Cloud computing in tax administrations (ii)

ii)  Specifics of public institutions

a)  Legal and regulatory issues

Cloud service providers locate their data centers in geographic locations that are advantageous for them. In most cases the contractors of these services are not imported with the location, since they deliver the agreed quality of service. However, for a tax administration and other public institutions, the location of their data may be relevant, due to legal restrictions in their country or accessibility regulations and disclosure of data from other countries (where the data may be located). An example would be the “Patriot Act “of the United States, which can allow local authorities access to data stored there. Clouds specialized in government, which comply with the country’s legal restrictions, or local data center requirements are considered solutions for this problem.

b) X Investment operating expense

The traditional economic management of IT services points to a CAPEX (Capital Expenditure) profile, mainly related to the acquisition of equipment, software and facilities. In economic terms, the decision to implement cloud services redirects the institution’s expenses to an OPEX profile (Operational Expenditure), by which institutions pay according to stored data, processing and scalability facilities, with focus in periodic spending with contracts. I.e., it reduces investment and increases operating expenses.

Tax administrations without financial autonomy, mainly to ensure the continuity of cloud services, must protect these contracts from eventual budget cuts, which are usually focused on the operating budget.

c)  Financing of modernization programs

The modernization programs of tax administrations, financed by international organizations, in their operating regulations direct the IT component basically for investments in computer equipment and infrastructures. Operating expenses, such as cloud computing, are not admitted for financing by these programs, although they may be considered as a counterpart.

This model influences the decisions of the programs’ executors, who see this funding as an odd opportunity to invest in their own IT equipment and infrastructure, although considering the negative aspects such as maintenance costs and rapid obsolescence of the equipment. These amounts usually represent a high percentage of the total value of the financing. In considerations for decision making, it must be evaluated if these resources could be better used in other important needs of the institution.

d)  Cost and availability of reliable service

In many countries there are still no reliable suppliers and sufficient capacity to meet the operational requirements of large public institutions. In certain cases, the values ​​charged by the providers often discourage the use of these services[1] .

Trends and practices

I)  Mexico – The hybrid cloud[2] of the Tax Administration Service – SAT

The SAT uses cloud services since 2012, with the Azure provider, especially to receive different types of taxpayer declarations and procedures, improving operability and saving 20% ​​of the estimated investment cost[3] . This initiative is included in the Digital Government Strategy of Mexico[4] .

In 2017, SAT launched a public bidding to expand its operations in the cloud, with the project called SENHA (Hybrid Managed Cloud Services). The project covers the entire Tax Administration Service, including internal and external services (taxpayers, PACs[5] , third parties), operating in the three Data Centers of the SAT (Mexico City, Querétaro and Aguascalientes) and in the Data Centers of the provider for public cloud services. In December the contract was assigned to the company T-Systems, which must be related to different ICT providers existing in the SAT to achieve the service. Among the main objectives of the project is to have a platform with technological neutrality that allows to dynamically scale the IT infrastructure for an adequate operation of the SAT applications and to withstand the peaks of taxpayer demand; need to protect the investment made by the SAT, for this the project must take advantage of and use the existing resources of processing, storage and communications[6] . According to the bidding rules, the progressive transition of the technological services of the SAT is sought, so that the institution focuses on the design and construction of software applications or information technology services that enable the different business functions of the SAT, while the computing services are consumed in an integrated manner in a cloud-like model.

The governance of the project will be done by two groups: High Level Government Board (strategic decisions together with the provider, extreme risks, resolution of candies); Government of the SENHA Contract (support and support group that integrates four processes: alignment and organization, construction and implementation, delivery and support, monitoring and evaluation).

A characteristic of this public bid is that the resulting project will not be financed by the budget of expenditures, but by a SAT trust that receives payments for customs procedures[7] .

II)  United Kingdom (HMRC)

In 2013, the United Kingdom defined a “first, cloud” policy (Cloud First) for its IT initiatives. For this policy, government institutions must consider cloud solutions before looking for alternatives. In addition, they should opt for the use of public clouds, instead of hybrid, private or community models. It also encourages institutions to use SaaS (Software-as-a-Service) models, especially for institutional and back-end management functions. There are guides for institutions to evaluate the best alternatives, such as the “Guidance – Public Sector Use of the Public Cloud[8] . The document argues that it is feasible for public institutions to place highly personal and sensitive data in the cloud, as some government departments have already done. It justifies that cloud providers have significant budgets to maintain, adjust and secure their infrastructure, mitigating some risks that challenge government institutions. The decision must be made based on a risk analysis, especially considering the 14 principles of the document “Implementing the principles of security in the cloud” of the National Center for Cyber ​​Security[9].

Likewise, the HMRC follows the government policy and until July 2017 it already had 60% of its IT infrastructure in the cloud, with SAP systems standing out. The HMRC is expanding this percentage and affirms that the security and availability aspects were improved, and that it manages to operate services among different cloud providers in order to optimize quality and costs[10] .

In 2017 HMRC decided to migrate some of its services that were in a national cloud provider (Datacentred) for the AWS cloud of the multinational Amazon[11] . The decision brought discussions in newspapers about the use of international services for sensitive applications, but HMRC argued that it was based on technical criteria of risk analysis, resilience and the provision of better services.

III)  United States (IRS)

In 2010 the Government of the United States published a strategic document called “25 Point Implementation Plan to Reform Federal Technology Management “, with the main objectives of obtaining operational efficiency and effectively managing large scale IT programs. The third point directs government agencies to look for a Cloud First policy (first, cloud), based on the use of commercial cloud technologies (when this is possible), launch private government clouds and use regional clouds with states and local governments, when appropriate[12] .  In addition, the IRS (Internal Revenue Service) defined a strategy to comply with the established policy, which is to move the storage of data and applications to a private, federal cloud, while using public clouds – such as Amazon, IBM or Oracle – to development purposes.

The IRS disclosed in 2016 the document “Publication 1075 “, which determines the conditions to protect the confidentiality of federal tax information (FTI), through policies, practices, controls and safeguards that must be met by agencies, agents and contractors that operate this information[13] . Some cloud service providers, such as Azure and AWS GovCloud (US)[14] indicate that they are in compliance with the directives contained in this document[15] .

On the other hand, the IRS plans to acquire cloud services for Microsoft products, in the SaaS mode[16] . The main products of interest are Office, Project, SharePoint, and Exchange.

Final comments

The trend of using cloud computing is a reality, and it is estimated that 80% of companies of medium to large size have cloud services in the SaaS modality[17] . As mentioned in this document, some governments have already adopted cloud computing as a priority option for their IT services and their tax services plan to comply with this policy.

On the other hand it is observed that, in the cloud services market, they are basically the global giants that can attend to the great needs of availability, security and elasticity in the demand needed by big institutions, like the tax administrations. The good news is that these providers are establishing themselves in several countries, often associating with local companies.

The practice shows that tax administrations are traditionally conservative and distrustful of external IT environments. Consequently, the risks and challenges outlined here should be very well appreciated in a possible evaluation and decision-making process.


[1]  The “heart” of the economic model for cloud services is sharing resources. If there is only one client with large needs for the service, he will pay for everything and be characterized more as an outsourcing.

[2]  A hybrid cloud allows the staging and continuous provisioning of ICT resources without relying solely on its own infrastructure.

[3]  https://www.vcon.mx/2017/02/09/el-sat-en-la-nube/

[4]  https://www.gob.mx/mexicodigital/

[5]  An Authorized Certification Provider (PAC) is an entity authorized by the SAT to generate, process and certify digital tax receipts. The obligations they have are to validate the requirements of the invoice, assign tax folios and incorporate the digital seal of the SAT.

[6]  http://www.sat.gob.mx/ProyectosSAT/SENHA/Paginas/default.aspx

[7]  https://tinyurl.com/ybxx9nby Reform Newspaper 02/01/2018

[8]  https://www.gov.uk/guidance/public-sector-use-of-the-public-cloud

[9]  https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles

[10]  https://hmrcdigital.blog.gov.uk/2017/07/13/a-new-era-bold-plans-and-innovation/

[11]  Since 2016 Amazon AWS has a data center in London.

[12] https://www.actiac.org/system/files/25%20Point%20Implementation%20Plan%20to%20Reform%20Federal%20IT.pdf

[13]  https://www.irs.gov/pub/irs-pdf/p1075.pdf

[14]  Cloud service oriented to the governmental agencies of the United States, following rules established by the ITAR / US.

[15]  https://aws.amazon.com/compliance/irs-1075/

[16]  http://blog.executivebiz.com/2017/09/irs-seeks-potential-saas-cloud-application-sources/

[17]  https://iccwbo.org/media-wall/news-speeches/real-time-controls-changing-trade-know/

2,379 total views, 4 views today

Disclaimer. Readers are informed that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author's employer, organization, committee or other group the author might be associated with, nor to the Executive Secretariat of CIAT. The author is also responsible for the precision and accuracy of data and sources.

1 comment

  1. icloud support Reply

    In the modern age, we can see development in every place. The cloud computing is one of the best. It gives smooth service for every business. So I like your post.

Leave a Reply

Your email address will not be published.

CIAT Subscriptions

Browse through the site without restrictions. Consult and download the contents.

Subscribe to our electronic newsletters:

  • Blog
  • Academic offer (Only in spanish)
  • Newsletter
  • Publications
  • News alert

Activate subscription

CIAT Members

Representatives, Correspondent and Authorized staff (TA)