Slashdot Mirror
Norway Tax Auditors Want To Open Source Cash Registers To Combat Fraud
Qedward writes "The Norwegian Ministry of Finance seems to be taking a bit of stick at the moment. It wants all the existing cash registers in the country thrown out and replaced with new ones. Not surprisingly, this massive upgrade is not popular. But it is apparently being pushed through in an attempt to prevent cash registers' figures being massaged downwards in use so as to reduce tax. The Norwegian association of tax auditors said: 'The source code must be opened.' 'Without source code it is not possible to determine whether or "hidden" functionality exists or not. Just knowing that the tax authorities have access to the source code of the application, will reduce the effort to implement hidden functionality in the software.'"
Releasing the source doesn't guarantee that a specific cash register is also running that code. So will this be all that helpful?
These are the requirements from the article:
Suppliers must be able to prove that the system can integrate with external software that allows changing the online journal.
It shall not be possible to change the entries in retrospect or change preset text on goods and services at registration.
It shall not be possible to record sales without a receipt is printed.
It shall not be possible to drive out more than one copy of the receipt.
It shall not be possible to mark some groups so that they are included in the reports.
I can't remember who told me when I was much younger how to spot the people running cash businesses and not declaring all their tax - they wouldn't be able to get the mortgage for an expensive house, but the inside would be overly luxuriously appointed, and they'd often have a flash car bought outright.
Nevada has rules like that for slot machines. Only tougher. Stuff like:
Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent authentication information.
Provide, as a minimum, a two-stage mechanism for verifying all program components on demand via a communication port and protocol approved by the chairman. The mechanism must employ a hashing algorithm which produces a messages digest output of a least 128 bits and must be designed to accept a user selected authentication key or seed to be used as part of the mechanism (i.e. HMAC SHA-1). The first stage of this mechanism must allow for verification of all control components. The second stage must allow for the verification of all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the verification information must be stored on a Conventional ROM Device. [Effective 11/1/2012] All gaming devices must also provide the same two-stage mechanism for verifying all program components on demand via a gaming device user interface where the results are displayed on the gaming device.
That's just one item. There are lots of other logging and audit trail requirements. The Nevada Gaming Commission checks these regularly.
Certain core features, yes, definitely, but that would be far from sufficient for most businesses I know. As well, most businesses I know have a hard time keeping a competent IT guy on staff, let alone a team of programmers that many would need to implement the features they desire and maintain them. And since most Point of Sale software enhancements have no need to release to the general public, even if open source, you'll end up with 100s of forks (which won't work if it is supposed to be 1 master system), and most the solutions will be kept private, meaning most businesses, even if they have common needs, will still have to start from scratch every time. I just simply don't see this working at all. You either get one master system that is seriously unwieldy as it tries to cover a massive number of competing and will likely end up covering them all fairly poorly, or you get 100s of separate systems that are superficially similar which seems completely contrary to the whole point of the exercise to get 1 system.
I had a friend who installed POS systems in small businesses for a living. At restaurants, the most important feature of any POS system was the ability to make a table disappear out of the records.
The real "Libtards" are the Libertarians!
Or have functionality that's "customer customizable".
One easy way is registers that allow multiple currencies, which is common enough in Europe. Have the customer pay in "Kr" and get his receipt in "Kr" (the common symbol in Norway for Norwegian kroner, crowns), and then have the sales registered as NOK with an exchange rate of 1.5:1. Suddenly you only have to pay tax on 2/3 of your income.
Another easy way would be to split the credit between two accounts (which unlike double ledgers isn't illegal - but reporting just one of them most certainly is).
Or allow functions like deleting sales records to be accessible by anyone by running the register in a documented "test mode".
There are so many possible ways to allow the stores to game the system without being programming geniuses.
But is open source going to help? I am unsure.
Since a few years back all bussines are demanded to have a "black box" connected to the register that tracks all events. Tax authorities can come in any time and download the content to check for any irregularities. It logs everything including how many times and how often the drawer is opened.
Far from dodgy companies. This is a common feature in many (all?) cash registers used in small business, especially restaurants.
I know people who work in restaurants, and they told me that this is a public secret.
The way it works is that at the end of the day, you can make the register change the numbers by an amount or a percent. Ther register will then do the math to change the number of coffees served and muffins sold and things like that. It does this so that the numbers still make sense and correlate with expected ratios.
At that point, the business day is closed, the register is printed, and you get some money out of the till under the table. If the inspectors should come in during the day, you can just print whatever the current status is, which will then be immutable at the end of the business day to avoid discrepancies.
This functionality is not advertized in writing, but all sales persons know about it and know how they can explain this to the owners. All major registers have features like this, and I can understand why the inspectors would require open source. Because skimming money becomes an order of magnitude more difficult if you don't have a register to help you create a phony audit trail.
On the other hand business who bought and used my software found much of their income was being fudged by employees usually through cancelled transactions. When a customer pulls out cash and says no receipt necessary the transaction is cancelled an the cash pocketed.
Your'e all thinking it, I just said it for you
There's nothing in the article about FOSS. There's not even anything about "open source", just that the tax agency should have access to the source code.
c++;
being, of course, the pocket of the clerk at the register.
if this is supposed to be a new economy, how come they still want my old fashioned money?
In Portugal, for the last couple of years it is already required for every business to have a "certified" software that enforce some similar rules. Even though the software doesn't need to be open source, every invoice or receipt must include part of an hash key that is automatically generated based on key data (VAT Nr, amount, date, value), an asymmetric key given to each software manufacturer *and* the hash from the previous document. This makes it impossible to change any document after it has been printed out without invalidating every document printed after it. There was a requirement that every software had to be able to export accounting details in a standard format (SAF-T), if requested from the tax authority. Since 1-Jan-2013 every business is now forced to send monthly detailed invoce data to the tax authority.
I was an auditor for a state in the USA (posting anon). This is widely known among auditors. The hard part is proving that the place did that.
The state has in the past (at least talk at the legislative level) talked about outlawing software with this feature, but the business burrow makes excuses, like for instance I think I heard these type of "features" are required for discounts, coupon type things, if someone isn't satisfied and get's a free meal, etc.
I think it's a bunch of BS since the software does these things quietly without making an audit trail, but nothing ever happened past the initial talks that I'm aware of.
And even if it did, you could say oh it was a 15% off day or some crap, so you could still hide it unless you could prove it wasn't.
I worked in banking previously, and it was widely known that business's hide money. See small business's want it both ways. They bring their tax info to the Bank for loan or w/e then the bank denies or less then they wanted or unfavorable terms, and some people actually say well I actually make more then this. Our loan officer used to joke about it during training. You can't have it both ways.
There are many things working in Auditing I've learned about. Some is very creative and some is just very simple.
Here in Portugal, the government has mandated all cash-registers to run certified programs that regularly upload transaction data to our Tax Authority.
Tax evasion has always been blatantly huge in restaurants, bars and cafés. It's no wonder the restaurant associations are up in arms with this. They've declared war on card payments too, which is something that pisses me off. They claim the bank rates are too high, but guess what the real reason is?
Just like the constructions business, they've had practically a licence to print money during the latest decades. Now with the economic crisis, they're going down the toilet. I'm not shedding a tear for them. I just pity their poor employees that will be out of work and are certainly not finding another anytime soon. They had shit-paid, stressful, long-hour jobs, but it's better than no job.
I have interesting experiences with a new cash register on both these points. The franchise I work for was essentially ordered to install a certain franchise approved cash register to combat exactly this kind of fraud (not at our store specifically, but the fraud was rampant business wide). With many hundred stores in the country it would have cost an absolute fortune to replace all the registers.
One of the handy features of the new registers is the ability for it to automatically do analytics on sales performed by staff. They were designed to have an RFID tag before a staff member can perform sales. We don't have those at our store, but instead you insert the names of the staff working on any given day (only 2-3 out of a larger pool so the analytics works quite well). The cash register watches for key things such as when a many cancelled transactions correlate with certain staff working and sends an email. You can also pull out all sorts of records such as time the register was open, time to complete transaction etc to pinpoint staff members who may be slow / require more training on the machine.
And naturally with all such modern things it has a web interface so we can quickly log in from anywhere and check on people. Interestingly enough it reports real-time sales back to the head office and from their website we can see a ranking of all stores in the state at any given time, though just a number ranking, not the actual sales figures.