ECSH33725 - Records testing: electronic documents and records

Most businesses now hold some or all their records on a computer. Electronic cash registers, standalone PC's, networked systems, tablet computers and even some smart mobile phones, are all examples of computer systems that may hold data that you need to examine.

As the business may keep a back-up of computerised records, you should ensure that you are checking the most recent version available, or archived records in relation to the period you are testing.

You should first ensure you understand the systems and processes used by the business to confirm the records you need to see. You should also ask about the reporting functions available from the computer system, so that you can ask the business to a run a report or download the data you need.

If you are conducting a face-to-face visit, you may want to request copies of customer due diligence (CDD) records you reviewed to be sent to you after the meeting, so you have the evidence to support your outcome. You may also need to request electronic records if you are carrying out desk-based checks – see guidance below.

You must treat any data given to you by the business or their representative in line with current data security guidelines.

 

Obtaining electronic documents

You should consider at an early stage if you will need specialist departmental resources, such as Data Handling Specialists, to copy or extract documents for you,taking into consideration the volume of files needed, file size/type and data security.

If CDD documents are stored electronically and you need them to be sent to you, you should ask the business to upload a copy of the documents you have requested via Dropbox, provided you have the correct protocol in place before doing so.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

You should consider how much time to give the business to provide you with the records. If documents are held electronically, they should be instantly available, and you can agree a suitable timescale with the business. If a business asks for more time, you should establish why this is needed and consider whether this is reasonable.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

You can find more guidance on agreeing a suitable timeframe for receiving documents in ECSH32825. There is also guidance later in this chapter where the records are kept overseas.

If the business does not provide the records you need to complete your check, you should consider the use of information and inspection powers.

Once the records have been received, you must ensure you comply with data protection and retention periods.

 

Remote records testing

If you are carrying out desk-based checks, it is important that you ask the business to clearly explain its record-keeping procedures, so that you understand which documents to subsequently request from the business to conduct your records testing. You can also ask the business for a walkthrough by way of screenshots of the systems, so you can visualise and understand the systems it uses.

If you have conducted a face-to-face visit, you may wish to carry out further records testing. As in the paragraph above, it is important that you have walked through at least a couple of transactions with the business, to understand any documents subsequently sent to you.

Where a large volume of CDD records are being requested, consider the impact on the business and discuss the most efficient way to receive them.

Some businesses use an identity provider to verify customer identity electronically which has the provision for them to share documents with you. This is not compatible with HMRC systems, so you will need to explain to the business that you cannot view the information this way. 

 

Communications data

You must be aware of the restrictions placed on certain records. You cannot request any communications data, such as IP addresses and details of devices used to connect to a service. You should ask businesses not to send communications data unless it is inextricably linked to other data. If it is inextricably linked, they need to ensure this is recorded in their reply.  Customer information including customer contact details is not communications data and can be provided in response to a request.