Extended Events – Security Issue – SQL Server 2019, 2017, 2016, 2014

January 13th, 2021 by Stephen Jones

Microsoft has fixed vulnerabilities in Extended Events that “may cause code to run against the SQL Server process if a certain extended event is enabled.”

– KB 4583468: https://support.microsoft.com/en-us/help/4583468/kb4583468-microsoft-sql-server-elevation-of-privilege-vulnerability
and
– CVE-2021-1636: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1636
Lots of patching to do:
• SQL Server 2019 CU8 GDR
• SQL Server 2017 CU22 GDR
• SQL Server 2016 SP2 CU15 GDR
• SQL Server 2014 SP3 CU4 GDR
And there are GDRs for other patch levels too, like if you’re on 2016 but not on SP2 yet.
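
To see where an instance stands before and after patching, the T-SQL below reports the build and update KB the instance identifies itself with, and lists every Extended Events session defined on it with its running state and collected events. It is an added example, not part of the original post or of Microsoft's guidance; the advisory quoted above does not name the affected event, so the query inventories all sessions rather than flagging a particular one.

```sql
-- Added example: patch level and Extended Events inventory for one instance.
-- Run in any database with VIEW SERVER STATE permission.

-- 1. Build and servicing information the instance reports about itself.
SELECT
    SERVERPROPERTY('ProductVersion')         AS product_version,   -- build number
    SERVERPROPERTY('ProductLevel')           AS product_level,     -- RTM / SPn
    SERVERPROPERTY('ProductUpdateLevel')     AS update_level,      -- CUn, or NULL
    SERVERPROPERTY('ProductUpdateReference') AS update_kb;         -- KB article of the build

-- 2. Every Extended Events session defined on the server, whether it starts
--    with the instance, whether it is running now, and which events it collects.
SELECT
    s.name                                       AS session_name,
    s.startup_state                              AS starts_with_server,
    CASE WHEN r.name IS NULL THEN 0 ELSE 1 END   AS is_running,
    e.package                                    AS event_package,
    e.name                                       AS event_name
FROM sys.server_event_sessions AS s
LEFT JOIN sys.dm_xe_sessions AS r
       ON r.name = s.name                        -- present only while the session runs
LEFT JOIN sys.server_event_session_events AS e
       ON e.event_session_id = s.event_session_id
ORDER BY s.name, e.package, e.name;
```

Compare `update_kb` and `product_version` against the KB article linked above for your branch, and review any running session you do not recognise.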

D365 Supply Chain Management: Customer Portal is Available

January 13th, 2021 by Stephen Jones

D365 Supply Chain Management: Customer Portal is now Generally Available.

The Customer portal acts as a starting point for organizations to use Power Apps portals to build an externally facing website that uses data from their Supply Chain Management installation. It helps organizations connect dual-write, Supply Chain Management, and Power Apps portals.

What is the Customer portal?
Modern supply chain systems rely on integration. They require that inventory, customer demand, and sales departments be integrated instead of residing in separate silos. The Customer portal helps organizations that run Microsoft Dynamics 365 Supply Chain Management enhance this integration and more effectively keep their customers informed.
The Customer portal template has all the customization capabilities that the portals feature of Power Apps offers. The template can easily be modified to represent the company’s brand, add increased functionality, and change the user experience. All the functionality that the template offers out of the box can be modified as desired. By itself, the template isn’t expected to be completely functional. It just serves as an enabler for customers who want to create an externally facing website so that enterprise customers can engage with data from Supply Chain Management.

The Customer portal documentation is directed at admins, customizers, and system integrators who will set up the Customer portal for a Supply Chain Management installation. It uses the terms customer and user to describe people who are customers of the organization that is running Supply Chain Management, and who will use the final portal itself.

Who should use it?
The Customer portal is designed for companies that run Supply Chain Management and have these characteristics:
• They want to build an externally facing website that communicates order processing information (such as order status or account information) directly from their Supply Chain Management system to their enterprise customers.
• They are transitioning from Dynamics AX 2012 to Supply Chain Management and previously used the AX 2012 Customer self-service portal.
The following types of organizations are not good candidates for implementing the Customer portal:
• Companies that want to build a website for non-enterprise customers. These companies should consider creating a Dynamics 365 Commerce e-commerce website.
• Companies that are already using an existing Power Apps portals website for a similar purpose. These companies won’t receive any additional benefits from the Customer portal. The Customer portal is delivered as a template that acts as a guide and a starting point for customers who want to “connect the dots” between dual-write, Supply Chain Management, and Power Apps portals.

If you’ve already set up a website that serves this purpose, then you might not gain much value from using the Customer portal template to re-provision that website.

The Customer portal is provided as a Power Apps portals template. It depends on Power Apps portals and dual-write.

Power Apps portals is a feature that lets users create an externally facing website into which people from outside the organization can sign in. Little to no coding is required to make portals. The Customer portal is one of many Dynamics 365 portal templates that are available from Microsoft.

Dual-write is an out-of-box infrastructure product that provides near-real-time interaction between customer engagements apps and Finance and Operations apps. Dual-write provides bidirectional integration between Finance and Operations apps and Microsoft Dataverse. Therefore, it provides an integrated user experience across the apps. The Customer portal depends on tables that are synced with dual-write. Before data from Supply Chain Management can be surfaced in the Customer portal, dual-write must be enabled for all the appropriate tables.

(The Common Data Service was renamed to Microsoft Dataverse in November 2020)

What is the true cost of software development?

January 9th, 2021 by Stephen Jones

There has been much talk of both DevOps and citizen developers.
While these new paradigms are welcome and bring many benefits, that does not mean that they replace other proven systems of software development.

There are reasons why some consultancies quote significantly lower times to develop than others: usually it is lack of knowledge or awareness of what needs to be considered, or they deliberately cut corners in areas like security, validation, documentation, testing, and so on.

If that sounds harsh then take a look at this recent post:
A report published last week by the Consortium for Information & Software Quality (CISQ) estimates poor software quality collectively cost companies in the U.S. an estimated $2.08 trillion in 2020.

Wi-Fi-6E is coming in 2021

January 9th, 2021 by Stephen Jones

Many of this year’s new phones, laptops, TVs, routers, and more will come with support for Wi-Fi 6E.

Wi-Fi 6 and previous generations of Wi-Fi use the 2.4 GHz and 5 GHz radio bands. A “Wi-Fi 6E” device is one that is capable of also operating on the 6 GHz band.

This new upgrade to Wi-Fi is like expanding your wireless connection from a two-lane road to an eight-lane highway. It’s the biggest upgrade to Wi-Fi in 20 years, and connections should be faster and a lot more reliable because of it.

The Wi-Fi Alliance is starting to certify the first wave of products with support for Wi-Fi 6E. Phones, PCs, and laptops with support should reach the market in the first months of 2021, according to the IDC research group, and TVs and VR devices with support are expected to arrive by the middle of the year. Intel announced that it will have Wi-Fi 6E chips available in January 2021. The new Snapdragon 888 processor chip includes support for Wi-Fi 6E, so it should be present in many of this year’s top Android phones. It’ll be some time before most new devices are shipping with Wi-Fi 6E; even by the start of 2022, IDC only expects 20 percent of shipping Wi-Fi 6 products to also support Wi-Fi 6E.

Wi-Fi 6E devices will be backward compatible with Wi-Fi 6 and previous Wi-Fi standards. But, to take advantage of those new 6 GHz channels in Wi-Fi 6E, you’ll need to be using devices that support it. In other words, you’ll be using Wi-Fi 6E once you pair a Wi-Fi 6E-enabled client device (like a laptop or smartphone) and a Wi-Fi 6E-enabled access point. With Wi-Fi 6 devices and a Wi-Fi 6E-enabled router, none of your devices will communicate over Wi-Fi 6E. They’ll all be using Wi-Fi 6 on the typical 5 GHz or 2.4 GHz channels.

Wi-Fi 6E relies on a huge expansion of the wireless airwaves available to consumer devices. Existing Wi-Fi devices operate on two spectrum bands, 2.4GHz and 5GHz. Wi-Fi 6E adds a third, 6GHz, and there’s a lot more of it, thus quadrupling the total amount of airwaves used for typical Wi-Fi. We can have larger, higher-speed connections, and the airwaves are less likely to be congested. In an apartment building, for instance, your neighbors’ Wi-Fi networks might interfere with your own. With Wi-Fi 6E, there’s a lot more bandwidth to go around, so there’s less fighting over the exact same airwaves.

Though the US has approved use of 6GHz airwaves, communications regulators in other countries also need to approve the spectrum for Wi-Fi use. The UK, EU, South Korea, Chile, and United Arab Emirates have all given a green light on allowing 6GHz usage for Wi-Fi, while regulators in Brazil, Canada, Mexico, and Japan are among others where progress is being made.

Ransomware that is Devastating MySQL Servers – be aware

December 29th, 2020 by Stephen Jones

PLEASE_READ_ME is an active ransomware campaign that has been targeting MySQL database servers and dates back to at least the start of this year. The attack chain is extremely simple and exploits weak credentials on internet-facing MySQL servers. There are close to 5M internet-facing MySQL servers worldwide.

MySQL servers have often been used as a low cost alternative for applications like Dynamics Ax Retail store databases.

250,000 databases are offered for sale in the attackers’ dashboard, from 83,000 successfully-breached victims.

If you are using MySQL databases then we strongly recommend that you immediately review your credentials security and reference the link above.
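
As a starting point for that credentials review, the queries below list how the server is exposed on the network and which enabled accounts can log in from any host, have no password, or are anonymous. This is an added example, not taken from the original post or the report it refers to; it assumes MySQL 5.7 or 8.0 and an account allowed to read `mysql.user`.

```sql
-- Added example: audit network exposure and weak account definitions.

-- 1. Is the server listening on the network, and on which address and port?
SELECT @@bind_address    AS bind_address,      -- '*' or '0.0.0.0' means all interfaces
       @@skip_networking AS skip_networking,   -- 1 means TCP/IP connections are disabled
       @@port            AS port;

-- 2. Enabled accounts that are reachable from arbitrary hosts, have an empty
--    password, or are anonymous. auth_socket accounts legitimately carry no
--    password hash, so they are not reported as empty-password accounts.
SELECT
    user,
    host,
    plugin,
    password_expired,
    (LOCATE('%', host) > 0)                         AS wildcard_host,
    (COALESCE(authentication_string, '') = ''
        AND plugin <> 'auth_socket')                AS empty_password,
    (user = '')                                     AS anonymous_user
FROM mysql.user
WHERE account_locked = 'N'
  AND (   LOCATE('%', host) > 0
       OR (COALESCE(authentication_string, '') = '' AND plugin <> 'auth_socket')
       OR user = '')
ORDER BY empty_password DESC, wildcard_host DESC, user, host;

-- 3. Is a password-strength policy installed, and how is it configured?
--    An empty result means no validate_password plugin or component is loaded.
SHOW VARIABLES LIKE 'validate_password%';
```

Any row from the second query on a server whose `bind_address` covers a public interface deserves immediate attention: restrict the host, set a strong password, or lock the account.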

Happy Christmas and New Year

December 25th, 2020 by Stephen Jones

Happy Holidays to all, for whichever holiday you celebrate this time of year.

It’s been a long, hard year, and I hope you are healthy and happy as we close out 2020.

Let’s pray that next year is more enjoyable for all of us.

Rampant security attacks – be aware

December 18th, 2020 by Stephen Jones

Cyber criminals have been relentless this year. Data breaches, network infiltrations, bulk data theft and sale, identity theft, and ransomware outbreaks all occurred over 2020. Remote workers account for up to 20% of cybersecurity incidents, and ransomware is on the rise.

This month alone has seen major breaches:
• Leonardo SpA: Italian police arrested suspects believed to have stolen up to 10GB in sensitive corporate and military data from the defense contractor.
• Flight Centre: A 2017 hackathon launched by the company was found to be the source of a leak involving credit card records and passport numbers belonging to close to 7,000 people.
• Vancouver TransLink: A ransomware attack disrupted Compass metro cards and Compass ticketing kiosks for two days.
• Absa: A rogue employee at the South Africa-based bank is thought to be responsible for the leak of personally identifiable information belonging to customers.
• HMRC: The UK tax office was branded ‘incompetent’ due to 11 serious data breaches impacting close to 24,000 people.

Microsoft Warns Of New Malware That Wants To Infect Your Browser: Security experts at Microsoft have been tracking a new malware campaign that’s targeting Windows computers. It’s already claimed tens of thousands of victims and hijacked their web browsers.
Earlier this month Microsoft issued its final batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft’s most-dire “critical” label, meaning they can be abused by malware or miscreants to seize remote control over PCs without any help from users.

On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon.

FireEye also said last week that it had discovered a “global intrusion campaign” that it called “widespread” in a blog post published Sunday evening. “The actors behind this campaign gained access to numerous public and private organizations around the world.” “FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.”

The U.S. Commerce Department on Sunday confirmed a security “breach” at one of its bureaus, and said federal authorities are investigating.
Reuters, the news agency, first reported the hack and cited sources who said the U.S. Treasury Department was also breached, and that hackers may have broken into other government agencies as well. The sources told Reuters that hackers may have been able to monitor staff emails at the agencies for months. Reuters also reported that the affected bureau at the Commerce Department was the National Telecommunications and Information Administration. Subsequently the US issued an emergency warning that “nation-state” hackers hijacked software used by almost all Fortune 500 companies and multiple federal agencies to gain entry to secure IT systems.

On Sunday the Washington Post reported that the attack had been traced to Russian state-backed hacking groups.

It’s important that organisations are aware of the threats and have appropriate safeguards, policies and training. In the event of a breach it’s also important to have clearly defined policies on how to respond; it’s not just about dealing with the threat but also the consequences. For example, Ireland’s Data Protection Commission fined Twitter €450,000 (~$550,000) for failing to notify the DPC of a breach within the 72-hour timeframe imposed by the European Union’s General Data Protection Regulation (GDPR) and to adequately document it.

To cap it all, Avast announced this week that more than three million Internet users have installed 15 Chrome plug-ins and 13 Edge plug-ins that contain malicious code.

These add-ons contain code that can redirect user traffic to ads and phishing sites, collect personal information such as birth dates, email addresses, and active devices, collect search history, and download other malware to the user device. Avast researchers believe that the primary goal of this campaign is to redirect user traffic for money.

Avast said that it discovered the add-ons last month and found evidence that some of these have been active at least since December 2018, when users first started reporting problems with redirection to other websites.

Jan Rubin, a malware researcher at Avast, said they could not determine if the extensions contained malicious code from the beginning or if the code was added by an update when each of them reached a certain level of popularity. Many add-ons have become very popular, with tens of thousands of installations. In the case of most, this is achieved by presenting them as add-ons that can help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo or Spotify. Avast said that both Google and Microsoft reported their findings and that both companies are still checking the add-ons.

Two days after Avast released its findings, Google has removed all 15 Chrome add-ons that Avast has found to contain malicious code, while most Edge add-ons are still available for download. Only Pretty Kitty, The Cat Pet and SoundCloud Music Downloader have been removed.

Below is a list of Chrome add-ons that Avast said contain malicious code:

• Direct Message for Instagram
• DM for Instagram
• Invisible mode for Instagram Direct Message
• Downloader for Instagram
• App Phone for Instagram
• Stories for Instagram
• Universal Video Downloader
• Video Downloader for FaceBook™
• Vimeo™ Video Downloader
• Zoomer for Instagram and FaceBook
• VK UnBlock. Works fast.
• Odnoklassniki UnBlock. Works quickly.
• Upload photo to Instagram™
• Spotify Music Downloader
• The New York Times News

Here’s a list of Edge plug-ins that contain malicious code:

• Direct Message for Instagram™
• Instagram Download Video & Image
• App Phone for Instagram
• Universal Video Downloader
• Video Downloader for FaceBook™
• Vimeo™ Video Downloader
• Volume Controller
• Stories for Instagram
• Upload photo to Instagram™
• Pretty Kitty, The Cat Pet
• Video Downloader for YouTube
• SoundCloud Music Downloader
• Instagram App with Direct Message DM

Endpoint security against cybercrime – 7 key questions

December 17th, 2020 by Stephen Jones

7 Vital Questions to Ask

Endpoint security has never been more important, more complex, or more challenging than it is today. Given the multitude of solutions and of vendors, it is very difficult to sort through all of the competing claims to find what’s truly effective.

1. Will this solution run on all the devices in my environment?
2. How long will deployment take?
3. What will the members of my team need to know or learn in order to work with this platform?
4. What types of preventative controls are in place?
5. From where does the vendor get its threat intelligence?
6. How does this solution integrate with incident response workflows?
7. Is 24×7 professional support available from the vendor?
7. Can this solution be integrated with other security services, products, or platforms from the same vendor to reduce costs and complexity?

Why Comodo?- Zero Percent Infection and Breaches for Customers

Comodo offers the only cybersecurity that stops undetectable threats.
Cloud-native cybersecurity with auto-containment stops zero-day threats that AI, ML, & other technologies miss.


Historical scores and statistics from millions of endpoints on thousands of different networks of enterprise customers. It shows zero percent infection and breaches.

With Comodo you can “Protect without Detection.” The cloud-native framework delivers you zero day protection against undetectable threats while defending your endpoints from known threat signatures. Automatic signature updates simplify deployment across your entire environment to lower operational costs.

Contact us about Advanced Endpoint Protection 0097143365589

Dynamics 365 Supply Chain – Ask Synergy Software Systems – Dubai

December 16th, 2020 by Stephen Jones

“Supply Chain Management” is one of the “Dynamics 365” business applications.
It is known as part of “Microsoft Dynamics 365 for Finance and Operations” which was separated into two different applications to achieve more flexible pricing and licensing.

To learn more about how to build resilience with an agile supply chain see more videos here:
https://dynamics.microsoft.com/en-us/supply-chain-management/overview/ e.g.
Resolve product quality issues and accelerate time to market
Accelerate innovation and respond quickly to quality issues, changing customer specifications, and obsolete parts to ensure compliance and mitigate delays.

Gain planning agility to fulfill customer demand
Predict demand using AI and deliver products on time by planning supply and production in near real time, ensuring the right resources are in the right place.

Optimize inventory and logistics
Improve delivery by using predictive analytics to optimize and automate inventory, warehousing, fulfillment, material sourcing, and supply chain logistics.

Maximize asset uptime and lifespan

Reduce equipment downtime, improve overall equipment effectiveness (OEE), and maximize longevity by performing proactive maintenance.

Innovate with intelligent manufacturing operations
Build agile factories and manufacturing processes with predictive technologies, IoT, and mixed reality to improve throughput, quality, and delivery while reducing costs.

OMAN VAT update November 2020 – ask Synergy Software Systems

November 27th, 2020 by Stephen Jones

According to the International Monetary Fund, Oman’s economy is expected to shrink by 10 percent this year, the biggest contraction in the Gulf, and its fiscal deficit could widen to 18.3 percent of GDP from 7.1 percent last year.

Last year, on June 15, Oman enacted an electronic system for registering excise taxpayers, setting the stage for residents to be taxed on products deemed harmful to public health and the environment after a 90-day grace period. The Omani “sin tax” involves a 100% levy on tobacco, pork, alcohol and energy drinks and a 50% tax on carbonated drinks. This year it increased the tax on alcohol to 100%.

Oman announced that it expects to introduce an income tax on high earners in 2022, the finance ministry said in a 2020-2024 economic plan, new details of which were published late on Sunday, as the Gulf state seeks to restore finances battered by low oil prices.

The plan also aims to redirect state subsidies to those groups who need it, rather than subsidize all users. Electricity and water tariffs will be changed gradually in the coming years, the document said.

Meanwhile Oman Royal Decree No. 121/2020 was passed, and the VAT Law was published by the Official Gazette of Oman on 18 October 2020. The date of implementation is expected to be 16 April 2021 (i.e. 180 days from the date of publication of the VAT Law). The Executive Regulations will clarify certain aspects of the VAT Law and those are expected to be published soon by the Official Gazette.
In the next 4-5 months’ time, businesses in Oman should consider the implementation impacts on the entire business, operations, procurement, sales, administration, human resources, information technology, etc. We advise an internal steering committee with a representative from each function.

The VAT Law published is exhaustive with the benefit of the experience of other GCC VAT Laws.

Registration
Muscat has set a voluntary registration threshold of 19,250 Omani riyals and mandatory registration for businesses and individuals with turnover of at least 38,500 riyals.
Non-resident businesses that provide taxable supplies will be required to VAT register. Unlike resident businesses, there will be no minimum threshold that needs to be met before nonresident businesses must register for VAT with Omani authorities. A non-resident business will probably have an option to appoint an agent in Oman – that does not have to be jointly and severally liable, nor a fiscal representative of the principal. More detail is expected in the executive regulations.
Rules for digital service providers based outside of Oman are still in development. Digital service providers based outside of Oman, as well as e-commerce services, will need to pay careful attention to regulations over the coming months to ensure compliance.

VAT impact assessment
Administration:

• VAT registration and gathering information from customers
• VAT recovery issues and VAT grouping
• VAT litigation avoidance strategies

The VAT fiscal impact:
• Budgets, cash-flow, working capital, etc.
• Financial record keeping: it is to be expected that any company found to have kept inadequate records or issued incomplete invoices may be subject to potentially severe fines.
IT impact:
Ascertain the impact on the accounting system software and hardware such as gathering and loading data, developing statutory reports, amending other financial reports.
• The law sets out rules for proper record keeping and invoicing. All VAT-registered entities must keep specified records, including customs and invoicing documentation, and retain these records for at least 10 years. Archive storage space/cost and the impact of future planned system upgrades needs to be considered.
• The law specifies mandatory filing requirements, including documentation required when filing VAT returns. Now might be a good time to look at both document management systems and RPA e.g. for data entry validation, or VAT reconciliation or for data entry to government websites.

Process and documentation impact:
Redefine the processes under VAT – quotes, contracts and terms and conditions will need revision. Update your process documents for audit purposes.
VAT is a transaction-based tax, so the underlying legal documentation (ie, the contract or terms) detailing the supply of a good or service is the start of the review process. Review your contracts to determine the Omani VAT impact. Does the contract account for VAT (and/or other taxes)? When a contract is ‘silent on VAT’, this could well mean that the amounts specified therein are treated as inclusive of VAT. To avoid misunderstanding, such “silent” contracts should ideally be updated. Parties may need to (re)negotiate the considerations to account for non-recoverable VAT.
Businesses should also review the contracts to determine whether they reflect economic reality. Are the parties to the contracts the actual supplier and recipient of the service or goods? This is important in relation to the invoices issued by the supplier and, the right of the recipient to potentially recover VAT.
To apply the correct VAT treatment of the supply of a service or good, the supplier may need to obtain additional information from the recipient.
Contracts and/or terms and conditions may need to be revised in order to collect or store such information and to ascertain the correct Omani VAT treatment of the services or goods supplied.

Invoicing
Chapter 8 of the law outlines invoicing requirements. Any person making a taxable supply of goods or services will be required to issue a tax invoice, which may be in the form of an e-invoice rather than in paper format.
The details required to be disclosed on a tax invoice, the language in which invoices must be issued, rules for simplified tax invoices, and other similar requirements are expected to be set out in the executive regulations. Currently, it is expected that invoicing will be permitted in English and that use of Arabic will not be compulsory. The executive regulations are expected to specify when a business will be exempt from issuing tax invoices.
The requirement to issue tax invoices is also triggered in other circumstances, e.g., the receipt of advance payments that generate a requirement to account for VAT, or the making of deemed supplies.
For businesses issuing invoices in a foreign currency, the VAT amount must be stated in Omani Rials (OMR) and be converted using the average purchase and sale price of the relevant currency published by the Central Bank of Oman on the date on which the VAT is due. The tax authorities are expected to clarify whether any other conversion methods will be permitted.
This may affect your accounting system because you may use different rates contractually, for corporate budgets, or for period-end revaluation.
User training
e.g.
– how to add a customer TRN,
– how to file a return,
– how to draft a new quote or contract,
– system changes

Transition management
Based on the VAT implementation in other GCC countries, there are challenges to be expected during the process. Complacency is a major risk, as is starting the implementation and transition activity late, and not allowing adequate time to test system and process changes.
Consider, for example, instances in which goods or services are paid for prior to the law coming into effect, but are only delivered once the law is in place.
The regulations indicate that VAT will have to be paid in such circumstances. However, further questions are raised in terms of invoicing and filing. More details are expected to be provided on precisely how compliance will function under these transitional circumstances.
Appoint a proven implementation expert to walk you through each type of business transaction and its treatment to avoid penal consequences.

Place of Supply
Understanding the concepts of “Supply”, “Place of Supply” and “Time of Supply” is critically important for effective implementation of Oman VAT. The place of supply shall be determined on the basis of the place of final consumption of the supply, regardless of the product’s place of origin. When the supplies are consumed within Oman, they shall be subject to VAT. Services supplied outside of Oman to its residents will be treated as supplies in Oman. Some exemptions will apply to certain services provided to end-users outside of Oman.

For services, the place of supply depends on (i) the type of recipient (is the service business-to-business or business-to-consumer?) and (ii) the type of service. Special rules may apply to certain services such as real estate related services or electronically supplied services (or e-services). Real estate related services and e-services are always deemed to be supplied where the real estate is located and where the recipient is located, respectively. In particular, overseas business-to-consumer suppliers of e-services should be aware that they will need to charge, collect and remit Omani VAT to the tax authorities.

Businesses in Oman which import services or goods may need to account for Omani VAT by means of a reverse charge mechanism. Such VAT would in principle be recoverable if and to the extent the business renders VAT taxable activities.
e-services are subject to VAT when the recipient of such services is located or residing in Oman. A reverse charge mechanism applies in case of business-to-business supplies of e-services, under which the burden of VAT is shifted from an overseas supplier to the Omani recipient. As of April 1, 2021, foreign and domestic e-service suppliers should obtain customer information (ie, verified VAT number) to determine their customers’ status (business or consumer).

Free zones
Businesses operating within free zones, special economic zones and duty free zones are likely to be subject to special VAT rules. Concessional VAT treatments are likely to be applicable for supplies within, to and from the customs duty suspension zones, free zones or special zones. Importers, who avail themselves of customs duty suspension benefits under the GCC Common Customs Law, would also likely be eligible for similar benefits under VAT. Dealing with this may require your accounting system to be able to handle a ‘reverse charge’ process.
Responsible person
All businesses will be required to have a responsible person who oversees VAT compliance. This person is liable to any penalties for failures to comply. This is similar to the UK’s Senior Accounting Officer concept, where a person can be fined up to £5,000 for not taking appropriate actions to stay compliant.
In Oman, the responsible person can personally be fined up to 10,000 OMR (nearly £20,000) with a prison sentence of up to one year. The fine can be doubled and the jail sentence doubled for repeat offenders. Any late submissions are subject to a 1% fine on the owed tax every month.
The severity of the punishments puts the responsible person under considerable pressure to get things right. In a complex business, multiple users make VAT decisions, often with minimal VAT training, and if you are relying on others to input data then it’s imperative they do it correctly, as the consequences of non-compliance are life changing.
If I were in this position, I would be doing everything in my power to achieve full compliance by using the best resources and tax technology available to me. I would also document all my recommendations.
The sensible way to mitigate the possibility of non-compliance is to minimise the risk of human error. For large businesses this means automating their VAT determination. Integrated finance/ERP systems and RPA are two obvious solutions.
Most enterprise level businesses will be processing thousands of transactions a day, so human error will naturally occur when choosing tax codes, especially while VAT is a new concept in the country and wider region. Eventually staff become complacent or change jobs, and the induction and training of new hires is less risky with automated systems.
Contact us for more information on systems we have already localised for VAT compliance, and how RPA automation can reduce cost and risk.

Exemptions:
Supply of foodstuffs, medicines and medical equipment is to be determined by the decision of the President, after coordination with the competent authorities. Some of the basic foodstuffs will also be exempted from five per cent VAT. In addition to financial services, provision of healthcare and education and their related goods and services, other exemptions are undeveloped lands (bare lands); resale of residential properties; local passenger transport; and renting real estate for residential purposes. Investment gold, silver and platinum; supplies of international goods and passenger transport and related services; supply of rescue aircraft, boats and auxiliary ships; supply of crude oil and its oil derivatives and natural gas; import of maritime, air and land transport vehicles for transport of goods for commercial purposes as well as import of related services; and supplies for the disabled and charity organisations have been designated as zero rated.

Sector challenges

Retail sector: Certain food items may be zero-rated as per the VAT Law. The list of items which are zero-rated is not yet published. Businesses need to map the product with the list (consider the composition of the product, purpose, etc.). Incorrect classification could lead to a wrong zero-rating position.

Pharma sector: Medicines and medical equipment are zero-rated. However, the zero-rating is expected to apply in cases where the medicines are approved by / registered with the competent authorities. The approval could be generic, or it may apply for a certain period / certain class of medicines. For each sale / purchase there may need to be validation of whether the medicine is approved, in order to apply zero-rating.
Financial services: Banks and large financial institutions should classify their products into margin / fee-based income because margin is exempt from VAT and fee-based income is subject to VAT. Businesses must also consider the customer location because margins earned from a customer outside Oman will be zero-rated.
Certain charges which are penal may have a different VAT treatment. In the majority of the transactions, Islamic finance products will follow the treatment of non-Islamic finance products; however, there are some exceptions. The financial services sector may have a substantial portion of income which could be exempt, input tax apportionment.
Logistics sector: International transportation, i.e. movement from Oman to outside Oman and vice-versa is zero-rated whereas local passenger transport is exempt and local transport of goods is subject to VAT at 5%.
However, the entire transportation journey involves a freight forwarder, agent, shipping line, feeder operator, etc., so businesses should ascertain the VAT impact on the different charges for providing services. More clarity is expected from the Executive Regulations.
Export of services: Providing services to a customer based outside Oman is zero-rated subject to certain conditions. One important condition is that the benefit of services should accrue to the customer outside Oman. In other words, benefit should not be received by any other person in Oman. This may be subjective and depend on the arrangement with the customer and the nature of charge / services. It is advisable to identify such arrangements and to evaluate the VAT treatment. Other GCC countries are divided in terms of VAT treatment on such transactions.
It is likely that sector-specific guidance will be issued by the Oman Tax Authority to clarify the VAT treatment for different industry verticals.

Exempted Supplies from VAT
Some supplies will be exempted from VAT based on the transaction, and others based on their nature.
Supplies exempted based on transaction include:
• Any supplies transacted between members of the same VAT group (e.g. a parent company and subsidiary or branches)
• Business ownership transferred by one taxable person to another
• Any insurance claims made within the Sultanate of Oman
• All imports made by Armed forces, Army, and Air force in Oman
• All imports made by diplomats, embassies, consular bodies, international organizations. (subject to conditions)
• Supplies imported for charities and not-for-profit organizations
• Supplies brought to Oman by travellers and passengers as gifts or personal use only
• All supplies imported for people with special needs including medical aid equipment
In addition to exemptions based on the receiver or person utilizing the supplies, some supplies will be exempted from VAT by nature of the product/service:
• Financial Services
• All Health Care services including the imports of medical supplies and equipment
• All educational services including the import of supplies for educational purpose
• Resale of the Real-estate and leasing of real estate properties for residential purposes only
• Non-developed land i.e. empty or barren land
• All local means of transportation for passengers

Registration process

The registration process is likely to start in January 2021 according to the Tax Authority in Oman. The entire registration process will be through its online e-services portal. The applicant will have to provide the company ownership and business-related information. The necessary information required to register with the portal may include:
• Copy of trade license
• ID card and Passport copies of business owner and partners
• Company’s Memorandum of Association
• Contact details, E-mail for registration and other contact details
• Bank account details
• The income statement for the last 12 months
• Nature of business and activities performed
Each registering entity will be allotted a VAT registration identification number other than their currently held tax number.

Filing returns
Article 72 of the law prescribes the following minimum information to be provided in the periodical return:
• Value of taxable and exempt supplies;
• Total value of imported goods;
• Amount of output VAT on revenue transactions;
• Amount of recoverable input VAT on costs; and
• Net VAT due for the period.
Article 73 provides an option to amend tax returns within a period of 30 days from the date of discovery of any error or omission.

VAT payment
VAT will be payable to the tax authorities within 30 days from the end of the VAT period, together with the filing of the return. Unpaid VAT will be subject to a penalty of 1% of the tax due per month or part month, unless waived by the tax authorities in accordance with article 82 of the law.

Mode of Payment
All entities subject to the VAT requirements will have to deposit the VAT returns electronically through the e-services portal.

VAT recovery
VAT recovery will normally only be possible when the recipient has received a tax invoice which adheres to the Omani VAT invoice requirements. These requirements include details on the supplier and recipient. Any VAT incurred on incorrectly issued invoices (e.g., wrong issuing party, wrong VAT rate and/or other missing requirements) may not be recoverable. Businesses operating in Oman should define policies to ensure proper VAT administration and invoicing.

A VAT group is a facility that allows two or more taxpayers to be registered for VAT purposes as a single taxpayer. The VAT group scheme is of interest to taxpayers with a restricted VAT recovery rate that are part of a group with non-restricted businesses. Inclusion of such taxpayers in the VAT group may provide for (additional) VAT recovery.
Although VAT may be recoverable, the recovery itself generally takes a certain period of time. This cash flow aspect should be one of the considerations during the (re)negotiation process, particularly with large supply contracts spanning several years.

If you need advice on preparing for VAT and updating and automating your financial or ERP systems, we have implemented VAT for more than a hundred companies in UAE, KSA and Bahrain. We are Gold Partners for Microsoft Dynamics 365 Finance, Infor SunSystems and UiPath RPA.

Call us on 0097143365589