Fundamentals

What Is Audit-Proof Archiving?

Requirements, technical implementation and common mistakes at a glance

Audit-proof archiving means that documents are stored in a way that prevents them from being subsequently altered, deleted, or manipulated. They must be fully retrievable, machine-readable, and traceable at all times. The concept originates from German commercial and tax law and is mandatory for all businesses subject to bookkeeping obligations.

Simply storing business documents in a folder on the hard drive does not meet these requirements. A file that can be renamed, moved, or deleted at any time is neither immutable nor traceable. Audit-proof archiving requires specific technical measures: hash verification, timestamps, access logging, and versioning.

This article explains what audit-proof archiving means in detail, which legal requirements apply, how the technical implementation works, and which mistakes businesses should avoid.

What Does "Audit-Proof" Mean?

The four core characteristics of audit-proof archiving

The term "audit-proof" (revisionssicher) describes storage that withstands an audit (revision). Specifically, four conditions must be met:

1. Immutability

Once archived, documents must not be modified afterwards. Neither the content nor the metadata may be altered without documented traceability. Technically this is ensured through write protection, hash values, and digital signatures or timestamps. Even the smallest change to a document alters its hash value, but that only makes the change detectable if the reference hash is kept where whoever can alter the document cannot also rewrite it: signed, timestamped, or recorded in an append-only log. A hash stored next to the file in the same writable folder proves nothing.

2. Traceability

Every access to an archived document must be logged: who accessed, downloaded, or exported which document, and when? This complete audit trail is essential during tax audits. Tax authorities examine not only the documents themselves but also how they are handled.

3. Completeness

All documents subject to retention requirements must be archived without gaps. This includes not only invoices and contracts, but also business correspondence, accounting vouchers, inventories, and tax-relevant emails. A single missing document can lead to estimates and significant additional tax payments during an audit.

4. Machine Readability

Archived documents must be machine-searchable and evaluable. A scanned PDF without text recognition (OCR) does not meet this requirement, because tax authorities must be able to electronically search, filter, and evaluate documents during an audit. This means full-text search must be possible.

Legal Framework: GoBD, AO and HGB

The laws and regulations governing audit-proof archiving in Germany

The requirements for audit-proof archiving derive from several legal sources. The most important are:

GoBD (Principles for Proper Record-Keeping)

The GoBD issued by the German Federal Ministry of Finance (BMF letter dated 28 November 2019, amended by BMF letter dated 11 March 2024) define the specific requirements for electronic record retention. They apply to all taxpayers and encompass ten principles: traceability, verifiability, completeness, accuracy, timely recording, orderliness, immutability, machine readability, data backup, and procedural documentation.

Section 147 AO (German Fiscal Code)

Section 147 AO governs the retention periods for tax-relevant documents. Books, records, inventories, and annual financial statements must be retained for 10 years; accounting vouchers, including invoices, for 8 years (reduced from 10 years by the Fourth Bureaucracy Relief Act, BEG IV, for vouchers whose retention period had not already expired at the end of 2024); commercial and business correspondence and other documents for 6 years. The period begins at the end of the calendar year in which the last entry was made, the voucher arose, or the letter was received or sent.

Section 257 HGB (German Commercial Code)

Section 257 HGB obliges merchants to retain commercial books, inventories, opening balance sheets, annual financial statements, commercial correspondence, and accounting vouchers. The retention periods correspond to those of the AO: 10 years for books, inventories, and annual statements, 8 years for accounting vouchers (since BEG IV), 6 years for commercial correspondence.

Section 146 AO (Bookkeeping Requirements)

Section 146 AO stipulates that entries and records must be made completely, accurately, in a timely manner, and in an orderly fashion. Changes must be documented so that the original content remains identifiable. This is the legal basis for the immutability requirement.

Important: The GoBD do not only apply to large corporations. Freelancers, sole proprietors, and small businesses with bookkeeping obligations must also archive in an audit-proof manner. The size of the business has no bearing on the requirements.

Technical Implementation: How Does Audit-Proof Archiving Work?

From hash verification to the audit trail

Audit-proof archiving is not a single feature, but an interplay of several technical measures:

Hash Verification (SHA-256)

When archiving, a cryptographic hash value is calculated for each document (typically SHA-256). This hash value acts as a digital fingerprint: even the smallest change to the document, such as a single space or a changed pixel, produces a completely different hash value. By regularly comparing the stored hash values with the current document inventory (an integrity scan), any manipulation of the stored files is detected. Two caveats matter in practice. A hash detects alteration; it does not prevent it, so write protection or WORM storage is still needed. And the comparison is only meaningful if the list of reference hashes is itself protected, for example by a digital signature, a qualified timestamp, or a hash chain, since an attacker who can rewrite both the file and its recorded hash leaves no trace.

Timestamps

Each archived document receives a timestamp documenting the moment of archiving. In practice this is a timestamp token under RFC 3161, ideally a qualified electronic timestamp issued by a qualified trust service provider under the eIDAS Regulation. The token is issued over the document's hash value, so the timestamping authority never sees the document itself. Combined with the hash value, this creates cryptographic proof that the document existed in exactly this state at that point in time. This is a decisive advantage in legal disputes and tax audits, which is why the archive server's own clock, which the operator can set back at will, is not a substitute.

Access Log (Audit Trail)

A complete access log documents every interaction with the archive: who accessed, downloaded, exported, or printed which document, and when? The log must itself be tamper-evident, otherwise it can be edited along with the documents it is supposed to protect; typical measures are append-only or WORM storage, hash chaining of the entries, and periodic timestamping of the chain head. The log is regularly requested during tax audits and proves that the organisation ensures proper handling of its records.

Versioning

If a document needs to be supplemented or corrected after archiving (e.g., a reversal for an invoice), the original is not overwritten. Instead, a new version is created. The original version remains unchanged. This makes the entire document history traceable, a central GoBD requirement.
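The following Python example is added here to show how the four measures above (hash verification, timestamps, the audit trail, and versioning) fit together; it is not code from the article or from any archiving product. It is a hypothetical in-memory archive: documents are stored under their SHA-256 digest, every version is kept, every archive and read operation is written to a hash-chained log, and verify() re-hashes all content and re-walks the chain so that a modified file, a deleted file, and an edited or removed log entry are all reported. The timestamp is an assumption (the local clock); a real deployment would send the hash to an RFC 3161 timestamping authority and store the token.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first audit-log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    # Assumption: a local clock. A real archive would obtain an RFC 3161
    # timestamp token over the hash and store the token with the record.
    return datetime.now(timezone.utc).isoformat()


class Archive:
    """Hypothetical archive: content-addressed blobs, a version manifest and a
    hash-chained access log. Not any product's implementation."""

    def __init__(self, clock=utc_now):
        self.clock = clock
        self.blobs = {}      # sha256 digest -> bytes (stands in for the storage medium)
        self.manifest = {}   # doc_id -> list of version records, oldest first
        self.audit_log = []  # append-only; every entry commits to its predecessor
        self.head = GENESIS  # hash of the newest entry; anchor this outside the system

    def _log(self, actor, action, doc_id, digest):
        entry = {"seq": len(self.audit_log), "ts": self.clock(), "actor": actor,
                 "action": action, "doc_id": doc_id, "digest": digest, "prev": self.head}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.head = entry["entry_hash"]
        self.audit_log.append(entry)

    def archive(self, actor, doc_id, data, supersedes=None):
        """Store a document or a new version of it; earlier versions are never overwritten."""
        digest = sha256_hex(data)
        self.blobs.setdefault(digest, bytes(data))
        versions = self.manifest.setdefault(doc_id, [])
        record = {"version": len(versions) + 1, "digest": digest,
                  "archived_at": self.clock(), "supersedes": supersedes}
        versions.append(record)
        self._log(actor, "archive", doc_id, digest)
        return record

    def read(self, actor, doc_id, version=None):
        """Return one version's content (newest by default) and log the access."""
        versions = self.manifest[doc_id]
        record = versions[-1] if version is None else versions[version - 1]
        self._log(actor, "read", doc_id, record["digest"])
        return self.blobs[record["digest"]]

    def verify(self):
        """Integrity scan: rehash every blob against the manifest, then re-walk the
        log chain. Returns a list of findings; an empty list means nothing was detected."""
        findings = []
        for doc_id, versions in self.manifest.items():
            for rec in versions:
                blob = self.blobs.get(rec["digest"])
                if blob is None:
                    findings.append(f"{doc_id} v{rec['version']}: blob missing")
                elif sha256_hex(blob) != rec["digest"]:
                    findings.append(f"{doc_id} v{rec['version']}: content does not match stored hash")
        prev = GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["prev"] != prev or entry["entry_hash"] != expected:
                findings.append(f"audit log entry {entry['seq']}: chain broken")
            prev = entry["entry_hash"]
        # Without this check, silently dropping the newest entries would go unnoticed.
        if prev != self.head:
            findings.append("audit log truncated: chain does not end at the anchored head")
        return findings


if __name__ == "__main__":
    a = Archive()
    a.archive("alice", "INV-1001", b"Invoice 1001: 100.00 EUR")
    # A correction becomes version 2; version 1 stays readable and unchanged.
    a.archive("alice", "INV-1001", b"Invoice 1001, corrected: 120.00 EUR", supersedes=1)
    print(a.verify())  # an empty list means nothing was detected
```

The chain head (self.head) is the one value that has to live outside the system, for example by timestamping it periodically: the chain alone detects edits and deletions in the middle of the log, but only an externally anchored head exposes truncation of the tail.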

PDF/A as Archiving Format

The PDF/A format (ISO 19005) is the standard for long-term archiving. Unlike regular PDF, PDF/A embeds all required resources such as fonts, does not allow external dependencies, and does not permit JavaScript or other active content. It also forbids encryption, so confidentiality has to come from the archive system's access control, not from the file. This ensures that the document looks exactly the same in 10, 20, or 30 years as it did at the time of archiving. Note that a file merely declaring PDF/A in its metadata does not necessarily conform; check conformance with a validator on intake rather than trusting the declaration.
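As an added example (not the article's or any product's code), the following intake check pre-screens a PDF before it is archived: it rejects files carrying name tokens that PDF/A forbids or that indicate active content (JavaScript, Launch actions, encryption, rich media), reads the PDF/A level the file claims in its XMP packet, and flags files without any font objects, which is what an image-only scan without OCR looks like, so they can be routed to OCR (the machine-readability requirement above). It first resolves the #xx escapes that PDF allows in names, since /Java#53cript would otherwise slip past a plain search. The sample PDFs are constructed fragments, not valid documents; only the tokens the scanner looks at are present. The check is a heuristic: object streams (PDF 1.5+) can compress names out of sight, and real conformance needs a validator such as veraPDF.

```python
import re

# Name tokens that PDF/A (ISO 19005) forbids or that indicate active content.
# Heuristic list; a conformance validator checks far more than this.
FORBIDDEN = (b"JavaScript", b"JS", b"Launch", b"Encrypt", b"RichMedia")
_NAME_RE = re.compile(rb"/(" + b"|".join(FORBIDDEN) + rb")(?=[\s/\[\]<>(){}%]|$)")
# PDF/A identification in the XMP metadata packet, attribute or element form.
_PART_RE = re.compile(rb'pdfaid:part(?:="(\d)"|>(\d)<)')
_CONF_RE = re.compile(rb'pdfaid:conformance(?:="([A-Za-z])"|>([A-Za-z])<)')
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _unescape_names(data: bytes) -> bytes:
    # PDF names may spell any byte as #xx; normalise so /Java#53cript reads /JavaScript.
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _first_group(match) -> str:
    return next(g for g in match.groups() if g is not None).decode()


def prescreen_pdf(data: bytes) -> dict:
    """Cheap intake check for a PDF about to be handed to the archive.

    verdict: 'reject'           not a PDF, or forbidden/active-content tokens present
             'needs_ocr'        no font objects at all, i.e. most likely an image-only scan
             'needs_validator'  no PDF/A level claimed, or object streams in use, which a
                                byte scan cannot see through
             'accept'           claims a PDF/A level and shows none of the above
    """
    result = {"is_pdf": data.startswith(b"%PDF-"), "claimed_pdfa": None, "forbidden": []}
    if not result["is_pdf"]:
        result["verdict"] = "reject"
        return result
    data = _unescape_names(data)
    result["has_fonts"] = b"/Font" in data
    result["has_object_streams"] = b"/ObjStm" in data
    part, conf = _PART_RE.search(data), _CONF_RE.search(data)
    if part and conf:
        result["claimed_pdfa"] = (_first_group(part) + _first_group(conf)).upper()
    result["forbidden"] = sorted({m.group(1).decode() for m in _NAME_RE.finditer(data)})
    if result["forbidden"]:
        result["verdict"] = "reject"
    elif not result["has_fonts"]:
        result["verdict"] = "needs_ocr"
    elif result["claimed_pdfa"] is None or result["has_object_streams"]:
        result["verdict"] = "needs_validator"
    else:
        result["verdict"] = "accept"
    return result


# Constructed samples (not valid, renderable PDFs): only the tokens the scanner reads.
JS_PDF = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R "
          b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")
SCAN_PDF = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
            b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
PDFA_PDF = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj\n"
            b"4 0 obj << /Type /Font /Subtype /TrueType /BaseFont /DejaVuSans /FontDescriptor 6 0 R >> endobj\n"
            b"5 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
            b'<rdf:Description xmlns:pdfaid="http://www.aiim.org/pdfa/ns/id/" '
            b'pdfaid:part="1" pdfaid:conformance="B"/>\n'
            b"endstream endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, sample in (("JS_PDF", JS_PDF), ("SCAN_PDF", SCAN_PDF), ("PDFA_PDF", PDFA_PDF)):
        print(name, prescreen_pdf(sample)["verdict"])
```

Treat 'accept' as "nothing obviously wrong, send to the validator", not as proof of conformance; the value of the pre-screen is that active content and encrypted files are refused before they reach the archive at all.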

Access Permissions

A role-based permission system ensures that only authorised individuals can access documents. Administrators define who may view, download, or export which document categories. This not only protects against unauthorised access but also supports the access-control measures that Art. 32 GDPR requires for personal data held in the archive.

Audit-Proof vs. Simple Storage: The Difference

Why a file on the hard drive is not audit-proof archiving

Many businesses store their documents in folder structures on file servers or in the cloud. That is storage, but it is not audit-proof archiving. The difference is significant:

Immutability
  Simple storage: files can be changed or deleted at any time
  Audit-proof archiving: documents are write-protected and hash-secured after archiving

Traceability
  Simple storage: no access log available
  Audit-proof archiving: complete audit trail of all access events

Completeness
  Simple storage: no control over completeness
  Audit-proof archiving: systematic capture of all mandatory documents

Machine readability
  Simple storage: depends on the file format
  Audit-proof archiving: OCR full-text search across all documents

Versioning
  Simple storage: originals are overwritten
  Audit-proof archiving: all versions are retained

Tax audit
  Simple storage: high risk during the audit
  Audit-proof archiving: GoBD-compliant, audit-proof

The central problem with simple storage: there is no proof that a document has not been altered since its creation. During a tax audit, the tax authority can question the regularity of the accounting and make its own estimates, often to the detriment of the business.

Who Needs Audit-Proof Archiving?

Bookkeeping obligations as the deciding factor

In principle, all businesses and organisations with bookkeeping obligations are required to implement audit-proof archiving. Specifically, this includes:

  • Corporations (GmbH, AG, UG) — regardless of size and revenue
  • Partnerships (OHG, KG) — as merchants under commercial law
  • Sole proprietors — with revenues exceeding EUR 800,000 or profits exceeding EUR 80,000 (Section 141 AO; raised from EUR 600,000 and EUR 60,000 for financial years beginning after 31 December 2023)
  • Freelancers — for tax-relevant documents (invoices, receipts)
  • Associations and foundations — when conducting commercial activities
  • Public authorities and institutions — under budgetary law and data protection legislation
  • Professional practices (lawyers, tax advisors, notaries) — professional regulations and GoBD

Practical note: Businesses that voluntarily maintain books are also subject to GoBD requirements as soon as they operate electronic bookkeeping. The obligation for audit-proof archiving does not begin with the tax audit but with the very first business transaction.

Common Archiving Mistakes

These mistakes can be costly during a tax audit

Mistake 1: USB Stick or External Hard Drive

Storing documents on a USB stick is one of the most common mistakes. USB sticks offer no enforced write protection, no access logging, and no versioning. There is also a significant risk of loss and theft. During a tax audit, a USB stick is not accepted as an archiving medium.

Mistake 2: Desktop Folder or File Server

Saving files in folders on the desktop or corporate file server may seem straightforward, but it does not meet a single GoBD requirement. Files can be renamed, moved, overwritten, or deleted, and by default no log of that is created; even where file-system auditing is switched on, nothing prevents the change. There is no hash verification and no versioning.

Mistake 3: Email Inbox as Archive

Leaving invoices and business correspondence in the email inbox does not constitute audit-proof archiving. Emails can be deleted, moved, or altered. Furthermore, the machine readability of attachments in an email inbox is not guaranteed. The GoBD require separate, immutable archiving.

Mistake 4: Missing Procedural Documentation

Even if the technical archiving is implemented correctly, many businesses lack procedural documentation. The GoBD require written documentation describing how documents are captured, processed, archived, and protected. Without this documentation, the archiving is formally not GoBD-compliant.

Mistake 5: Scanned Documents Without OCR

Scanning paper documents and saving them as image PDFs is not sufficient. Without OCR text recognition, the documents are not machine-readable, a central GoBD requirement. Tax authorities must be able to electronically search and evaluate archived documents during an audit.

Audit-Proof Archiving in Practice

Docuflair Archive stores your documents in an audit-proof manner in PDF/A format, with OCR full-text search, a complete audit trail, and role-based access control. Fully on-premises, GDPR-compliant. Schedule a free demo today.

Frequently Asked Questions

Answers to the most important questions about audit-proof archiving

What exactly does audit-proof archiving mean?

Audit-proof archiving means that documents are stored in a way that prevents subsequent modification or deletion, ensures they are always complete and machine-readable, and maintains a complete access audit trail. The requirements stem from the GoBD, Section 147 of the German Fiscal Code and Section 257 of the German Commercial Code.

Is a file on the hard drive considered audit-proof archiving?

No. A file on a hard drive, USB stick, or desktop folder is not audit-proof because it can be renamed, moved, overwritten, or deleted at any time. Audit-proof archiving requires technical measures such as hash verification, access logging, and versioning.

Which businesses are required to implement audit-proof archiving?

In principle, all businesses with bookkeeping obligations in Germany and Austria. This includes corporations, partnerships, sole proprietors with revenues exceeding EUR 800,000 or profits exceeding EUR 80,000 (the Section 141 AO thresholds for financial years beginning after 31 December 2023; previously EUR 600,000 and EUR 60,000), and freelancers with tax-relevant documents.

What role does the PDF/A format play in audit-proof archiving?

PDF/A is an ISO-standardised format specifically designed for long-term archiving. It ensures that documents remain readable in their original form for decades, as all required resources such as fonts are embedded and no external dependencies exist.
