Due to increased government scrutiny, tax directors have urged businesses to strengthen data security as they produce ever-increasing amounts of information.
According to tax experts, as governments push for greater digitisation, businesses run the risk of failing tax audits if they do not adequately protect their data on external platforms.
The calls come in response to an increase in data production by businesses as a result of greater tax automation and requirements for live invoicing by tax authorities.
While using technology has been a positive development for tax departments, Sabine Studer, head of group tax at metal processing company Bystronic in Zürich, says it has increased security risks around data.
"Hosting data for tax purposes must first and foremost be secure and companies may want to choose cautiously where they host their data," according to Studer.
She claims that because data privacy laws differ from nation to nation, different IT solutions may be needed to handle them and guarantee the security of corporate data.
The protection of data by outside suppliers presents another difficulty for businesses.
"You can choose your outsourcing provider, but can you determine where they store your data? Not exactly," responds Studer.
She claims that when businesses change their business models, data security risks also arise from third-party vendors and tax engines, or tax compliance software. This frequently results in the transfer of data between external entities, raising concerns about the oversight of corporate data.
"The question is, when your data travels [between outsourced entities], will these providers still fit your data security expectations?" inquires Studer.
The impact of businesses leaving Russia as a result of the conflict in the Ukraine has increased among tax director data and audits.
"TWe recently sold an entity in a country where nobody wants to do business, but the new owner took the ERP system with the data and we no longer have access to that information," Studer said.
She claims that the problem is a lack of access to tax information from sold businesses. In the event that tax authorities decide to conduct their upcoming audits, it is anticipated that this data gap could cause problems for businesses.
"We now have no hard copies, no scanned documents or filed tax returns at the time [when we owned the business]," says Studer.
This incident highlights the significance of carrying out thorough due diligence when disposing of entities, especially when it comes to the transfer of data.
It also emphasizes the necessity of having solid procedures in place for multinational corporations, including guidelines on data ownership and workflows or accountability.
Data risks include practical concerns with the storage, handling, and transfer of business information in addition to those related to mergers and acquisitions.
Companies now face the additional challenge of either updating or maintaining their current data processes as a result of the introduction of new technologies like ERP systems. This choice is typically based on how complicated and expensive such processes are.
Instead of completely overhauling processes, businesses might be compelled to keep paying for outdated ERP systems long after they are no longer necessary in order to support audits by tax authorities.
The risks to business data go beyond platform-specific issues and take into account issues with national data security as well.
For businesses, determining who has control over data in various jurisdictions can frequently be a costly and time-consuming process.
It also raises concerns about the inconsistency of e-invoicing regulations across nations, particularly those in the EU.
Companies are under a lot of pressure to comply with various regulations as a result of the lack of e-invoicing regulation harmonisation. This includes the management, storage, and transmission of data by businesses to tax authorities.
A tax expert at a multinational cosmetics company in Europe claims that due to increased digitisation and as more nations introduce their own distinct systems, there is an urgent need to harmonize data regulations between EU member states.
"We need to have some full harmonisation of those regulations because multinational companies shouldn’t be exposed to risks [due to lack of harmonisation] in different countries," he claims.
According to Gorka Echevarria, global VAT leader at Geneva-based laser printer manufacturer Lexmark, member states need to understand that it is very expensive for businesses to adapt to all these intricate individual state-level requirements.
He claims he has his doubts about the EU's ability to successfully harmonize digitisation laws across the Union. During a global economic downturn, member states are unlikely to readily give up some of the revenue boost they have received from enforcing their own national regulations.
Businesses are also troubled by the fact that governments are requesting larger and larger amounts of data from them.
Tiina Ruohola, head of VAT at the Confederation of Finnish Industries, issues a warning about the tax authorities' demand for data from businesses.
She claims there are concerns that the national tax authorities of the EU might be requesting more user and company information than is necessary.
Regulations governing e-invoicing also mandate that businesses have ERP systems that can quickly process tax information, generate invoices, and send those invoices in real time to tax authorities.
The EU has given member states until 2025 to harmonize their e-invoicing systems, so in the interim, each nation is free to put its own unique national procedures into place.
The current lack of a unified approach to live invoicing costs businesses a lot of money and resources as they attempt to meet their data needs while remaining compliant with various regulations.
Of course, businesses must stay abreast of data compliance requirements, but this is not always simple given the distance between audits and the rapidly shifting technological and legal landscape.
Any data loss poses serious risks, so businesses would be wise to implement strong security measures to protect their corporate data for the inescapable audits.
By fLEXI tEAM