ISLAMABAD: Federal Board of Revenue (FBR) has highlighted the top hurdles in the way of installing Point of Sale (POS) system at Tier-1 Retailers, which if done successfully, would generate revenues worth billions of rupees, officials said on Wednesday.
The FBR, in an internal report, pointed out technical, legislative, and administrative loopholes that might compromise this highly important project which the board itself declared a game-changer for improving dwindling tax to GDP ratio for the country.
According to an internal FBR report, some inherent lacunas of the system have surfaced due to legislative and technical specifications. The report was prepared after some alleged violations of Sales Tax Invoicing by Tier-1 Retailers and POS integrators.
It says the cases of M/s Savemart, M/s ICC, M/s Edenrobe, M/s D Watson and their POS Integrators/Vendors were anonymously investigated and a brief report is being submitted to plug gaps in FBR’s POS System.
Some technical issues came to fore due to lack of foresight of POS System, which allowed more than three intermediaries for transmission of a fiscal transaction.
The database push-pull features are subject to on-demand inquiry and put custodianship of the access network on POS Integrators/Vendors. There is no Operating System (OS) event and Network Tracing mechanism that generates periodic reports to auto-check violations.
One of the chief features of the technical aspect of system failure is the absence of colocation of POS-SDC/VSDC/ESDC-EFD modules, which leaves POS operators with valid excuse of ‘system out-of-order/internet disconnectivity.
The poor technical input while drafting of the law, especially in Rule 150ZEB of the Sales Tax Rules, 2006, exposes the system for tempering and excuses for frequent failure.
Another issue is real-time invoice number is dependent on FBR BCS, which makes the system fragile and unreliable.
Moreover, the POS vendors are using high-level specification compliance, while low-level specifications’ compliance has not been defined in the law, which standardises the software. This feature provides the POS user with the option to enable or disable applications at the backend.
It further states the POS Systems are not working in Root-Admin, i.e. single-user with root-level privileges mode, which provides POS operators to login/use, and abuses the intent and purpose of the system.
Information Security Audit has been superficially defined under Rule 150ZED and no periodic audit has been mandated to check for violation and tempering.
Also, there is no segregation between POS system-based on Dumb Terminals or POS-based on Smart Terminals and IS Compliance needs well-defined parameters.
Application, sequencing, network, etc anomaly identification and reporting to the consumer, POS Integrator/Vendor, and FBR are missing in the specification. Legal Issues in Sales Tax Rules, 2006 Rules pertaining to compliance ignore IS/CIS Compliance Standards, which are part and parcel of the fintech initiative of organisations, especially for government bodies and authorities.
A critical view of the legislation leaves wide room for manipulation, according to the report, which adds that pertinent legal issues are presented as under PTA licensing for Internet-Service Providers, Developers, and IT Vendors is a grueling process that requires submission of IT Audit along with Compliance Audit and its subsequent submission to SECP, which is not available in the said Sales Tax Rules in force. The Rs1 audit, on the footprints of PTA service deductions may either be given to PTA or FBR.
The FBR’s access, system and application trace reports and transmission of log reports of EFDs (electronic fiscal devices) are not specified in sub-rule 7 of 150ZEB.
No use of such reports has been envisaged in the design document. POS Integrators/Vendors’ accreditation process completely misses Center for Internet Security (CIS) Standards’ pre-requisites.
Also Rule 150ZEF completely misses consequences for POS Integrators/Vendors.
Under sub-rule 10 of 150ZEB malpractice/error an inconsistency has no meaning if there is no transparent violation-count and its utilisation for blacklisting and penalisation of POS Integrators/Vendors.
The Sub-rule 9 directs the retailers to accommodate the data in Annex-C, whereas auto generation of Income Tax Return and Sales Tax Returns was possible and has been missed by PRAL.
The law also doesn’t provide for clear performance-based parameters for penalisation, blacklisting, or cancellation of POS Integrator/Vendor license. Application tracing and POS terminals network tracing and automated transmission of trace report, highlighting anomalies is missing in the legislation. A critical analysis of administrative aspect suggests that FBR, as an organisation, has not shown intent to make this high-potential system successful. As an example worth quoting, Telenor Pakistan has IS and IT Audit Compliance department comprising not more than 2 officers. This means custodianship of intent and purpose of an IT system must be maintained in order to make it successful.
Responsibility in case of failure must be placed on leaders. As accountability is to everyone, responsibility is to the leader of an enterprise. The report suggested IT-IS Audit section, independent of Chief (IT) must be established to conduct and critically analyze such proposals, designs, and functioning of IT systems. This team must be empowered to call into question various development and operations projects and procedures of PRAL and other third-party IT vendors.
It said IS Compliance measures and modification to the EFD/SDC/BDS wereurgently required to settle the issue once and for all. IRS-CSS Cadre has a recognisable number of engineers available to FBR, which is the strength of the department.
The IT-IS audit section can have matrix structure to repose additional responsibilities with IRS-Engineering degree-holders to conduct snap IT Access-audit, in-camera-visit premises, call/fetch trace reports and look into complaints in respective RTOs/LTOs etc.
Tax Asaan application must contain invoice generation mechanism, in case where the Tier-I retailers deny authentic POS invoice. The retailer may take the smart phone to punch the invoice with their login-password.
Also, the complaint registering mechanism is non-consequential for the user of the application, which should be made worthwhile for the end-user.
It further says the hotline for general public, is not known and not written on POS Invoices, which makes it impossible to report violation and get feedback with remedial measure.
The designated ADC/DCs at the moment do not respond to any complaints. Network Operations Center (NOC) with Northbound Interfacing (NBIs) must be placed in each RTO, which must have an escalation system to FBR Headquarters.
The FBR in its report said the aspects highlighted lie at the heart of the problem and were important to make the system impregnable.
The Retailers and POS Vendors, in connivance, are taking advantage of these loopholes to fail this high-potential initiative of FBR, the report concluded.
Federal Minister for Commerce Jam Kamal Khan addressing to media persons at Trade Development Authority of Pakistan in...
TRG logo can be seen on a computer screen. — TheNews Desk/file KARACHI: IBEX Limited, a US-based technology...
The representational image shows a person holding gold necklaces. — AFP/FileKARACHI: Gold prices rose by Rs800 per...
Technicians work on the assembly line in a solar manufacturing hub in Greater Noida, on the outskirts of New Delhi...
Chairperson Sindh HEC, Prof. Dr. S.M. Tariq Rafi addressing at the FPCCI Auditorium in Karachi. —...
Officials of Nutech and ABAD posing for a photo after signing MoU. — Facebook@abadpakistan/fileKARACHI: The...