AccountingWEB

Security fears over Companies House filing

by
4th Dec 2012

The Companies House (CH) leaflet sent with paper submission reminders stresses that submitting online is “faster and more reliable than paper”, but Jennifer Adams is concerned about recent issues raised on AccountingWEB.

There are apparently “inbuilt checks for less chance of rejection”, and the latest guidance on the CH website confirms that submission online is “safe and secure”. But is this correct, and what can be done to ensure that all accounts are submitted securely so that your clients do not find themselves hit with penalties for late submission? Under the article "Tax bodies dismayed over RTI penalties", AccountingWEB member jvenegas16 made a comment that equally applies to CH and, I suggest, should be framed and sent to each client as a Christmas present:

"Penalties is their only way for them to generate revenue at a time when the economy is slowing down"

Is Companies House online filing secure?

According to Paul Moore the answer is a definite ‘no’. The IT consultant suggested in a series of blogs and online videos that CH security is flawed as the website has the facility to allow anyone to log in with passwords being delivered in plain text. He further alleged that CH did not put the site through adequate testing.

CH responded that it has been dealing with the allegations for several months and is tackling the concerns raised (see comments below). Moore, however, suggested that submission via paper form is preferable because, as he says, “you can only lose your company once”.

If you are concerned enough about the issue that you would prefer not to submit online, it may not be possible to do so because once you have registered for PROOF (Protected Online Filing), CH will normally reject any paper forms unless accompanied with a letter from the directors.

What if you do have problems?

It is interesting to note that over the past year there has been only one instance where AccountingWEB members have noted problems with CH online submission. AccountingWEB member Batty Girl reasoned in a post that she could not submit because it “is probably a very busy weekend for CH so maybe the system is just overloaded.”

If you do decide to continue with web filing, the end of this month may well bring similar overloading problems. The majority of companies have a 31 March accounting reference date, which means that the accounts need to be submitted by 31 December 2012. Note that on this very last day of the year the CH online helpline desk closes at 5pm. Online services over the Christmas/New Year period are given on the CH website.

CH confirms that accounts have been filed online successfully by sending acknowledgement emails. You receive two messages: the first, within three hours of submission, confirms that the submission has been received but not yet accepted; the second confirms acceptance or rejection. Note that you have not filed until you receive an email back from CH. CH penalty guidance suggests that if you have not received an email confirming receipt within the three hours, you should contact the helpdesk (a bit difficult if they are closed). This is why you should note their opening times, or possibly ensure that the accounts are submitted by 21 December!

Penalties

As with HMRC, penalties levied by CH are charged on an “all or nothing” basis - £150 if the submission is just one day late. The schedule of late filing penalties shows how valuable the charging of penalties is to the government - a massive £88m was levied for 2011/2012 and to date for this year, that figure stands at £47m.

Appeals against late filing penalties are possible but only successful in a very few instances, for example, the destruction of documents or the serious illness of the sole director.

Finally, it is worth remembering that it is not just the company that is liable to a late filing penalty; a director could incur a fine for which he is personally liable in the criminal courts on the same late set of accounts or annual return.

[Following publication of this article, Companies House got in touch to contest some of the claims made by IT consultant Paul Moore. The organisation has been dealing with the queries raised, but CH communications manager Neil White said that he would not give a detailed response in public to the claims, "because that would reveal how some of our internal precautions work". He added that the CH website is regularly penetration tested by professional IT experts, contrary to Moore's claims. For further information, see White's comment below. Ed.]

Replies (21)

By carnmores
04th Dec 2012 16:12

you're over egging the Christmas pudding

You can submit electronically either by template or through your accounts software. In neither case have I ever had a problem, as opposed to paper filings, where we have had last-minute rejections, especially re LLPs that cannot yet be filed electronically.

Thanks (0)
By AWebbie
05th Dec 2012 11:45

ONLINE ACCOUNTS FILING

There is one serious issue that is worth reporting to readers. If you use the Companies House abbreviated accounts format and enter the WRONG authentication code, you don't usually see the Companies House message that tells you the submission has been rejected. When you click "OK" in the JavaScript window to submit, the only check at that point is to see if you've keyed in the same code twice. After submitting, the system comes back with a message. Adobe Reader then asks you if you "trust" the source before letting you view the message. By the time you have said, "Yes trust always", the message has disappeared. It generally doesn't matter if you were successful -- but if you used the wrong code (as I did once) there is no obvious way to tell. The file behaves almost the same whether or not the data was accepted. All you can do is to wait for the email. I reported this to Companies House on 28 September and so far as I know, they never bothered to get back to me.

Thanks (0)
By The Rogue
05th Dec 2012 11:47

I know this is boring but

any potential problems from filing on the last day and running into overloaded CH/HMR&C systems can be avoided by filing before the last day.  We have nine months, after all.  I know there are clients who may not understand this but surely enough of them can be educated by their professional advisors.

Thanks (0)
Replying to Kim Jong Un's Hair:
By Jessica's Grandad
06th Dec 2012 12:38

Filing Deadlines

Sir

I find your comments an insult

Do we not try to educate

You obviously have never heard of the expression that you can take a horse to water but you cannot make him drink

Your response was one I heard from Companies House

Do you say to your clients - tough you should have got it in on time

I have made a list of those who will have to suffer the slings and arrows of outrageous fortune

Thanks (0)
By duncanphilpstate
05th Dec 2012 11:53

Ask for penalties to be in instalments

Although appealing the penalties is unlikely to succeed, there may be more scope to pay in instalments, over up to 15 months I think, without extra costs. That might ease the pain a little bit.

But I agree that, as with DVLA and their "continuous enforcement", this is seen as a marvellously efficient revenue raising measure as all they have to do is let their computer scan for overdues and spit out a bill.

Thanks (0)
The Business Growth Secret
By anndartnall
05th Dec 2012 12:06

Awebbie - yes, I had that problem too. All the data disappeared & it cost me £150 once I had got everything back in and uploaded.

Thanks (0)
By listerramjet
05th Dec 2012 12:11

are you sure there is no mitigation for late filing

If it is your own fault then fair enough, but if it's a CH systems fault? We seem to live in a time when people roll over too easily.

Thanks (0)
Replying to RobertD:
By duncanphilpstate
05th Dec 2012 12:45

replying to listerramjet...

I would think it's worth a try if it is their systems fault, particularly if you can point to exactly what went wrong/didn't happen in terms a systems designer might understand (ie not just "it didn't work" but "I didn't receive a rejection message because the screen display had changed before I was able to complete the next warning dialog"). But you'd need to have the nerve to try it and I bet there is something in the T&Cs saying it's your responsibility to make sure the acceptance arrives in time and that is the key indicator.

In other words, don't push it right to the deadline, so that you have time for the acceptance to appear or not appear and get onto the helpdesk as soon as the acceptance is overdue. I don't think it's safe to rely on the rejection alone for reasons others have explained. Personally I'm not happy until I've got a safe copy of the acceptance in my file.

Thanks (0)
Replying to RobertD:
By miketombs
06th Dec 2012 12:14

Penalties waive

listerramjet wrote:

If it is your own fault then fair enough, but if it's a CH systems fault? We seem to live in a time when people roll over too easily.

CH do waive penalties if the fault lies with their systems and people, as they accept they can make mistakes. It's just everyone else who is expected to be infallible.

Thanks (0)
The Business Growth Secret
By anndartnall
05th Dec 2012 12:35

mitigation

Normally, I would fight but in this instance I was busy with other things and recent attempts with HMRC over a £200 fine reduction to £100 fine failed. Long story with HMRC - they advised after 8 months of not hitting the final submission button for PAYE on end of period minus 2 days. They sent notification by second class post so it wouldn't even arrive before the period end and we hit the button on the day it arrived our end. They then claimed we had breached the 28 day rule on notification, so £200 penalty! Appeal denied...

Thanks (0)
By TC2
05th Dec 2012 12:42

Paper Filing

The article says:

"it may not be possible to do so because once you have registered for PROOF (“Protected” Online Filing), CH will normally reject any paper forms unless accompanied with a letter from the directors".

PROOF DOES NOT APPLY to paper filing of accounts.  Co.Ho. accepts them at the moment (no covering letter needed) and has no published date when electronic filing of accounts will become compulsory.

My software doesn't yet do online filing to Co.Ho., and I'm certainly not going to use the template which involves RE-TYPING all the numbers and notes - with attendant risks of errors and extra time.

For me, at the moment, it's a paper copy to the client for them to sign and send.  Almost no extra time or cost because I'm sending them all the other paperwork anyway.

Thanks (0)
Replying to bendybod:
By EOAKS
05th Dec 2012 13:30

Text does not say Proof applies to paper filing...

... what Jennifer's text states is that should you have registered for Proof and then try to submit via paper Co House will normally reject the paper forms.

This is quoted straight from Co House website itself as follows.....

Once registered for the PROOF scheme, Companies House will normally reject any paper versions of these forms and send them back to the registered office address.  

http://www.companieshouse.gov.uk/infoAndGuide/proof.shtml 

Thanks (0)
By Companies House
05th Dec 2012 14:25

Companies House Official Response

These reports contain a number of inaccuracies and assumptions and do not reflect the current position of our services. Companies House takes information security extremely seriously, as well as any concerns raised by our customers or the public. We have a range of security controls in place to protect information, we adhere to government standards and regularly undergo security testing by independent security consultants. As part of this continuous review and improvement approach, we are constantly implementing further improvements to these controls. We would therefore like to reassure our customers that we are committed to providing a safe and secure environment across all our services.

Neil White
Communications Manager
Companies House

Thanks (0)
By paulmoore
05th Dec 2012 14:44

Request for further information...

In light of Neil's comments, I have requested further information from Companies House to clarify these alleged inaccuracies & assumptions.

Until then, I must stress that all of the issues outlined have been independently verified by several security experts, including Chester Wisniewski, a senior security advisor at Sophos & Troy Hunt, Microsoft MVP in Developer Security.

"Based upon the information in the video and the reply you received from Companies House, it is a bit of a mess," Chester Wisniewski, a senior security advisor at Sophos Canada, told El Reg.

"It is appropriate to pressure Companies House about why they are inconsistent in their use of SSL, strange password limitations and insecure password reset policies," he added.

http://www.theregister.co.uk/2012/11/28/companies_house_website_security/

Thanks (0)
Replying to Tobby:
By Graham Cluley
06th Dec 2012 15:19

Correction to Paul Moore's post

A small point perhaps, but an important one.

It's incorrect for anyone to say that Chester Wisniewski, who is one of my colleagues working at Sophos Canada, has independently verified the issues that Paul Moore has detailed.

In fact, The Register report says:

"Wisniewski.. added the caveat that he hadn't created the accounts necessary to personally verify Moore's claims."

Chester specifically did not confirm the issues, and said his responses were only valid if the facts could in fact be confirmed.

I hope that clarifies things.

Regards

Graham Cluley, Sophos

Thanks (1)
By David Gordon FCCA
06th Dec 2012 12:30

co house security

I agree co Hse is not secure.

The issue is not annual accounts. The issue is that under the present system passwords are not secure.

Also, the advent of one-man companies, with there no longer being the need for "Hard copy" signatures to be filed, has meant that it is relatively easy for persons of mischievous intent to cause havoc.

Fortunately it does not happen too often, but it happens often enough to make this of real concern.

In order to simplify matters (Mostly for themselves?) the powers that be ignored the wise auditing truth:

If at least two persons, rather than one person, have to certify or check something, you cut the risk of misdeed by 85%.

  

Thanks (0)
By David Gordon FCCA
06th Dec 2012 12:46

the issue is "Security"

 

The real issue is "Security" means different things to different people.

If you ask any person who is involved with computer systems, e.g. Companies House: to them "Security" means first and foremost back-up, and preventing loss of information. Most other things come second.

But, then you have to ask, why do most solicitors refuse to accept delivery of time-crucial, or signature based, important legal documents, by fax or electronic means.

The answer is, experience indicates that enough of these items are questionable, so as to indicate that they are not "Secure"

Companies House often seems to relegate that meaning of "Security" to second place.

Thanks (0)
Replying to Euan MacLennan:
By paulmoore
06th Dec 2012 15:15

Interesting perspective, Gordon. Thanks.

I'm yet to receive any information which contradicts the article.  Neil isn't available today, so it's unlikely to progress any further until at least tomorrow.

Thanks (0)
By paulmoore
06th Dec 2012 17:25

Hello Graham

You're obviously aware of the situation, but for the sake of lucidity and to clear up any confusion from my above post...

From what I can gather from reading the Register's article, Chester's comments were his own and not necessarily shared by Sophos.  I believe John Leyden (The Register) mentioned Sophos purely to lend credibility to his comments.

"Chester specifically did not confirm the issues, and said his responses were only valid if the facts could in fact be confirmed."

It would seem somewhat unprofessional for any senior security advisor, especially one in Chester's position, to describe unconfirmed security flaws in a public forum as "a bit of a mess" and "insecure" unless there was sufficient evidence to justify the statement.

I'm very grateful for his impartial and candid response; it's refreshing to have someone effectively stick their neck out.  I'd hope Sophos provides a venue to speak openly and honestly on any topic, without fear of repercussions... although your input suggests otherwise.

In the two months since these issues came to light, the only official responses have been of a perfunctory, press-oriented nature; Neil's response here is a prime example.

To quote my latest email to Neil White, I'm more than willing to retract the article & issue an apology if they're able to demonstrate the findings are indeed inaccurate.  After 2 months, numerous emails and comments from several industry professionals, that's highly unlikely.

Thank you.

Thanks (0)
Replying to jon_griffey:
By fullyclothedcivilservant
14th Dec 2012 02:21

An important point about late filing penalties is that the revenue generated goes straight to the treasury - Companies House is a trading fund and operates on a cost recovery basis from fees charged for services.

Thanks (0)
By carnmores
14th Dec 2012 14:17

re the earlier remark about not knowing

You always get an email if they have been submitted, though I agree that if they can have a success screen for ARs then why not for accounts.

Why do I need 2 separate accounts for CH stuff? It would be so much easier if there was just one.

Thanks (0)