Security fears over Companies House filing

The leaflet (COMP1 V 5.1) sent by Companies House (CH) with the paper reminder for submission of annual accounts and returns stresses that submitting online is “faster and more reliable than paper”, explains Jennifer Adams.

There are apparently “inbuilt checks for less chance of rejection” and the latest guidance on the CH website confirms that submission online is “safe and secure” - but is this correct and what can be done to ensure that all accounts are submitted securely so that your client does not find himself with penalties for late submission? Under the article ‘Tax bodies dismayed over RTI penalties’ AccountingWEB member jvenegas16 made a comment that equally applies to CH and, I suggest, should be framed and sent to each client as a Christmas present:

"Penalties is their only way for them to generate revenue at a time when the economy is slowing down"


Comments

you're over-egging the Christmas pudding

carnmores | | Permalink

You can submit electronically either by template or through your accounts software. In neither case have I ever had a problem, as opposed to paper filings, where we have had last-minute rejections, especially re LLPs that cannot yet be filed electronically.

ONLINE ACCOUNTS FILING

AWebbie | | Permalink

There is one serious issue that is worth reporting to readers. If you use the Companies House abbreviated accounts format and enter the WRONG authentication code, you don't usually see the Companies House message that tells you the submission has been rejected. When you click "OK" in the JavaScript window to submit, the only check at that point is to see if you've keyed in the same code twice. After submitting, the system comes back with a message. Adobe Reader then asks you if you "trust" the source before letting you view the message. By the time you have said, "Yes trust always", the message has disappeared. It generally doesn't matter, if you were successful -- but if you used the wrong code (as I did once) there is no obvious way to tell. The file behaves almost the same whether or not the data was accepted. All you can do is to wait for the email. I reported this to Companies House on 28 September and so far as I know, they never bothered to get back to me.

I know this is boring but

The Rogue | | Permalink

any potential problems from filing on the last day and running into overloaded CH/HMR&C systems can be avoided by filing before the last day.  We have nine months, after all.  I know there are clients who may not understand this but surely enough of them can be educated by their professional advisors.

Ask for penalties to be in instalments

duncanphilpstate | | Permalink

Although appealing the penalties is unlikely to succeed, there may be more scope to pay in instalments, over up to 15 months I think, without extra costs. That might ease the pain a little bit.

But I agree that, as with DVLA and their "continuous enforcement", this is seen as a marvellously efficient revenue raising measure as all they have to do is let their computer scan for overdues and spit out a bill.

Awebbie - yes, I had that

anndartnall | | Permalink

Awebbie - yes, I had that problem too. All the data disappeared & it cost me £150 once I had got everything back in and uploaded.


are you sure there is no mitigation for late filing

listerramjet | | Permalink

If it is your own fault then fair enough, but if it's a CH systems fault? We seem to live in a time when people roll over too easily.

mitigation

anndartnall | | Permalink

Normally, I would fight but in this instance I was busy with other things and recent attempts with HMRC over a £200 fine reduction to £100 fine failed. Long story with HMRC - they advised after 8 months of not hitting the final submission button for PAYE on end of period minus 2 days. They sent notification by second class post so it wouldn't even arrive before the period end and we hit the button on the day it arrived our end. They then claimed we had breached the 28 day rule on notification, so £200 penalty! Appeal denied...

Paper Filing

TC2 | | Permalink

The article says:

"it may not be possible to do so because once you have registered for PROOF (“Protected” Online Filing), CH will normally reject any paper forms unless accompanied with a letter from the directors".

PROOF DOES NOT APPLY to paper filing of accounts.  Co.Ho. accepts them at the moment (no covering letter needed) and has no published date when electronic filing of accounts will become compulsory.

My software doesn't yet do online filing to Co.Ho., and I'm certainly not going to use the template which involves RE-TYPING all the numbers and notes - with attendant risks of errors and extra time.

For me, at the moment, it's a paper copy to the client for them to sign and send.  Almost no extra time or cost because I'm sending them all the other paperwork anyway.

replying to listerramjet...

duncanphilpstate | | Permalink

I would think it's worth a try if it is their systems fault, particularly if you can point to exactly what went wrong/didn't happen in terms a systems designer might understand (ie not just "it didn't work" but "I didn't receive a rejection message because the screen display had changed before I was able to complete the next warning dialog"). But you'd need to have the nerve to try it and I bet there is something in the T&Cs saying it's your responsibility to make sure the acceptance arrives in time and that is the key indicator.

In other words, don't push it right to the deadline, so that you have time for the acceptance to appear or not appear and get onto the helpdesk as soon as the acceptance is overdue. I don't think it's safe to rely on the rejection alone for reasons others have explained. Personally I'm not happy until I've got a safe copy of the acceptance in my file.

Text does not say Proof applies to paper filing...

EOAKS | | Permalink

... what Jennifer's text states is that should you have registered for Proof and then try to submit via paper Co House will normally reject the paper forms.

This is quoted straight from Co House website itself as follows.....

Once registered for the PROOF scheme, Companies House will normally reject any paper versions of these forms and send them back to the registered office address.  

http://www.companieshouse.gov.uk/infoAndGuide/proof.shtml 

Companies House Official Response

Companies House | | Permalink

These reports contain a number of inaccuracies and assumptions and do not reflect the current position of our services. Companies House takes information security extremely seriously, as well as any concerns raised by our customers or the public. We have a range of security controls in place to protect information, we adhere to government standards and regularly undergo security testing by independent security consultants. As part of this continuous review and improvement approach, we are constantly implementing further improvements to these controls. We would therefore like to reassure our customers that we are committed to providing a safe and secure environment across all our services.

Neil White
Communications Manager
Companies House


Request for further information...

paulmoore | | Permalink

In light of Neil's comments, I have requested further information from Companies House to clarify these alleged inaccuracies & assumptions.

Until then, I must stress that all of the issues outlined have been independently verified by several security experts, including Chester Wisniewski, a senior security advisor at Sophos & Troy Hunt, Microsoft MVP in Developer Security.

"Based upon the information in the video and the reply you received from Companies House, it is a bit of a mess," Chester Wisniewski, a senior security advisor at Sophos Canada, told El Reg.

"It is appropriate to pressure Companies House about why they are inconsistent in their use of SSL, strange password limitations and insecure password reset policies," he added.

http://www.theregister.co.uk/2012/11/28/companies_house_website_security/


Penalties waive

miketombs | | Permalink

listerramjet wrote:

If it is your own fault then fair enough, but if it's a CH systems fault? We seem to live in a time when people roll over too easily.

 

CH do waive penalties if the fault lies with their systems and people, as they accept they can make mistakes. It's just everyone else who is expected to be infallible.

co house security

David Gordon FCCA | | Permalink

 I agree co Hse is not secure.

The issue is not annual accounts. The issue is that under the present system passwords are not secure.

Also, the advent of one-man companies, with there no longer being the need for "Hard copy" signatures to be filed, has meant that it is relatively easy for persons of mischievous intent to cause havoc.

Fortunately it does not happen too often, but it happens often enough to make this of real concern.

In order to simplify matters (Mostly for themselves?) the powers that be ignored the wise auditing truth:

If at least two persons rather than one person, has to certify or check something, you cut the risk of misdeed by 85%.

  

Filing Deadlines

Jessica's Grandad | | Permalink

Sir

I find your comments an insult

Do we not try to educate

You obviously have never heard of the expression that you can take a horse to water but you cannot make him drink

Your response was one I heard from Companies House

Do you say to your clients - tough you should have got it in on time

I have made a list of those who will have to suffer the slings and arrows of outrageous fortune

the issue is "Security"

David Gordon FCCA | | Permalink

 

 The real issue is "Security" means different things to different people.

If you ask any person who is involved with computer systems, e.g. Companies House: to them "Security" means first and foremost back-up, and preventing loss of information. Most other things come second.

But, then you have to ask, why do most solicitors refuse to accept delivery of time-crucial, or signature based, important legal documents, by fax or electronic means.

The answer is, experience indicates that enough of these items are questionable, so as to indicate that they are not "Secure"

Companies House often seems to relegate that meaning of "Security" to second place.


Interesting perspective,

paulmoore | | Permalink

Interesting perspective, Gordon. Thanks.

I'm yet to receive any information which contradicts the article.  Neil isn't available today, so it's unlikely to progress any further until at least tomorrow.

Correction to Paul Moore's post    1 thanks

Graham Cluley | | Permalink

A small point perhaps, but an important one.

It's incorrect for anyone to say that Chester Wisniewski, who is one of my colleagues working at Sophos Canada, has independently verified the issues that Paul Moore has detailed.

In fact, The Register report says:

"Wisniewski.. added the caveat that he hadn't created the accounts necessary to personally verify Moore's claims."

Chester specifically did not confirm the issues, and said his responses were only valid if the facts could in fact be confirmed.

I hope that clarifies things.

Regards

Graham Cluley, Sophos


Hello Graham

paulmoore | | Permalink

Hello Graham

You're obviously aware of the situation, but for the sake of lucidity and to clear up any confusion from my above post...

From what I can gather from reading the Register's article, Chester's comments were his own and not necessarily shared by Sophos.  I believe John Leyden (The Register) mentioned Sophos purely to lend credibility to his comments.

"Chester specifically did not confirm the issues, and said his responses were only valid if the facts could in fact be confirmed."

It would seem somewhat unprofessional for any senior security advisor, especially one in Chester's position, to describe unconfirmed security flaws in a public forum as "a bit of a mess" and "insecure" unless there was sufficient evidence to justify the statement.

I'm very grateful for his impartial and candid response; it's refreshing to have someone effectively stick their neck out.  I'd hope Sophos provides a venue to speak openly and honestly on any topic, without fear of repercussions... although your input suggests otherwise.

In the two months since these issues came to light, the only official responses have been of a perfunctory, press-oriented nature; Neil's response here is a prime example.

To quote my latest email to Neil White, I'm more than willing to retract the article & issue an apology if they're able to demonstrate the findings are indeed inaccurate.  After 2 months, numerous emails and comments from several industry professionals, that's highly unlikely.

Thank you.

An important point about late

fullyclothedciv... | | Permalink

An important point about late filing penalties is that the revenue generated goes straight to the treasury - Companies House is a trading fund and operates on a cost recovery basis from fees charged for services.


re the earlier remark about not knowing

carnmores | | Permalink

You always get an email if they have been submitted, though I agree that if they can have a success screen for ARs then why not for accounts.

Why do I need 2 separate accounts for CH stuff? It would be so much easier if there was just one.

This type of complaint comes

cbhattarai | | Permalink

This type of complaint comes frequently, and they need proof, and therefore I have security cameras at my place...