Electronic signing is one of many important and effective business controls that work together to assure the authenticity and integrity of invoices.
Ariba continues to support e-signatures for authentication despite the European community's shift towards other business controls, because the rules and processes for e-signatures are clear and well understood by customers and regulating tax authorities.
Also, Ariba feels it's important to use country-specific certificates, unlike e-invoicing solutions from vendors that use their own certificates across many countries. In fact, in the case of cross-border trade, the Ariba Network might apply two e-signatures using certificates for the originating and destination countries.
For authentication, it's necessary to validate that both parties involved are who they claim to be. To ensure data integrity, both parties must maintain data accuracy and consistency over a transaction's entire lifecycle.
Ariba customers and auditors familiar with the Ariba Network find that our controls go well beyond what's possible with traditional paper- or imaging-based processes.
The following list describes business controls within the Ariba solution and ERP systems that ensure the data, transactions, communications, and documents are genuine and authentic, and prevent the modification of data in an unauthorized or undetected manner.
Establishing trading relationships
- Buyers receive invoices from only known suppliers.
- Buyers can delegate the responsibility for creating trading relationships to personnel dedicated to that task.
- Suppliers accept Ariba Network's Terms of Use and contractually take responsibility for their data and conformance to laws related to invoicing.
- Public suppliers trade with public buyers in the Ariba community.
Invoice submission
- Only users known by the supplier and established by the supplier's Ariba Network administrator can submit invoices.
- Suppliers submit electronic invoices using either a shared secret or a valid digital certificate.
- When suppliers submit electronic invoices, they can validate the identity of the Ariba Network by authenticating its public certificate.
- The Ariba Network enforces a minimum of 128-bit encryption for all HTTPS connections, which is the current encryption-strength standard for financial transactions.
- Electronic transactions must conform to the cXML standard.
Data integrity
- Buyers can establish detailed business rules that maintain the integrity of source data, such as:
  - Do not allow non-PO invoices.
  - Suppliers cannot add additional line items in PO invoices.
  - Credit memos must be created from the original invoice.
E-signatures
- After transmission and validation, the Ariba Network electronically signs invoices on behalf of the supplier using the appropriate country-specific certificate in the following countries: Austria (AT), Belgium (BE), Bulgaria (BG), Czech Republic (CZ), Denmark (DK), Estonia (EE), Finland (FI), France (FR), Germany (DE), Greece (GR), Hungary (HU), Ireland (IE), Italy (IT), Latvia (LV), Lithuania (LT), Luxembourg (LU), Netherlands (NL), Norway (NO), Poland (PL), Portugal (PT), Romania (RO), Singapore (SG), Slovakia (SK), Slovenia (SI), South Africa (ZA), Spain (ES), Sweden (SE), Switzerland (CH), and United Kingdom (GB).
- Ariba solutions such as Ariba Procure-to-Pay, Ariba Invoice Professional, or Ariba Buyer perform an integrity check of incoming invoices.
Validation with tax authorities
- The Ariba Network verifies that Brazilian e-invoices are registered with the tax authority, Secretaria da Fazenda (SEFAZ).
- For Mexican e-invoices, an authorized PAC performs the e-invoicing creation and validation processes mandated by the tax administration (SAT).
Buyers and suppliers can find a more comprehensive definition of the Ariba process and the controls to review with their systems auditor and tax advisor in the Ariba Network Guide to Invoicing.
ERP Controls
The above business controls establish a line of defense before buyers apply additional controls in subsequent middleware, ERP, or business processes. Because buyers and suppliers must assure the integrity of data over its entire lifecycle, it's important that the customer's tax auditor understand not only the Ariba controls but also how those controls work with the controls in the buyer's financial and archiving systems, such as the following:
- Buyers can confirm integrity of the data through a cryptographic verification of the signature upon the receipt of the invoice from the Ariba platform.
- Buyers can develop business controls associated with the establishment of ERP vendor masters to ensure the vendor is genuine.
- Buyers can match Ariba invoices to the ERP vendor master and either block posting or fail transactions from unknown, invalid, or blocked vendors.
- Buyers can establish vendor-specific approval rules to review transactions when the vendor is in question.
- Buyers can confirm integrity of the data through a cryptographic verification of the signature regardless of the validity of the certificate at the time of audit.
Ariba publishes easy-to-understand technical invoicing information for customers, tax advisors, and systems auditors in the Ariba Network Guide to Invoicing.