To generate e-invoices, as mandated under the newly rolled out guidelines of the Zakat, Tax and Customs Authority (ZATCA), taxpayers need to adopt an e-invoicing solution. An ideal e-invoicing solution should not have any of the prohibited functionalities listed below:
Access to e-invoicing solutions should be secured using a login ID and password or biometrics. This is mandatory to prevent any unauthorised person from having access to the confidential data of e-invoicing. Also, the taxpayers are advised not to share such login details with any external party and should preserve the same securely.
The e-invoicing solution cannot continue to be used with the default password. The user needs to set a new password after the first login. Continued use of the default password is prohibited, again, to ensure the security and confidentiality of the data.
The e-invoicing solution must track and store all details of login and invoice-generating activities. This ensures that any malicious activity a user discovers at a later stage can be traced using the historical data captured in the solution.
The e-invoicing solution should not permit alteration or deletion of already generated invoices and their related Credit and Debit Notes (CDNs). If an e-invoice is issued in error, the taxpayer is advised to cancel it by issuing CDNs. However, deletion or alteration is strictly not allowed.
The taxpayer should ensure that their e-invoicing solution does not allow any modification of the system logs that store data related to the system’s activities. Access to the logs may be allowed, but the solution should prohibit any alteration or modification of them.
The e-invoicing solution should not allow the user to change the time or date on the generated e-invoice as per their convenience. This may lead to e-invoices carrying false information. Thus, the solution itself should generate time and date, and users should not be given any control over the same.
The e-invoice generated by the solution should be in sequence with the previously generated e-invoice. This is ensured by making all the log entries in the system time-stamped to track the generation of e-invoices. Also, the e-invoice to be generated should be linked with the previous invoice by placing the previous invoice’s hash in the current invoice’s associated field.
The invoice counters should generate the invoices in a sequence. Resetting the invoice counter leads to a new sequence for invoices. Hence, the taxpayer’s e-invoicing solution should not contain the feature of resetting the invoice counter.
This functionality is prohibited in particular to ensure that the e-invoice to be generated carries the hash of the previous invoice. If the taxpayer has more than one invoice generating unit, then separate invoice sequences can be followed at each unit.
Also, if the e-invoicing solution generates an invalid e-invoice or related CDNs, they should not be deleted but preserved to maintain the sequence.
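The sequencing rules above (previous-invoice hash, no counter reset, invalid invoices preserved) can be checked mechanically over one generating unit's invoices. The following Python is an added example, not ZATCA's specification or any vendor's code; the record fields, the JSON encoding and the all-zero first "previous hash" are assumptions made for illustration.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for a unit's first invoice
FIELDS = ("counter", "issued_at", "total", "status", "prev_hash")  # hypothetical fields

def invoice_hash(inv):
    """SHA-256 over the hashed fields in a fixed order (simplified encoding)."""
    body = json.dumps({k: inv[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def issue(chain, issued_at, total, status="valid"):
    """Append an invoice; counter and prev_hash come from the chain, not the user."""
    last = chain[-1] if chain else {"counter": 0, "hash": GENESIS}
    inv = {"counter": last["counter"] + 1, "issued_at": issued_at, "total": total,
           "status": status, "prev_hash": last["hash"]}
    inv["hash"] = invoice_hash(inv)
    chain.append(inv)
    return inv

def verify(chain):
    """Return (index, finding) pairs for one generating unit's invoice sequence."""
    findings, prev_hash, prev_counter = [], GENESIS, 0
    for i, inv in enumerate(chain):
        if invoice_hash(inv) != inv["hash"]:
            findings.append((i, "altered"))               # content changed after issue
        if inv["prev_hash"] != prev_hash:
            findings.append((i, "broken_link"))           # predecessor removed or replaced
        if inv["counter"] != prev_counter + 1:
            findings.append((i, "counter_gap_or_reset"))  # sequence skipped or restarted
        prev_hash, prev_counter = inv["hash"], inv["counter"]
    return findings

# Constructed sample: four invoices, the third invalid but preserved in sequence.
chain = []
for ts, total, status in [("2024-01-01T09:00:00Z", "100.00", "valid"),
                          ("2024-01-01T09:05:00Z", "250.00", "valid"),
                          ("2024-01-01T09:06:00Z", "0.00", "invalid"),
                          ("2024-01-01T09:10:00Z", "75.50", "valid")]:
    issue(chain, ts, total, status)

edited = copy.deepcopy(chain); edited[1]["total"] = "25.00"  # alteration of an issued invoice
deleted = copy.deepcopy(chain); del deleted[2]               # invalid invoice deleted
reset = copy.deepcopy(chain) + [issue([], "2024-01-02T09:00:00Z", "10.00")]  # counter restarted

if __name__ == "__main__":
    for name, c in [("intact", chain), ("edited", edited), ("deleted", deleted), ("reset", reset)]:
        print(name, verify(c))
```

If the altered invoice's own hash is recomputed to hide the edit, the finding moves to the next invoice as a broken link, which is why each invoice must carry its predecessor's hash.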
The e-invoicing solution must be sufficiently equipped to prevent any changes to the time in the related software. This is, again, to prevent time changes in the generated e-invoice.
Every e-invoice needs to contain a cryptographic stamp on it. For this, every e-invoicing solution has a cryptographic private stamping key, enabling it to generate the same. The ZATCA has imposed a prohibition under which the e-invoicing solution should not share/export this stamping key.