To Ensure e-Invoicing Compliance, Look Beyond Comfort Letters
Any conversation about global electronic invoicing quickly leads to compliance with regulatory requirements--VAT (Value Added Tax) rules as well as laws around accounting, trade, customs and data protection. The rules are different in every country, and achieving global compliance is central to the business case for an e-invoicing solution. But, even with an e-invoicing solution in place, the ultimate responsibility for compliance always lies with each company. So how can you be sure your solution will help you achieve it?
E-invoicing vendors have traditionally relied on “comfort letters” – official letters from tax advisory and audit firms saying that they’ve reviewed the technical solution and “assume” it to meet the legal requirements of the country or countries where the customer is doing business.
An opinion letter from a Big 4 accounting firm can provide some initial guidance on whether or not a vendor has started doing their homework and is somewhat serious about investing in their compliance work. However, it’s important to understand the limitations of comfort letters, and place them in their proper context in your overall due diligence when considering an e-invoicing solution. Assurance of an ongoing investment in compliance, along with an audit of the actual solution are also needed.
Reassurance to go forward
The comfort letter concept was first introduced in 2001. It was still early days for e-invoicing, and at the time Switzerland was the only country that had legislation setting out standards for replacing paper with e-invoices. Early customers were keen to understand whether these new solutions would help make them compliant. They wanted to be sure they would not end up in a mess when an audit took place.
They wanted this confirmation from a trusted third party, rather than from vendors. Tax and audit firms with global reach were the natural choice to compare these new solutions with each country’s tax codes and provide opinions about compliance, of course with the caveat that the solution provider has implemented what was written down on paper.
These so-called comfort letters provided the needed reassurance for projects to go forward, and they became a staple of the industry.
The limits of comfort
Comfort letters remain relevant today, but it’s important to understand that they don’t guarantee or define anything. The advisory firm is looking at a hypothetical deployment, not at your actual deployment and use of the solution.
There’s also a potential conflict of interest. Each country requires a separate comfort letter, and when you consider how many countries’ regulations vendors must comply with, that can add up to a lot of money.
That’s not to say advisory firms are biased, but there is revenue in comfort letters, and firms that provide them aren’t necessarily assuming any of the risk. If you mess up, you can’t point the finger at the advisory firm that gave you the comfort letter and say it was their fault. Their risk department will have made sure to protect them from potential claims.
Another reason you can’t rely solely on comfort letters is that they only offer a point-in-time assessment of a regulatory landscape that is always changing. Are all the vendors going to go back and get their comfort letters updated every time a country changes a rule? Probably not. In fact, I recently saw a vendor offering a comfort letter from 2010.
Broader due diligence
The only thing that is guaranteed in all of this is that there will be regulatory changes. There always are. That’s why your due diligence should not focus so much on comfort letters, but on what processes the vendor has in place to manage change and keep your solution current, as well as performing an actual system audit. There are five key areas you should look at:
- Areas of responsibility: Make sure you have a clear understanding of who is responsible for what. What information do suppliers need to provide on their invoices to you? What compliance responsibilities do you have as the buyer? What information does the solution validate, safeguard and retain?
- Monitoring infrastructure: What kind of infrastructure does the vendor have for monitoring changes in these areas across different markets? This might include partnerships or subscriptions. But, in general, the most reliable service providers will own compliance and manage it in-house
- Change management: How will you be advised of regulatory changes? What will you need to do to keep your solution up to date? Is it something you can handle internally, or will you need assistance from the vendor or outside consultants?
- Product architecture: Cloud solutions have a definite advantage over on-premise or customized solutions designed to meet the needs of individual clients. Cloud providers can more easily keep the solution up to date from their end with little or no effort on the part of the customer.
- System validation: In addition to comfort letters, is the provider able to provide proper system validation performed by a neutral auditor to confirm actual compliance with country requirements? The cloud also allows audit and advisory firms relatively easy access to be able to perform this kind of validation, and we are shifting to an environment where this is the new standard.
When selecting an e-invoicing solution, comfort letters are not bad to have, because they demonstrate an upfront investment in compliance. However, they’re extremely limited in what they do. To be really comfortable, you need evidence of an ongoing investment.
When you’re doing business in 10 or 20 countries, staying on top of tax and trade regulations is a huge challenge. The main focus of your due diligence efforts should be on establishing a long-term relationship with a vendor that’s planning and architecting for continual change, and for minimizing its impact on you.
Best in class vendors will have the intelligence infrastructure in place to stay on top of rule changes, and the capability to notify you and update the system for you. Most importantly, they are willing to have the solution tested by an external auditor. That´s not just comforting, it´s better assurance of compliance.