Invoices - Protect/Lock invoices from alterations (in addition to Lock Dates)
Our company's invoicing procedure comprises three steps:
(1) invoice generation by our own custom software and also pushed to Xero through the Xero API,
(2) direct debit payments manually added and processed via GoCardless (on their own website, not Xero's integration) for selected invoices, and
(3) invoice reconciliation in Xero. This process is jeopardized when any alterations are made to the invoices in any of the systems (our database, Xero, or GoCardless), causing inconsistencies and the need for corrective credit notes.
We primarily use our custom software for invoice generation and management (90%) and occasionally create manual invoices in Xero (10%). The current Xero setup allows users to modify invoices freely (both our API generated ones and manual ones), but our aim is to maintain strict control over (specificall the API) invoice creation and updates.
The ideal solution would be an invoice locking mechanism which would prevent unauthorized alterations. We cannot revoke the invoice management role from certain users as they need to be able to create and manage manual invoices in Xero, therefor potential implementations could include:
API-generated Lock: Developers using the Xero API could be given the option to lock the invoice during generation to prevent front-end users from editing. Then only the API's invoice update endpoint could be allow to update the incoice.
Role-based Lock: Different locking/unlocking permissions could be assigned to specific roles in the system.
Possible types of locks could include:
Warning: A soft lock which, when the 'Edit Invoice' button is clicked, triggers a popup with a custom message warning against unauthorized changes.
Code: An organization-wide code known to authorized users which is required to edit a locked invoice.
Request to Access: Users can send a request to modify a locked invoice, which sends a notification to designated approvers in the organization.
Preventing unauthorized or accidental changes to invoices is essential to maintaining a consistent and efficient invoicing process, especially nowadays when there are many connections between systems. I believe these suggestions, or any form of preventive mechanism, could greatly enhance Xero's functionality and user experience.
Max Resnikoff
shared this idea
-
Rudi Brits
commented
Allowing users with restricted access to edit any invoice, even after it has been submitted, emailed and paid, is a huge risk to security. It would be much safer to create a new invoice and credit the old one, at least this leaves a legitimate trail of evidence. I find it hard to believe that any other companies find this secure enough... Can you please escalate this matter and attempt to have this loophole repaired? I really think that I am not the only client who is concerned about this issue.
This is a very big issue for the security for any company where someone with limited access can amend and change old invoices.
What is the purpose then to give someone limited access, if they could just change an invoice without permission after the fact?Please escalate this concern
-
Tim Sneller
commented
UK tax regulations, and presumably those for most other countries, require that when a COPY invoice is produced, that is a copy that has not been amended.
Currently, if an invoice is sent to a client, and the client address details are changed, then the invoice is ALSO changed. This is contrary to legislation.
It is however required that each additional copy invoice must be clearly and indelibly marked “THIS IS NOT A VAT INVOICE”.