What Does ZATCA Actually Audit in Phase 2 E-Invoicing Implementations?

Learn what ZATCA actually audits in Phase 2 e-invoicing, from XML compliance and clearance workflows to invoice records and controls.

Many businesses treat Phase 2 e-invoicing compliance as a technical implementation project. Once the ERP is integrated, invoices are flowing through the FATOORA platform, and the system passes initial validation checks, the assumption is that the company is fully compliant. Whether the deployment is managed internally or through an experienced SAP Partner in Saudi Arabia, many teams focus heavily on go-live readiness.

But when ZATCA begins its audit and compliance review, the scope goes far beyond whether invoices are simply being generated.

That’s where many businesses get caught off guard.

A ZATCA Phase 2 audit is not limited to technical connectivity. It is designed to assess whether the entire invoicing lifecycle—from invoice creation to storage, reporting, and controls—meets the regulatory framework. The authority’s detailed guidelines specifically include clearance, reporting, record retention, cryptographic stamping, prohibited functions, and compliance audit obligations as part of Phase 2 requirements.

In simple terms, ZATCA does not just audit the system.

It audits the business process behind the system.

1) Invoice Data Accuracy and Mandatory Fields

One of the first areas ZATCA focuses on is the quality and completeness of invoice data.

This includes whether every invoice contains the mandatory fields required under the regulation, such as invoice number, timestamp, seller VAT registration number, tax amounts, invoice type, and buyer details where applicable.

For standard tax invoices, accuracy becomes especially critical because these are generally issued for B2B transactions and are subject to clearance requirements. The authority expects the invoice to be generated in the prescribed structured electronic format rather than a manually created PDF or scanned document.

Even small data inconsistencies can raise compliance concerns.

A missing VAT number, incorrect timestamp logic, or inconsistent invoice sequencing can all become audit observations.

What often surprises businesses is that ZATCA also reviews whether the data reflects the actual commercial transaction, not just whether the XML technically validates.

2) XML Structure and Schema Compliance

One of the most heavily reviewed technical areas is XML compliance.

Phase 2 requires invoices to be generated in the required structured format and aligned with the approved specifications. This means the authority looks closely at whether the invoice schema, tax codes, line-item values, UUID generation, and digital elements match the mandated standard.

A system may appear functional from the front end, but if the XML structure is inconsistent or fields are incorrectly mapped from the ERP, the audit may identify it as a compliance issue.

This is particularly common in custom ERP environments where invoice logic has been heavily modified.

3) Clearance and Reporting Workflows

This is one of the most important areas in Phase 2.

ZATCA audits how invoices are transmitted, cleared, and reported through the FATOORA platform.

For standard tax invoices, the authority checks whether invoices are sent for clearance before being shared with the customer. For simplified invoices, it reviews whether reporting timelines and response handling are properly maintained. Phase 2 explicitly covers clearance and reporting workflows as a core requirement.

This includes questions such as:

  • Was the invoice transmitted on time?

  • Were failed submissions retried?

  • Were rejected invoices corrected properly?

  • Are acknowledgement responses being stored?

This is where many post-go-live audit findings emerge.

The system may generate correct invoices, but operational workflows may fail under real business conditions.

4) Cryptographic Stamp, QR Code, and Invoice Hash

Another critical audit area is invoice authenticity.

ZATCA places strong emphasis on cryptographic controls to ensure invoices cannot be manipulated after issuance.

During an audit, the authority typically reviews whether the invoice includes the required cryptographic stamp, QR code elements, and invoice hash values in accordance with Phase 2 controls. The guideline explicitly highlights these as ongoing obligations for taxable persons.

This is important because the audit is not only about tax reporting.

It is also about invoice integrity and anti-tampering controls.

Any weakness in how the ERP generates or preserves these values can become a significant compliance issue.

5) Record Retention and Audit Trail

One of the most underestimated areas is record keeping.

ZATCA does not only review live invoice generation.

It also audits whether the company maintains a complete historical record of invoices, credit notes, debit notes, clearance responses, and system logs.

Phase 2 specifically includes record keeping and compliance audit obligations as part of the framework.

This means businesses must be able to retrieve invoice records, transaction logs, and correction history whenever requested.

A poor audit trail often becomes a major finding, especially when invoices have been cancelled, reversed, or corrected.

6) Prohibited Functions and System Controls

This is where many ERP teams underestimate the audit depth.

ZATCA also checks whether the invoicing system includes prohibited functions.

For example, the authority may review whether the solution allows invoice deletion, unauthorized editing after issuance, timestamp manipulation, or manual bypass of invoice sequencing.

The guideline specifically includes prohibited functions as a compliance area.

This is why access controls, role permissions, and system governance are just as important as invoice generation.
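A self-check over stored invoice records can surface these conditions before an auditor does: counter gaps (deletion or sequencing bypass), timestamps that run backwards, XML changed after issuance, and missing platform responses. The following is an added example, not code from ZATCA or any ERP vendor; the record layout, field names and the SHA-256-over-stored-bytes hash are assumptions for illustration and do not reproduce the FATOORA specification.

```python
import hashlib
from datetime import datetime

def invoice_hash(xml_bytes):
    # Assumption: SHA-256 over the stored XML bytes, recorded at issuance.
    return hashlib.sha256(xml_bytes).hexdigest()

def audit_ledger(records):
    """Return (counter, finding) pairs for a list of stored invoice records."""
    findings, prev = [], None
    for rec in sorted(records, key=lambda r: r["counter"]):
        n = rec["counter"]
        if prev is not None:
            # A gap or duplicate suggests deletion or a sequencing bypass.
            if n != prev["counter"] + 1:
                findings.append((n, "SEQUENCE"))
            # Counters must not advance while issue time moves backwards.
            if datetime.fromisoformat(rec["issued"]) < datetime.fromisoformat(prev["issued"]):
                findings.append((n, "TIMESTAMP"))
        # Stored XML must still match the hash recorded when it was issued.
        if invoice_hash(rec["xml"]) != rec["hash_at_issue"]:
            findings.append((n, "HASH"))
        # Every invoice needs its stored clearance/reporting acknowledgement.
        if not rec.get("response"):
            findings.append((n, "NO_RESPONSE"))
        prev = rec
    return findings

def _rec(counter, issued, xml, response="CLEARED"):
    return {"counter": counter, "issued": issued, "xml": xml,
            "hash_at_issue": invoice_hash(xml), "response": response}

# Constructed sample ledger (not real invoices).
SAMPLE = [
    _rec(1, "2024-03-01T09:00:00", b"<Invoice><ID>INV-1</ID><Total>100.00</Total></Invoice>"),
    _rec(2, "2024-03-01T09:05:00", b"<Invoice><ID>INV-2</ID><Total>250.00</Total></Invoice>"),
    # Counter 3 is absent, the issue time precedes invoice 2, no response stored.
    _rec(4, "2024-03-01T09:02:00", b"<Invoice><ID>INV-4</ID><Total>80.00</Total></Invoice>",
         response=None),
]
# Simulate an edit made to invoice 2 after issuance.
SAMPLE[1]["xml"] = SAMPLE[1]["xml"].replace(b"250.00", b"25.00")

if __name__ == "__main__":
    for counter, finding in audit_ledger(SAMPLE):
        print(counter, finding)
```

Running such a check on a schedule against the archive, rather than only at go-live, gives the continuous evidence that the record retention and system control sections call for.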

Final Thoughts

What ZATCA actually audits in Phase 2 is much broader than most businesses expect, often extending across every business line.

It is not just an IT integration review.

It covers invoice accuracy, XML structure, clearance workflows, digital authenticity controls, audit trails, and system governance.

In other words, the authority audits both the technology layer and the operational process layer.

Businesses that focus only on technical go-live readiness often miss the controls that matter most during an audit.

That is why successful compliance requires continuous monitoring, process discipline, and strong ERP governance long after implementation.