Who must archive in an audit-proof manner?
The requirement for audit-proof archiving affects every company, regardless of its legal form: from freelancers operating as sole proprietors or together with others in a civil law partnership (GbR) to SMEs and corporate groups – all companies must comply with the regulations and archive in an audit-proof manner accordingly.
What must be archived in an audit-proof manner?
Let’s first clarify which documents are subject to the requirement for audit compliance: Documents subject to retention include all documents relevant under tax law.
Documents to be archived in an audit-proof manner – examples
According to the Tax Ordinance, the following documents must be stored in an audit-proof manner:
- Books and records, inventories, annual financial statements, management reports, the opening balance sheet as well as the work instructions and other organizational documents required for their understanding,
- the received commercial or business letters,
- reproductions of commercial or business letters sent,
- accounting documents,
- other documents, insofar as they are relevant for taxation.
The retention period of the records or documents is between six and ten years. After the expiry of the retention period, however, the GDPR imposes further requirements on these documents.
So what is audit compliance?
Short answer: You want to make sure that a document has not been changed or manipulated during its lifetime without this being noticed. In general, audit compliance in the sense of the regulations means that the original document, throughout its retention period, continues to be:
- in the original,
This expresses the fact that electronically stored documents and records must always remain in the original – as the original document and unchanged. Changes and adjustments must be made in separate, new documents.
This expresses that documents to be archived in an audit-proof manner must neither be lost in the archive nor during the transfer there.
In the sense of the GoBD, this means that documents and records are protected against forgery and manipulation. Different procedures are used for this; these are described in the procedural documentation.
- Immediately and completely available at all times – and
This refers to several points: On the one hand, this requirement means that documents and records must be stored as quickly as possible, ideally in a system with indexing. On the other hand, it must be possible to access the audit-proof archived content at any time. In addition, this passage states that all subsequent changes must be logged in a traceable manner and the resulting document versions must remain reproducible.
- remains machine evaluable.
This point merely states that the documents and records are readable with commercially available software (PDF reader, office software for DOCX or ODT formats).
Often forgotten: the procedural documentation for audit-proof archiving
This describes in detail how the five objectives mentioned above are achieved. The procedural documentation thus describes the digital archiving process in the company in technical and organizational terms. In other words, it documents how documents and other records subject to retention are received, digitized, stored, processed, issued again and retained.
Audit compliance – how to succeed
These requirements also apply to everyone’s everyday life, even if not to quite the same strict extent as in business contexts governed by legal regulations. Nowadays, everyone wants to ensure that stored documents are audit-proof; at least the point “unchangeable” should be guaranteed.
How can the audit compliance of a document be guaranteed? An example: Who would be in a position to take any document from a pool of 1,000 files and claim that this is the unchanged document?
To ensure this, checksums, also known as hash values, are used, which are calculated from the content of the document. These hash values are unique. This means: same document content, same checksum. And a modified document inevitably results in a different checksum. Modern document management and archiving systems perform this task in the background and display the calculated status.
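The checksum approach described above, as an added example that is not part of the original article: it records a digest for every file at ingest and later reports which files were modified, lost, or added. SHA-256, the manifest layout and the sample files are assumptions, since the article names no algorithm or tool.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's content, read in 1 MiB blocks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(archive: Path) -> dict:
    """Map each file path (relative to the archive root) to its digest."""
    return {p.relative_to(archive).as_posix(): sha256_file(p)
            for p in sorted(archive.rglob("*")) if p.is_file()}

def verify(archive: Path, manifest: dict) -> dict:
    """Compare the archive's current state with the manifest taken at ingest."""
    now = build_manifest(archive)
    return {
        "modified": sorted(n for n in manifest if n in now and now[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in now),
        "unexpected": sorted(n for n in now if n not in manifest),
    }

def manifest_digest(manifest: dict) -> str:
    """Digest of the manifest itself; keep it outside the archive, otherwise
    whoever can alter a document can also alter its recorded checksum."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def demo() -> dict:
    """Constructed sample archive: ingest three files, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice-001.txt").write_bytes(b"Amount due: 1,200.00 EUR\n")
        (root / "invoice-002.txt").write_bytes(b"Amount due: 340.00 EUR\n")
        (root / "letter.txt").write_bytes(b"Dear customer, ...\n")
        manifest = build_manifest(root)  # taken at ingest
        (root / "invoice-001.txt").write_bytes(b"Amount due: 1,200.00 EUR \n")  # one extra space
        (root / "letter.txt").unlink()  # document lost
        (root / "note.txt").write_bytes(b"added later\n")  # never ingested
        return verify(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A checksum only detects a change if the reference value is itself protected, which is why the manifest digest is meant to be stored separately from the archived files.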