In the ECM context, the term audit proof refers to the archiving process as well as to the properties of electronic archiving systems and the documents archived in them. This legal requirement for archiving processes has arisen from the regulations of the GoBD [DE], the German Commercial Code (HGB) [DE], the German Fiscal Code (Abgabenverordnung) [DE] and other laws.
Who must archive in an audit-proof manner?
The requirement for audit-proof archiving in the sense of the GoBD affects every company. No matter what form of company: from freelancers as sole proprietorships or together with others in a civil law partnership (GbR) to SMEs and corporate groups – all companies must comply with the requirements of the GoBD and archive in an audit-proof manner accordingly.
What must be archived in an audit-proof manner?
Let’s first clarify which documents are subject to the requirement for audit compliance: Documents subject to retention include all documents relevant under tax law.
Documents to be archived in an audit-proof manner – examples
According to Section 147 of the Tax Ordinance, the following documents must be stored in an audit-proof manner:
- Books and records, inventories, annual financial statements, management reports, the opening balance sheet as well as the work instructions and other organizational documents required for their understanding,
- the received commercial or business letters,
- reproductions of commercial or business letters sent,
- accounting documents,
- documents referred to in Article 15(1) and Article 163 of the Union Customs Code,
- other documents, insofar as they are relevant for taxation.
The retention period of the records or documents is between six and ten years (here is an overview). After the expiry of the retention period, however, the GDPR imposes further requirements on these documents.
So what is audit compliance?
In general, revision security in the sense of the GoBD means that the root document/origin document during its retention period continues to be:
- in the original,
This expresses the fact that electronically stored documents and records must always remain in the original – as the original document and unchanged. Changes and adjustments must be made in separate, new documents.
This expresses that documents to be archived in an audit-proof manner must neither be lost in the archive nor during the transfer there.
In the sense of the GoBD, this means that documents and records are protected against forgery and manipulation. Different procedures are used for this; these are described in the procedural documentation.
- Immediately and completely available at all times – and
Refers to several points: On the one hand, this GoBD requirement means that documents and records must be stored as quickly as possible; ideally in a system with indexing. On the other hand, it must be possible to access the audit-proof archived content at any time. In addition, this passage states that all subsequent changes must be logged in a traceable manner and the resulting document versions must remain reproducible.
- remains machine evaluable.
This point merely states that the documents and records are readable with commercially available software (PDF reader, office software for DOCX or ODT formats. .
Often forgotten: the procedural documentation for audit-proof archiving.
This describes in detail how the five objectives mentioned above are achieved. The procedure documentation thus describes the process in technical and organizational terms for digital archiving in the company. In other words, it documents how documents and other records subject to retention are received, digitized, stored, processed, issued again and retained.
Adit proofing – everyone wants it
These requirements also apply to everyone’s everyday life. Even if not to quite the same strict extent as in business contexts and the requirements of legal regulations. Nowadays, everyone wants to ensure that stored documents are audit-proof; at least the point “unchangeable” should be guaranteed.