Norway Tax Auditors Want To Open Source Cash Registers To Combat Fraud

Qedward writes "The Norwegian Ministry of Finance seems to be taking a bit of stick at the moment. It wants all the existing cash registers in the country thrown out and replaced with new ones. Not surprisingly, this massive upgrade is not popular. But it is apparently being pushed through in an attempt to prevent cash registers' figures being massaged downwards in use so as to reduce tax. The Norwegian association of tax auditors said: 'The source code must be opened.' 'Without source code it is not possible to determine whether or "hidden" functionality exists or not. Just knowing that the tax authorities have access to the source code of the application, will reduce the effort to implement hidden functionality in the software.'"

Just releasing the source may not fix it

[phaunt]

Releasing the source doesn't guarantee that a specific cash register is also running that code. So will this be all that helpful?

Re:Just releasing the source may not fix it

Are there examples of cash registers which are running code which have illegal, hidden functionality?

Oh yes; here in Sweden there was registers that had hidden features that could be activated in order to reduce the reported sums/amount of transactions by the users choice. Typically used in restaurants/bars. Since a couple of years all registers have to certified and connected to a 'black box' supplied by our equivalent to the IRS.
There was also frequent manipulation of the meters in taxis.

Re:Just releasing the source may not fix it

[bogjobber]

Where to begin......

The Laffer curve, while an inarguable *concept*, doesn't actual help us in any way set tax policy because nobody knows where the tax rate that most efficiently produces revenue actually lies. Knowing that the graph is of a quadratic shape doesn't help at all if you don't know what the formula looks like.

You'll notice that the Laffer curve is always used to argue for lower tax rates, not higher, but the US individual tax rate is actually significantly *lower* than the most optimal tax rates predicted by most academic studies. Most of those studies put it in the 65-70% range, and I don't see many people that love to use the Laffer curve in arguments saying we should raise tax rates.

Secondly, this is talking about sales tax and VAT, *not* income tax. The Laffer curve has little to do with consumption taxes. Having a high taxation rate for different sorts of consumption taxes can actually have substantial benefits depending on what you're trying to do. Norway does have an extraordinarily high sales tax. AFAIK it is one of the highest in the world, which leads to lots of interesting behavior from their citizens as they try to avoid those taxes. It also leads to decreased consumption and more judicious use of resources.

Either way, Norway is usually at or near the top of the list for everything from education, health care, income equality, poverty, corruption and most everything else by just about any sort of metric that measures the effectiveness of government, so they're obviously doing something right.

Like the Nevada rules for slot machines

[Animats]

Nevada has rules like that for slot machines. Only tougher. Stuff like:

Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent authentication information.

Provide, as a minimum, a two-stage mechanism for verifying all program components on demand via a communication port and protocol approved by the chairman. The mechanism must employ a hashing algorithm which produces a messages digest output of a least 128 bits and must be designed to accept a user selected authentication key or seed to be used as part of the mechanism (i.e. HMAC SHA-1). The first stage of this mechanism must allow for verification of all control components. The second stage must allow for the verification of all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the verification information must be stored on a Conventional ROM Device. [Effective 11/1/2012] All gaming devices must also provide the same two-stage mechanism for verifying all program components on demand via a gaming device user interface where the results are displayed on the gaming device.

That's just one item. There are lots of other logging and audit trail requirements. The Nevada Gaming Commission checks these regularly.

Allready done in Sweden

[Kottie]

Since a few years back all bussines are demanded to have a "black box" connected to the register that tracks all events. Tax authorities can come in any time and download the content to check for any irregularities. It logs everything including how many times and how often the drawer is opened.

Re:Of course, It begs the question...

[Interfacer]

Far from dodgy companies. This is a common feature in many (all?) cash registers used in small business, especially restaurants.
I know people who work in restaurants, and they told me that this is a public secret.

The way it works is that at the end of the day, you can make the register change the numbers by an amount or a percent. Ther register will then do the math to change the number of coffees served and muffins sold and things like that. It does this so that the numbers still make sense and correlate with expected ratios.
At that point, the business day is closed, the register is printed, and you get some money out of the till under the table. If the inspectors should come in during the day, you can just print whatever the current status is, which will then be immutable at the end of the business day to avoid discrepancies.

This functionality is not advertized in writing, but all sales persons know about it and know how they can explain this to the owners. All major registers have features like this, and I can understand why the inspectors would require open source. Because skimming money becomes an order of magnitude more difficult if you don't have a register to help you create a phony audit trail.

Re:Of course, It begs the question...

I was an auditor for a state in the USA (posting anon). This is widely known among auditors. The hard part is proving that the place did that.

The state has in the past (at least talk at the legislative level) talked about outlawing software with this feature, but the business burrow makes excuses, like for instance I think I heard these type of "features" are required for discounts, coupon type things, if someone isn't satisfied and get's a free meal, etc.

I think it's a bunch of BS since the software does these things quietly without making an audit trail, but nothing ever happened past the initial talks that I'm aware of.

And even if it did, you could say oh it was a 15% off day or some crap, so you could still hide it unless you could prove it wasn't.

I worked in banking previously, and it was widely known that business's hide money. See small business's want it both ways. They bring their tax info to the Bank for loan or w/e then the bank denies or less then they wanted or unfavorable terms, and some people actually say well I actually make more then this. Our loan officer used to joke about it during training. You can't have it both ways.

There are many things working in Auditing I've learned about. Some is very creative and some is just very simple.