With more than 22 years in the consulting, auditing and computer expertise sector, we have collaborated with the Ministry of Industry, the tax agency, EOI, the collegiate medical organization, red.es and many other organizations in audits and training on this subject. In many cases, the new regulations, laws or royal decrees set the guidelines and obligations that the passive and active subjects of the same must comply with, what we call “what to comply with”, but not “how”. Sometimes these approvals or certifications last over time without strict requirements, such as the homologation audit of certified digitization of invoices before the tax agency, where, for example, it does not specify the backup retention policies, but applying the good practices of the information systems industry, we managed to have a 100% of success stories.
Billing software anti-fraud law. 7 reasons not to wait.
With all of the above, we want to show a reality, the laws on information technology sometimes lead the way but do not specify the exact guidelines, not even in the approvals or certifications. That is why when the new anti-fraud law in its article 201bis says that the software must include “… technical specifications that guarantee the integrity, conservation, accessibility, legibility, traceability and inalterability of the records,…” it does nothing more than ask the software developers that their software meets these dimensions, not saying how to meet it.
However, as CISA certified auditors by ISACA, we can ensure that the good practices to comply with each and every one of these dimensions have been known and audited for years in a very high percentage. The controls or measures applicable to comply with these dimensions are already in the good practices and information security standards, such as ISO27001 or ISO27017, being perfectly applicable to all types of billing software, both client-server, Cloud, SaaS, etc.
In this sense, most of our clients are clear about the advantages of not waiting for the detail of the law to come out to try to comply with these dimensions. Next, we would like to highlight the key reasons why we should not wait for the detail of the certification to come out from the tax agency and the advantages of starting a software audit , which is on the way of adapting the software to the controls that help us guarantee this compliance:
Reason 1. my software is safe
Some clients tell us “my software is safe”. Sometimes these statements can be questioned when we ask them “If I access the database, not from the application but directly to the SQL SERVER, MySQL, etc., can I modify the records without leaving a trace? records of a company that you had used on a temporary basis? Most of these cases realize that their system would not be complying with integrity or conservation, simply with this risk scenario.
Conclusion: Be completely sure that if you do not pass an audit and compliance consultancy like the one we do, your software does not comply 100% with the dimensions established by law.
Reason 2. I prefer to wait for certification
As we have mentioned, there are homologations or certifications, such as the certified digitization of invoices, which with more than ten years of life still does not specify all the technical requirements and yet it is homologable/certifiable. We do not know the level of detail that the certification will have regarding technical controls, but what is known is that everything we recommend in raising the levels of compliance with the dimensions required by law will be aligned with what the law will establish. , since they are based not only on the good practices of recognized standards, but also on laws such as TICKETBAI or NF525, which are already a benchmark.
Conclusion: All the work you do now to secure your software in the aforementioned dimensions will bring you closer to complying with the law even without being specified (we don’t know if they will be one day) the technical requirements. In addition, the law applies as of October 12, 2021, being yes or yes obliged to comply with it.
Reason 3. there is work to do
We understand that the audit, Consulting and adaptation of the software to the security requirements that approach regulatory compliance, require time and effort by the partner. Suppose that the client does not sign the invoices or does not have secure log mechanisms based on control mechanisms that ensure the inalterability of the records or their chain of custody before an inspection. The application of controls that resolve this situation takes time. We have named one example but there are many others, which leads us to an estimated action plan time in a standard situation of 2-3 months of development, configuration and deployment time, based on our day-to-day observations with our customers. .
Conclusion: The time and effort is not negligible, start now and at least increase the degree of compliance of your software with our audit and implementation consulting.
Reason 4. What if the law later requests controls that we have not implemented with you?
Our work does not end until all the technical requirements for future certification are met by our clients, accompanying them in the audit and updating of our report on all the controls that must be met.
Conclusion: Not only do we now help in good practices, but we close the circle of trust by ensuring that we will accompany the audit in all those technical requirements that the law requires of us at the time the certification procedure is published.
Reason 5. Your customers and distributors are at risk and therefore you are.
The law and its sanctions do not apply only to the development company, but also to distributors and customers. We help in the communication of the work that is carried out towards the clients, allowing them to be informed and confident that the development company is concerned with compliance with the new law.
Conclusion: The new law marks us a responsibility of the development company with its products towards third parties, such as its distributors and customers. Get ahead of the competition.
Reason 6. I don’t want to invest in security measures now. Business opportunity
Regardless of the legal obligation that development companies have with this new law, we must understand that most of our clients have a business opportunity to recover maintenance, open a major update version that implies some cost, speed up the transformation of certain sales opportunities, etc.
Conclusion: The costs of our audit and implementation consultancy can be quickly diluted if the development company is able to transform this regulatory compliance into a business opportunity.
Reason 7. Proactivity
In this law there is a special circumstance, the immediacy of its entry into force for the beginning of October 2021. Most development companies don’t even know what to do or haven’t come up with an action plan yet. Proactivity is always an added value in the face of a possible inspection, as it is in other frameworks such as GDPR.
Conclusion: Would there be any advantage in not improving the security of a system where we already know the good practices that apply? Obviously not, there is a way to go that marks us a mandatory law.
conclusion
At www.leyantifraude.com As CISA certified auditors by ISACA, expert members of the association of collaborating experts with justice, we help all types of development companies and end customers with their own developments to accelerate regulatory compliance and raise the security level of their software to article 201 bis Law 11/2021, of July 9, on measures to prevent and combat tax fraud, transposing Directive (EU) 2016/1164, from the point of view of recommendations, monitoring, help in communicating to their clients, accompaniment until the end of the certification, etc. If you are interested contact us here