Prohibited Functions in EGS

Prohibited Functions in EGS

February 24, 2024 | seedling, permanent

tags
invoicing-apis, ZATCA

Prohibited features/function in EGS #

E-Invoicing_Detailed__Guideline v2: PDF The features or capabilities that should be absent in the application:

Anonymous access #

  • Persons subject to the E-Invoicing Regulation cannot access the system without logging into the system using unique login and password or biometrics.

Ability to operate with default password #

  • Having a default password or factory password is not allowed. Each system must require the user to reset the password on first use.

Absence of user session management #

  • The system must log all user activities associated with the invoice generating process, starting with login authentication and continuing to all system functions.

Allow alteration or deletion of generated E-Invoices or their associated notes #

  • Persons subject to the E-Invoicing Regulation are not allowed to modify or delete invoices once they are issued whether these are generated by the system or outside it.
  • If a user wishes to “cancel” an invoice, this may only be done through issuing an associated credit note and reissuance of a new invoice.

Allow for log modification/deletion #

  • The system must not allow any modification on system logs that store the system’s activities.
  • All user activities can be logged and stored without any changes to the system generated logs.

Generated with inaccurate timestamps #

  • Persons subject to the E-Invoicing Regulation are not allowed to change time or date on the E-Invoice Solution in a way that would result in the generated documents to contain false information.

Non-sequential log generation #

  • All log entries of the E-Invoice Solution must be time stamped and linked by placing the hash of the previous invoice in the associated field of the next invoice in a sequence, so that their order cannot be changed.

Invoice counter reset #

  • The E-Invoice Solution must not provide a feature where the invoice counting can be reset.*

Allow ability to generate more than one invoice sequence at any given time #

  • The E-Invoice Solution unit must not generate more than one sequence so that all invoices generated by an E-Invoice Solution Unit are linked using “Previous Invoice Hash” value into a single chain.

Time changes #

  • The solution must not allow software time changes that will change or modify the timestamp value during E-Invoice or Credit/Debit Note issuing.

Export of stamping keys #

Idea to increase confidence of ZATCA auditors in system #

  1. log user activity with OpenSearch Make sure these logs are detailed, capturing every user action related to invoice creation, modification, access, and deletion. The logs should include timestamps, user IDs, actions performed, and any changes made.

  2. make data immutable after invoice submission Django Model

  3. store the pdf/a3 invoices in object storage in immutable way

  4. allow the auditors to fetch any records randomly from Object Storage and from the database

    1. ability to fetch data from both sources and match for equality to prove the correctness

    2. store the information of invoice with a hash that can be recalculated to prove the correctness of data since the invoice submission.

    3. store the hash of the record with pdf/a3 document as additional data to prove nothing changed.

  5. add Audit-Friendly Reporting and Dashboards

    • fetch 10 random records from db for the company under audit and fetch data from object storage and prove the integrity.

  6. Documentation and Training for Auditors

No notes link to this note

Calendar February 25, 2024

Go to random page

Previous Next