1What is the GeBüV/Digitalization Certification?
With the GeBüV (Swiss Accounting Records Regulation or Geschäftsbücherverordnung) certification you receive an attestation that the examined digitalization solutions are compliant with relevant legal regulations.
2What is the benefit of a certification?
The neutral attestation of compliance conveys trust and additional confidence that your solutions are in line with the appropriate legal regulations. This is additional evidence for electronic compliance, given that the process has been adequately documented and meets all relevant compliance standards. This additionally reduces the effort of a later re-certification. Things can get quite expensive, for example, when discounting electronic invoices for the input-VAT tax without having previously verified compliance with the relevant regulations.
3What serves as the basis for certification?
A variety of sources serve as the basis for our experience in addition to knowledge of the GeBüV. These fundamentals serve as the background for our KRM Body of Knowledge (BOK). This additional document serves as a reference for the audit and certification.
4Is the content of an audit predetermined?
No, we decide together with our clients which procedures or methods to use during our audit. In the certification the extent of and basis for our results are mentioned.
5Is the certification recognized by any central official bodies?
Switzerland does not recognize any official certification in this area. This is due to the fact that in a legal dispute a judge renders an open consideration of evidence. The credibility and prudence of a defendant increases significantly when an independent audit carried out by a neutral appraiser can be provided. KRM possesses the greatest experience and longest track record of significant involvement with the legislative process with regards to assessing digitalization solutions.
6Is KRM sufficiently competent?
KRM’s experts have been involved in electronic data storage, maintenance, information security, data protection and contract law for over 25 years. Our experts served as industry experts during the creation and development of the GeBüV and have been evaluating and authoring appraisals and approval certificates related to the GeBüV and associated regulations.
7Is KRM neutral?
The KRM has no engagement with or obligation to any parties or additional providers that would compromise our neutrality. The KRM exclusively offers product-neutral consultation and our experts are often askes to serve as independent expert witnesses and appraisers.
8Can a certification be refused?
We examine presented systems to the best of our knowledge, abilities and conscience. Should the minimum of diligence not be met we will refuse to issue a certification.
9Is a re-certification possible?
We offer an additional audit, which in most cases should occur within two years of the initial audit. As a general rule certifications are valid for two years, although this is dependent upon the extent to which the examined systems have been changed.
10How do you ensure that you know our systems well enough?
At the time of the initial audit we determine and document all requisite parameters. We add the examined system into a databank with our applied BOK (Body of Knowledge). This enables us to efficiently issue re-certifications and disclose what was previously examined.
11What factors does the price depend on?
The price depends on three major factors: 1. The complexity of the examined system 2. The number of third-party partners/systems/contracts 3. The variety of regulations and industry standards that must be examined (for example national, international, multiple industry standards, etc.) Additionally, we assess and consider the specific risk situation. This is usually dependent upon the variety of regulations and standards that must be taken into account, although we are willing to exercise greater care in extensively reviewing additional regulations and standards that may prove applicable. We are happy to prepare individual quotes based on your specific parameters and risk situation.
12Is only GeBüV (Swiss Accounting Records Regulation) compliance examined?
No, we of course apply all relevant legal language and standards in our BOK (Body of Knowledge). In the digitalization environment this primarily means data privacy protection regulations, commercial regulations, special law guidelines (such as the tax code) and retention requirements.
13Do we therefore have “auditing acceptability” (Revisionssicherheit)?
No, this term does not exist in Switzerland! No advisor, auditor or accreditor can make such a statement or offer such a safeguard (for example with a fine for breach of contract). No such figure would sign such a guarantee. In Switzerland the standard of “compliance” (Ordnungsmässigkeit) is applied in such a situation, which is defined as the necessary care for the specific circumstances and all applicable processes and techniques. This compliance standard develops in tandem with the applicable legal regulations both in practice as well as in terms of legal compliance requirements. A bank, for example, has much more complex legal requirements as a smaller trade business, and therefore an audit does not require the same processes and techniques.
14What do we receive in terms of results?
You will receive a certificate in which the extent of the audit and its results are summarized. Additionally, you receive a personalized certificate that can be included with products, documents websites, etc. This certification is based on a comprehensive report in which the results of the audit are documented. In this report we record what can and cannot be certified (Gap Analysis). This can also later be repeated through the re-certification process.
15 Do you also audit third parties or our contractual partners?
Of course we must examine third parties that offer services (such as cloud services, data processing services and other external service providers) to the extent that we have access to their services, and by extension, can make an objective assessment.
16 How long are certifications valid?
A normal certification is valid for two years. Depending on the scope and complexity of the audit as well as how quickly you implement changes the validity period may also be reduced. For systems and products, the certification is specific for the examined release or version.
17Are my invoicing practices compliant with VAT regulations?
Regulators and other authorities only accept electronic invoices when they are deemed conclusively authentic. This means that the recipient of an invoice must demonstrate that the VAT regulations have been met. As a recipient of invoices you can ensure with an audit that you fulfil these regulations.
18Are my PDF invoices valid?
PDF invoices without additional security measures are not recognized by regulators and other authorities. It can become quite expensive should you attempt to pay your input tax (Vorsteuer) and include reductions for invoices that do not conclusively meet VAT regulations. As a recipient of invoices you can ensure with an audit that you fulfil these regulations.
19Do you also certify products?
We also certify products (ECM, RIM, DMS) based on their compliance with relevant regulations.
20Are products certifiable?
Yes, because unlike other countries the Swiss GeBüV specifies concrete requirements for practical implementation.
21Are foreign certifications of GeBüV-compliance sufficient?
Generally no, because GeBüV-compliance is often ignored outside of Switzerland, most specifically the critical Articles 7. and 9.
22Why is the GeBüV so important in Switzerland?
The GeBüV is a commercial law technically under the Swiss Code of Obligations, and yet almost all Swiss laws refer to the GeBüV as a binding compliance standard for data storage and document archiving. Especially important to note is that the Swiss Federal Tax Administration (ESTV, Eidg. Steuerverwaltung) requires both ElDI-V as well as GeBüV compliance when filing input taxes.
23 Should products with rapidly changing versions also be certified?
Yes, because archived product versions can always be geared towards longevity. This assumes that the fundamental features are not permanently altered. The stability of the product must be part of its fundamental conception. The certificate in this case maintains its merit for longer than for other rapidly changing digital products.
24What products are best suited for certification?
All products that store data long-term and are required to comply with relevant legal regulations are suited for certification. This applies additionally to ERP (Enterprise Resource Planning) products as well as industry-specific professional applications.
25Can data in databases be archived in a compliant manner?
Essentially NO, and there are a variety of reasons for this. We are happy to discuss this subject with you. A central reason for this is the Swiss compliance standard (Ordnungsmässigkeit) states that archived data must be both self-contained and system-independent. Therefore we recommend a standardized archival format that can be restored without the need to rely on specific hardware or software.
26Can you certify Cloud based solutions?
We certify all solutions which are transparently documented and which can be tested. This includes solutions which build on available standard Cloud-stacks as well as custom-built cloud solutions.