In this post we discuss some security measures and responsibilities that come up in most of the anti-fraud law audits that we carry out and have carried out.
5 recommendations to keep in mind
In general, many of our clients, who market software that includes billing and collection functionality among other features, tend to share common concerns and needs.
Below we explain the top 5 situations in which our audit is helping them comply as fully as possible with the 6 letters of article 201 bis of the anti-fraud law (LGT) and with the audit dimensions that increase security with respect to the chain of custody and inalterability of transactions, among others:
Point 1. What are our clients responsible for?
Most development companies come to us with many doubts about how responsibility is distributed between partner and client.
Some questions are common:
- What should I do if I have installations at clients who have stopped paying for maintenance or updates?
- What responsibilities fall on our clients?
- If I implement all the measures you recommend but the client does not do their part, to what extent is the partner the responsible party?
These and other questions are resolved in our audit process, and for more complex ones we have our legal advice service, which is very useful for contractual matters, exceptions, particular situations with clients, etc.
However, let us simply remember that, for the time being, responsibility for compliance with article 201 bis falls especially on the partner.
Point 2. How to make transactions secure?
Recall that a transaction, within the scope of the new anti-fraud law, can be defined, according to the criteria of our CISA-certified auditor, as any economic record generated by software oriented to parallel billing and secret accounting (in general terms). These transactions are secured as long as we apply measures of integrity, chaining and traceability of actions. In our audit process we help our clients with implementation options that allow transactions to be fully secured.
Point 3. What if the user uses legal features to perform illegal actions?
Bear in mind that an operation such as deleting a billing series without leaving a trace is, in our opinion as certified auditors, an action carried out due to partner malpractice. In these cases we recommend various security controls for the different operations the software allows. In other cases, the client may attempt to use the software fraudulently through operations that are apparently designed to be safe; here we study the best security measures to guarantee traceability, inalterability and the other requirements of the law.
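As an added example that is not code from the original post or from the auditing firm, the following Python sketch shows the three measures named in Point 2 (integrity, chaining, traceability) and the deletion scenario of Point 3 in one place: each economic record carries a SHA-256 hash that also covers the hash of the previous record, so a silent edit, removal or reordering breaks the chain; a "deletion" of an invoice is recorded as a compensating void event with user and reason rather than physically removed; and verify() reports the first broken entry. All names (Ledger, Entry, build_sample_ledger) and the sample invoices are constructed for the illustration.

```python
"""Added example (not from the original post): a hash-chained, append-only
ledger in which every economic record links to the previous one, deletions
are recorded as compensating 'void' events, and verify() reports the first
entry whose integrity or chaining is broken."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


def canonical(obj: dict) -> str:
    """Deterministic JSON so the same record always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


@dataclass
class Entry:
    seq: int         # position in the chain
    kind: str        # "invoice" or "void"
    payload: dict    # the economic record itself
    prev_hash: str   # hash of the previous entry: the chaining
    hash: str = ""   # SHA-256 over seq, kind, payload and prev_hash

    def compute_hash(self) -> str:
        material = canonical({"seq": self.seq, "kind": self.kind,
                              "payload": self.payload, "prev": self.prev_hash})
        return hashlib.sha256(material.encode("utf-8")).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def _append(self, kind: str, payload: dict) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        entry = Entry(seq=len(self.entries), kind=kind,
                      payload=dict(payload), prev_hash=prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def issue_invoice(self, series: str, number: int, amount: float,
                      user: str, ts: str) -> Entry:
        return self._append("invoice", {"series": series, "number": number,
                                        "amount": amount, "user": user, "ts": ts})

    def void_invoice(self, series: str, number: int, reason: str,
                     user: str, ts: str) -> Entry:
        """A 'deletion' is a new traceable event; the original record stays."""
        issued, voided = self._replay()
        if (series, number) not in issued or (series, number) in voided:
            raise ValueError(f"{series}-{number} is not an active invoice")
        return self._append("void", {"series": series, "number": number,
                                     "reason": reason, "user": user, "ts": ts})

    def _replay(self) -> Tuple[Dict[Tuple[str, int], dict], Set[Tuple[str, int]]]:
        """Rebuild current state from the event history (never from edits in place)."""
        issued: Dict[Tuple[str, int], dict] = {}
        voided: Set[Tuple[str, int]] = set()
        for e in self.entries:
            key = (e.payload["series"], e.payload["number"])
            if e.kind == "invoice":
                issued[key] = e.payload
            elif e.kind == "void":
                voided.add(key)
        return issued, voided

    def active_invoices(self, series: str) -> List[dict]:
        issued, voided = self._replay()
        return [p for k, p in issued.items() if k[0] == series and k not in voided]

    def verify(self) -> Optional[int]:
        """Index of the first entry whose hash or link is broken; None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return i
            prev = e.hash
        return None


def build_sample_ledger() -> Ledger:
    """Constructed sample data: two invoices in series A, the first then voided."""
    led = Ledger()
    led.issue_invoice("A", 1, 100.0, "operator1", "2021-11-22T10:00:00")
    led.issue_invoice("A", 2, 250.5, "operator1", "2021-11-22T10:05:00")
    led.void_invoice("A", 1, "duplicate issue", "supervisor", "2021-11-22T11:00:00")
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print("intact:", led.verify() is None)
    led.entries[1].payload["amount"] = 1.0   # silent edit of a stored record
    print("first broken entry:", led.verify())
```

A plain hash chain is tamper-evident only against someone who cannot rewrite every later entry; in a real deployment the chain head would additionally be anchored (signed with a key the operator does not hold, written to append-only storage, or exported periodically), which is the kind of implementation choice the audit process referred to above would settle for each product.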
Point 4. What happens with new versions that our partners bring to market after they have been audited?
From our point of view, the software fully complies with the law as long as the partner ensures that the processes and security measures arising from our audit are implemented in a specific version. If these processes and measures are not altered in new versions, we understand that there should be no problem in continuing to comply as fully as possible with this complex law.
Point 5. What is the status of certification as of November 22, 2021?
The certification has not been published at this time. We are in contact with all kinds of public and private entities, including the tax agency, and as soon as it is published we will support all our clients with the technical measures and with updating our audit report on everything that remains pending after our recommendations, at zero cost.
Recommendation
Given that technical information security measures have a non-negligible time cost to implement, we recommend that any company developing software with billing and collection capabilities contact us to begin their audit under the new anti-fraud law in relation to secret accounting software and parallel billing.