U.A.E. VAT rates

December 9th, 2017 by Stephen Jones

The Federal Tax Authority (FTA) has announced the supplies that will be subject to Value Added Tax (VAT) as of January 1, 2018. Selected supplies in sectors such as transportation, real estate and financial services will be completely exempt from VAT, whereas certain government activities will be outside the scope of the tax system (and, therefore, not subject to tax). These include activities that are solely carried out by the government with no competition with the private sector, and activities carried out by non-profit organisations.

The UAE Cabinet is expected to issue a decision to identify the government bodies and non-profit organisations that are not subject to VAT.

VAT treatment on select industries:
Education:

Private and public school education (excluding higher education) and related goods and services provided by education institution 0%
Higher education provided by institution owned by government or 50% funded by government, and related goods and services 0%
Education provided by private higher educational institutions, and related goods and services 5%
Nursery education and pre-school education 0%
School uniforms 5%
Stationery 5%
Electronic equipment (tablets, laptops, etc.) 5%
Renting of school grounds for events 5%
After school activities for extra fee 5%
After school activities supplied by teachers and not for extra charge 0%
School trips where purpose is educational and within curriculum 0%
School trips for recreation or not within curriculum 5%

Healthcare:

Preventive healthcare services including vaccinations 0%
Healthcare services aimed at treatment of humans including medical services and dental services 0%
Other healthcare services that are not for treatment and are not preventive (e.g. elective, cosmetic, etc) 5%
Medicines and medical equipment as listed in Cabinet Decision 0%
Medicines and medical equipment not listed in Cabinet Decision 5%
Other medical supplies 5%

Oil and Gas:

Crude oil and natural gas 0%
Other oil and gas products including petrol at the pump 5%

Transportation:

Domestic passenger transportation (including flights within UAE) Exempt
International transportation of passengers and goods (including intra-GCC) 0%
Supply of a means of transport (air, sea and land) for the commercial transportation of goods and passengers (over 10 people) 0%
Supply of goods and services relating to these means of transport and to the transportation of goods and passengers 0%

Real Estate:

Sale and rent of commercial buildings (not residential buildings) 5%
First sale/rent of residential building after completion of construction or conversion 0%
First sale of charitable building 0%
Sale/rent of residential buildings subsequent to first supply Exempt
Hotels, motels and serviced accommodation 5%
Bare land Exempt
Land (not bare land) 5%
UAE citizen building own home 5% (recoverable)

Financial Services:

Margin based products (products not having an explicit fee, commission, rebate, discount or similar) Exempt
Products with an explicit fee, commission, rebate, discount or similar 5%
Interest on forms of lending (including loans, credit cards, finance leasing) Exempt
Issue, allotment or transfer of an equity or debt security Exempt

Insurance and Re-insurance:

Insurance and reinsurance (including health, motor, property, etc) 5%
Life insurance and life reinsurance Exempt

Food and Beverages: 5% VAT rate

Telecommunications and electronic services:

Wired and wireless telecommunications and electronic services: 5% VAT rate

Government activities:

Sovereign activities which are not in competition with the private sector undertaken by designated government bodies Considered outside VAT system
Activities that are not sovereign or are in competition with the private sector VAT rate dependent on good/service ignoring provider

Not for Profit Organizations:

Activities of foreign governments, international organisations, diplomatic bodies and missions acting as such (if not in business in the UAE) Considered outside VAT system
Charitable activities undertaken by societies and associations of public welfare which are listed by Cabinet Decision Considered outside VAT system
Activities of other not for profit organizations (not listed in Cabinet Decision) which are not business activities Considered outside VAT system
Business activities undertaken by the above organizations VAT rate dependent on good/service ignoring provider

Free zones:

Supplies of goods between businesses in designated zones Considered outside VAT system
Supplies of services between businesses in designated zones VAT rate dependent on service ignoring location
Supplies of goods and services in non-designated zones VAT rate dependent on good/service ignoring location
Supplies of goods and services from mainland to designated zones or designated zones to mainland VAT rate dependent on good/service ignoring location

Other:

Export of goods and services to outside the GCC implementing states 0%
Activities undertaken by employees in the course of their employment, including salaries Considered outside VAT system
Supplies between members of a single tax group Considered outside VAT system
Any supplies of services or goods not mentioned above (includes any items sold in the UAE or service provided) 5%
Second hand goods (e.g. used cars sold by retailers), antiques and collectors’ items 5% of the profit margin

The UAE and Saudi Arabia are the two GCC member countries which will implement Value Added Tax (VAT) Reform from 1st January 2018 whereas the remaining member countries will implement over the coming years.

According to the UAE tax officials, it is anticipated that the new tax reform will help to generate nearly Dh12 billion (around 0.8 percent of GDP) revenue in the initial year after the introduction of the VAT. It might increase to Dh20 billion (around 1.2 percent of GDP) in the succeeding year (2019).

Data security – how secure should we be?

December 9th, 2017 by Stephen Jones

The back story to this is that a British politician (Damian Green) is presently in hot water for allegedly accessing porn on his government PC. U.K. politician Nadine Dorries (https://twitter.com/NadineDorries) recently tweeted:

Nadine Dorries (@NadineDorries):

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

10:03 PM – Dec 2, 2017

So Nadine is implying it could have been someone else on his PC using his identity.

So should politicians share passwords? What are the problems with doing so? And what about your own staff?
Well, it seems the practice is widespread; read here, for example: https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/?utm_source=DBW&utm_medium=pubemail

It’s an interesting read, and it certainly points out that sharing a login is expedient for users who share a workload, but that it has plenty of downsides for accountability and auditing of actions.

I see little excuse for sharing security credentials in UK government – there are other solutions to handle this issue.

I am more sympathetic in real time environments, like hospitals, where the login process might literally cause a death in the event of a delay.

Authentication aside, we often share data among individuals inside an organization. Outside of sysadmins, not many people really understand or consider who should have access, let alone who does have access, to some data.

Over time, organizations tend to lean towards allowing an ever-growing number of people to have access to data in file shares. Knowledge gives power to take decisions and functional silos are out, but segregation of duties and compliance are the other side of the argument. In these days of self-serve internet access and social connectedness, people expect access to information.

While we might prevent database access and grant/revoke this at times, the output from our systems also often ends up in Excel sheets or other files, or in hard-copy printouts, and people who do not have direct access still see the data.

People may leave data lying around on desks, tacked to a wall or on a printer, or just on screen in an open-plan office to be viewed by passers-by. Many do not log off or shut down their PCs at night. Why? They have never been trained or told to do so, and there is no management oversight to enforce it.
The trend to BYOD means data leaves your premises, and then you have no control over it. Removable USB devices, or just uploads to OneDrive or emails to a Hotmail account, are all possible holes in your security defences.

Credentials on a post-it stuck on your monitor? Server rooms that are not locked?

It’s not just your co-workers, but also janitorial staff, tradespeople, and others who likely wander regularly through your office spaces.

Security is a tough battle, and most of the time we don’t need much more than good passwords. Most people don’t have the time or inclination to deal with their own data, much less yours. However, when an attack is targeted on your organization, from outside or within, it’s extremely difficult to ensure your data won’t get lost or corrupted.

There is no magic bullet. There are good reasons to limit access to data on our systems, not the least of which is auditing and accountability. Beyond that, train users to exercise judgment about with whom they share, or to whom they expose, reports and other data.

Data breaches and what they mean for a Middle East Board of Directors

December 6th, 2017 by Stephen Jones

The new wave of cyber-attacks does appear to be unstoppable. With the increase in data breaches across the world, the UAE holds the world’s highest increase in breaches. Data breach costs in the region have risen by 20%, from $4.12m in 2016 to $4.94m in 2017, according to a report by Ponemon Institute.

The Middle East also has the highest spend on data breach response, roughly costing $1.43m per organisation.
Early this year, approximately 15 government agencies and private institutions in the Kingdom of Saudi Arabia were attacked by the Shamoon virus. This was followed by a tidal wave of WannaCry and Petya ransomware attacks.

IDC research states that organisations are expected to spend $101.6 billion by 2020 on security-related hardware, software, and services. Additionally, Gartner states that by 2018, 10% of all enterprise organisations will have adopted deception technologies into their security solutions. A board of directors must engage in a continuing balancing act between the cost of information security and potential risks.

Although information security is essential to corporate compliance with existing laws and regulations, directors are often required to focus less on ensuring “best security” in favour of “good enough” security. The lack of a clear definition of “best security” is largely responsible for this thinking.

What was previously viewed as good enough, will not keep up with the advanced or insider threats of today.

Important messages that CISOs should communicate to their boards about the importance of focusing on information security:

• Information security is now required, and disclosure is no longer solely at a company’s discretion. Between existing laws, insurance mandates, industry regulations, and shareholder demands, robust information security is now a corporate requirement.

• Information security is a significant corporate risk. It is nearly impossible to conduct any facet of a business today without a computer. As a result, the information that resides in an enterprise’s networks is the lifeblood of the business and if not protected, could result in financial damages and negative impact on the company’s brand. This makes information security a critical business issue. Any security strategy that does not include an adaptive security plan with in-network detection to detect attacks that have bypassed prevention solutions will result in a network breach sooner or later, if it hasn’t occurred already.

Some obvious things to consider:
- Policies, procedures, and awareness – Protection via data classification, password strengths, code reviews and usage policies
- Perimeter – Protection via firewalls, denial of service prevention, and message parsing and validation
- Internal network – Protection via transport layer security, such as encryption, and user identification and authentication
- Host/OS – Protection through OS patches and desktop anti-malware
- Application – Protection through protocols such as single sign on (SSO) and identity propagation
- Data – Protection through database security (online storage and back up), content security, information rights management, message level security.

Do your systems still cater for the digital world of a mobile workforce with smart phones, BYOD, social media, low-cost, high-capacity flash drives, and any time, anywhere connections?

Data breach

December 5th, 2017 by Stephen Jones

We have been asked to assist several companies targeted by ransomware and phishing attacks in the last year.

The moments after you have experienced a breach are of the utmost importance and can significantly impact your organization and the effectiveness of an investigation.

How prepared is your information technology (IT) department or administrator to handle security incidents?
According to the Computer Security Institute, over 20% of organizations have reported experiencing a computer intrusion, and common sense says that many more intrusions have gone unreported. No matter how much detail you know about the network environment, the risk of being attacked remains.

Any sensible security strategy must include details on how to respond to different types of attacks. Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.

There are clearly direct benefits in responding to security incidents. However, there might also be indirect financial benefits. For example, your insurance company might offer discounts if you can demonstrate that your organization is able to quickly and cost-effectively handle attacks. Or, if you are a service provider, a formal incident response plan might help win business, because it shows that you take seriously the process of good information security.

If you suspect a computer systems intrusion or breach, immediately contain and limit the exposure – stop the breach from spreading.
• Do NOT access or alter compromised systems (e.g., do not log on or change passwords).
• Do NOT turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable). If for some reason it is necessary to power off the machine, unplug the power source.
• Do NOT shut down the system or push the power button (because it can sometimes create a “soft” shutdown), which modifies system files.
• Preserve logs and electronic evidence. A forensic hard drive image will preserve the state on any suspect machines. Any other network devices (such as firewalls, IDS/IPSes, routers, etc.) that have logs in the active memory should be preserved. Keep all past backup tapes, and use new backup tapes for subsequent backups on other systems.
• Log all the actions you have taken, including composing a timeline of any knowledge related to the incident.
• If using a wireless network, change SSID on the wireless access point (WAP) and other machines that may be using this connection (with the exception of any systems believed to be compromised).
• Be on high alert and monitor all systems.
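
The "log all the actions you have taken" and "preserve logs and electronic evidence" steps above can be kept in one tamper-evident responder log. The following is an added example, not part of the original post: each entry records who did what and when, stores SHA-256 digests of any evidence collected, and chains to the previous entry so that later edits are detectable. The host name, people and firewall log excerpt are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first entry
FIELDS = ("seq", "recorded_utc", "event_utc", "who", "action", "evidence", "prev")

# Constructed sample evidence: two lines standing in for an exported firewall log.
SAMPLE_FW_LOG = (
    b"2017-12-05T08:31:12Z DENY tcp 10.0.4.17:49822 -> 203.0.113.9:445\n"
    b"2017-12-05T08:31:13Z ALLOW tcp 10.0.4.17:49823 -> 203.0.113.9:443\n"
)


def to_utc(ts):
    """Normalise a timezone-aware datetime to a sortable UTC ISO-8601 string."""
    return ts.astimezone(timezone.utc).isoformat(timespec="seconds")


def entry_digest(entry):
    """Hash every field except the entry's own hash, in a stable key order."""
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def record(log, who, action, event_time, evidence=None, recorded=None):
    """Append one action. `evidence` maps a label to the raw bytes collected;
    only the SHA-256 of the bytes is stored, never the content itself."""
    recorded = recorded or datetime.now(timezone.utc)
    entry = {
        "seq": len(log) + 1,
        "recorded_utc": to_utc(recorded),   # when the responder wrote it down
        "event_utc": to_utc(event_time),    # when it actually happened
        "who": who,
        "action": action,
        "evidence": {name: hashlib.sha256(data).hexdigest()
                     for name, data in (evidence or {}).items()},
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify(log):
    """Return the position of the first entry that breaks the chain, else None."""
    prev = GENESIS
    for position, entry in enumerate(log, start=1):
        if (entry["seq"] != position or entry["prev"] != prev
                or entry["hash"] != entry_digest(entry)):
            return position
        prev = entry["hash"]
    return None


def timeline(log):
    """Incident timeline ordered by when events happened, not when they were logged."""
    ordered = sorted(log, key=lambda e: (e["event_utc"], e["seq"]))
    return [f'{e["event_utc"]}  #{e["seq"]}  {e["who"]}: {e["action"]}' for e in ordered]


def build_sample_log():
    """Constructed walk-through of the containment steps listed above."""
    at = lambda h, m: datetime(2017, 12, 5, h, m, tzinfo=timezone.utc)
    log = []
    record(log, "A. Analyst",
           "Unplugged network cable on FIN-PC-07; machine left powered on",
           event_time=at(9, 5), recorded=at(9, 6))
    record(log, "A. Analyst",
           "Exported firewall log covering the incident window",
           event_time=at(9, 20), recorded=at(9, 25),
           evidence={"fw-export.log": SAMPLE_FW_LOG})
    # Knowledge gathered later still belongs on the timeline at the time it happened.
    record(log, "B. Manager",
           "User reported a ransom note on FIN-PC-07 (learned in interview)",
           event_time=at(8, 40), recorded=at(10, 0))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("\n".join(timeline(sample)))
    print("chain intact" if verify(sample) is None else "chain broken")
```

The chain only proves integrity if the latest hash is also kept somewhere the holder of the log cannot rewrite, for example read out to your legal representative and noted with the time.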

Alert All Necessary Parties Within 24 Hours
All external disclosures should be coordinated with your Legal Representative. Potential agencies include local and national law enforcement, external security agencies, and virus experts. External agencies can provide technical assistance, offer faster resolution and provide information learned from similar incidents to help you fully recover from the incident and prevent it from occurring in the future.

For particular industries and types of breaches, you might have to notify customers and the general public, particularly if customers might be affected directly by the incident.

If the event caused substantial financial impact, you might want to report the incident to law enforcement agencies.

For higher profile companies and incidents, the media might be involved. Media attention to a security incident is rarely desirable, but it is often unavoidable. Media attention can enable your organization to take a proactive stance in communicating the incident. At a minimum, the incident response procedures should clearly define the individuals authorized to speak to media representatives.

Normally the public relations department within your organization will speak to the media. You should not attempt to deny to the media that an incident has occurred, because doing so is likely to damage your reputation more than proactive admission and visible responses ever will. This does not mean that you need to notify the media for each and every incident regardless of its nature or severity. You should assess the appropriate media response on a case-by-case basis.

Be sure to notify:
• Your internal information security group and incident response team, if applicable.
• The card associations and your merchant bank if the breach is part of a cardholder data segment.
• Your legal advisor

Maybe your auditors.
Maybe your insurers.
Maybe the authorities/police.

Synergy Software Systems support desk.

Consider what message you need to give to staff, and to your trading partners.
Update your policies and procedures, and tools.

Thank those who helped you – you may need them again.

SQL Server 2017

November 22nd, 2017 by Stephen Jones

SQL Server 2017 went on general release a couple of weeks ago. This brings a whole host of benefits.

Microsoft SQL Server 2017 features the much-anticipated SQL Graph, which provides new graph database capabilities for representing complex many-to-many relationships. Social media platforms like Facebook and LinkedIn use graph databases extensively, and in the era of big data, use cases are emerging across many industries.

Businesses can explore these relationships to reveal valuable information – from changes in the types of structures to the query abilities being requested of you and your teams. Whether it’s identifying similarities in customers behind trends in purchasing behavior, or mapping patterns in credit card usage to determine credit limits or risk indicators of defaulting on repayments, the introduction of graph capabilities to SQL Server makes the processes more streamlined.

Perhaps the most touted feature of the new version is that it will be available to be installed on Linux, an entirely inconceivable premise 10 years ago, which just goes to show how far Microsoft has changed its approach to supporting non-Windows platforms as standard.

The announcement earlier this year that Power BI would be included as part of SSRS in was welcome. Previously, each tool was well suited for a specific reporting purpose – SSRS was great for designing reports that require a lot of visual tailoring and widely common formats for exporting, whereas Power BI is more geared towards real-time, dashboard views that marry together disparate data sources in a straightforward way. By being able to leverage SSRS to fully utilise Power BI reports, the application suddenly becomes a lot more versatile and the potential for combining together functionality becomes a lot more recognisable. So, for example, having the ability to drill down to an SSRS report from a Power BI report would be an excellent way of providing reporting capabilities that satisfy end-user consumption in 2 different, but wildly applicable, scenarios

The updated SSMS client for SQL Server 2017 has been given refreshed icons that bring the application more in line with how Visual Studio and other Microsoft products are looking these days.

Inside a Microsoft cloud data centre with Synergy Software Systems

November 22nd, 2017 by Stephen Jones

Get the reach and local presence you need with Microsoft’s global datacenters – https://azure.microsoft.com/en-us/regions/ Azure is generally available in 36 regions around the world, with plans announced for 6 additional regions.

Go beyond the limits of your on-premises datacenter using the scalable, reliable infrastructure that powers the Microsoft Cloud.

Transform your business and reduce maintenance costs with an energy-efficient infrastructure spanning more than 100 highly secure facilities worldwide, linked by one of the largest networks on earth.

The engine that powers Microsoft’s cloud services, the is designed to support smart growth, high reliability, operational excellence, cost-effectiveness, environmental sustainability, and a trustworthy online experience for customers and partners worldwide.

Microsoft delivers the core infrastructure and foundational technologies for Microsoft’s numerous online businesses, including: Dynamics 365, Power BI, Cortana analytics, IoT, Bing, MSN, Office 365, Xbox Live, Skype, OneDrive and the Windows Azure platform.

The infrastructure is comprised of a large global portfolio of more than 100 datacenters and 1 million servers, content distribution networks, edge computing nodes, and fiber optic networks.

The portfolio is built and managed by a team of subject matter experts working 24x7x365 to support services for more than 1 billion customers and 20 million businesses in over 90 countries worldwide.

Those are 2014 figures, and the Microsoft cloud has expanded greatly since then, for example with the acquisition of LinkedIn and the launch of Dynamics 365.

To help you comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data, Microsoft offers the most comprehensive set of compliance offerings of any cloud service provider. Microsoft business cloud services operate with a cloud control framework, which aligns controls with multiple regulatory standards (https://www.microsoft.com/en-us/trustcenter/guidance/risk-assessment#Audit-reports)

Argentina PDPA – Microsoft has implemented the security measures in the Argentina Personal Data Protection Act.

BIR 2012 – Agencies operating in the Netherlands government sector must comply with the Baseline Informatiebeveiliging Rijksdienst standard.

Canadian Privacy Laws – Microsoft contractually commits to implementing security that helps protect individuals’ privacy.

CCSL (IRAP) – Microsoft is accredited for the Australian Certified Cloud Services List based on an IRAP assessment.

CDSA – Azure is certified to the Content Delivery and Security Assoc. Content Protection and Security standard.

China DJCP – Azure and Office 365 operated by 21Vianet are rated at Level 3 for information security protection.

China GB 18030 – Azure and Office 365 operated by 21Vianet are certified as compliant with the Chinese character standard.

China TRUCS – Azure and Office 365 operated by 21Vianet obtained Trusted Cloud Service certification.

CJIS – Microsoft government cloud services adhere to the US Criminal Justice Information Services Security Policy.

CS Mark (Gold) – Microsoft received the CS Gold Mark in Japan for Azure (IaaS and PaaS) and Office 365 (SaaS).

CSA STAR Attestation – Azure and Intune were awarded Cloud Security Alliance STAR Attestation based on an independent audit.

CSA STAR Certification – Azure, Intune, and Power BI were awarded Cloud Security Alliance STAR Certification at the Gold level.

CSA STAR Self-Assessment – Microsoft STAR Self-Assessment details how cloud services fulfill Cloud Security Alliance requirements.

DFARS – Microsoft Azure Government supports Defense Federal Acquisition Regulation (DFARS) requirements.

DoD – Microsoft received Department of Defense (DoD) Provisional Authorizations at Impact Levels 5, 4, and 2.

EN 301 549 – Microsoft meets EU accessibility requirements for public procurement of ICT products and services.

ENISA IAF – Azure aligns with the ENISA framework requirements through the CSA CCM version 3.0.1.

EU Model Clauses – Microsoft offers EU Standard Contractual Clauses, guarantees for transfers of personal data.

EU-U.S. Privacy Shield – Microsoft complies with this framework for protecting personal data transferred from the EU to the US.

FACT – Microsoft Azure achieved certification from the Federation Against Copyright Theft in the UK.

FDA CFR Title 21 Part 11 – Microsoft helps customers comply with these US Food and Drug Administration regulations.

FedRAMP – Microsoft was granted US Federal Risk and Authorization Management Program P-ATOs and ATOs.

FERPA – Microsoft aligns with the requirements of the US Family Educational Rights and Privacy Act.

FIPS 140-2 – Microsoft certifies that its cryptographic modules comply with the US Federal Info Processing Standard.

FISC – Microsoft meets the requirements of the Financial Industry Information Systems v8 standard in Japan.

GxP – Microsoft cloud services adhere to Good Clinical, Laboratory, and Manufacturing Practices (GxP).

HIPAA/HITECH – Microsoft offers Health Insurance Portability & Accountability Act Business Associate Agreements (BAAs).

HITRUST – Azure is certified to the Health Information Trust Alliance Common Security Framework.

IRS 1075 – Microsoft has controls that meet the requirements of US Internal Revenue Service Publication 1075.

ISO 9001 – Microsoft is certified for its implementation of these quality management standards.

ISO 20000-1:2011 – Microsoft is certified for its implementation of these service management standards.

ISO 22301 – Microsoft is certified for its implementation of these business continuity management standards.

ISO 27001 – Microsoft is certified for its implementation of these information security management standards.

ISO 27017 – Microsoft cloud services have implemented this Code of Practice for Information Security Controls.

ISO 27018 – Microsoft was the first cloud provider to adhere to this code of practice for cloud privacy.

IT Grundschutz Compliance Workbook – Azure Germany published this Workbook to help our clients achieve IT Grundschutz certification.

ITAR – Azure Government supports customers building US International Traffic in Arms Regs-capable systems.

MARS-E – Microsoft complies with the US Minimum Acceptable Risk Standards for Exchanges (MARS-E).

MeitY – The Ministry of Electronics and Info Technology in India awarded Microsoft a Provisional Accreditation.

MPAA – Azure successfully completed a formal assessment by the Motion Picture Association of America.

MTCS – Microsoft received certification for the Multi-Tier Cloud Security Standard for Singapore.

My Number (Japan) – Microsoft does not have standing access to My Number data, a number unique to each resident of Japan.

NEN 7510:2011 – Organizations in the Netherlands must demonstrate control over patient health data in accordance with the NEN 7510 standard.

NHS IG Toolkit – Azure is certified to the Health Information Trust Alliance Common Security Framework.

NIST 800-171 – Microsoft DoD certifications address and exceed US NIST 800-171 security requirements.

NIST CSF – Microsoft Cloud Services meet the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

NZ CC Framework – Microsoft NZ addresses the questions published in the New Zealand cloud computing framework.

PCI DSS – Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1.

Section 508 – Microsoft cloud services offer Voluntary Product Accessibility Templates.

Shared Assessments – Microsoft demonstrates alignment of Azure with this program through the CSA CCM version 3.0.1.

SOC 1 – Microsoft cloud services comply with Service Organization Controls standards for operational security.

SOC 2 – Microsoft cloud services comply with Service Organization Controls standards for operational security.

SOC 3 – Microsoft cloud services comply with Service Organization Controls standards for operational security.

Spain ENS – Microsoft received Spain’s Esquema Nacional de Seguridad (National Security Framework) certification.

UK Cyber Essentials PLUS – Cyber Essentials PLUS is a UK government-defined scheme to help organizations protect against common cyber-security threats.

UK G-Cloud – The Crown Commercial Service renewed the Microsoft cloud services classification to Government Cloud v6.

WCAG 2.0 – Microsoft cloud services comply with the Web Content Accessibility Guidelines 2.0.

Blog registration discontinued.

November 22nd, 2017 by Stephen Jones

To the many of you who have asked for registration and not had a response, please accept our apologies. The overwhelming success of the site means we typically get 50 new registrants a day, and it has been administratively difficult to keep up with approval and review of comments from over 10000 subscribers. So, much against the trend, we have dropped the social media links and options to comment.

This will give us more time to add content and will also help with performance of the site.

U.A.E. Draft VAT regulations – Synergy Software Systems summary

November 20th, 2017 by Stephen Jones

The UAE Ministry of Finance announced the Executive Regulation for the Federal Decree-Law No. (8) of 2017 on Value Added Tax at a Cabinet meeting on 7 November 2017, headed by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, Ruler of Dubai.

The Regulation defines VAT as the 5% tax imposed on the import and supply of goods and services at each stage of production and distribution, including:
- what is a deemed supply, with the exception of specific supplies subject to the zero rate
- what is exempted as specified in the Decree-Law.

Before reviewing the individual titles of the regulation, this is a summary of the salient points:

VAT Registrations
It is important to note that the draft VAT executive regulations state that businesses are required to register in accordance with the timelines previously announced by the Federal Tax Authority. As a consequence, if taxpayers have not registered within these timelines, it may potentially result in late registration penalties which are AED 20,000.

The UAE’s Federal Tax Authority is urging companies subject to the value-added tax to register before December 4 to avoid paying the tax from their own pockets.

The Federal Tax Authority (FTA) requires by law 20 working days to access and process their applications, said Khalid Al Bustani at a media briefing in Dubai. Companies submitting applications after that date are not guaranteed to get their formalities completed, will not be able to charge 5 per cent VAT to their customers and may have to pay the tax from their pocket until their registrations are finished, according to FTA officials at the briefing.

- Businesses providing taxable supplies may apply for a voluntary VAT registration if their sales exceed AED 187,500 per annum
- Businesses providing exclusively zero-rated supplies may apply for an exemption from the obligation to VAT register
- The mandatory VAT registration threshold is AED 375,000 sales per annum
- A registration application must be submitted within 30 days of being obliged to register
- Tax Groups may be formed for multiple related-party businesses to register under one number – one taxable party, the ‘representative’, takes on the responsibility to prepare and submit the consolidated return
- De-registrations are permitted on the cessation of the taxable supplies, or on the tax authority’s decision

Tax point
VAT becomes due on the earlier of:
- The invoice date
- The delivery of the goods or performance of the service
- The payment date

Place of supply rules
- For real estate, a supply is deemed to take place in UAE where the service is directly connected with UAE real estate
- Domestic transport services are deemed to be supplied from the place where the transport commences
- For goods transported to another GCC State which has implemented VAT (‘implementing state’), the place of supply is the destination provided adequate proof of transportation can be obtained

Zero rating
The following goods and services shall be zero-rated for VAT purposes (note: all foods will be standard rated):
- Goods physically exported to other VAT registered businesses outside of the UAE or other implementing state provided commercial evidence of the transport is retained by the vendor
- when supplied to a customer that does not have an establishment in UAE and is outside of the country at the time of supply. The exception is real estate in UAE.
- Supply of international transportation services for passengers and goods
- The supply or import of precious metals
- New residential property supplies
- Education services if supplied by an accredited government body
- Healthcare services provided by a body linked to the state
- Approved pharmaceuticals

Exempt supplies

The following services will be exempted from VAT:
- Financial services related to dealing in money (e.g. FX, debt securities, loans, bank accounts, derivatives or similar, issuing shares and life insurance)
- Other financial services attracting a fee or commission are liable to VAT
- Residential buildings with a lease longer than 6 months
- Bare land
- Local passenger transport

VAT Free Designated Zones

Special geographical areas within the UAE, but outside of the UAE VAT regime. These are created upon a decision by the Cabinet. They have security measures and customs controls to monitor the movement of goods. The transfer of goods or provision of services within the Zones will not be subject to VAT – similar to the bonded warehouse concept.
Import VAT becomes payable when any goods leave the Zone.

Non-recoverable VAT

The following VAT is not recoverable against VAT on taxable supplies:
- Entertainment for non-employees
- Personal use vehicles and other goods for employees
- Employee-use goods not directly associated with the provision of taxable supplies

VAT invoices
VAT invoices must include the following details:
- Name and address of supplier
- VAT Number
- Unique VAT invoice number
- Date of invoice, and date of supply if different
- Description of the goods/services provided
- Unit prices, quantity or volumes of the supplies
- Any discount offered
- VAT calculation and gross amount due in AED (any rate of exchange used)

Simplified invoices may be issued to non-tax payers or when the consideration is below AED 10,000.

Electronic invoices may be issued if the vendor has secure storage facilities, and the authenticity of the invoice can be guaranteed

VAT reporting
The standard VAT reporting period is 3 months
VAT returns must be received by the 28th of the month following the reporting period.

The VAT return includes:
- Name, address and tax registration number of the tax payers
- The tax period
- Submission date
- Values of taxable supplies made, and output VAT charged
- Values of zero rated supplies made
- Values of exempt supplies made
- Value of taxable supplies consumed, and input VAT claimed
- Total value of VAT due

Transitional rules
- Goods or services provided before the implementation of VAT will be treated as having been provided on the implementation date
- A payment for the services prior to the implementation date will be disregarded for determining the time of supply after the implementation date
- The value prior to VAT implementation of any goods or services will be treated as exclusive of VAT

The Value Added Tax (VAT) to be launched on January 1 in UAE will bring many changes in the price structure of the goods and services in the country. While some basic things like school fees will be exempt from tax, many other essential items such as: water, food, and jewelry may be included in the VAT.

The VAT in UAE will be levied at a fixed rate of 5 per cent on all applicable items.

The tax will also be levied on tourists visiting the country; however, the tax paid by tourists in the UAE will be refunded to them at the airport.

Check out below the list of goods/services we understand will be taxed under VAT
◾Food
◾Electricity bills (Power)
◾Jewellery
◾Car rentals
◾Smartphones
◾Dining out
◾Commercial rents (Renting out for commercial purposes)
◾Plastic surgery
◾Uniforms of private and public schools
◾Water bills
◾Cars
◾Electronics
◾Watches
◾Entertainment
◾Tenancy contracts
◾Hotel
◾Service apartment
◾Private school books

Goods/services we understand to be exempt from VAT
The following items/services will be VAT exempt:
◾Medical fees
◾Air travel
◾Medicines
◾Basic and preventive surgery
◾Exam fees
◾Local transport
◾Residential rents
◾Public school books

The VAT will also be applicable to the free zone companies making supplies outside the zone. This might increase pre-financing cost for such companies.

Draft Regulation Titles:

The first title of the Regulation includes the definitions of terms used.

The second title deals with supply, which includes:
- articles regulating the supply of goods and services,
- supplies that consist of more than one component
- the exceptions related to deemed supplies.

The third title of the document tackles the subject of registration, such as:
– mandatory and voluntary registration,
– related parties,
– conditions to be met to register tax groups
– appointing a representative member,
– deregistration,
– exception from registration,
– registration on law coming into effect
– obligations to be met before deregistration.

The fourth title looks into rules relating to supply, including:
– articles on the date of supply,
– place of supply for goods,
– place of supply of services for real estate,
– transport services,
– telecommunications and electronic services,
– intra-GCC supplies,
– the market value,
– prices to be inclusive of: tax, discounts, subsidies and vouchers.

The fifth title discusses profit margins, and also explains how to calculate VAT based on profit margins,

The sixth title addresses zero-rated goods and services, including:
- telecommunications,
- international transportation of passengers or goods,
- investment grade precious metals,
- new and converted residential buildings,
- healthcare,
- education
- buildings earmarked for charity.

The seventh title clarifies provisions relating to products and services exempt from value added tax, namely:
- the supply of certain financial services as specified in the Executive Regulation,
- the supply of residential (non-zero-rated) buildings either by sale or by lease,
- the supply of bare land,
- the supply of local passenger transport.

The eighth title addresses accounting for tax on:
- specific supplies and includes articles relating to supplies with more than one component,
– general provisions in relation to import of goods
– applying a reverse charge on goods and services,
– moving goods to implementing states
– imports by non-registered persons.

The ninth title addresses Designated Zones in article (51).

The tenth title provides further detail on:
- calculating due tax,
- recovery of input tax relating to exempt supplies,
- input tax not recoverable,
- special cases for input tax.

The eleventh title includes:
- article (55) on apportioning input tax
- article (56) on adjusting input tax after recovery,

The twelfth title addresses:
- the capital asset scheme in article (57)
- adjustments within the capital asset scheme in article (58).

The thirteenth title includes:
- article (59) on tax invoices,
- article (60) on tax credit notes
- article (61) on fractions of the fils.

The fourteenth title discusses Tax Periods and Tax Returns,

The fifteenth title goes into recovery of excess tax in article (65).

The sixteenth title tackles recovery in other cases and includes:
- article (66) on new housing for nationals,
- article (67) on business visitors,
- article (68) on tourists
- article (69) on foreign governments.

The seventeenth title includes:
- article (70) on Transitional Rules,
- article (71) on record-keeping requirements
- article (72) on keeping records of supplies made.

The eighteenth title discusses closing provisions.

The draft text of the Executive Regulation for Federal Decree-Law No. (8) of 2017 on Value Added Tax is to be published on the UAE Ministry of Finance’s website www.mof.gov.ae (https://www.mof.gov.ae/en/budget/pages/vatquestions.aspx) and the Federal Tax Authority’s website www.tax.gov.ae

https://www.tax.gov.ae/pdf/VAT-Decree-Law-No-8-of-2017.pdf

Some comments:
The Executive Regulation is clear that prices must be expressed inclusive of VAT unless something is being supplied for export or where the customer is registered for VAT i.e. for B2C retail sales

This will prevent businesses from misleading consumers by adding 5 per cent to the price at the till, but it gives rise to complexity where businesses are supplying to a combination of consumers, non-registered businesses and registered businesses, and where they make both domestic and international supplies.

There is reference to “Designated Zones” being treated as outside the UAE in the Decree-Law, but the Executive Regulation makes it clear these must be “a specific fenced geographic area [which] has security measures and customs controls in place to monitor entry and exit of individuals and movements of goods to and from the area”. It simply wasn’t permissible under the GCC Framework Agreement, or the design of VAT generally, to treat the Dubai International Financial Centre differently from anywhere else in the UAE.

Banks will need to work through Article (42) of the Executive Regulation to determine which of their supplies are exempt and which are standard rated. For example, supplies cannot be exempt if they are “conducted in return for an explicit fee, discount, commission, and rebate or similar”.
Furthermore, in relation to Islamic finance products, the drafting is currently unclear on whether each separate part of a product will need to be certified as Sharia compliant, or whether only a product generally has to have been certified.

Challenges remain for certain sectors. Healthcare services, which are generally zero rated, are defined as a supply “that is generally accepted in the medical professions as being necessary for the treatment of the recipient of the supply including preventive treatment”. That’s not just a question for a tax lawyer. That’s a question for a doctor.

The UAE Executive Regulation now takes a more considered approach than the simpler but ultimately unsatisfactory approach taken in the Saudi legislation with regard to existing contracts. Under the Executive Regulation, when a contract is silent on VAT, the consideration will be treated as exclusive of VAT, and the recipient will be required to pay VAT in addition if, broadly speaking,
(i) the recipient of the supply is registered for VAT;
(ii) the recipient of the supply has the right to recover the VAT charged in full, or in part.

The position on VAT on supplies to government entities is still unclear – for example, whether an entity is in fact a government entity, whether a government entity is required to be registered, and whether it has the right to recover VAT.

Security, security

November 5th, 2017 by Stephen Jones

The IRS fends off 4 million hacking attempts a day, Commissioner John Koskinen said last Tuesday.

System accounts – security

October 29th, 2017 by Stephen Jones

An Office 365-focused botnet puts the spotlight on the security of system accounts, which are commonly overlooked.

A botnet dubbed “KnockKnock”, active since at least May and especially active from June through August, is a relatively small botnet whose attacks are highly targeted in both the types of accounts it attacks and the types of organizations. This is interesting because it is trying to get into system accounts that are commonly used to connect the Exchange Online e-mail system with marketing and sales automation software. In cases where the system accounts are compromised, KnockKnock exports data from the inbox, creates a new inbox rule and starts a phishing attack from the account against the rest of the organization.

The attacks analysed averaged only five e-mail addresses per customer. Additionally, the organizational targeting was extremely specific — aimed at infrastructure and Internet of Things (IoT) departments within the manufacturing, financial services, health care and consumer products industries, as well as U.S. public sector agencies.

Non-human system accounts are less likely to be protected by multi-factor authentication or security policies, such as recurring password reset requirements. Once such accounts are provisioned, they’re easy to overlook and can prove to be the weakest link in Office 365 and in the security infrastructure in general.

Bad Rabbit – a virulent wave of data-encrypting malware is sweeping through Eastern Europe

October 28th, 2017 by Stephen Jones

A new, potentially virulent wave of data-encrypting malware is sweeping through Eastern Europe and has left a wake of outages at news agencies, train stations, and airports, according to multiple security companies.

A new ransomware outbreak similar to WCry is shutting down computers worldwide. Ransom:Win32/Tibbar.A, or Bad Rabbit as the outbreak is dubbed, is primarily attacking targets in Russia, but it’s also infecting computers in Ukraine, Turkey and Germany, researchers from Moscow-based Kaspersky Lab said. In a blog post, the antivirus provider reported that the malware is using hacked Russian media websites to display fake Adobe Flash installers, which, when clicked, infect the computer visiting the hacked site. Researchers elsewhere said the malware may use other means to infect targets.

Bad Rabbit appears to specifically target corporate networks by using methods similar to those used in a June data-wiping attack dubbed “NotPetya” that shut down computers around the world.
Bad Rabbit infects Windows computers and relies solely on targets manually clicking on the installer, Kaspersky Lab said. So far, there’s no evidence the attack uses any exploits.

The Ukrainian computer emergency agency CERT-UA posted an advisory on Tuesday morning reporting a series of cyberattacks.

Kevin Beaumont said on Twitter that Bad Rabbit uses a legitimate, digitally signed program called DiskCryptor to lock targets’ hard drives. Kaspersky Labs’ blog post said the executable file dispci.exe appears to be derived from DiskCryptor and is being used by Bad Rabbit as the disk encryption module.

Bad Rabbit relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers’ hard drives known as the master boot record. A malicious file called infpub.dat appears to be able to use the credentials to allow Bad Rabbit to spread to other Windows computers on the same local network. The malware also uses the Mimikatz network administrative tool to harvest credentials from the affected systems.

Once Bad Rabbit infects a computer, it displays a message in orange letters on a black background. It directs users to a Dark Web site that demands about $283 in Bitcoin to decrypt data stored on the encrypted hard drive. The Dark Web site also displays a ticking clock that gives victims 40 hours to pay before the price increases. It’s not yet known what happens when targets pay the ransom in an attempt to restore their data. The NotPetya malware was written in a way that made recovery just about impossible, a trait that has stoked theories that the true objective of the attackers was to wipe data in an act of sabotage, as opposed to generating revenue from ransomware. It also remains unclear who is behind the attack.

The outbreak is the latest reminder that you should back up all your data on drives that are secured with a password or other measure to protect them from ransomware.

Windows Defender Antivirus detects and removes this threat with protection update 1.255.29.0 and higher.

This threat appears as a fake Adobe Flash Player update.

Microsoft advice:
Microsoft doesn’t recommend you pay the ransom. There is no guarantee that paying the ransom will give you access to your files. If you’ve already paid, then see https://www.microsoft.com/en-us/mmpc/shared/ransomware.aspx for help on what to do.

Review logs and shut down or run Windows Defender Offline.

This ransomware attempts to reboot your PC so it can encrypt your files. You might be able to stop your PC from rebooting and instead shut it down or run a Windows Defender Offline scan:
Check event logs for the following IDs: 1102 and 106
• Event 1102 indicates that the audit log has been cleared, so previous activities can’t be seen.
• Event 106 indicates that scheduled tasks “drogon” and “Rhaegel” have been registered (these are ransomware wipers)
• If events 1102 and 106 are present, then issue a shutdown with the parameter -a to prevent a reboot

You can also immediately initiate a Windows Defender Offline scan by using PowerShell or the Windows Defender Security Center app.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:
• Windows Defender Antivirus for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
• Microsoft Safety Scanner – Run a full scan to look for any hidden malware.

Advanced troubleshooting – To restore your PC, download and run Windows Defender Offline.

Ask us about how to use cloud protection to guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection setting is turned On.

Indicators of compromise
Presence of the following files in %SystemRoot%:
• infpub.dat
• cscc.dat
• dispci.exe
• You can’t access your files or your PC
• A ransom message in red on a black background
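
The event-log checks from the Microsoft advice and the file indicators listed above, collected into one read-only PowerShell triage script. This is an added example, not code from Microsoft or from the original post; the log names (Security for event 1102, Microsoft-Windows-TaskScheduler/Operational for event 106), the seven-day window and the helper name Get-EventsSafe are assumptions.

```powershell
# Added triage example; not Microsoft's or the blog author's code.
# Assumes PowerShell 3.0+ in an elevated session. Log names are assumptions:
# 1102 is read from Security, 106 from the Task Scheduler operational log.

$TaskNames          = @('drogon', 'Rhaegel')                     # task names from the advice
$IocFiles           = @('infpub.dat', 'cscc.dat', 'dispci.exe')  # files listed for %SystemRoot%
$LookbackDays       = 7                                          # assumed search window
$AbortPendingReboot = $false                                     # set $true to run 'shutdown -a'

function Get-EventsSafe {
    # Hypothetical helper: returns matching events, or nothing when the log is
    # empty, disabled or unreadable (Get-WinEvent raises an error in each case).
    param([string]$LogName, [int]$Id, [int]$Days)
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = (Get-Date).AddDays(-$Days) }
    try   { Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
    catch { Write-Verbose "$LogName / $Id : $($_.Exception.Message)" }
}

# Event 1102: the audit log was cleared, so earlier activity may be missing.
$cleared = @(Get-EventsSafe -LogName 'Security' -Id 1102 -Days $LookbackDays)

# Event 106: a scheduled task was registered; keep only the two named tasks.
$registered = @(
    Get-EventsSafe -LogName 'Microsoft-Windows-TaskScheduler/Operational' -Id 106 -Days $LookbackDays |
        Where-Object {
            $message = $_.Message
            @($TaskNames | Where-Object { $message -match [regex]::Escape($_) }).Count -gt 0
        }
)

# Tasks that are still registered (the cmdlet exists on Windows 8 / Server 2012 and later).
$tasksPresent = @()
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $tasksPresent = @(Get-ScheduledTask -TaskName $TaskNames -ErrorAction SilentlyContinue)
}

# Indicator files directly under %SystemRoot%.
$filesPresent = @(
    $IocFiles | ForEach-Object { Join-Path $env:SystemRoot $_ } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
)

$summary = [pscustomobject]@{
    AuditLogCleared1102 = $cleared.Count
    TaskRegistered106   = $registered.Count
    TasksStillPresent   = ($tasksPresent | ForEach-Object { $_.TaskName }) -join ', '
    FilesInSystemRoot   = $filesPresent -join ', '
}
$summary | Format-List

# The advice: if both events are present, stop the reboot, then shut down or scan offline.
if ($cleared.Count -gt 0 -and $registered.Count -gt 0) {
    Write-Warning 'Events 1102 and 106 are both present: prevent the reboot, then shut down or run an offline scan.'
    if ($AbortPendingReboot) { shutdown.exe -a }
}
```

An empty result is not a clean bill of health: a cleared audit log (event 1102) removes exactly the history this script reads, so the file check and an offline scan still matter.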

EdgeHTML 16 – a major update to the Edge browser.

October 25th, 2017 by Stephen Jones

Microsoft is rolling out the Windows 10 Fall Creators Update to all its customers from October 17, 2017. By the end of the year, everyone who doesn’t actively delay its installation should have the update. There are numerous new and improved features included in this update; one less publicised example is the major update of the Edge browser to a new version that Microsoft calls EdgeHTML 16.

This new version of Microsoft’s Edge browser adds several features and some subtle changes to the interface to support a mobile-first, cloud-first world.

EdgeHTML 16 highlights

Interface. The new version contains elements of the Fluent Design System, which gives it a different level of depth and transparency. The change may not be all that noticeable at first, but there are differences in title bar colors and shading that give the browser a much-needed facelift.

With EdgeHTML 16, users can now change highlight colors and add notes on the fly using the power of the right-click and context-sensitive menus. If you are into annotation, then the EdgeHTML 16 browser is built with you in mind. You can add highlights in four colors, underline, add comments or copy text. You also have the ability to Ask Cortana to find more information about the content you are reading without leaving the reading experience. To get started, simply select some text and choose one of the annotation options from the menu that pops up!

Or, if you’re reading a PDF, you can select the “Add notes” button next to the address bar to mark the PDF up with Windows Ink.

This feature lets you take notes with a pen or highlighter right on the page – perfect for marking up a draft, signing a document, or for filling out a form.

Microsoft Edge can now read web pages, e-books, and other documents out loud to make reading accessible to more people. To hear an e-book or PDF out loud, click or tap anywhere on the page and select the “Read aloud” button from the top-right corner.

One more useful feature of this new version of Edge is the ability to pin favorite websites directly to the taskbar. You no longer have to rely on jump lists to get to your most important websites. Pinning a website to your taskbar will override your default browser setting, to use Edge instead. This is useful for loading Office 365 in Edge instead of Chrome.

A small useful feature is the ability to edit the address for individual favorites in the Favorites Hub or on the Favorites bar.

New features like web notifications and location services mean more sites may ask for your permission to access your location, webcam, or to send notifications, among other things. To help make it easier to keep track of what permissions you’ve granted, there is a new “Show site information” pane to see the permissions you’ve granted for every website you visit.

Another useful feature is support for an option called Continue On Your PC. When you are reading a website on your mobile device, you can send it to your Windows 10 desktop running Edge and not miss a beat, which fits in well with Microsoft’s concept of a mobile workforce relying on collaboration to get work done.

You can also now browse in full screen.

For developers there are also a lot of technical enhancements for web apps, modern layouts, payments, and more.

There are many other new and improved features to be found in the new EdgeHTML 16 that reflect Microsoft’s business strategy of helping users connect, collaborate, and produce in a mobile and dispersed working environment.

Sales in Dynamics 365 (CRM)

October 24th, 2017 by Stephen Jones


Watch this video for an overview of how Microsoft empowers sellers to drive personal engagement with customers.


Watch this video for some highlights of how sellers leverage key capabilities like actionable insights, relationship management, sales productivity, and sales performance.

Dynamics CRM Customer Hub

October 24th, 2017 by Stephen Jones

The Customer Service Hub shows you all your vital customer service information in one place, and makes it easier for reps and managers to prioritize and act on service cases.

Expertly manage your cases, engage with your customers, and create activities directly from the timeline. With full access to a customer record, as well as related cases, entitlements, and knowledge articles, the case form in the Customer Service Hub app in Dynamics 365 for Customer Service helps you quickly find and act on data as you work toward case resolution.

Using the modern and intuitive dashboards in Customer Service Hub in Dynamics 365 for Customer Service, you can filter the information that is most important and requires immediate focus, and take decisive action.
The Tier 1 dashboard helps you find your cases and the things you need to do fast. Use visual filters and tiles to decide what you want to see and work on. The Tier 2 dashboard gives team leads and managers a single place to monitor more complex or escalated cases.

October update Dynamics 365 Project Service Automation (v2.1.0.30) Enhancements

October 24th, 2017 by Stephen Jones

New capabilities enabled for this upgrade release
• Added Billing Type field on expense tax invoice line details.
• Added Role (resource category) column between Task Id and Transaction Category columns for Actual associated view.
• Improved performance by avoiding unnecessary WBS aggregation on update task.
• Localized label and better description for invalid action on MS Project label.

Below are the major bug fixes for this upgrade release
• Time entry created in the week of DST transitions to Standard time shows up on the following day.
• Importing Estimate lines onto Quote line from Project for a 2nd time results in an error “record is unavailable”.
• Contract performance does not show milestone amount in the Billed amount for FP line.
• “Record Is Unavailable” error is shown after navigating to and deleting the cost side detail record from a quote line detail.
• WBS view UX issue with column heading width and Gantt scrollbar.
• European number formatting not respected on the quick create UI for estimated hours when creating project from template.
• In MS Project, after Find Resources and book a resource, the resource sheet is not refreshed.
• Hitting “This action is not allowed for projects linked to MS Project.” error when trying to book a team member on MSP-link project, with non-contiguous booking slots.
• Error pop-up when deactivating Resource Request.
• Generic resource is not using work hour template from project.

NOTE: This upgrade release can only be installed/upgraded for Dynamics 365 9.0+ org

Universal Resource Scheduling Enhancements
Below are the major bug fixes for this upgrade release
• Schedule board error when time zone set to GMT-3 Brasilia.
• Schedule board shows no resources available until switching from Hours view to Day view.
• Map pins are not refreshed when moving to next page of resources while in RM.
• Requirement map pin loses focus when searching for availability.
• Handle escaping requirement name on Schedule Board.
• Maintain Bookings not opening in the correct view.
• Cancel bookings route also showing in the mini map in schedule board.
• Hide inactive resource characteristics from resource fly out.
• Booking duration and percentage is not changing when cancel the booking after the moved bookings to different day.
• Cannot sort or filter fields added to requirement view on schedule board from other entities.
• Changing territory filter on board does not take immediate effect on the requirement tabs when Apply Territory Filter is enabled.
• On Schedule board, inconsistency in calculating the available capacity between hourly and daily view.
• Duration value is not updated when the requirement detail is deleted.
• Incorrect duration time on view details tooltip template in RM mode.
• On click of “Load Default filter” not clearing all controls in Filter control.
• Resource driving directions print window, print icon is missing next to print label.
• Add Fulfilled/Remaining Duration fields to the Requirement form.

NOTE: Enhancements and bug fixes for Universal Resource Scheduling apply for Field Service and Project Service Automation as well as other schedulable entities.