The IRS Regulatory Implications of Electronic Record Keeping

By Joseph Danos and Ram S. Sriram

As companies transact business computer to computer, much of the traditional hard copy audit trail has been replaced by electronic storage. The IRS can live with this situation if its requirements are understood and met.

Electronic data interchange (EDI) is one of the fastest growing computer networks used by businesses. EDI enables vendors, customers, and shipping agents (known as trading partners) to transact and exchange data and documents through the computer network. The trading partners exchange documents such as sales invoices, purchase orders, shipping notices, etc., through electronic medium without preparing and mailing conventional paper documents. For example, in ordering inventory, the purchase order, the vendor acknowledgment with price and other terms, as well as the shipping notice and sales invoice, are all transmitted via computer. After shipment, the vendor will transmit documents such as shipping notices and sales invoices through the computer. After receiving the merchandise, the buyer will prepare the receiving report, enter the transaction in its records, and even make the final payment through the computer network. By sharing data and documents electronically, the trading partners significantly reduce their transaction time and improve the efficiency of their operations.

EDI not only changes the way organizations transact, but the way they store data and documents. EDI reduces the need to either prepare or retain hard-copy documents such as sales invoices, purchase orders, or receiving reports as they can be stored electronically. Maintaining electronic files is easy, cost effective, and with proper controls, safer than hard-copy files.

Electronic storage leads to a number of issues: 1) Are there adequate records maintained by the trading partners? 2) Are these records maintained for sufficient time? 3) Are trading partners complying with the regulations governing storage and maintenance of documents? In the last few years, the IRS has proposed several rules relating to generating and retaining electronic documents. The IRS requires EDI-type organizations to not only generate adequate electronic documents to support their transactions but to retain these documents for audit and verification purposes. Violation of the regulations applicable to EDI exposes the trading partners to possible significant cost, penalties, and loss of reputation.

Electronic Record Keeping

Most organizations are familiar with the processes of collecting, retaining, and controlling transaction-related records required for audit purposes. Organizations generally maintain records of transactions relating to payments, distribution, receipts, and income by physical evidences such as sales invoices, letters, correspondences, notes, memoranda, etc. Because transaction activity should be supported by proper records, organizations establish reasonable controls over their documents and safeguard them from being lost, mutilated, or destroyed. Most organizations, however, are less familiar with electronic record keeping. Electronic record keeping requires organizations to adapt to the electronic data processing environment and make suitable changes within the organization.

Electronic record keeping is efficient and easy to do. Unlike hard-copy record keeping, however, electronic record keeping makes it easy for records to be lost, destroyed, or altered. An untrained or careless employee can accidentally use a backup disk or tape, overwrite a historical file, and lose all transaction evidence. If controls over electronic system access, backup, and operations are inadequate or lax, the records lose their reliability. A clever programmer or another employee can change transaction data after it has been authenticated and stored.

Backup of records on a routine basis and adequate controls over transaction records are very important. Backup records allow the organization to reconstruct records in the event of accidental or intentional loss or destruction of records.

IRS Requirements

IRC Sec. 6001 gives the Secretary of the Treasury power to require the keeping of records to show whether a taxpayer is liable for tax. Treas. Reg. Sec. 1.6001-1(a) explains that permanent books of accounts or records, including inventories, should be kept that "are sufficient to establish the amount of gross income, deductions, credits, or other matters required to be shown" on a tax or information return. Reg. Sec. 1.6001-1(e) requires that taxpayers make such books or records available at all times for inspection by authorized IRS personnel and that they retain such books and records for as long as their contents may be "material in the administration of any internal revenue law." Rev. Rul. 71-20 states that "machine-sensible data media used for recording, consolidating, and summarizing accounting transactions and records within a taxpayer's automatic data processing system are records within the meaning of IRC Sec. 6001 of the Code and Reg. Sec. 1.6001-1." EDI was first mentioned in Rev. Proc. 91-59, which provides the latest guidance from the IRS for record retention in an electronic environment.

Who Must Comply

Basically, any entity that uses EDI must comply with Rev. Proc. 91-59. A taxpayer having assets of $10 million or more at the end of its taxable year falls under the record retention requirements described in Rev. Rul. 71-20 and Rev. Proc. 91-59. A taxpayer that does not have $10 million in assets must also comply with these requirements if‹

* the records required by IRC Sec. 6001 exist only in machine-readable form,

* computations based upon machine-sensible records can only be reasonably verified or recomputed by use of a computer, as in LIFO inventory valuations, or

* the district director notifies the taxpayer that machine-sensible records must be maintained to comply with IRC Sec. 6001.

Thus, per operation of the first two items, any entity that uses EDI will have to comply with the record retention requirements. These rules are applicable to both domestic and foreign entities, whether they be completely domestic, foreign corporations doing business in the U.S., controlled foreign corporations, or domestic corporations that are 25% foreign owned.

What Must Be Kept

A rule of thumb is to keep the extent of detail in electronic and other records that would provide sufficient documentation in hard-copy form. It follows, therefore, that an electronic invoice should contain the vendor's name, the invoice date, a description of the product, the quantity purchased, the price, cash discount terms, etc. The key factors in capturing EDI data are the establishment and maintenance of authenticity, integrity of the electronic records, and the audit trail.

The machine-sensible records produced by EDI may be combined with hard-copy records of other relevant information (such as price lists, price changes, or underlying contracts) to meet the requirements of IRC Sec. 6001. There is no requirement to keep hard-copy records of other information, however, if the data contained in such records are included in the EDI transaction records retained in machine-readable form. In addition, there is no need to produce a hard-copy printout of EDI records since, in the usual case, hard copy records are not produced or received in the ordinary course of EDI transactions. Of course, the IRS may request hard-copy printouts at any time.

To provide the IRS reasonable access of the retained EDI records, Rev. Proc. 91-59 also lists documentation, hardware, and maintenance requirements, as well as a threat of penalty if its provisions are not followed.

Documentation

In general, documentation for the automatic data processing (ADP) portion of the accounting system must be retained and made available to the IRS upon demand. The documentation should provide a complete description of the system, including subsystems and files that provide data to the accounting system. The level of detail considered sufficient for the description of the scope of operations would include‹

* the application performed,

* the procedures used in each application,

* accuracy and reliability controls in place, and

* security controls in place to prevent unauthorized addition, alteration, or deletion of retained records.

Specific documentation required to be kept for files should include‹

* record formats (providing the meaning of all "codes" employed to represent information),

* system and program flowcharts,

* label descriptions,

* listings of source programs that created the files,

* detailed charts of accounts for specific periods,

* evidence that periodic checks of the retained records were performed as required by Rev. Proc. 91-59, and

* evidence that the retained records reconcile to the books and the tax return.

In addition, it is necessary to document changes in the ADP system that affect the accounting system or subsystems. Changes in software, systems, and file formats are to be listed with their effective dates so as to create an accurate chronological record of the changes.

If the EDI records are kept in a database management system (DBMS), documentation on each DBMS must be retained. It should contain‹

* a description of the database,

* the record layout of each segment with respect to the fields in the segment,

* the system control language,

* the program specification block, and

* the program communication block.

All of the above obviously pertain to good documentation practices in any environment. However, it is very likely that most data processing personnel operating in an EDI environment are not aware that such documentation is required for tax purposes.

Hardware

There are no specific hardware requirements but the taxpayer must have the appropriate hardware to "process the retained records" during an IRS examination. Thus, when a new system replaces the system that generated the retained records, it is very important to convert the retained records, if necessary, to a format compatible with the new system. The retained records must be in a format the new system can handle. The taxpayer must report any decrease in ability to process retained records to the IRS district director.

During an IRS examination, the taxpayers are required to put all necessary computer resources at the disposal of the IRS so all pertinent records retained in machine-readable form may be processed. Failure to do so would be the same as failing to meet the record keeping requirements of IRC Sec. 6001.

Maintenance

Media (tape, cartridge, disk pack, diskette, etc.) used to store machine-sensible records need to be clearly labeled and kept in a "secure environment" and backup copies should be maintained at an off-site storage facility. External labels should be placed on the storage medium and contain wording such as "Tax Year 19XX Records -- Retain for IRS until 0000" or "Retain for IRS, Consult Tax Manager Before Releasing." Internal labels should contain the retention date as well.

NARA Standards

The IRS recommends taxpayers follow the National Archives and Record Administration's (NARA) standards for maintaining and storing electronic records. Rev. Proc. 91-59 specifically requires that all records retained for the IRS be checked periodically. It recommends, and paraphrases, the NARA's standard for periodic testing. On an annual basis, the taxpayer is to select and test a random sample of all reels of magnetic tape to identify occurrences of data loss and detect and rectify the causes of such loss. A random sample size of the larger of 50 units or 20% of the total units should be tested for record libraries consisting of 1,800 or fewer "storage units" (e.g., magnetic tape reels). Record libraries containing more than 1,800 units should use a sample size of 384 units for testing.

If the testing reveals some of the machine-sensible records have been lost or have deteriorated (i.e., they have been damaged, destroyed, or found to be incomplete or materially inaccurate), it is incumbent upon the taxpayer to report this to the IRS district director. In addition, the taxpayer bears the responsibility to recreate the records within a reasonable amount of time.

Safe Haven. Although the foregoing standard relates specifically to magnetic tape, its scope is broadened by the IRS to include all "retained machine-sensible media." Thus, Rev. Proc. 91-59 casts a very wide net that could ensnare the unwary in the civil and criminal penalty provisions of the IRC. Fortunately, the IRS provides a safe haven: The penalties will not apply to any taxpayer who follows the dictates of the NARA for data maintenance and loses "only a portion of the data from a particular storage unit." Of course, the taxpayer will still be required to substantiate the information included in the return.

In making reference to the NARA standards, the IRS does not simply say that anyone who follows the NARA guidelines for data storage sampling will not be subject to the penalties mentioned in Rev. Proc. 91-59. The IRS's words are much broader: A taxpayer whose "data maintenance practices" conform to those of NARA will have the threat of penalty lifted (if only a portion of the data is lost). To avail oneself of the protection provided by the NARA standards, it would seem it is necessary to comply with all of its standards that relate to maintenance of machine-sensible data.

Definitions. The NARA defines electronic records as including "numeric, graphic, and text information, which may be recorded on any medium capable of being read by a computer and which satisfies the definition of a record." The storage media for the records may be magnetic (tapes and disks) or optical, but they are not restricted to these two forms. The hardware environment may consist of micro, mini, or mainframe computers in stand-alone or networked configurations. The NARA standards leave no doubt as to the breadth of coverage of Rev. Proc. 91-59.

Security. NARA requires that a record security program be implemented and maintained. Such a program should‹

* allow only authorized personnel to access the electronic records,

* have backup and recovery routines,

* provide training in electronic data maintenance procedures to appropriate personnel,

* have controls that minimize the risk of unauthorized alteration or erasure of electronic data, and

* be included as an integral part of the entity's overall computer system security plans.

Maintenance of Storage Media. In addition to the sampling procedures paraphrased in Rev. Proc. 91-59, the NARA standards also address other storage media considerations. Magnetic tapes are to be tested within six months of their usage to determine whether they are free of permanent errors and comply with National Institute of Standards and Technology or industry standards. Temperature and relative humidity levels in magnetic tape storage and test areas are to be maintained at 62 to 68 degrees Fahrenheit and at 35% to 45% constant relative humidity. The tapes are to be rewound under controlled tension every 31*2 years. Before a tape reaches 10 years of usage, the data it contains is to be copied onto a tested and verified new tape. Smoking and eating should not be permitted in tape libraries or test areas. In the case of direct access storage media, written procedures should be issued for their care and handling, based upon the manufacturer's recommendations.

Penalties

Taxpayers who fail to follow the requirements of Rev. Proc. 91-59 for the retention and maintenance of machine-sensible records may be subject to the accuracy related civil penalty of IRC Sec. 6662(a) (for negligence or disregard of rules or regulations) and to the criminal penalty of IRC Sec. 7203. This is no empty threat: IRC Sec. 6662 provides for a penalty of 20% on the portion of any underpayment of tax due to negligence or intentional disregard of rules and regulations (which include revenue procedures) and IRC Sec. 7203 states that willful failure to keep records or supply information, as required by the IRC, is a misdemeanor that carries the potential of imprisonment for up to one year and/or a fine of $25,000 ($100,000 for corporations), plus the cost of prosecution, for those who are convicted.

Beware!

Most of the IRS's recommendations are simply good practices that should be followed, and probably are in place, in any serious information system structure. The formidable teeth of the penalty provisions for failure to follow the IRS's guidance should be enough to keep the attention, and inspire the diligence, of anyone responsible for the retention and care of electronic tax records.

In this age of increasing technological development, the usage of electronic means for data storage continues to grow. This growth is taking place in an environment of almost constant change of systems and hardware. In such a transitional setting, it is easy to overlook issues of portability of tax records when updating a system or migrating to the next generation of hardware from a different supplier. This potential problem is probably greatest in small entities where system controls may be weak to nonexistent. Such lapses in procedure, however, are dangerous, as Rev. Proc. 91-59 informs us. In the hurly-burly of everyday business, it would be good to keep in mind that the tax man cometh. *

Joseph Danos, PhD, CPA, is an assistant professor at Louisiana State University. Ram S. Sriram, PhD, CPA, is an associate professor at Georgia State University.

NOVEMBER 1995 / THE CPA JOURNAL

Conceptually, EDI is nothing more than a means of communicating between companies. All specific transactions are known as "transaction sets." Multiple transaction sets sent in the same transmission go into a "transaction envelope." Different types of transactions can go into the same transaction envelope. To maximize efficiency, companies generally utilize a translation program that interfaces between their application software and the sending and receipt of the transaction set. For example, this would allow a sender to prepare a purchase order utilizing its standard accounting programs. The translation program will convert the purchase order to a message in standard ANSI format. The receiving company will utilize its translation program to convert the ANSI message into a format that is compatible with its automated accounting system. The benefit of translation programs are that:

* They reduce the need for multiple keying of messages; hence a labor savings in the need for clerical personnel.

* The accuracy of data is increased. The reduction in the re-keying of information ensures a message will be received as sent.

Companies doing business with each other are called trading partners. As a normal practice, to maintain internal systems security, trading partners do not provide direct access to their data processing systems. In the transmission process, an electronic mailbox is used. This is normally provided by a Value-Added Network (VAN). The VAN acts as a buffer and provides a mailbox for individual trading partners where transaction sets can be delivered and received. VANs are a normal commercial service provided by companies such as AT&T, General Electric, CompuServe, or Western Union. There are many more VANs, and individual companies, such as retailers, have their own proprietary VANs. *

Stanley Weiner, CPA, is a partner with Cornick Garber & Sandler, LLP.

An article by Mr. Weiner on the business risk, internal control, and audit considerations of EDI appears in this month's auditing department.

HOW EDI WORKS

By Stanley Weiner