protects the integrity of the data communicated, b) authenticates the source of the data.
Reference Examples: i) Transport Layer Security (RFC 4346) with passwords. ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823). iii) Secure network service provided by a Value Added Network service provider. iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851). v) Integrity measures, such as hash totals or reconciliation overviews. vi) Registered email such as defined in TS 102 640.
Further Guidance: 7.3.8
Who: S | Process step: D - Integrity and authenticity management | Classes B-D: C | Intermediated: O | Self-Billing: B
WHY (RISK): Invoice signer does not carry out obligations regarding security of keys and certificates. Private (signing) key is not held in a manner which ensures sole control.
WHAT (REQUIREMENTS): The invoice signer must ensure sole control of the private key and comply with its obligations regarding security and reporting of potential compromises.
HOW (CONTROLS): The invoice signer shall comply with its obligations regarding security of the private keys and reporting potential compromises. In addition, the signature shall be created using mechanisms commensurate with identified risk relating to fraud to assure protection of keys.
Reference Examples: All trading partners that may be recipients of invoices should be informed of any suspected compromise of the signing key employed, and a) a cryptographic device conforming to an internationally recognised standard that assures sole control over the private key (e.g. FIPS 140-2 level at least 2 or 3, Common Criteria EAL at least 4) or b) software keys held on a system that is held in an environment which is protected such that the key is under sole control of the business entity issuing the invoicing.
Who: S | Process step: D - Integrity and authenticity management (Certificate management, CA issued) | Classes B-D: C | Intermediated: O | Self-Billing: B
WHY (RISK): Certificate used for AdES on e-invoices is issued by a CA (Certification Authority) which does not properly manage its operations.
WHAT (REQUIREMENTS): The CA must operate under good practice for PKI (Public Key Infrastructure) systems.
HOW (CONTROLS): The signature shall be supported by certificates issued by a certification authority operating to recognised good practices. The certificate should include the identity of the legal entity applying the signature.
Reference Examples: Examples of recognized good practices: ETSI TS 102 042, TS 101 456 or AICPA/CICA WebTrust.
Further Guidance: 7.3.3
Who: S | Process step: D - Integrity and authenticity management (Certificate management, CA issued) | Classes B-D: B, D | Intermediated: O | Self-Billing: All
WHY (RISK): Certificate used to protect invoice data exchanges is issued by a CA which does not properly manage its operations.
WHAT (REQUIREMENTS): A CA issuing any certificates used to protect data exchange must operate under good practice for PKI systems.
HOW (CONTROLS): Data shall be protected by certificates issued by a certification authority operating to recognised good practices.
Reference Examples: Examples of recognized good practices: ETSI TS 102 042, TS 101 456 or AICPA/CICA WebTrust, Extended Validation certificates (for SSL / TLS certificates) as defined by the CA/Browser Forum.
Further Guidance: 7.3.3
Who: S | Process step: D - Integrity and authenticity management (Certificate management, self-signed) | Classes B-D: C (self-signed) | Intermediated: O | Self-Billing: B
WHY (RISK): Certificate created fraudulently by someone impersonating the identity of the signer.
WHAT (REQUIREMENTS): Before using the self-signed certificate, it must be authenticated to all trading partners as coming from a trusted source. The use of self-signed certificates is not accepted in all EU Member States.
HOW (CONTROLS): The private key associated with a self-signed certificate should be tied to a proof of identity that has been obtained in the onboarding process at a level comparable to recognised good practices for CAs (Certification Authorities). Certificates shall be previously exchanged between parties in a way that authenticates the identity of the source.
Reference Examples: Examples of recognized good practices for CAs: ETSI TS 102 042, TS 101 456 or AICPA/CICA WebTrust.
Who: S | Process step: 3 - Create invoice | Classes B-D: B, C, D | Intermediated: O | Self-Billing: B
WHY (RISK): Invoice contains executable code; the integrity of the invoice can no longer be guaranteed.
WHAT (REQUIREMENTS): Ensure the invoice does not contain executable code.
HOW (CONTROLS): The creator of the invoice shall take steps to ensure that there is no executable code in the invoice. The contract with the trading partner should state that no executable code will be part of an invoice.
Reference Examples: Disable any use of macros within the invoice. Scan the invoice for viruses and other malicious code. Do not use document formats capable of carrying hidden code and macros.
Further Guidance: 7.3.6
Who: S | Process step: 3 - Create invoice | Classes B-D: B, C, D | Intermediated: O | Self-Billing: B
WHY (RISK): An invoice is created more than once as being 'original'.
WHAT (REQUIREMENTS): It must be ensured that an invoice can only be created once without "copy" written on it. It must be clear between the parties what constitutes the original invoice.
HOW (CONTROLS): The workflow must ensure that invoices are created once, whether electronic or on paper.

Who: S | Process step: 3 - Create invoice | Classes B-D: B, C, D | Intermediated: O | Self-Billing: B
WHY (RISK): Not all invoices issued in the name and on behalf of the supplier are reported in the General Ledger by the supplier.
WHAT (REQUIREMENTS): Method to verify the issued invoices.
HOW (CONTROLS): In contract and internal control measures. Reports of issued invoices to the supplier.
Who: S | Process step: 3 - Create invoice (Invoice created by service provider) | Classes B-D: B, C, D | Intermediated: M | Self-Billing: B
WHY (RISK): Service provider adds invoice data that does not originate from the invoice data prepared by the supplier (outside of an agreed enrichment service).
WHAT (REQUIREMENTS): Service provider shall not add invoice data (outside of an agreed enrichment service).
HOW (CONTROLS): Measures must be in place to prevent and detect any creation of invoices that were not prepared or agreed by the supplier. The contract between service provider and supplier must prevent it. Logical access control at the service provider's system. Logical access controls must map to an appropriate segregation of duties, which is evidenced by the end-to-end audit trail.
Reference Examples: Audit reports and/or access to service provider-stored invoices to make sure that only invoices have been issued that originate from the invoice data prepared by the supplier.

Who: S | Process step: 3 - Create invoice (Invoice created by service provider) | Classes B-D: B, C, D | Intermediated: M | Self-Billing: B
WHY (RISK): The invoice as created by the service provider does not contain all agreed upon data.
WHAT (REQUIREMENTS): The invoice as created by the service provider must contain all agreed upon data.
HOW (CONTROLS): Control conversion process, audit trail, rules in contract.
Reference Examples: Substantive tests of a number of invoices.

Who: S | Process step: 3 - Create invoice (Invoice created by service provider) | Classes B-D: B, C, D | Intermediated: M | Self-Billing: B
WHY (RISK): The service provider does not create all invoices.
WHAT (REQUIREMENTS): The service provider must create all of the invoices provided by the supplier.
HOW (CONTROLS): Control conversion process, audit trail, rules in contract.
Reference Examples: Generate totals to audit complete issue of invoices.

Who: S | Process step: 3 - Create invoice (Invoice created by service provider) | Classes B-D: B, C, D | Intermediated: M | Self-Billing: B
WHY (RISK): The service provider adds data to the invoice or modifies it, and the supplier does not have this information.
WHAT (REQUIREMENTS): The supplier is still responsible for the accuracy and completeness of the content of the invoices. The supplier must (be able to) access all data of his invoices.
HOW (CONTROLS): Control conversion process, audit trail, rules in contract. The supplier shall always have access to the issued invoices.
Reference Examples: Substantive tests of a number of invoices.
Who: S | Process step: 3 - Create invoice | Classes B-D: C | Intermediated: O | Self-Billing: B
WHY (RISK): Signature is not created.
WHAT (REQUIREMENTS): The invoice is provided with an advanced electronic signature to protect its integrity and authenticity.
HOW (CONTROLS): The application should ensure that signatures are applied. The signature shall be created in accordance with an internationally recognised standard signature format. Verify the signature on a number of invoices.
Reference Examples: - CAdES-T as defined in ETSI TS 101 733 and profiled in TS 102 734; - XAdES-T as defined in ETSI TS 101 903 and profiled in TS 102 904; - PDF Signature as specified in ISO 32000 and profiled in ETSI TS 102 788.
Further Guidance: 7.2.3.1 & 7.2.3.4, 7.2.3.5

Who: S | Process step: 3 - Create invoice | Classes B-D: C | Intermediated: O | Self-Billing: B
WHY (RISK): Signature is created with an invalid or expired certificate.
WHAT (REQUIREMENTS): The invoice must be provided with an advanced electronic signature with a valid certificate.
HOW (CONTROLS): In order for the supplier to provide easy evidence of CA-issued certificate validity at the time of signing, the signing party should validate the signature in a timely manner to ensure that the information required to re-verify the signature is readily available.
Reference Examples: See process step archiving and auditability for (subprocess) AdES. Modern applications and standards will handle this automatically.
Further Guidance: 7.2.2.8

Who: S | Process step: 3 - Create invoice | Classes B-D: C | Intermediated: O | Self-Billing: B
WHY (RISK): Not all mandatory invoice data are signed.
WHAT (REQUIREMENTS): All mandatory data according to applicable law must be signed.
HOW (CONTROLS): The application must ensure that all mandatory invoice data is signed.

Who: S | Process step: 3 - Create invoice | Classes B-D: B | Intermediated: O | Self-Billing: B
WHY (RISK): Structure of the invoice differs from the structure of the invoice as agreed in the current interchange agreement.
WHAT (REQUIREMENTS): Structure of the invoice must comply with the structure of the invoice as agreed in the current interchange agreement.
HOW (CONTROLS): A correct validation mechanism must be maintained in order to automatically validate the structure against the interchange agreement. See also the requirements for testing in the onboarding process step (A) in section 5 of the Commentary report, figures 1 & 2.
                                                                                                                                                                      57408c06-4059-4cb6-9421-20771632b4e7.xls




     A                      B                        C       D       E   F               G                          H                               I                                             J                                                        K                                                L




                                                                         Intermediated

                                                                                         Self-Billing
                                                                                                                                                                                                                                                 Reference Examples.
                                                     Business                                                                                                                                                                                                                                       Further Guidance
     Who




                       Process step                                                                                                                                                                                          N.B. The examples listed are non exhaustive and provided
                                                 implementation                                               WHY (RISK)              WHAT (REQUIREMENTS)                              HOW (CONTROLS)                                                                                         [See reference sub-section for
                (the order can be adjusted)                                                                                                                                                                                  only to illustrate the kind of measures envisaged as being
                                                   classes B-D                                                                                                                                                                                                                                       further guidance]
                                                                                                                                                                                                                                                          used.


1
     S 3 - Create invoice                        x                       O               B              The integrity and            To the extent that a summary Measures should ensure integrity and authenticity Advanced Electronic Signature applied to summary                          7.2.1.3
2
                                                                                                        authenticity of a summary    document is used for          of summary documents.                            documents.
                                                                                                        document might not be        evidencing completeness, the                                                   Summary document printed on the suppliers stationary.
                                                                                                        guaranteed. Regardless       integrity and authenticity of
                                                                                                        of its form; paper or        the summary document
                                                                                                        electronic                   (paper report) must be
                                                                                                                                     guaranteed.
40
     S 3 - Create invoice                        x       x       x       M               B              An invoice is created by     It must be ensured that an       The workflow must ensure that invoices are
                                                                                                        both the supplier and the    invoice can only be created      created/issued once.
           Invoice created by service provider                                                          service provider (not        by the designated issuer in
                                                                                                        according to agreement)      the contract. It must be clear
                                                                                                                                     between the parties who
                                                                                                                                     issues an invoice.
41
     S 4 - Send or make available                x       x       x       O               B              Created invoices are not The supplier must ensure that Action of internal control, included in application or
                                                                                                        sent or made available on invoices are sent or made      agreement with service provider, if appropriate.
                                                                                                        time.                     available, timely according to
42                                                                                                                                applicable law
     S 4 - Send or make available                x       x       x       O               B              Dispute over whether an      Invoices have to be              Maintain audit records of sending / retrieving        The sending or retrieval of the invoice, and any associated
                                                                                                        invoice has been             sent/made available.             invoices.                                             acknowledgement, will be recorded.
                                                                                                        sent/made available.                                                                                                Preferably make use, where available, of systems that
                                                                                                                                                                                                                            produce trusted evidence of sending and, where applicable,
                                                                                                                                                                                                                            of delivery. ETSI will issue in second half of 2008 TS 102
                                                                                                                                                                                                                            640 that is a multi - part Technical Specification laying down
                                                                                                                                                                                                                            provisions for a Registered E-Mail (REM) mechanism
                                                                                                                                                                                                                            suitable to provide the said evidences for sent eInvoices.

43
     S 4 - Send or make available                x                       O               B              Authenticity is based on     When a certificate is used to    Internal control of certificate validity.             See process step archiving and auditability for (subprocess) 7.2.2.8
                                                                                                        an invalid or expired        protect the transport of an                                                            AdES.
                                                                                                        certificate.                 unsigned invoice, the                                                                  Modern applications and standards will handle this
44                                                                                                                                   certificate must be valid.                                                             automaticly.
     S 4 - Send or make available                x                       O               B              False invoice data is sent   Authenticity and integrity of    The invoice data shall be transferred in a way that   i) Transport Layer Security (RFC 4346) with passwords.            7.3.8
                                                                                                        by party masquerading as     the invoice must be              :                                                     ii) Business Data Interchange over the Internet Applicability
                                                                                                        supplier or modified         guaranteed within the EDI-       a) Protects the integrity of the data communicated,   Statement 1, 2, 3 with signatures (RFC3335, RFC 4130,
                                                                                                        during transport             proces                           b) Authenticates the source of the data.              RFC 4823)
                                                                                                                                                                                                                            iii) Secure network service provided by Value Add Network
                                                                                                                                                                                                                            service provider.
                                                                                                                                                                                                                            iv) Secure messaging services such as ITU-T X.400 or
                                                                                                                                                                                                                            S/MIME (RFC 3851) .
                                                                                                                                                                                                                            v) Integrity measures, such as hash totals or reconciliation
                                                                                                                                                                                                                            overviews
                                                                                                                                                                                                                            vi) Registered email such as defined in TS 102 640

45
     S 4 - Send or make available                x               x       O               B              The buyer is unaware of a There must be an                    Send notifications; It is good practice to address    If email is used for the notification, request delivery receipt
                                                                                                        presented invoice.        understanding between               this risk in the application; record when and to      by email from recipient.
                                                                                                                                  tradingpartners when an             whom the notifications were sent.
                                                                                                                                  invoice is sent or made             Rules in contract.
46                                                                                                                                available.
     S 4 - Send or make available                                x       O               B              Presented invoices are       In order to correctly perform It is good practice to have a clear understanding        Within the web environment the audit trail of viewing the
                                                                                                        not reviewed by buyer        the receipt process, the buyer with the buyer that it is his resposibility to review   invoices can be made visible. Alert in the application if the
                                                                                                                                     must review the invoices.      the invoice.                                            invoice is not accessed within a specific time period.
47                                                                                                                                                                  Log access to the invoice.
                                                                                                                                                                      57408c06-4059-4cb6-9421-20771632b4e7.xls




     A                      B                        C       D       E   F               G                           H                              I                                          J                                                           K                                                  L




                                                                         Intermediated

                                                                                         Self-Billing
                                                                                                                                                                                                                                                 Reference Examples.
                                                     Business                                                                                                                                                                                                                                      Further Guidance
     Who




                       Process step                                                                                                                                                                                          N.B. The examples listed are non exhaustive and provided
                                                 implementation                                                WHY (RISK)             WHAT (REQUIREMENTS)                            HOW (CONTROLS)                                                                                          [See reference sub-section for
                (the order can be adjusted)                                                                                                                                                                                  only to illustrate the kind of measures envisaged as being
                                                   classes B-D                                                                                                                                                                                                                                      further guidance]
                                                                                                                                                                                                                                                          used.


1
     S 4 - Send or make available                                x       O               B              Invoices are presented       Invoices may only be             The workflow must ensure that invoices are
2
                                                                                                        twice with the result that   presented once and must be       presented once and that the transaction is
                                                                                                        the buyer may claim the      uniquely identifiable.           processed correctly. The presented invoice is the
                                                                                                        VAT twice, whereas the                                        original invoice. Presented invoices must
                                                                                                        supplier only reports the                                     therefore be uniquely identifiable, e.g. from the
                                                                                                        VAT once.                                                     document name and unique number.
48
     S 4 - Send or make available                                x       O               B              Not all invoices are         All invoices must be             Application audits and internal control actions.
                                                                                                        presented. Special           presented. Special attention
                                                                                                        attention for corrective     for corrective invoices.
49                                                                                                      invoices.
     S 4 - Send or make available                                x       O               B              The wrong web server is      The server on which the          A mechanism shall be in place to authenticate the      Authentication by SSL/TLS with a sufficiently strong server     7.3.5
                                                                                                        consulted (spoofing)         invoices are accessible must     web server. See also requirements for Integrity        certificate.
                                                                                                                                     authenticate itself verifiably   and authenticity management (Process step D in         The server on which invoices are held must be made
                                                                                                                                     towards the buyer                section 5 in Commentary report, figures 1 & 2).        available by buyer with a link in an email (legal requirement
                                                                                                                                                                                                                             in some Member States).
                                                                                                                                                                                                                             Use of extended validation certificates as defined by CA
                                                                                                                                                                                                                             Browser forum is recommended.
50
     S 4 - Send or make available                                x       O               B              The invoice is modified      Invoice cannot be changed in Web system operates under recognised good
                                                                                                        whilst being held on web     authorised manner whilst on practices for security of web servers and controls
51                                                                                                      server                       web server.                  access to invoice.
     S 4 - Send or make available                x       x       x       M               B              It is not clear who issues   It must be ensured that an       Rules in the contract between the trading partner
                                                                                                        the invoice                  invoice can only be issued by    and service provider, must clarify on who issues
           Invoice created by service provider                                                                                       the designated issuer in the     the invoices. The invoice can contain a statement
                                                                                                                                     contract. It must be clear       that it was issued by a third party in name and on
                                                                                                                                     between the parties who          behalf of the supplier (this is mandatory in some
                                                                                                                                     issues an invoice.               Member States).
52
All (Supplier and Buyer Side)

| Who | Process step (the order can be adjusted) | Class B | Class C | Class D | Intermediated | Self-Billing | WHY (RISK) | WHAT (REQUIREMENTS) | HOW (CONTROLS) | Reference Examples | Further Guidance |
|---|---|---|---|---|---|---|---|---|---|---|---|
| All | Generic - Data/Message Transport (this process step applies to any exchange of data between parties of the invoice transport chain) | x | | x | M | All | The invoice data or invoice transferred between chain participants can be altered or added to during the transmission. | Ensure authenticity and integrity of data whilst being sent. | The data shall be transferred in a way that: a) protects the integrity of the data communicated, b) authenticates the source of the data. | i) Transport Layer Security (RFC 4346) with passwords. ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823). iii) Secure network service provided by a Value Add Network service provider. iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851). v) Integrity measures, such as hash totals or reconciliation overviews. vi) Registered email such as defined in TS 102 640. vii) If AdES was applied, integrity can be validated at the receiver. | 7.3.8 |
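As an added example (not part of the guidelines), the receiver-side check behind control v) above, "hash totals or reconciliation overviews", combined with the "presented once" requirement: the sender ships a reconciliation overview (count, amount total, hash total) sealed with a keyed MAC, and the receiver validates it before accepting a batch and rejects invoice identifiers it has already accepted. The batch layout, field names and shared MAC key are assumptions for illustration; a real exchange would carry the AS2/S-MIME signature instead of the shared key.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed sample batch (not from the guidelines): two invoices from supplier "S"
# to buyer "B"; only the fields the check needs are modelled.
SAMPLE_INVOICES = [
    {"id": "INV-2009-0001", "supplier": "S", "buyer": "B", "amount": "100.00", "currency": "EUR"},
    {"id": "INV-2009-0002", "supplier": "S", "buyer": "B", "amount": "25.50", "currency": "EUR"},
]
# Hypothetical shared secret from the interchange agreement (stand-in for the
# AS2/S-MIME signing key a real deployment would use to authenticate the source).
SHARED_KEY = b"example-key-from-interchange-agreement"


def _canonical(obj) -> bytes:
    """Canonical JSON so sender and receiver hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def invoice_digest(invoice: dict) -> str:
    return hashlib.sha256(_canonical(invoice)).hexdigest()


def hash_total(invoices: list) -> str:
    """Digest over the per-invoice digests in transmission order (control v)."""
    return hashlib.sha256("".join(invoice_digest(i) for i in invoices).encode("ascii")).hexdigest()


def amount_total(invoices: list) -> str:
    return str(sum(Decimal(i["amount"]) for i in invoices))


def build_overview(invoices: list, key: bytes) -> dict:
    """Sender side: reconciliation overview sealed with a keyed MAC (controls a and b)."""
    overview = {"count": len(invoices), "amount_total": amount_total(invoices),
                "hash_total": hash_total(invoices)}
    overview["mac"] = hmac.new(key, _canonical(overview), hashlib.sha256).hexdigest()
    return overview


def check_batch(invoices: list, overview: dict, key: bytes, seen_ids: set) -> list:
    """Receiver side: returns findings; an empty list means the batch may be processed.
    seen_ids persists across batches so a re-presented invoice is caught ('presented once')."""
    findings = []
    unsigned = {k: v for k, v in overview.items() if k != "mac"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(str(overview.get("mac", "")), expected):
        findings.append("overview MAC invalid: source of the batch not authenticated")
    if overview["count"] != len(invoices):
        findings.append(f"count mismatch: overview {overview['count']}, received {len(invoices)}")
    if amount_total(invoices) != overview["amount_total"]:
        findings.append(f"amount total mismatch: overview {overview['amount_total']}, "
                        f"received {amount_total(invoices)}")
    if hash_total(invoices) != overview["hash_total"]:
        findings.append("hash total mismatch: invoice content altered or reordered in transit")
    ids = [inv["id"] for inv in invoices]
    if len(set(ids)) != len(ids):
        findings.append("duplicate invoice identifiers within the batch")
    findings += [f"duplicate invoice {i}: already presented" for i in ids if i in seen_ids]
    if not findings:  # only a fully accepted batch consumes its identifiers
        seen_ids.update(ids)
    return findings
```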


54
     All C - Archiving and auditability                  x               O               All It is not possible to verify            Advanced electronic              When issuing an invoice the signature used             - recording certificates and revocation information             7.2.2.8, 7.3.4
                                                                                             that the certificate was                signatures must remain           should be verified (see above process step Create      - CAdES-C, CAdES-A or CAdES-X in ETSI TS 101 733 &
                                                                                             valid at the time of signing            verifiable during the storage    invoice; step 3 in section 5 in Commentary report,     profiled in TS 102 734
                                                                                             or receipt of the invoice               period.                          figures 1 & 2.) and all the information necessary to   - XAdES-C, XAdES-A or XAdES-X as defined in ETSI TS
                                                                                                                                                                      re-verify the validity of the signature at or around   101 903 & profiled in TS 102 904
                                                                                                                                                                      the signing time shall be readily available.           Note: Equivalent forms to CAdES/XAdES -C to -A for long
                                                                                                                                                                                                                             term validation of PDF Signatures (PAdES) is due to be
                                                                                                                                                                                                                             published by ETSI Q3 2009.
55
                                                                                                                                                       57408c06-4059-4cb6-9421-20771632b4e7.xls




     A                      B                    C       D       E   F               G                  H                            I                                          J                                                          K                                                  L




                                                                     Intermediated

Columns (each row below is laid out in this order): Who | Process step (the order can be adjusted) | Business implementation classes B-D (incl. Self-Billing; four flag columns, "-" marks an empty cell) | WHY (RISK) | WHAT (REQUIREMENTS) | HOW (CONTROLS) | Reference Examples | Further Guidance

N.B. The examples listed are non exhaustive and provided only to illustrate the kind of measures envisaged as being used. [See reference sub-section for further guidance]

Row | All | C - Archiving and auditability | - x - O | All
WHY (RISK): It is not possible to verify the integrity of the invoice.
WHAT (REQUIREMENTS): Advanced electronic signatures must remain verifiable during the storage period.
HOW (CONTROLS): The integrity of the signed invoice, including information used to reverify the signature (see above process step Create invoice; 3 in section 5 in Commentary report, figures 1 & 2), shall be maintained beyond the lifetime of the signature algorithm and certificates.
Reference Examples:
1) Applying archive timestamp to signature as in CAdES-A as defined in ETSI TS 101 733 & profiled in TS 102 734
2) Applying archive timestamp to signature as in XAdES-A as defined in ETSI TS 101 903 & profiled in TS 102 904
3) Employing WORM devices within an auditable archive process.
4) Using third party service trusted to archive data (e.g. notary)
5) Employing archive system which maintains the integrity of data
Note: Equivalent forms to CAdES/XAdES -XL and -A for long term validation of PDF Signatures (PAdES) are due to be published by ETSI Q3 2009.
Further Guidance: 7.2.2.8, 7.3.4


Row 56 | All | C - Archiving and auditability | x x x O | All
WHY (RISK): Invoices are not archived for statutory archiving period.
WHAT (REQUIREMENTS): The issued and received invoices must be archived for the statutory archiving period under the applicable law(s).
HOW (CONTROLS): This needs to be addressed in fit for purpose archiving procedures.
Row 57 | All | C - Archiving and auditability | x x x O | All
WHY (RISK): Invoices are not available within a reasonable period.
WHAT (REQUIREMENTS): At the request of the tax inspector, the invoice must be made available promptly over the full mandatory period.
HOW (CONTROLS): Inquiry can be executed within a reasonable period of time.
Reference Examples: Online access can be used and provides prompt access; access by invoice number, trading partner and date range.
Row 58 | All | C - Archiving and auditability | x - x O | All
WHY (RISK): Archived invoices can be modified or removed within the agreed archiving period.
WHAT (REQUIREMENTS): The authenticity and integrity of the content of the invoices stored must be guaranteed throughout the storage period.
HOW (CONTROLS): The invoice and audit records regarding handling of the invoice, including information on authentication checks carried out, shall be protected by mechanisms that assure the integrity of data throughout the storage period.
Reference Examples:
- the use of WORM (Write Once Read Many) type devices
- secure archive storage
- a summary document or time-stamp which indicates a broken integrity
Further Guidance: 7.2.1.3, 7.3.4
Row 59 | All | C - Archiving and auditability | x x x O | All
WHY (RISK): Invoices cannot be audited.
WHAT (REQUIREMENTS): Invoices must be capable of being audited within a reasonable time upon request.
HOW (CONTROLS): Measures must be implemented to ensure that the invoice is readable to the competent tax administration.
Reference Examples: Online available viewer, e.g. in the UN layout key. Use a format that can be interpreted by a competent tax authority's audit software.
Row 60 | All | C - Archiving and auditability | x x x O | All
WHY (RISK): Human readable form is not the same as the machine processed form.
WHAT (REQUIREMENTS): It must be demonstrable that the human readable form is the same as the encoded form.
HOW (CONTROLS): It shall be demonstrable that the mapping from electronic invoice to visible form is correct. It should be possible to reproduce the identical readable form. It shall be demonstrable that any codes used are correct. Any codes used should either be:
- standardised in a formal or publicly available specification, or
- specified in an internal document where the authenticity and integrity is protected to the same security level as for the storage of invoices.
Reference Examples: Using a reliable style sheet in conjunction with an online viewer.


Row 61 | All | C - Archiving and auditability | x x x O | All
WHY (RISK): The invoices are not correctly and fully reproducible due to historically incorrect retention of e.g. master data including parameters, code-tables and calculation rules.
WHAT (REQUIREMENTS): The invoices must be available, accurate and complete, throughout the storage period.
HOW (CONTROLS): Keep all data separate from the billing application, or accurate data storage including history.
Reference Examples: Single file is used to store all invoice data (XML or PDF with structured data); invoice history stored as a separate file with reference to invoice; yearly history reports are created and stored.

Row 62 | All | C - Archiving and auditability | x x x O | All
WHY (RISK): Audit trail is not correctly maintained.
WHAT (REQUIREMENTS): Adequate audit trail must be available throughout the storage period.
HOW (CONTROLS): Retain the audit trail.
Reference Examples: Retain key process information such as mappings, date recordings, logs etc. In addition, retain documents like Purchase Orders, Dispatch Advice, …
Further Guidance: 7.3.7
Row 63: B Buyer Side

Row 64 | B | 5 - Receipt and technical verification | x x x O | S
WHY (RISK): The buyer's environment is not available for receiving invoices.
WHAT (REQUIREMENTS): The technical availability for receiving invoices must be ensured. The accurate, complete and prompt receipt of invoices must be adequately ensured.
HOW (CONTROLS): See also process steps Generic (0) and On-boarding (A) in section 5 in Commentary report, figures 1 & 2. Procedure or application check on the completeness of the received invoices and credit notes.
Row 65 | B | 5 - Receipt and technical verification | x x x O | S
WHY (RISK): Invoices are received multiple times.
WHAT (REQUIREMENTS): Multiple receipt of invoices must be detected. Multiple invoices must be removed and eliminated from further processing.
HOW (CONTROLS): Application checks to detect invoices received multiple times and exclude them from further processing after thorough analysis of the cause.
Row 66 | B | 5 - Receipt and technical verification | x x x O | S
WHY (RISK): Invoices are rejected for technical reasons.
WHAT (REQUIREMENTS): Invoice must be technically correct before being further processed. The rejected invoices must be separately identifiable.
HOW (CONTROLS): Thorough agreements about the technical standards of the invoices must be present and adequately tested. Mechanism for promptly detecting technical inaccuracy and reporting to the sender. Processing of the received invoice must be stopped. The sender must send the correct invoice again or issue a credit note and a corrective invoice.
Row 67 | B | 5 - Receipt and technical verification | x x x O | S
WHY (RISK): The buyer or the service provider on his behalf does not receive all invoices (including credit notes).
WHAT (REQUIREMENTS): The buyer or the service provider on his behalf must receive all invoices sent.
HOW (CONTROLS): There shall be proper procedures in place to ensure that all invoices are properly received. Register all incoming invoices.
Reference Examples: Handshake or confirmation of received invoices where possible.


Row 68 | B | 5 - Receipt and technical verification | x x x O | S
WHY (RISK): Dispute over whether an invoice has been received.
WHAT (REQUIREMENTS): Maintain audit records of receiving / retrieving invoices.
HOW (CONTROLS): The receipt or retrieval of the invoice, and any associated acknowledgement, will be recorded.
Reference Examples: Handshake or confirmation of received invoices where possible. ETSI TS 102 640 (REM) provides a mechanism that provides evidence of delivery of a message and of who sent it.
Row 69 | B | 5 - Receipt and technical verification | x x x O | S
WHY (RISK): Invoice contains executable code.
WHAT (REQUIREMENTS): Ensure invoice does not contain executable code.
HOW (CONTROLS): The receiver shall verify that there is no executable code in the invoice. The contract with the trading partner should state that no executable code will be part of an invoice.
Reference Examples: Disable any use of macros in invoice encoding; scan invoice for viruses and other malicious code.
Further Guidance: 7.3.6
Row 70 | B | 5 - Receipt and technical verification | x x x O | S
WHY (RISK): The moment of formal receipt is unclear.
WHAT (REQUIREMENTS): Measures of authenticity and integrity in transport should be in place until the moment of formal receipt. From the moment of formal receipt of the invoice, integrity and authenticity must rather be ensured by preventing changes to the original invoice.
HOW (CONTROLS): Rules in contract.
Reference Examples: ETSI TS 102 640 (REM) provides evidence also of the moment of delivery.
Row 71 | B | 5 - Receipt and technical verification | - x - O | S
WHY (RISK): Invoice has no (or invalid) signature and/or issuer cannot be identified.
WHAT (REQUIREMENTS): The authenticity and integrity of the invoice must be ensured by means of an advanced electronic signature. The authentication mechanism (at the buyer) must ensure the clear identification of the issuer.
HOW (CONTROLS): Procedure or check in the application. Ensure that invoice or e-mail is provided with an advanced digital signature. Otherwise reject invoice.
Further Guidance: 7.2.2.1 to 7.2.2.8
Row 72 | B | 5 - Receipt and technical verification | - x - O | S
WHY (RISK): Uncertainty over the time at which the signature was verified and hence possible ambiguity over the status of the certificate.
WHAT (REQUIREMENTS): Record the time that the advanced electronic signature is verified. (Different EU member states have different rules.)
HOW (CONTROLS): Have assurance that the correct time of the verification is recorded.
Reference Examples: If the signature does not already include a time-stamp or trusted time-mark then a trusted time-mark or time-stamp can be applied (e.g. as specified in long term forms of CAdES, XAdES or PAdES).
Further Guidance: 7.2.2.8
Row 73 | B | 5 - Receipt and technical verification | - x - O | S
WHY (RISK): Uncertainty over the rules applied in verifying a signature.
WHAT (REQUIREMENTS): The process/software applied to verify the advanced electronic signature should be identifiable and reliable.
HOW (CONTROLS): Records should be maintained of the process/software employed in validating the signature (for software including version and patches).
Reference Examples: Include signature policy identifier as in EPES forms of CAdES, XAdES and PAdES.
Further Guidance: 7.2.2.1
Row 74 | B | 5 - Receipt and technical verification | x - - O | S
WHY (RISK): Invoice cannot be processed by the application.
WHAT (REQUIREMENTS): Invoice must comply with the (technical) requirements of the current interchange agreement.
HOW (CONTROLS): Invoices are tested during process step A, Trading partner Onboarding, in section 5 in Commentary report, figures 1 & 2.
Reference Examples: Requirements may relate for example to the protection, registration of the invoices in a register, mandatory fields, acceptability of an EDI report as evidence (see e.g. Recommendation 94/820/EC).
Row 75 | B | 5 - Receipt and technical verification | x - x O | S
WHY (RISK): The content or format of the original invoice is changed during transfer.
WHAT (REQUIREMENTS): It must be possible to detect whether issued invoices are modified during transfer.
HOW (CONTROLS): Within the process of the buyer, there must be a verification/check that the agreed secure mechanisms are applied.
Reference Examples:
i) Transport Layer Security (RFC 4346) with passwords.
ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823).
iii) Secure network service provided by Value Add Network service provider.
iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
v) Integrity measures, such as hash totals or reconciliation overviews.
vi) Registered email such as defined in TS 102 640.
For EDI this can also be protected using summary statements.
Further Guidance: 7.3.8

76
Row 77 | Who: B | Process step: 5 - Receipt and technical verification / Conversion of invoice-data
  Implementation classes: B, C, D | Intermediated: O | Self-Billing: S
  WHY (RISK): The original invoice is converted and treated as a new instance of the original invoice.
  WHAT (REQUIREMENTS): There can only be one original invoice and an audit trail must be maintained between the original and any sets of invoice data derived from it.
  HOW (CONTROLS): Archive the original invoice. Audit trail.
  Reference Examples: Substantive test of a number of invoices.

Row 78 | Who: B | Process step: 5 - Receipt and technical verification / Conversion of invoice-data
  Implementation classes: B, C, D | Intermediated: O | Self-Billing: S
  WHY (RISK): The invoice data is converted incompletely or incorrectly.
  WHAT (REQUIREMENTS): Conversion of invoice data must not modify the original invoice content. Authenticity and integrity measures should remain verifiable.
  HOW (CONTROLS): Detailed process steps and mapping have to be defined and traced in an audit trail.

Row 79 | Who: B | Process step: 5 - Receipt and technical verification / Conversion of invoice-data
  Implementation classes: B, C, D | Intermediated: O | Self-Billing: S
  WHY (RISK): New data is added to the invoice data.
  WHAT (REQUIREMENTS): Only data already available in or from the invoice must be converted to the system of the buyer.
  HOW (CONTROLS): Archive the original invoice. Make sure conversion is correct and complete. Audit trail. It is possible to add internal business data to the invoice; this will not compromise the existing mandatory data.
  Reference Examples: Substantive test of a number of invoices.

Column legend of the matrix (the page header is repeated on every printed page; it is shown once here):
  A    Who
  B    Process step (the order can be adjusted)
  C-E  Business implementation classes B-D
  F    Intermediated
  G    Self-Billing
  H    WHY (RISK)
  I    WHAT (REQUIREMENTS)
  J    HOW (CONTROLS)
  K    Reference Examples. N.B. The examples listed are non exhaustive and provided only to illustrate the kind of measures envisaged as being used.
  L    Further Guidance [See reference sub-section for further guidance]

Row 80 | Who: B | Process step: 5 - Receipt and technical verification
  Implementation classes: D | Intermediated: O | Self-Billing: S
  WHY (RISK): Invoices cannot be accessed, e.g. the supplier/presenter environment is not available for checking presented invoices.
  WHAT (REQUIREMENTS): Invoices must be accessible.
  HOW (CONTROLS): Agreements and general conditions of supply. Post-contract conditions, see also process step Off-boarding E in section 5 in Commentary report, figures 1 & 2.

Row 81 | Who: B | Process step: 5 - Receipt and technical verification
  Implementation classes: D | Intermediated: O | Self-Billing: S
  WHY (RISK): Invoice is not (promptly) accessed after receiving a notification in case of Web access.
  WHAT (REQUIREMENTS): All notifications must lead to accessing the invoice.
  HOW (CONTROLS): Procedures and guidelines.
  Reference Examples: Online solution to offer audit trail of access.

Row 82 | Who: B | Process step: 5 - Receipt and technical verification
  Implementation classes: D | Intermediated: O | Self-Billing: S
  WHY (RISK): It is not possible to verify who made the invoice available.
  WHAT (REQUIREMENTS): On-line invoices may only be consulted on websites whose identity and authenticity can be verified.
  HOW (CONTROLS): Check in application/web browser.
  Reference Examples: Authentication by SSL/TLS with a sufficiently strong server certificate. Use of an Extended Validation certificate as defined by the CAB Forum is recommended.
  Further Guidance: 7.3.5

Row 83 | Who: B | Process step: D - Integrity and authenticity management / Certificate management (Self signed)
  Implementation classes: C (self-signed) | Intermediated: O | Self-Billing: S
  WHY (RISK): The self-signed certificate required to verify an advanced electronic signature is not trustworthy.
  WHAT (REQUIREMENTS): Signature verification must use only self-signed certificates authenticated as coming from known and trusted trading partners. (The use of self-signed certificates is not accepted in all EU Member States.)
  HOW (CONTROLS): The self-signed certificate should be tied to a proof of identity that has been obtained in the onboarding process at a level comparable to recognised good practices for CAs. Certificates shall be previously exchanged between parties in a way that authenticates the identity of the source.
  Reference Examples: Good practices for CAs may include ETSI TS 102 042, TS 101 456 or AICPA/CICA WebTrust.

Row 84 | Who: B | Process step: D - Integrity and authenticity management / Certificate management (CA Issued)
  Implementation classes: C | Intermediated: O | Self-Billing: S
  WHY (RISK): The CA (Certification Authority) certificate required to verify the signature is not trusted.
  WHAT (REQUIREMENTS): Signature verification must use certificates issued by a CA which properly manages its operations.
  HOW (CONTROLS): Only certificates from a certification authority operating to recognised good practices shall be configured into the signature verification system.
  Reference Examples: Good practices for CAs may include ETSI TS 102 042, TS 101 456 or AICPA/CICA WebTrust.
  Further Guidance: 7.3.3

Row 85 | Who: B | Process step: D - Integrity and authenticity management / Certificate management (Self signed)
  Implementation classes: C (self-signed) | Intermediated: O | Self-Billing: S
  WHY (RISK): The revocation status of the signing certificate is unknown.
  WHAT (REQUIREMENTS): Signature verification must check the status of certificates. (The use of self-signed certificates is not accepted in all EU Member States.)
  HOW (CONTROLS): There should be a contractual commitment from the signer to notify the buyer in case of key compromise or other reasons to consider the certificate to be invalid.

Row 86 | Who: B | Process step: D - Integrity and authenticity management / Certificate management (CA Issued)
  Implementation classes: C | Intermediated: O | Self-Billing: S
  WHY (RISK): The revocation status of the signing certificate is unknown.
  WHAT (REQUIREMENTS): Signature verification must check the status of certificates.
  HOW (CONTROLS): The signature verification software should check the status of the signing certificate.
  Reference Examples: Check validity period and Certificate Revocation Lists (as defined in X.509 and IETF RFC 3280) or an OCSP server (IETF RFC 2560).
  Further Guidance: 7.2.2.6 & 7.2.2.7

Row 87 | Who: B | Process step: D - Integrity and authenticity management / Certificate management (Self signed)
  Implementation classes: B, D | Intermediated: O | Self-Billing: S
  WHY (RISK): The certificate used to protect invoice data exchanges is not from the self-signed issuer.
  WHAT (REQUIREMENTS): Data exchanges must be protected using certificates from a trusted certificate issuer. (The use of self-signed certificates is not accepted in all EU Member States.)
  HOW (CONTROLS): Data shall be protected by certificates issued by a trusted supplier operating to practices comparable to recognised good practices for CAs. Certificates shall be previously exchanged between parties in a way that authenticates the identity of the source.
  Reference Examples: CA good practices include e.g. ETSI TS 102 042, TS 101 456 or AICPA/CICA WebTrust, Extended Validation certificates as defined by the CA/Browser Forum.

Row 88 | Who: B | Process step: B - Master Data
  Implementation classes: B | Intermediated: O | Self-Billing: S
  WHY (RISK): The invoices are not correctly and fully reproducible due to historically incorrect retention of master data including parameters, code-tables and calculation rules.
  WHAT (REQUIREMENTS): It must be possible to reproduce the correct invoice including referenced data.
  HOW (CONTROLS): Retain history of master data changes.

Row 89 | Who: B | Process step: 6 - Formal verification
  Implementation classes: B, C, D | Intermediated: O | Self-Billing: S
  WHY (RISK): The electronic invoice does not contain all mandatory data or is addressed to the wrong legal person.
  WHAT (REQUIREMENTS): The invoice must comply with the country-specific mandatory data.
  HOW (CONTROLS): The application must ensure that the invoice contains all mandatory data according to the VAT law before the invoice can be processed.

Row 90 | Who: B | Process step: 6 - Formal Verification
  Implementation classes: C | Intermediated: O | Self-Billing: S
  WHY (RISK): The invoice may be modified or another party may be masquerading as the issuer.
  WHAT (REQUIREMENTS): The authentication of origin and integrity of the invoice must be verified by verifying the advanced electronic signature.
  HOW (CONTROLS): The validity of the AdES signature shall be checked and the results recorded, including verification time and the information (e.g. CRLs or OCSP responses and certificates) used to verify the signature.
  Reference Examples: If possible, the verifier should wait for a grace period before confirming signatures are valid, to ensure that revocations have been reported. However, where this is not practical due to the automated business process, there should be an agreement between the invoice issuer and the recipient that potential compromises to the signing key are reported immediately to the recipient.
  Further Guidance: 7.2.2.6

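Rows 86 and 90 together describe one verification procedure: check the validity period and revocation status of the signing certificate, hold the result back until a grace period has elapsed, and record what was used to decide. The following is an added example of that decision logic, not code from the CEN workshop or from any validation product; certificates and CRLs are constructed in-memory models rather than parsed X.509 objects, the cryptographic signature check is taken as an input, and GRACE_PERIOD is an assumed value that would in practice be agreed with the invoice issuer.

```python
"""Signing-certificate status check with a grace period: an added example for
rows 86 and 90 of the matrix, not code from the CEN workshop. Certificates and
CRLs are constructed in-memory models (no X.509 parsing); GRACE_PERIOD is an
assumed value that would in practice be agreed with the invoice issuer."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
GRACE_PERIOD = timedelta(hours=24)  # assumption, see module docstring


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime  # when the issuer published this CRL
    revoked: frozenset     # serial numbers listed as revoked


@dataclass(frozen=True)
class VerificationRecord:
    status: str             # VALID, INVALID, EXPIRED, REVOKED or INDETERMINATE
    verification_time: datetime
    revocation_source: str  # row 90: record what was used to decide
    reason: str


def check_signing_certificate(cert, signing_time, crls, signature_ok, now,
                              grace=GRACE_PERIOD):
    """Decide whether a signature made at signing_time with cert can be
    confirmed, given the CRLs available at `now`. signature_ok is the result of
    the cryptographic check done elsewhere (an input here, not recomputed)."""
    def record(status, source, reason):
        return VerificationRecord(status, now, source, reason)

    if not signature_ok:
        return record("INVALID", "n/a", "cryptographic signature check failed")
    # Row 86: the validity period must cover the signing time.
    if not (cert.not_before <= signing_time <= cert.not_after):
        return record("EXPIRED", "n/a",
                      "certificate not valid at %s" % signing_time.isoformat())
    crl = next((c for c in crls if c.issuer == cert.issuer), None)
    if crl is None:
        return record("INDETERMINATE", "none",
                      "no revocation information for issuer " + cert.issuer)
    source = "CRL issuer=%s thisUpdate=%s" % (crl.issuer, crl.this_update.isoformat())
    if cert.serial in crl.revoked:
        # Conservative: any listing of the serial blocks acceptance.
        return record("REVOKED", source, "serial %d is on the CRL" % cert.serial)
    # Row 90: only confirm once a CRL issued after the grace period is in hand,
    # so a revocation reported shortly after signing has had time to appear.
    grace_end = signing_time + grace
    if crl.this_update < grace_end:
        return record("INDETERMINATE", source,
                      "re-check with a CRL issued after " + grace_end.isoformat())
    return record("VALID", source, "not revoked; grace period elapsed")


def demo_scenarios():
    """Constructed scenarios; returns {name: status} for a quick self-check."""
    issuer = "CN=Example Issuing CA"  # constructed name
    cert = Cert(issuer, 4711, datetime(2009, 1, 1, tzinfo=UTC),
                datetime(2010, 1, 1, tzinfo=UTC))
    signed = datetime(2009, 5, 28, 10, 0, tzinfo=UTC)
    now = datetime(2009, 5, 30, 9, 0, tzinfo=UTC)
    fresh = Crl(issuer, datetime(2009, 5, 29, 12, 0, tzinfo=UTC), frozenset())
    stale = Crl(issuer, datetime(2009, 5, 28, 12, 0, tzinfo=UTC), frozenset())
    revoking = Crl(issuer, datetime(2009, 5, 29, 12, 0, tzinfo=UTC), frozenset({4711}))

    def run(crls, ok=True, t=signed):
        return check_signing_certificate(cert, t, crls, ok, now).status

    return {
        "fresh_crl": run([fresh]),
        "stale_crl": run([stale]),
        "revoked": run([revoking]),
        "bad_signature": run([fresh], ok=False),
        "no_crl": run([]),
        "after_expiry": run([fresh], t=datetime(2010, 3, 1, tzinfo=UTC)),
    }


if __name__ == "__main__":
    for name, status in demo_scenarios().items():
        print("%-14s %s" % (name, status))
```

An INDETERMINATE record is the automated-process case the row discusses: the invoice is not rejected, but it is not confirmed either until a CRL (or OCSP response) issued after the grace period is obtained, or the contractual "report key compromise immediately" arrangement is relied on instead. A real implementation would additionally verify the CRL's own signature and nextUpdate before trusting it.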
Row 91 | Who: B | Process step: 6 - Formal Verification
  Implementation classes: C | Intermediated: O | Self-Billing: S
  WHY (RISK): The invoice has a signature that does not protect all mandatory data.
  WHAT (REQUIREMENTS): Integrity of all mandatory data shall be protected by the advanced electronic signature. The buyer shall verify this.
  HOW (CONTROLS): Procedure or application check.

Row 92 | Who: B | Process step: 6 - Formal verification
  Implementation classes: B | Intermediated: O | Self-Billing: S
  WHY (RISK): The invoice may be modified or another party may be masquerading as the supplier.
  WHAT (REQUIREMENTS): The authentication of origin of the invoice must be verified by verifying the channel through which the invoice is received.
  HOW (CONTROLS): The authenticated identity of the invoice issuer, and any integrity check codes, shall be checked and the results recorded, including the time of authentication.

Row 93 | Who: B | Process step: 6 - Formal Verification
  Implementation classes: B | Intermediated: O | Self-Billing: S
  WHY (RISK): The buyer accepts an invoice from a supplier without an interchange agreement.
  WHAT (REQUIREMENTS): The invoice must come from a supplier with whom there is an interchange agreement.
  HOW (CONTROLS): Application check: is the supplier known as an EDI biller? Procedure for entering and modifying fixed data. See also Process step On-boarding A.

Row 94 | Who: B | Process step: 6 - Formal verification
  Implementation classes: D | Intermediated: O | Self-Billing: B
  WHY (RISK): The invoice may be modified or another party may be masquerading as the issuer.
  WHAT (REQUIREMENTS): The authentication of origin of the invoice must be verified by verifying the channel through which the web server is accessed.
  HOW (CONTROLS): The web system operates under recognised good practices for security of web servers and controls access to the invoice. The invoice shall be sent through a secure channel which:
    a) Protects the integrity of the invoice up to the buyer or the buyer's service provider.
    b) Authenticates the invoice issuer to the buyer or the buyer's service provider. This can be either:
       o Authentication information confirmed by a trusted third party (e.g. certificate issued by
  Reference Examples:
    i) Transport Layer Security (RFC 4346) with passwords.
    ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823).
    iii) Secure network service provided by Value Add Network service provider.
    iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
    v) Integrity measures, such as hash totals or reconciliation overviews.
  Further Guidance: 7.3.8

Row 95 | Who: B | Process step: 7 - Last mile
  Implementation classes: B, C, D | Intermediated: M | Self-Billing: S
  WHY (RISK): The invoice data transferred to the buyer by the service provider can be altered or added to during the transmission.
  WHAT (REQUIREMENTS): Ensure authenticity and integrity of invoice data whilst being sent.
  HOW (CONTROLS): The invoice data shall be transferred in a way that:
    a) Protects the integrity of the data communicated,
    b) Authenticates the source of the data.
  Reference Examples:
    i) Transport Layer Security (RFC 4346) with passwords.
    ii) Business Data Interchange over the Internet Applicability Statement 1, 2, 3 with signatures (RFC 3335, RFC 4130, RFC 4823).
    iii) Secure network service provided by Value Add Network service provider.
    iv) Secure messaging services such as ITU-T X.400 or S/MIME (RFC 3851).
  Further Guidance: 7.3.8
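Rows 76 and 95 both list "hash totals or reconciliation overviews" and, for EDI, "summary statements" as a way to detect modification of invoice data in transit and to authenticate its source. The block below is an added example of such a keyed summary statement, not code from the CEN workshop or from any EDI product: the sender publishes per-invoice digests plus batch totals under an HMAC, and the receiver recomputes them. The shared key stands in for one agreed under an interchange agreement, and the invoices and field names are constructed sample data.

```python
"""Batch integrity via hash totals and a keyed summary statement: an added
example for rows 76 and 95 of the matrix, not code from the CEN workshop.
The key, invoices and field names are constructed for the example."""
import copy
import hashlib
import hmac
import json
from decimal import Decimal

SHARED_KEY = b"constructed-key-agreed-under-interchange-agreement"  # constructed


def canonical_bytes(obj):
    """Canonical serialisation so sender and receiver hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def invoice_digest(invoice):
    return hashlib.sha256(canonical_bytes(invoice)).hexdigest()


def build_summary_statement(invoices, key):
    """Sender side: per-invoice digests and hash totals, bound to the sender by
    an HMAC so the receiver checks integrity and source in one step."""
    body = {
        "count": len(invoices),
        "amount_total": str(sum(Decimal(inv["amount"]) for inv in invoices)),
        "digests": {inv["invoice_number"]: invoice_digest(inv) for inv in invoices},
    }
    mac = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_batch(invoices, statement, key):
    """Receiver side: returns (ok, findings). Any finding means the batch is
    held back for reconciliation rather than processed."""
    expected = hmac.new(key, canonical_bytes(statement["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, statement["mac"]):
        return False, ["summary statement MAC does not verify (wrong key or statement altered)"]
    body = statement["body"]
    findings = []
    received = {inv["invoice_number"]: inv for inv in invoices}
    if len(invoices) != body["count"]:
        findings.append("count mismatch: statement %d, received %d" % (body["count"], len(invoices)))
    total = str(sum(Decimal(inv["amount"]) for inv in invoices))
    if total != body["amount_total"]:
        findings.append("hash total mismatch: statement %s, received %s" % (body["amount_total"], total))
    for number, digest in body["digests"].items():
        inv = received.get(number)
        if inv is None:
            findings.append("invoice %s listed in statement but not received" % number)
        elif invoice_digest(inv) != digest:
            findings.append("invoice %s modified in transit" % number)
    for number in received:
        if number not in body["digests"]:
            findings.append("invoice %s received but not in statement" % number)
    return not findings, findings


def sample_batch():
    """Constructed sample invoices (not real data)."""
    return [
        {"invoice_number": "INV-2009-001", "supplier_vat": "NL123456789B01",
         "date": "2009-05-28", "amount": "100.00"},
        {"invoice_number": "INV-2009-002", "supplier_vat": "NL123456789B01",
         "date": "2009-05-28", "amount": "250.50"},
        {"invoice_number": "INV-2009-003", "supplier_vat": "NL123456789B01",
         "date": "2009-05-28", "amount": "75.25"},
    ]


def demo():
    """Clean batch, one tampered amount, one dropped invoice, wrong key."""
    statement = build_summary_statement(sample_batch(), SHARED_KEY)
    tampered = copy.deepcopy(sample_batch())
    tampered[1]["amount"] = "2500.50"
    return {
        "clean": verify_batch(sample_batch(), statement, SHARED_KEY),
        "tampered": verify_batch(tampered, statement, SHARED_KEY),
        "dropped": verify_batch(sample_batch()[:2], statement, SHARED_KEY),
        "wrong_key": verify_batch(sample_batch(), statement, b"other-key"),
    }


if __name__ == "__main__":
    for name, (ok, findings) in demo().items():
        print(name, "OK" if ok else "HOLD", findings)
```

The hash total alone only catches accidental corruption; it is the HMAC over the statement that stops a party in the middle from recomputing the digests after altering an invoice, which is the "authenticates the source" half of row 95. Where the channel already provides this (AS2 with signatures, S/MIME), the statement serves as the reconciliation overview for the batch.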
Row 96 | Who: B | Process step: 8 - Material verification and processing
  Implementation classes: B, C, D | Intermediated: O | Self-Billing: S
  WHY (RISK): Invoices occur twice.
  WHAT (REQUIREMENTS): Each invoice shall only be booked once.
  HOW (CONTROLS): (Application) controls to detect duplicated invoices and prevent them from being processed.

Row 97 | Who: B | Process step: 8 - Material verification and processing
  Implementation classes: B, C, D | Intermediated: O | Self-Billing: S
  WHY (RISK): Invoices are not checked for content and processed in a timely manner.
  WHAT (REQUIREMENTS): The consistency of each transaction and the content must be checked within an appropriate time on receipt for processing.
  HOW (CONTROLS): (Application) controls and reconciliation with e.g. orders, goods receipt.

Row 98 | Who: B | Process step: 8 - Material verification and processing
  Implementation classes: B, C, D | Intermediated: O | Self-Billing: S
  WHY (RISK): An incorrect or fraudulent invoice is processed.
  WHAT (REQUIREMENTS): Only process invoices that correspond to business expectation.
  HOW (CONTROLS): Invoice content can be validated against the buyer's in-house accounts payable master data; in case of substantial differences do not process further and run an approval workflow. Application checks and procedures for modifying master data of the supplier.

     B 8 - Material verification and processing x       x       x       O               S              The person accountable The accountable person                 All internal control records relating to the receipt,
                                                                                                       for processing the invoice needs to be identifiable           audit and processing of the invoices must be
                                                                                                       cannot be identified                                          retained.
99
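As an added illustration of the application controls in rows 96 to 98 (example code, not part of the CEN matrix), a hypothetical Python check that refuses a second booking of the same invoice and holds for approval any invoice whose payee data or amount disagrees with the buyer's master data and open purchase orders; all names, sample data and the 2% tolerance are constructed assumptions:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Invoice:
    supplier_vat: str   # supplier's VAT identifier as stated on the invoice
    number: str         # supplier's invoice number
    amount: float
    iban: str           # payee account stated on the invoice
    order_ref: str      # purchase order the invoice claims to settle

@dataclass
class InvoiceVerifier:
    # AP master data (constructed): supplier VAT id -> IBAN on file
    master_data: dict
    # Open purchase orders (constructed): order ref -> (supplier VAT id, ordered amount)
    open_orders: dict
    tolerance: float = 0.02   # price variance accepted without approval (assumption)
    booked: set = field(default_factory=set)

    def check(self, inv: Invoice) -> tuple[str, list[str]]:
        """Return (decision, findings). 'book' = process automatically,
        'reject' = duplicate, 'hold' = stop and route to an approval workflow."""
        key = (inv.supplier_vat, inv.number)
        if key in self.booked:                     # row 96: each invoice booked once
            return "reject", ["duplicate of an already booked invoice"]
        findings = []
        iban_on_file = self.master_data.get(inv.supplier_vat)   # row 98: master data
        if iban_on_file is None:
            findings.append("supplier unknown in AP master data")
        elif iban_on_file != inv.iban:
            findings.append("payee IBAN differs from master data")
        order = self.open_orders.get(inv.order_ref)             # row 97: reconcile with order
        if order is None:
            findings.append("no matching purchase order")
        else:
            order_vat, ordered = order
            if order_vat != inv.supplier_vat:
                findings.append("purchase order belongs to another supplier")
            elif abs(inv.amount - ordered) > self.tolerance * ordered:
                findings.append("amount deviates from order beyond tolerance")
        if findings:
            return "hold", findings
        self.booked.add(key)
        return "book", []

def run_sample() -> list[str]:
    """Constructed sample: a valid invoice, its resubmission, and a tampered payee account."""
    v = InvoiceVerifier(master_data={"NL000000001B01": "NL00TEST0000000001"},
                        open_orders={"PO-1": ("NL000000001B01", 1000.0)})
    ok = Invoice("NL000000001B01", "INV-7", 1010.0, "NL00TEST0000000001", "PO-1")
    tampered = Invoice("NL000000001B01", "INV-8", 1000.0, "NL00TEST0000000099", "PO-1")
    return [v.check(ok)[0], v.check(ok)[0], v.check(tampered)[0]]   # ['book', 'reject', 'hold']
```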
Row 100: All (Supplier and Buyer Side)

Column headings (rows 1-2 of the sheet): Who | Process step (the order can be adjusted) | Business implementation classes B-D | Intermediated | Self-Billing | WHY (RISK) | WHAT (REQUIREMENTS) | HOW (CONTROLS) | Reference Examples (N.B. The examples listed are non-exhaustive and provided only to illustrate the kind of measures envisaged as being used.) | Further Guidance [See reference sub-section for further guidance] | Implementation Applicability | YOUR COMMENTS

Row 101
  Who: All
  Process step: E - Trading partner offboarding
  Business implementation classes B / C / D: x / x / x
  Intermediated: M
  Self-Billing: All
  WHY (RISK): Transactions and stored invoices are lost, duplicated, or processed without sufficient controls. Required system or process auditability becomes legally unavailable; audit trails and descriptive documents can no longer be accessed by competent authorities.
  WHAT (REQUIREMENTS): The trading partners must ensure proper termination of the relationship from a tax control and auditability perspective. Authenticity and integrity must remain verifiable during the storage period.
  HOW (CONTROLS): Trading partners must agree on minimum procedures for an appropriate transition should there be a need to move invoices from one transactional or storage service/environment to another during their life cycle. Equally, trading partners must ensure that critical audit trail and documentary evidence of past transactions and storage processes is retained, irrespective of invoices/invoice processes having been moved, for the remainder of the mandatory storage period of invoices under applicable law.
  Reference Examples: These issues should be regulated in an explicit agreement between the trading partners, and between each trading partner and their service provider(s), concluded prior to starting the e-invoicing process.

Row 102
  Who: All
  Process step: E - Trading partner offboarding
  Business implementation classes B / C / D: - / - / x
  Intermediated: M
  Self-Billing: B
  WHY (RISK): The buyer cannot access the 'original' presented invoice.
  WHAT (REQUIREMENTS): If the physical connection is not available due to contract termination, the invoices must still be available for the entire retention period. This must include authenticity and integrity characteristics.
  HOW (CONTROLS): Must be agreed in a contract; see also process step "Archiving and auditability C" in section 5 of the Commentary report, figures 1 & 2.