Updated Analysis of Business Continuity Issues Underlying the Certification of Invoicing Software, Considering a Pandemic Scenario

Article history: Received: 06 October, 2020; Accepted: 11 November, 2020; Online: 27 November, 2020

Portuguese organizations that have invoicing software certified by the Tax and Customs Authority need to comply with technical requirements that involve business continuity and disaster recovery. The recent tax legislative changes created conditions for the dematerialization of documents, allowing invoice printing to be waived and encouraging the adoption of an electronic invoicing and document archiving system. The pandemic situation boosted the need for organizations to integrate this paradigm into their business processes. However, there are some constraints in the implementation of these requirements, due to technical issues, the interpretation of tax legislation or the selection of frameworks or good practices for Information and Communication Technologies. The objective of the work is to present a set of concerns underlying the design of a business continuity plan, supported by current tax legislation, by standards and by codes of good practice. In view of the constraints of Portuguese business capacity, a minimum solution is also presented that meets the legal, regulatory, good practice and conceptual requirements of Information and Communication Technologies for initiating the design of a Business Continuity Plan. The method used in this investigation was based on the analysis of the international standards ITIL, ISO, CMMI and COBIT, through the assertive interconnection of the subject under study with the provisions stated in the Portuguese legal framework in the field of invoicing. The main result was the conception of a decision support process for designing a guide concerning the optimization of the business continuity plan design process.
In view of the problem under study, it is considered that the main expected results were achieved, by fostering the design of Business Continuity Plans in Portuguese organizations, in order to reduce the gap between the practices currently in place and the requirements underlying certification, as a way to prepare organizations to deal with disruptive events in invoicing business processes.


Introduction
This work is an extended version of the paper [1] originally presented in 2019 at the 14th Iberian Conference on Information Systems and Technologies (CISTI), where some guidelines for the conception of a Business Continuity Plan (BCP) were presented, taking into consideration the organization's capabilities and its tax and legal obligations.
Since this is a new study, there are limited implementation results to present. Nevertheless, the companies questioned referred to the need to implement electronic archive to reduce costs, optimize business process and archiving procedures and find information faster. This extended version attends those concerns and goes a step further by integrating those requirements in the analysis, providing a new tool to cope with constraints during the pandemic situation.
This direction further presents the Business Continuity (BC) components and updates the guidelines for the BCP. A key perspective is now introduced in the development of the guidelines, including the forced paradigm of remote work and the constraints on business operations that result from a pandemic situation. Organizations must endeavor and adapt to resist the changes or thrive with the opportunities and continue the digital transformation.

ASTESJ ISSN: 2415-6698
Adding to this situation, in recent years, the software development industry has been faced with legislative changes, which include more functional, and tax or fiscal requirements. By legal imposition, there was an expansion on the range of organizations covered by the obligation to have Invoicing Software (ISw) certified by the Autoridade Tributária e Aduaneira (AT), the Portuguese Tax and Customs Authority.
The resulting legislative simplifications created conditions for the dematerialization of documents, providing for the possibility of dismissing invoice printing, encouraging the adoption of an electronic invoicing and electronic document archiving system.
Thus, measures of sustainability and cost reduction were incorporated, namely, the reduction of file space, reduction of paper, consumables and printing hardware, allowing also to expand the optimization and automation of invoicing and archive procedures. These measures may be a stimulus for organizations to invest in the development and use of new technological instruments, incorporating a philosophy of innovation and sustainability.
In this sense, having in mind that ISw are one of the components of Information Systems (IS), they are subject to a specific framework in the tax area and to a set of functional requirements that aim to ensure data integrity, security of information and business continuity. In this work, the diplomas that frame and describe the technical requirements that the ISw must observe to obtain a certificate of conformity will be presented.
Whether due to investment capacity, integrated knowledge of the requirements involved, the interpretation of the diversity of existing standards and good practices, the perception of imminent risk or simply the definition of priorities, some organizations have not yet started designing the BCP, or hold the notion that technology will simply solve problems during, and after, a disruptive event in their activity. In the case of small organizations, a BCP does not necessarily need to have a high degree of complexity. It is commonly argued that analyzing risks, understanding how to continue the business in the event of a disaster and recovering from that disaster are crucial activities in business continuity, and that they should be understood as adding value to organizations and not just as a requirement to be met for compliance. However, the failure to define a BCP makes it difficult to comply with tax legislation in the context of the certification of ISw, lengthening the certification process, usually in scenarios where organizations, for commercial reasons, need to obtain the certificate issued by AT quickly. In addition, the present pandemic situation triggered the need for organizations to transform digitally and to integrate their business software with electronic invoicing capabilities, especially for online sales.
Thus, the need arose to create a guide for the design of a BCP, to reduce the gap in organizations, between the perception of business continuity requirements and the requirements underlying the certification of an ISw, translating them into concrete proposals with due legal and fiscal justification, standards and good practices in the area of Information and Communication Technologies (ICT).

Literature review
The literature review presents business continuity as a program to be followed by organizations that intend to be prepared. It included the review of regulations on the subject, as well as the analysis of Data Centers and of the legislative needs underlying the certification of ISw.

Business Continuity
Organizations can be thought of as a set of value chains or business processes transversal to the various organic units that compose them [2]. Economic, technological and human uncertainties have long presented organizations with the possibility of crises arising, impeding their ability to operate and maintain their business processes and, finally, survive [3].
Organizations increasingly realize the importance of adopting proactive approaches: it is essential to safeguard business processes and the relationship between them in order to achieve business objectives [4]. Thus, organizations must prepare themselves for disruptions to their productivity and competitive capacity, especially in business processes supported by ICT services made available to the organization.
With this in mind, organizations must develop a set of policies and procedures to minimize the impact of these disturbances. The importance of these measures is emphasized, since the impact of a disturbance may affect productivity and competitive capacity, especially in the case of organizations whose dependence on ICT services is marked. This is the concept underlying BC, in which an organization must have the strategic and tactical capacity to plan for and respond to business incidents and interruptions [5], in order to continue business operations at an acceptable predetermined level.
One of the accepted responses in BC is Disaster Recovery (DR), defined as the process performed by an organization to resume business services after a disruptive event [6]. In this sense, the authors advocate a DR planning approach [7], favoring the recovery of business processes, especially those supported by ICT services.
However, organizational resilience can be understood as the ability to increase the probability of continuity of any system against disruptive incidents, whether these are internal or external variations, changes, disturbances, disruptions or surprises [4]. This concept of resilience also covers effective planning for the relaunch of business processes in the short term, with the BCP, in addition to the long-term restoration of interrupted operations, with the Disaster Recovery Plan (DRP), following disruptive events.
Being prepared for these events requires proactive planning of the organization's resources so that it can deal with disasters effectively and efficiently [8]. Therefore, the organization must plan its actions before a disaster occurs, taking into account the crisis management phases, resulting from a disaster, as proposed in Figure 1.
Thus, a BCP tries to eliminate or reduce the impact of a disaster and is designed to avoid or mitigate risks and reduce the time necessary to restore conditions to a state of normal operation [10], aiming to preserve the assets of an organization [11]. Some vital activities are identified by Hiles [11], who considers the development of the BCP as a project with a defined scope, including the analysis of risks and the identification of the organization's specific key threats. Through the systematic process of Business Impact Analysis (BIA), vulnerabilities are revealed and the potential effects, or impact on business, of an interruption are determined and evaluated. The definition of the strategy and requirements for technological resources is a success factor, and it is essential to test, exercise and provide training on the BCP [11].

Figure 2 presents the sequence of actions and the interrelationship of the components of the BCM. It also presents the time phasing in the methodological approach for the design and maintenance of a BCP [12], suggesting the set of components that must be completed in order to start another phase.

Data Center
The Data Center infrastructure must be seen as a safeguard against failure and as insurance of business continuity; if a disruptive event does occur, it should be as short as possible. The Uptime Institute created the Tier Classification System standard, which is the global language of Data Center performance [13], as a means of effectively evaluating Data Center infrastructure in terms of business requirements for system availability. It offers a consistent method of comparing unique and customized installations based on the expected performance or uptime of the site's infrastructure.

Standards
A set of standards was reviewed in order to incorporate good practices on the business continuity topic.

NFPA 1600 2019
Widely used by entities, NFPA 1600 2019 was adopted by the United States Department of Homeland Security as a voluntary consensual standard for emergency preparedness [14].
The standard consists of 10 chapters and 13 annexes in which a common set of criteria for all hazards is established in disaster, crisis and emergency management and business or operations continuity programs. It follows the Plan-Do-Check-Act approach, providing the fundamental criteria of preparation and resilience, including the planning, implementation, execution, evaluation and maintenance of programs for prevention, mitigation, response, continuity and recovery [15]. The standard may be applicable to public, private, non-profit and non-governmental entities.

ISO 22301:2019
The ISO 22301:2019, on the theme "Security and resilience - Business continuity management systems - Requirements", is a standard for implementing a BC Management System and continuously improving the BC resources based on priorities and feedback management. It specifies the requirements for implementing, maintaining and improving a management system to protect against, reduce the likelihood of, prepare for, respond to and recover from disruptions when they arise [16].

ISO 22313:2020
The ISO 22313:2020 standard, with the theme "Security and resilience - Business continuity management systems - Guidelines on the use of ISO 22301", provides guidelines and recommendations for the application of the requirements of the Business Continuity Management System (BCMS) indicated in ISO 22301. The guidelines and recommendations are based on international good practices. This standard is applicable to organizations that implement, maintain and improve a BCMS [17], that seek to ensure compliance with the stated business continuity policy, that need to be able to continue delivery of products and services at acceptable predefined capacities following a disruption, and that seek to improve their resilience through the effective application of the BCMS.

ISO/IEC 27031:2011
The International Standard ISO/IEC 27031:2011 is entitled "Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity". This standard describes the concepts and principles of ICT readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity [18].

Reference Standards and Good Practices
Within the scope of standardization and improvement of business processes, there is a concern with the application of good practices. Thus, due to its relevance, this chapter presents the set of frameworks and good practices ITIL, COBIT and CMMI.

ITIL
ITIL 4 brings ITIL up to date by re-shaping much of the established ITSM practices in the wider context of customer experience, value streams, and digital transformation, as well as embracing new ways of working, such as Lean, Agile, and DevOps. ITIL 4 provides the guidance organizations need to address new service management challenges and utilize the potential of modern technology. The guidance provided can be adopted and adapted for all types of organization and service. It is designed to ensure a flexible, coordinated and integrated system for the effective governance and management of Information Technology-enabled services [19].
One of the Service management practices, under ITIL management practices, is Service continuity management. Its purpose is to ensure that the availability and performance of a service are maintained at sufficient levels in case of a disaster [19].

COBIT
COBIT 2019 was designed and created by the Information Systems Audit and Control Association (ISACA). It is a framework for the governance and management of information and technology, aimed at the whole enterprise. COBIT 2019 is composed of 40 ICT processes in two fundamental areas, Governance and Management, divided into four domains. COBIT describes how an enterprise can design a customized and tailored governance solution for enterprise Information and Technology (IT) and how it should build its governance system for enterprise ICT [20].
COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure. It defines the design factors that should be considered by the enterprise to build a best-fit governance system and addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels [20].
In this work it was important to characterize the focus on strategic alignment between ICT and business solutions; on the generation of value while optimizing costs and ICT services; and on risk management, disaster recovery and continuity of operations.

CMMI
CMMI V2.0 is an integrated set of best practices that enable businesses to improve the performance of their key business processes. It helps a business to understand its current level of capability and performance, and its practices can guide improvement [21]. CMMI deals with various Capability Areas, such as "Managing Business Resilience", which addresses the ability to anticipate, prepare for, and respond to interruptions in order to continue operations. This Capability Area incorporates the Practice Areas "Incident Resolution and Prevention", to resolve and prevent disruptions in order to sustain service delivery levels; "Risk and Opportunity Management", to identify, record, analyze, and manage risks and opportunities; and "Continuity", to plan mitigation activities for disruptions to operations so that work can continue or resume [21].

Tax legislation
Portuguese tax legislation defines technical requirements for ISw [22] to guarantee data integrity, information security or business continuity. These requirements are described, briefly, in the legislation presented below. Some requirements establish the conditions to be observed when scanning and archiving in electronic format, intended to replace the respective paper archive. The legislation also regulates the technical conditions for the issue, upon acceptance by the recipient, of invoices issued electronically and for their conservation and archiving, as well as for the existence and conservation of backup copies of the data supporting the ISw [23].

Decree Law No. 28/2019
The main objectives of Decree Law no. 28/2019, of February 15, of the Presidency of the Council of Ministers, are to promote legislative simplification and harmonize divergent rules on the conservation of documents for tax purposes. In this context, Decree Law no. 28/2019 created the conditions for the "Paperless invoice" and apposition of Quick Response (QR) code.
It provided for the possibility of waiving the printing of invoices and also strengthened the conditions for the dematerialization of documents, encouraging the adoption of an electronic invoicing system and electronic document archive, being an asset for the development of a more ecological vision, based on reducing the use of paper, inks and printing toners. The conditions created allow organizations to reduce costs with the fulfillment of tax obligations, stimulating the development and use by organizations of new technological instruments, incorporating a philosophy of innovation and debureaucratisation. For this purpose, a substantial reform of the rules applicable to the archiving of books, records, databases and supporting documents of accounting was introduced [23].

SAF-T (PT)
The objective of the Standard Audit File for Tax Purposes - Portuguese Version, SAF-T (PT), is to allow an easy export, at any time, of a predefined set of accounting and invoicing records and relevant tax documents, in a legible and common format, regardless of the ISw used, without affecting the internal structure of the ISw database or its functionality [24]. The SAF-T (PT) file is intended to facilitate the collection and processing, in electronic format, of the relevant tax data. It allows simplifying procedures and boosting the use of new technologies [24], and may be the file that contains the list of the relevant tax documents registered in the archive. The most current SAF-T (PT) data structure is set out in Annex I to Ordinance No. 302/2016, of December 2, of Finance.

Decree Law No. 198/2012
Decree Law no. 198/2012, of 24 August, of the Ministry of Finance, the starting point for the service known as E-Fatura, creates a regime that regulates, namely, the electronic transmission to AT of data elements of invoices and other documents with tax relevance, including the printing of transport documents. It establishes measures to control the issuance of invoices and other documents of tax relevance, defines the means for their communication to AT and creates a tax incentive when the acquirer requires such documents [23].
It should be noted that this communication can be made through electronic transmission in real-time integrated with a certified ISw using a web service provided by AT or by sending the summary file, based on the file SAF-T (PT), exported periodically (usually monthly) by a certified ISw.

Invoicing Software Certification
Compliance with the provisions of Ordinance No. 363/2010, of 23 June, allows obtaining the title of an ISw certified by AT [25]. AT certification is important to foster compliance with the law and legal technical requirements and good ICT practices.
Taxable persons whose obligation to issue an invoice is subject to the rules established in the Value Added Tax Code (VATC) are obliged to use, exclusively, ISw that have been subject to prior certification by AT, whenever they have had, in the previous calendar year, a total turnover exceeding 50,000 euros or are using an ISw or have organized accounting.
Thus, if organizations do not choose to use an ISw that has already been certified and intend to use one that they have produced, they should request its certification. To start the certification process, organizations must submit, on the Finance Portal, an official "Modelo 24" form.
The issuance of the certificate may be preceded by compliance tests to observe the requirements resulting from Portuguese tax legislation and a set of defined technical requirements [25]. It should be noted that the certified version of an ISw must comply with the corresponding requirements, which is the responsibility of the ISw producer, even after the compliance tests and throughout the life of the ISw [23].
The compliance tests are conducted by AT. An AT Inspector, with functions assigned to the certification of ISw, is responsible for analyzing, clarifying and conducting the face-to-face compliance testing meeting.
Since the beginning of the COVID-19 pandemic declaration, faced with the impossibility of free movement and other restrictions, AT has prepared a videoconference solution that allows it to give support to software producers and to safely perform compliance tests. After all the relevant requirements have been verified by videoconference, a face-to-face meeting would be scheduled to conduct compliance tests. Thus, it was possible to keep the certification process active.
AT maintains, on the Finance Portal, an updated list of programs and respective certified versions, as well as the identification of the software producers, proving that during the COVID-19 confinement months, several ISw were certified.

Ordinance No. 363/2010
The preamble to Ordinance No. 363/2010, of 23 June, states that the increasing use of ISw has undeniable advantages in terms of the speed of information processing. However, it introduces new risks in terms of fiscal control, due to the possibility of subsequent adulteration of recorded data, enhancing situations of tax evasion [25].
In this perspective, the aforementioned ordinance defines rules so that ISw observe the requirements that guarantee the inviolability of the information initially registered, consequently allowing only the ISw that respect such requirements to be used, after certification by AT. The certification of ISw depends on the cumulative verification of several requirements: among them, the ISw must be able to export the SAF-T (PT) file, have access control to the ISw and respect the technical requirements defined in Order No. 8632/2014.

Order No. 8632/2014
Order No. 8632/2014, of July 3, from the Ministry of Finance, was published to comply with the provisions of Ordinance No. 363/2010, which states that one of the requirements for obtaining ISw certification is to observe the technical requirements approved by the AT. Thus, ISw, even if already certified, must comply with its approximately 100 technical requirements in different areas, including backup policies, data recovery, access controls or document signing and security [22].

Methodology
The research-action methodology in the realistic perspective was the main axis of the investigation protocol. It helped to reduce the complexity of the problem, due to the variety of categories of organizations and their ICT strategies [26], as well as business specificities. It would be a hindrance to integrate the requirements and the hypotheses for solving the problem in a single approach [27]. Thus, a questionnaire was created for ICT managers as a way of capturing relevant information about the invoicing solution implemented in the organization. From the data analysis, a BCP proposal is inferred that integrates the researcher's knowledge about the problem, the applicable legal and normative requirements, the constraints and the various conceptual technological alternatives for resolution, in order to outline a sufficiently comprehensive guide for most of the organizations in Portugal.

Results
The guide for the design of a BCP is outlined, starting with a questionnaire with the main questions, structured in specific knowledge areas that the ICT managers must ask in the analysis of the problem, as shown in Figure 3. It culminates in a better understanding of the business processes and procedures involved that will be the target of the BCP, regarding procedures to be designed for disaster recovery and business continuity of the ISw. It enhances the understanding of ISw's data backup policies and approaches to the implementation of a technological conceptual solution capable of eliminating vulnerabilities and mitigating the effects of a disruptive event in the invoicing business processes.
Structurally, the questionnaire contains a set of multiple-choice questions, each contributing to the perception of the organization's invoicing solution and to compliance with specific requirements defined in the tax legislation, standards and good practices researched. Figure 3 shows the decision support process with the questions that make up the questionnaire. The word "invoice" refers to all relevant tax documents, including, for example, "orders" or "credit note". The order in which the questions are answered is not important, since the software that supports the guide adapts to each new question answered. Three questions allow diverting the flow of the program, as its answer invalidates the following interconnected questions: All other questions follow a common reasoning flow and are positioned according to the theme of the question, which may be important when answers to the questionnaire need to be requested from another employee of the organization. It is important to note that the guide was specially designed for organizations that have an ISw, and it is not an objective to find proposals outside this scope. The question areas are:
• Organization: Allows the organization to be classified according to the criteria of Small and Medium Enterprises (SME) [28], to know the sector of activity in order to understand the investment capacity [29], and the total turnover, in order to infer also the obligation to have an ISw certified by AT;
• Invoicing volume: Allows verifying the invoicing issuance days; whether the organization has continuous invoicing (for example, for scheduling jobs in periods of less activity) or only during normal working hours, as well as the average number of documents issued per day. It aims to reveal the periodicity of backup copies and more appropriate techniques, taking into account the conclusions about investment inferred in the "Organization" area;
• Printing: The objective is to understand whether organizations print the documents issued and keep the accounting archive on paper, in order to suggest scanning and archiving in electronic format, as well as the possibility of recovering documents in case of corruption of the database;
• Invoicing Software: Finds out if the organization uses an ISw, even if not required, as inferred by the conclusions in "Organization". Determines whether the ISw was developed in-house or acquired, in order to understand the decision-making capability on requirements and the technical capability on the ISw. It is important to understand if the ISw is desktop-based, web-based or a terminal application in order to infer the technological infrastructure associated with the physical location of the database;
• Electronic issuance: Aims to infer the processing of the documentation produced and to propose electronic issuance according to the technique used and to the conclusions in "Invoicing volume";
• Manual issuance: Intends to assess the need to comply with the requirements set out in point 2.4 of Order 8632/2014 [22]. Proposes business continuity in case the ISw is inoperable, taking into account the conclusions in "Invoicing volume";
• Electronic Archive: Intends to assess the need to comply with the requirements set out in Decree Law No. 28/2019. Aims to propose a reduction of archiving costs and greater efficiency of archiving procedures, especially those supporting remote work business processes, and to improve business continuity readiness.
The flow of the decision process and the questions that are part of the questionnaire are presented in Figure 3. The questionnaire presented in Figure 3 has the basic or relevant questions to ask, and the multiple-choice answers drive the conclusions of the decision process. For example, when questioned about the connection to a central software, the answer will have a variety of options to try to determine the architectural solution implemented.

Discussion
Established or entrepreneurial entities, when starting or reformulating their commercial activity and business processes, should take into account the potential of the legislative considerations mentioned in this work. The focus on online businesses, amplified by the increased use of telework resulting from the measures to contain this recent pandemic, allows some management, optimization and control functions to be performed remotely. The effects are reflected in the need to optimize business processes and the time spent on activities, but above all in technological innovation that mitigates the gaps underlying this new vision of the business and digital world. This new vision will depend on the dynamization of ICT in business processes and on the quick response to this desire, where there is a need to make quick and effective decisions, but with the necessary efficiency so that the change is adequate.

Future work
The aim is to design an approach that allows the questionnaire to be published online and to obtain more data for treatment, in order to refine the design of a BCP supported by technological solutions.
Nevertheless, for the questionnaire to evolve, some other requirements need to be addressed, especially those that improve the security of the software system and those that enhance business continuity and disaster recovery.
Another research direction is to design a case study to evaluate the dynamization or optimization of business processes and obtain the return on investment achieved. The study should occur before and after the implementation of electronic invoicing and/or electronic archiving in the organization, in a set of preselected business processes. The target organization is one that intends to transform its business processes for telework, triggered, for example, by restrictions due to pandemic situations.

Conclusions
The previous identification of the constraints felt by organizations in the design of a BC solution made it possible to conduct the literature review and to identify the issues considered relevant in the context of supporting the design of a guide for the design of a BCP. The review of the literature on the theme of BC, including standards and good practices, and of the relevant applicable tax legislation was important in this work. The systematization of information in this field adds value to the scientific community, as well as to users who are part of this type of problem.
On the other hand, the change in the paradigm of issuing and communicating invoices and tax relevant documents triggered the need for organizations to prepare for the challenge of innovation or technological adequacy for electronic invoice issuing, as well as for the electronic archive. The current pandemic situation has accelerated this need for digital transformation.
The tax legislation points to the requirements to be met and provides for the possibility of issuing documents by electronic means, the possibility of their electronic transmission to AT, and the possibility of their electronic archive. Understanding what the correct procedures are and what requirements are involved in the certification of an ISw in Portugal is considered relevant for organizations that develop the software, as well as for organizations that decide to purchase a solution. This work aimed to help the identification of the main regulatory documents on the subject, as well as the legal characterization of invoicing in Portugal, in order to support organizations in the design or adaptation of the ISw. The implementation of electronic invoicing and electronic archiving procedures can enhance business continuity and boost the innovation that leads to new software products, digital transformation, marketing approaches, or new ways of doing business.
The questionnaire made it possible to systematize the variables involved underlying the tax requirements, the existing technological infrastructures, and the invoicing and archiving procedures implemented. Through a process of analysis of the answers, vulnerabilities can be perceived, as well as the needs for business continuity and disaster recovery. It is considered that the constraints perceived by organizations were reduced by improving the understanding of the variables that they must observe, the areas in the legislation and regulations that they must integrate, as well as the needs of human and technological resources, according to their investment capacity.
This work encourages the adoption of concrete strategies and procedures for business continuity, where invoicing and electronic archiving may be relevant, for organizations with an ISw, certified or not by AT.