Automatic Extraction Audit for Real-Time Reporting as proposed by EC/France

European_Commission

There is a lurking issue in many real-time reporting systems that depend on either trusted parties or trusting the government with all the invoice data. We believe neither approach is ideal, so we came up with a better alternative. We developed a tool that can automatically audit all e-Invoice extractions and conversions, and attach a cryptographic signature to the extraction. This signature is then sent either to the Tax Administration or any other system managing the real-time reporting. By doing so, we close the loophole of fraud, making the audit automatic and eliminating the need for manual checks, thereby improving efficiency.

Introduction

Governments seem to be increasingly including businesses in discussions around real-time reporting. In this way, governments can make sure that real-time reporting does not only increase the VAT revenue, but also provides benefits to companies. An example of a country where businesses have been actively consulted regarding the implementation of real-time reporting is France and the European Commission. One of the results is that the upcoming mandatory e-invoicing regime does not only allow for one e-invoicing standard, but multiple. This makes it easier for companies to comply, because many companies will be able to use the same standards that they are already using today. However, as there is no one-single standard, many conversions will be the result. And this creates a whole new problem: what is the legal invoice and how can you trust conversions or extracts? In the case of the European Commission’s proposal there is the problem of the missing audit trail from the extract of the information of the e-Invoice to the reported information to the tax administration.

E-invoicing mandate France

In the following we will focus on the French e-invoicing case, but the same arguments can be applied to any e-invoicing regime that allows for multiple standards and/or uses a decentralised clearance model or the system proposed by the EC.

From July 2024 onwards every company in France is required to accept e-invoices. The reform does not follow previously implemented models in the EU as France is implementing the so-called “Y-model” (see Figure 1). There are many different flows of information and many different ways of sending an invoice to your buyer. Together with the fact that three e-invoicing standards (UBL, CII and Factur-X) are accepted and that there is the possibility to send EDI invoices, it is considered as a flexible model. Although the exact role of EDI still needs to be defined, businesses are generally positive about how the French government wants to implement real-time reporting. However, when multiple standards are allowed, then invoices will be converted on a large scale because most companies will choose to only be able to accept one of the different standards. That means that many conversions will take place which will create a new problem: what is the legal invoice that gives you the right to deduct VAT?

Figure 1: The Y-model

Figure 1: the Y-modelSource: DGFiP (2021)

Having a closer look at the invoicing legislation of France shows why this can become a problem. According to Article 289 of the Code général des impôts, “the authenticity of the origin, the integrity of the content and the readability of the invoice need to be assured from the moment of issuance until the end of the archiving period”. So when an invoice is converted from UBL to CII, it needs to be proven that the UBL and the CII are actually the same invoice for the CII to be legal. Therefore, companies are required to “set up an audit trail.” But how can companies set up and maintain this audit trail if the invoice issued by the supplier has a completely different format than the invoice received by the buyer?

Certification is not the solution

It looks like the French Tax Authority is planning to solve the problem by certifying the third party service providers (PDPs in French). The idea is that in this way, the PDPs can be “trusted” to perform the conversion in a correct fashion. There are two main issues with this theory.

First, certification often takes place only once or a couple of times per year, while conversions are happening on a continuous basis. It means that the moment of certification is only a snapshot, after which there is no guarantee that the invoice is actually correctly converted. Secondly, the conversion does not only happen at the PDPs. Namely, at the public portal another conversion takes place as only an extract of the actual invoice will be sent to the tax authority for control purposes. The tax authority can only be sure that the received extract of the invoice corresponds to the original invoice if continuous conversion controls can be performed along the supply chain. This would create an actual trusted audit trail, going beyond a snapshot certification process.

Continuous conversion controls by using modern cryptography

As with other problems related to VAT, modern cryptography can help to tackle this complex problem. This technology allows companies to prove that a certain conversion has been used to create a certain output, without making the input and output public. In order to explain this further, let’s have a look at a simple example.

In this example, Company A (supplier) has a Factur-X. This is sent to the PDP of Company A. The PDP of Company A forwards it to the PDP of Company B (buyer). As Company B only accepts CII, the invoice needs to be converted to CII. In short, the invoice has been converted from Factur-X to CII. The issue is: how to prove that the Factur-X is the same invoice as the CII.

Another example is the proposed system by the European Commission. In this proposal, it is defined to only receive an extract of the e-Invoice for confidentiality reasons. While we applaud the initiative to not receive the complete invoice, a new problem arises, namely, how do you prove or know that the information that is “extracted” is actually from an actual e-Invoice?

A tool that can help to prove that an invoice in a certain format originates from an invoice in a different format while maintaining its integrity is zero-knowledge proofs/modern cryptography. By using this technology, a proof can be generated of the usage of a certain conversion tool. The tool should also be used by the tax authority in order to prove that the extract sent to the tax authority is actually the same as the invoice used for business purposes.

Summitto has already developed a Proof of Concept for the tool explained above. As you can see in Figure 2, the conversion will provide you with both a converted invoice and the proof that provides the authenticity and integrity of the invoice.

Figure 2: Conversion & Extract Audit Tool

Hash function

Conclusion

As we are slowly moving towards the implementation of e-invoicing in France, it’s time to also have a look at the details. One of these details relates to the question: what is the legal invoice. Because of the flexibility of the French real-time reporting model, many conversions will be made which creates problems relating to providing proof of the authenticity and integrity of the invoice. Certifications are not the solution as that only offers a snapshot of the authenticity and integrity. In order to actually perform continuous conversion controls modern cryptography can be leveraged. For the European Commission the question is still open on how to provide an audit trail for the flow of information. The tool developed by summitto, allows companies to generate a proof of conversion & extraction, offering a real-time automatic audit trail.

In case you want to experience a demo of our solution, please send us a message to info@summitto.com.