Cloud Accounting Software Alert – Xero, MYOB, Quickbooks, etc

A message from concerned accountants for anyone using Cloud Accounting Software...

 

e-invoicing, The new Way to Send Invoices!

 

If you are a business owner or responsible for clients using Cloud Accounting Software, take note: 13th November is D-Day for your financial data privacy. As concerned professionals, we have chosen to investigate this new policy to assess the risk to our clients and our own business practice.
In July 2022 the ATO implemented a new “policy”. This policy did not go through Parliament; as such, we could not locate, in the timeframe, any Legislative Act or relevant law. It appears to be purely ATO policy:
The move is to mandate e-invoicing with cloud-based accounting software organisations for every government agency, and to influence all businesses into the mix. It is an effort to push more digital operation under the banner of “Efficiency of payments to improve cashflow.” Review here: ATO - Tax Agents and Professional Advisors - benefits?
We have found that the promotion over the past two years has been confined to soft marketing to software users by the software company, with subtle random pop-ups as you logged in. More recently there has been an increase in notices and in the size of the notice, with a 90% discount if you sign up for an account before 31st October. Most bookkeepers and CFOs may dismiss the notice and get on with their daily account recording. BUT, they were notified.
Our organisation has numerous clients we work with using Xero, MYOB, et al. On Oct 23rd, an email from the Xero software organisation was received in our office, announcing “On 13 November 2024 your Xero accounts will be automatically registered for free with the Peppol network so that you can access e-Invoicing for your businesses. To opt out, [ Complete this Form ] before 13 November 2024”. That means any account which has our email as the principal contact will be automatically registered.
So we thought it was time to investigate how e-invoicing actually worked. As an accountant and restructuring specialist, both within and without the insolvency arena, we consider client data privacy to be of high importance. Sections of this document are highlighted to bring your attention to areas you may wish to investigate for the level of potential risk to your financial data privacy.
Following is one of the ATO announcements promoting the benefits of e-invoicing.
"Whether you are a private business or a public organisation, e-invoicing is your gateway to fast, secure, and borderless trade. The Australian Taxation Office is mandating federal government agencies to have e-invoicing in place by July 2022, while other government agencies and private businesses across Australia and New Zealand are strongly encouraged to adopt electronic invoicing to return cashflow faster. With more businesses committing to e-invoicing, it's important that your business is ready."
Sending invoices electronically does not mean they will be paid faster. As such, the terminology used in the PR promoting the new policy as a cashflow benefit is misleading!
There is a link below to provide you with an understanding of how an Application Programming Interface (“API”) works in software communication. E-invoicing and Single Touch Payroll (“STP”) require an API to function! While you are reviewing this article there are some key questions to keep in mind about the protection and safety of your financial data:
Those questions follow; think seriously about point 10 as you read through how API works:
  1. What access has your software company granted to the parties involved in the setup of e-invoicing?
  2. What instructions did the ATO provide to Peppol as the scope of engagement works for data access?
  3. What parameters did the software company agree with the ATO to provide data from client accounts, without your knowledge or consent?
  4. Has your software company breached privacy laws?
  5. Can you locate your software supply contract and has it been breached?
  6. Given our investigations into the Peppol organisation (later in this document), why would the ATO negotiate with a European Union entity direct access to Australian businesses' financial data?
  7. According to the ATO website, Peppol has been granted exclusive rights and/or control of this API system across Australia and New Zealand, and every country that their cloud software operates in?
  8. What parties working with Peppol have authorisation and access to the gateway controls of API?
  9. Given the ATO is not a legal entity (confirmed by the High Court of Australia), how can Peppol, Xero and
  10. With Peppol being a European Union organisation, what liability sits with the business owner or Accounting/Legal firm if client data is accessed?
  11. What recourse would a business and/or Accounting or Law firm have to remedy a breach of confidentiality they may have with their client?
  12. What are the cyber security risks to the business and/or Professional firm?
  13. Can the ATO expand the scope of works with Peppol for access to more transactional data from individual business software accounts without the account holder’s knowledge?
In the interests of the privacy risk to your business and credibility to your Brand, the following article is an extensive Question and Answer on how API will work with e-invoicing, and we’ve included STP in the process. While STP may be one-way data access (implemented and mandated in Australia in 2018), e-invoicing is two-way, and subject to the scope of works negotiated between the ATO, Peppol (API Owner/Controller – gateway keeper) and software companies, with risk being potentially expanded once that door is opened.
With STP, once registered, there is no option to opt out. We could not find an option to opt out of e-invoicing once registered!
Download the following Q&A on this sample API specifically with e-invoicing [How API works connecting to your Software]
  • Following is the ATO link for you to review
    https://www.ato.gov.au/businesses-and-organisations/einvoicing

     

    What is the PEPPOL e-Invoicing standard?
    • The Peppol eInvoicing standard can be used to issue an invoice that complies with the requirements of a tax invoice. For record keeping purposes, an eInvoice is no different to other digital records. Make sure you follow the digital record keeping rules for business. For more information about eInvoicing for your business, see:
    • eInvoices are exchanged securely through the Peppol network by approved access points, using the buyer's and supplier's ABNs. The risks of fake or compromised invoices, email scams and ransomware attacks are lower compared with posted or emailed invoices. There is no risk of lost invoices. You keep control of invoice processing.
    • Following is the ATO link to Peppol:
      https://www.ato.gov.au/businesses-and-organisations/einvoicing/peppol
    • Following is more on Peppol - https://peppol.org/ Peppol is a set of specifications for establishing and also the primary implementation of a federated electronic procurement system for use across different jurisdictions. (Perhaps a bit over the top for the mum and dad farmer or small business. This appears to be pushing businesses into the global market without knowledge or experience.)
      In the case of Xero, they have an Australian location in Hawthorn, Vic with no office contact. Xero is a foreign company based in Wellington, New Zealand, i.e. out of Australian jurisdiction in the event of any claim for breach of contract.
      ASIC records reveal EY is Xero Holding company’s auditor. Which could mean, if/as EY may be registered as a government agency, in the event your organisation has done work with EY and is also registered, your financial data may be at risk; should Peppol’s scope of engagement increase, your financial data and reputation may be at further risk.
      We have chosen to take the safe route and opt out at this stage.
      Concerned Accountant.
      PS. We are looking into remedies for the businesses we work with.

 

 

How API works connecting to your Software.