Audit-compliant archiving

Here you’ll learn the essentials of compliant archiving and how an audit-proof archive helps you manage digital documents securely and transparently over the long term.

The key points at a glance:

  • What does audit-proof archiving mean?
  • Which documents are affected?
  • What legal requirements apply?
  • How to successfully implement audit-proof archiving

The digital office has long been part of everyday life. Files are created in seconds on the screen, emails have replaced paper mail, and e-invoices arrive automatically. While this offers convenience, documents often end up unstructured and scattered across multiple systems. This gives rise to two key challenges: How do you keep track of digital documents? And what requirements does the law impose on audit-proof storage?

What does audit-proof archiving mean?

Audit-proof archiving ensures that digital records are stored permanently in a complete, unaltered, and fully traceable manner. Essentially, it involves storing electronic documents in such a way that their authenticity can be verified at any time—including their metadata, content, and all relevant processing steps.

Audit-proof means: a document is preserved exactly as it was originally created or received. Every change must be documented, every version clearly identifiable, and every piece of information reliably retrievable. These very properties form the foundation for legally sound digital processes.

Audit-proof archiving thus fulfills three central requirements:

  • Integrity: digital files are protected against alteration.
  • Traceability: every action is clearly documented.
  • Retrievability: relevant information is available at any time.

Anyone who uses digital business processes needs a filing system that consistently adheres to these basic principles. Audit-proof archiving ensures that decisions, transactions, and documentation remain traceable even years later, making it an essential building block of modern compliance.

Archiving is not the same as data backup – a brief explanation of the difference

Archiving and data backup serve two completely different purposes. Data backup protects against data loss by creating copies of files that can be overwritten or restored as needed. Archiving, on the other hand, preserves digital documents over the long term, keeping them unchanged and traceable—including all relevant metadata and versions.

Backups are important for operational reliability; an audit-proof archive, by contrast, ensures legal certainty, transparency, and traceability in the digital office.

Which documents are subject to archiving requirements?

Quotes, contracts, approvals, minutes, records, invoices: Many of these used to be on paper—today, they are almost exclusively in electronic form. This raises a simple but crucial question: Which digital documents must be stored in an audit-proof manner?

The answer is clear and legally unambiguous: all documents that relate to a business transaction and are therefore relevant under tax or commercial law.

These business documents must be archived in an audit-proof manner:

  • Books and records
  • Inventories
  • Annual financial statements
  • Management reports
  • Opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding
  • Accounting documents (such as e-invoices)
  • Incoming commercial and business correspondence
  • Copies of sent commercial and business letters
  • Documents pursuant to Article 15(1) and Article 163 of the Customs Code
  • Other documents, insofar as they are relevant for taxation

The Foundation: The 7 Pillars of Audit-Proofing

Audit compliance is based on seven clearly defined fundamental principles. These principles ensure that digital records remain accurate, tamper-proof, and traceable at all times:

  • Accuracy: contents match the original.
  • Completeness: nothing may be missing.
  • Immutability: nothing may be changed unnoticed; every modification must remain traceable.
  • Traceability: every action is documented without gaps.
  • Order: documents are filed in a structured and retrievable manner.
  • Security: access control and protective mechanisms are ensured.
  • Compliance with retention periods: documents are retained for as long as the law requires.

In short: these seven pillars form the set of rules for audit-ready digital filing.

And only an audit-proof archive meets these requirements consistently, which not least makes life easier for auditors. Because in the end, that is exactly what matters.

Audit-proof storage – Implementing it step by step

The key question is: Which documents subject to retention requirements enter the company, and through which channels?

Typical intake channels include:

  • automated transfers from ERP or e-invoicing systems
  • paper documents to be digitized, including OCR text recognition
  • clearly defined intake points (e.g., a central inbox for invoices)

The more accurately this data is captured, the lower the risk of gaps later on.

The second step involves determining exactly what type of document it is and the business context to which it belongs. This classification is crucial because it determines how a document is sorted, reviewed, filed, and quickly retrieved later.

In addition, the metadata for the archive is defined:

  • Document type (e.g., invoice, contract, minutes)
  • Related business transaction or process
  • Details such as date, amount, or customer number

The combination of subject-matter classification and metadata forms the “control center” of the document. It ensures that automated review and filing processes function smoothly—and that documents remain reliably retrievable even years later.

One thing matters above all else here: the document must remain unchanged and clearly traceable. Every subsequent view, every version, and every access must still be verifiable even years later.

What matters most?

  • Immutable storage
  • Unique identification of the document
  • Complete linking to all relevant information
  • Logging of accesses and actions

Audit-proof archiving is thus the moment when a document becomes permanently reliable evidence—regardless of how systems or processes within the company may change in the future.

As soon as a document arrives at the company, the statutory retention period begins. It depends on the type of document and typically ranges from six to ten years—in some cases, longer. At the same time, GDPR requirements come into effect, mandating deletion once the retention period has expired. How can this balancing act be managed without manual effort?

An archiving system automatically manages retention periods. Retention periods are stored in the system based on the document type. After that, the processes run reliably in the background.

Key features:

  • automatic assignment of the correct retention period
  • system-controlled monitoring until the end of the retention period
  • clear marking for documents entering the deletion phase
  • documented approval in case deletion needs to be verified

The result: Documents are neither removed too early nor stored for an unnecessarily long time. Companies remain legally compliant and relieve the burden on their departments.

Audit compliance depends on transparency. That is why it must always be possible to trace who opened, modified, or reviewed a document. An audit-compliant archive automatically logs these steps, thereby protecting documents from tampering.

Core features for secure traceability:

  • Role-based permissions (e.g., accounting, purchasing, management)
  • Clear separation between read and edit access
  • Logging of every action through versioning—from opening to final storage
  • Support for the dual-control principle for sensitive processes (e.g., deletion of documents after the retention period)
  • Regular backups and integrity checks (e.g., via hash values)

This transparency builds trust in data integrity during the retention period in audit-proof archiving. At the same time, it meets key GoBD requirements and facilitates both internal and external audits.
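The retention management and traceability features described in the two steps above can be sketched as follows. This is an added example, not PROXESS code: the `Archive` class, the retention table, and all sample values are assumptions made for illustration. It shows hash-based integrity checks on documents, a hash-chained audit log in which altered entries are detectable, and deletion that requires both an expired retention period and two distinct approvers.

```python
import hashlib
import json
from datetime import date

# Assumed retention periods in years per document type (values within the
# 6-10 year range the page mentions; set them per your own legal advice).
RETENTION_YEARS = {"invoice": 8, "annual_statement": 10, "business_letter": 6}
GENESIS = "0" * 64

def chain_hash(entry: dict, prev: str) -> str:
    """Hash of a log entry bound to the previous entry's hash."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()

class Archive:
    def __init__(self):
        self.docs = {}  # doc_id -> type, received date, sha256, content
        self.log = []   # append-only, hash-chained audit trail

    def _record(self, actor: str, action: str, doc_id: str) -> None:
        prev = self.log[-1]["chain"] if self.log else GENESIS
        entry = {"seq": len(self.log), "actor": actor, "action": action, "doc": doc_id}
        self.log.append({**entry, "chain": chain_hash(entry, prev)})

    def ingest(self, actor, doc_id, doc_type, received: date, content: bytes):
        if doc_id in self.docs:
            raise ValueError("id exists; archive a new version under a new id")
        self.docs[doc_id] = {"type": doc_type, "received": received,
                             "sha256": hashlib.sha256(content).hexdigest(),
                             "content": content}
        self._record(actor, "ingest", doc_id)

    def retention_end(self, doc_id) -> date:
        # Assumption of this example: the period runs to the end of the
        # calendar year, so a document is never released early.
        d = self.docs[doc_id]
        return date(d["received"].year + RETENTION_YEARS[d["type"]], 12, 31)

    def verify(self) -> list:
        """Return a list of integrity problems; an empty list means intact."""
        problems, prev = [], GENESIS
        for e in self.log:
            entry = {k: v for k, v in e.items() if k != "chain"}
            if chain_hash(entry, prev) != e["chain"]:
                problems.append(f"log entry {e['seq']} altered")
            prev = e["chain"]
        for doc_id, d in self.docs.items():
            if hashlib.sha256(d["content"]).hexdigest() != d["sha256"]:
                problems.append(f"document {doc_id} altered")
        return problems

    def delete(self, doc_id, approvers: set, today: date) -> None:
        if today <= self.retention_end(doc_id):
            raise PermissionError("retention period still running")
        if len(set(approvers)) < 2:
            raise PermissionError("dual control: two distinct approvers required")
        del self.docs[doc_id]
        self._record("+".join(sorted(approvers)), "delete", doc_id)
```

In a real archive the log and the stored hashes would live on storage the archive's own users cannot rewrite; here they are in-memory objects so that the checks can be exercised directly.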

How to choose an Audit-Compliant Archive

PROXESS DMS

With our TÜV-certified solution PROXESS DMS, you can archive your company documents in an audit-proof manner and find them again quickly.

Conclusion

Audit-compliant archiving is a core task for every company. E-invoices and new compliance requirements are increasing the pressure to store information in a clean, traceable, and tamper-proof manner.

The question of how an archive is technically implemented is becoming increasingly important. Experience shows that purely cloud-based or purely on-premises models have their limitations. The trend is clearly moving toward hybrid solutions—they combine local control with the flexibility of modern cloud services and adapt better to different departments. Companies that make this strategic decision early and deliberately lay a foundation that will stand the test of time: for stable processes, simple audits, and audit-proof archiving you can trust.

Frequently Asked Questions

Legally compliant or audit-proof archiving means storing documents in a way that complies with legal requirements (GoBD, HGB, AO, GDPR). It ensures that records remain valid and are accepted as evidence in the event of tax audits, legal disputes, or internal audits.

A legally compliant archive must therefore ensure that the archived documents and data:

  • Are unalterable: Once stored, documents may not be modified. Changes must be documented, e.g., through versioning.
  • Are securely stored: The archiving system must protect documents and data from loss or unauthorized access.
  • Remain quickly accessible and retrievable: According to GoBD, documents must be retrievable at any time and machine-readable.

GoBD stands for “Principles for the Proper Management and Retention of Books, Records, and Documents in Electronic Form, as well as for Data Access.”

The GoBD is a guideline issued by the Federal Ministry of Finance (BMF) for digital accounting and archiving, designed to ensure that documents are tamper-proof, traceable, and complete. The current GoBD 2020 was published in a letter from the BMF dated November 28, 2019, and is effective as of January 1, 2020. It replaces earlier regulations (GoBS, GDPdU) and applies to all taxpayers who process electronic and digital documents to make them verifiable by the tax authorities. Key principles include traceability, completeness, accuracy, order, timeliness, and immutability.

The GoBD does not specify which documents must be retained or for how long; rather, it supplements and clarifies the general legal framework regarding the proper handling of digital documents within a company.

Supplementary information on the provision of data carriers:
Upon request by the tax authorities, the audited company must also provide, as part of an audit, all structural information necessary for the evaluation of the data in a machine-readable format. To assist with this, the Federal Ministry of Finance (BMF) has provided supplementary information on the provision of data carriers: 2019-11-28-GoBD-Supplementary-Information

 

Legal Regulations for DMS/ECM Systems

When it comes to legal requirements for DMS/ECM systems, a distinction is made between commercial law, tax law, and civil law aspects.


Commercial Law

According to Section 257 of the German Commercial Code (HGB), merchants are obliged to retain relevant documents in accordance with the principles of proper accounting (GoB).
Section 257 HGB also defines rules for the digital retention of documents.

Tax Law

Retention periods for both analog and digital documents are governed by Section 147 of the German Fiscal Code (AO).
Due to the Fourth Bureaucracy Relief Act (BEG IV), a reduced retention period of 8 years applies to certain documents (e.g., accounting records, receipts, invoices) starting from January 1, 2025.

GoBD

The GoBD 2020 define how electronically archived documents must be handled. They regulate the proper management and retention of books, records, and documents in electronic form, including data access requirements. The GoBD also require the creation of a procedural documentation (Verfahrensdokumentation).

GDPR

Since May 25, 2018, the EU General Data Protection Regulation (GDPR) has been in force.
It governs the handling of personal data in archives, including access, deletion after retention periods, and data security.

Civil Law

In civil law, an optically archived document is considered an “object of visual inspection.”
In individual cases, a judge may decide whether a reproduced document is admissible as evidence.
However, if the party that reproduced the document can demonstrate that it is a true visual or content-based representation of the original (e.g., through procedural documentation), the document is generally accepted.

 

Yes, documentation is mandatory for GoBD-compliant archiving. It serves as a central document for auditors in the event of a tax audit or company review, providing a comprehensive overview that enables understanding of the technical and operational processes. In other words, the procedural documentation clearly describes the "how" of audit-proof archiving.

The purpose of this procedural documentation is to make the digital bookkeeping processes in your company transparent and understandable for auditors. It therefore becomes an indispensable tool if you want to maintain your company's books, records, and documents in compliance with GoBD requirements.

The procedural documentation must clearly and comprehensively describe the content, structure, and workflow of the relevant processes. Accordingly, it should include:

  • A description of the business-logical solution
  • A description of the technical (program-related) solution
  • A description of how program identity is ensured
  • A description of how data integrity is maintained
  • User instructions for operating the system

A detailed description can be found here: Contents of Procedural Documentation.pdf

Below you will find two sample templates for possible procedural documentation provided by the German Association of Tax Advisors:

  • Sample Procedural Documentation 2015
  • Sample Procedural Documentation for Substitute Scanning 2019

 

Compliance essentially means adhering to applicable laws and regulations.

In the context of DMS systems, particular attention must be paid to aspects such as retention obligations, data security, and data protection.

No. Only business-relevant emails must be archived—i.e., messages with tax or accounting relevance, such as offers, order confirmations, or invoices. Private or purely organizational emails are not included, nor are advertising or spam emails.

Yes, but only within the right process. A PDF is not automatically audit-proof. Only when it is stored in an audit-proof archive system does the GoBD principle of immutability take effect: the document is either protected against changes or every change is fully logged. What matters, therefore, is not the file format but the filing process and the technical protection mechanisms of the archive.

 

Yes. Cloud archiving is permitted—as long as the system meets GoBD requirements and the provider processes data and documents in a legally compliant manner. This includes clear logging, transparent processes, and reliable protection against unnoticed changes.

And how important is the data location?

For German tax authorities, the storage location plays a crucial role. In principle, tax-relevant data must be stored in Germany or within the EU/EEA so that the authorities can access it at any time. Storage outside this area is possible, but only with special approval (“permission for data storage abroad”), which is now rarely granted.

In short:

  • EU/EEA cloud? Unproblematic if GoBD requirements are met
  • Outside the EU/EEA? Only with official approval
  • Practical trend: Hybrid models to keep sensitive data stored locally

This allows companies to remain flexible while still complying with regulatory requirements.

Retention periods of between 6 and 10 years apply to most tax-relevant documents. Since the statutory change accompanying the e-invoicing obligation in 2025, invoices only need to be archived for 8 years, while annual financial statements must still be retained for 10 years. What matters is that the documents remain complete, legible, and unaltered for the entire period, regardless of the medium in which they were received.

The GoBD define the central requirements for handling tax-relevant data. For archiving, this means: documents must be immutable, complete, traceable, and available at all times. In addition, all steps must be documented. In short: the GoBD form the binding framework that every audit-proof archive must follow.

 

If audit-proof archiving is lacking, this can lead to tax assessments, additional claims, or objections during audits. Internal risks also increase: documents may be missing, manipulated, or no longer traceable.

In the worst case, this can result in legal consequences or delays in critical business processes. Proper archiving therefore not only protects against audit risks but also helps stabilize daily operations.