Audit-Proof Archiving
Contents
- Definition of Audit-Proof Archiving
- Definition: Document Management, Backup, and Storage
- Using Microsoft 365 & SharePoint Effectively
- Legal Basis in Germany and Austria
- Technical Requirements and Solutions
- Do you Need Special Software or Hardware for Audit-Proof Archiving?
- Organizational Requirements and Processes
- Conclusion
- FAQs on Audit-Proof Archiving
Definition of Audit-Proof Archiving
Audit-proof archiving refers to the permanent, unalterable, and traceable storage of important documents and data in electronic archives in accordance with applicable legal regulations.
The aim is to store documents that are subject to retention requirements in such a way that they cannot be subsequently manipulated or deleted, remain completely intact, and can be presented at any time during an audit (review). These requirements apply to all types of business documents: from invoices, receipts, and contracts to emails with tax or legally relevant content. The term “audit-proof” is based on the understanding of auditing in financial auditing and refers not only to technical measures, but to the entire organizational and technical archiving process. This includes, among other things, protection against subsequent changes, complete logging of access and processing steps, and ensuring readability and availability over many years.
Audit-proof archiving is a central component of corporate compliance, especially for fulfilling tax and commercial law retention obligations. It ensures that companies can properly present the necessary documents during operational or tax audits. Otherwise, there is a risk of legal consequences such as fines or even prison sentences for serious violations.
Definition: Document Management, Backup, and Storage
It is helpful to distinguish audit-proof archiving from related terms.
Document Management (DMS)
A document management system manages documents in day-to-day business and makes it easier to create, edit, and find files. Not every DMS automatically meets audit-proof requirements. Although many DMSs offer functions such as versioning and access rights, an additional archiving system or special configuration is often necessary for truly audit-proof archiving. A DMS is used for day-to-day business, while an archiving system stores documents in an unalterable form for years. For this reason, companies often use an electronic archive “behind” a DMS that offers WORM storage, integrity checks, and retention rules, for example.
If you would like to learn more about document management systems, you can read the glossary article on the topic.
Backup (Data Backup)
A backup is a technical data backup with the aim of enabling recovery in the event of system failures or data loss. Backups are not archives. They are overwritten in short cycles and often store complete system images for weeks or months, but not necessarily all tax-relevant individual documents for years. A backup therefore does not fulfill the legal retention requirements, as it neither guarantees the immutability of individual documents nor ensures their selective retrievability. For compliance (GoBD, UGB, BAO, GDPR, etc.), a company must separate data backup and archiving: the backup protects against technical failures, while archiving ensures legally compliant long-term storage.
Retention Obligation
This term generally refers to the legal obligation to retain business documents for a certain period of time (in Germany usually 6 or 10 years, in Austria 7 years). However, simply storing documents (e.g., in paper folders or simple files) does not automatically make them audit-proof and legally compliant. For example, it is not sufficient to simply scan documents and save them on a USB stick. Only through appropriate measures (e.g., WORM data carriers or certified archiving software) does mere storage become legally compliant archiving. The documents must be organized, complete, and unaltered.
Legal Basis in Germany and Austria
The requirements for audit-proof archiving are laid down in various laws and guidelines. They differ from country to country, but follow similar principles.
Austria
The main legal basis here is the Federal Tax Code (BAO) and the Commercial Code (UGB).
- § 132 BAO: Regulation of the retention obligation for accounting records, invoices, receipts, and business documents. Companies must retain the originals of these documents for seven years (or longer if, for example, proceedings are pending). The BAO permits electronic archiving provided certain criteria are met.
- § 190, 212 UGB: Obligation for corporations to store annual financial statements, opening balance sheets, business letters, etc. in an orderly and secure manner, also for at least 7 years. The UGB refers to the principles of proper accounting (GoB), which, analogous to German principles, require completeness, accuracy, clarity, etc.
Electronic archiving is permitted if the reproduction of the documents is guaranteed to be complete, identical in content, and true to the original. In practical terms, this means that digitally archived documents must be made readable at any time in the same way as the original. WORM media or comparable technological solutions are recommended to ensure immutability. Simple scanning without further measures is not sufficient. Under Austrian law, as in Germany, the retention obligation begins at the end of the year of the last entry. Example: A document from April 2023 must be retained until December 31, 2030 (7 years from the end of 2023). Failure to comply may result in consequences: for example, the authorities may estimate the tax base if books/documents have not been properly retained. Intentional non-compliance may result in fines.
Germany
The central regulations can be found in the German Commercial Code (HGB) and the German Fiscal Code (AO). The following are particularly relevant:
- § 238, 257 HGB: Obligation to keep accounts and store commercial books and documents in an orderly manner for at least 6 or 10 years. It is required that the books are kept correctly, that no changes go unnoticed, and that documents are legible, complete, and securely stored.
- § 146, 147 AO: Obligation to retain tax-relevant documents (e.g., accounting documents, invoices) for 6 or 10 years in a proper, auditable form. Changes to digital records must be logged. The tax authorities must be given access to the data during an audit (GDPdU regulations).
- GoBD (Principles for the proper management and storage of accounting records, files and documents in electronic form and for data access): These guidelines, issued by the Federal Ministry of Finance, specify the HGB and AO for digital accounting. Among other things, they require traceability, completeness, immutability, timely posting and internal controls. The GoBD does not prescribe a specific medium or format, but contains detailed requirements for how an electronic archiving procedure must be designed. If these criteria are met, archiving is considered GoBD-compliant and therefore audit-proof.
In addition to HGB/AO and GoBD, other laws may also apply, e.g., the Electronic Commercial Register Act, special regulations for certain industries, and the GDPR (General Data Protection Regulation), which requires that data not be stored indefinitely (conflict between the obligation to delete and the obligation to retain). In principle, every organization in Germany that is required to keep accounts is obliged to set up an internal control system that ensures compliance with the above requirements. Procedural documentation (a written description of the archiving process) is explicitly required so that auditors can understand the processes.
Basic Principles of Audit-Proof Archiving in Austria, Germany, and Switzerland
The German GoBD are more technical and detailed, while the Austrian UGB/BAO are more principle-oriented. In practice, the requirements are very similar: those who archive in accordance with GoBD usually also meet the Austrian requirements—however, the reverse is not automatically true.
Comparable requirements apply in Switzerland, for example under the Swiss Code of Obligations (OR Art. 958f for 10 years of retention) and the Business Records Ordinance (GeBüV). There, too, business documents must be archived in an authentic, intact, available, and traceable manner. The principles of audit-proof archiving are therefore similar throughout the DACH region, even if the deadlines and details vary slightly.
Immutability
Once information has been archived, it must not be possible to change or delete it without notice. Subsequent changes must be technically prevented or at least identified as such. This principle ensures that the original content of a document is always preserved. Technically, immutability can be achieved, for example, through WORM storage or digital signatures.
Traceability (Verifiability)
Every action in the life cycle of a document, from creation to editing to archiving, must be traceable. This means that there is a log (audit trail) of all accesses and changes. An auditor must be able to see who did what with a document and when. Even years later, the history of each document must remain transparent.
Completeness
All documents subject to retention requirements must be archived completely and without gaps. No relevant document may be missing. Completeness also refers to the content of each document: a digital copy must match the original in terms of content; for example, a scan must not lose any pages. Similarly, files related to a business transaction (receipts, attachments, emails) must be findable in context.
Availability
The archived information must be available and readable at all times. This means that nothing must be lost or become inaccessible during the entire retention period. This includes protection against loss (e.g., through technical redundancy and backups) on the one hand, and readability (format preservation) on the other. Documents are only considered available if they can be retrieved and opened within a reasonable time when needed. Availability therefore encompasses findability, accessibility, and interpretability (e.g., old file formats may need to be migrated so that they can still be read).
Accuracy and Order
Often mentioned as part of completeness, accuracy means that the contents of the archived document are factually correct and identical to the original information. The archive must not contain any falsified or unauthorized versions. Order means that the filing system is organized systematically and comprehensibly (e.g., by customer, date, transaction) so that no chaos arises. These principles ensure that the accounting and documentation in the archive remain clear and auditable.
Reliability of the Process
All of the above criteria must be guaranteed throughout the entire process. This includes, for example, protection against unauthorized access (only authorized persons may view or edit documents), protection against external influences (theft, fire, flooding, e.g., through offsite storage), and good documentation of the archiving system. The archiving process as a whole must be verifiable, i.e., the manner in which the archiving itself is implemented must be documented and controllable.
Technical Requirements and Solutions
Technical measures are necessary to implement the principles mentioned above. Important requirements and solutions for electronic archiving are:
WORM storage: Write Once, Read Many
These are storage media or technologies to which data can be written once and then only read. Classic examples are CD-R, DVD-R, or WORM-enabled network storage. Once stored on a WORM medium, a file can no longer be changed or deleted. Modern archiving systems also offer software-based WORM mechanisms on hard drives or in the cloud. WORM guarantees technical immutability and is therefore a core component of audit-proof storage.
Versioning
Changes to documents must not overwrite the original. Instead, a new version is automatically created with each change, while previous versions remain unchanged. This allows the status of a document at an earlier point in time to be viewed at any time. Versioning ensures that even reworked documents remain traceable in their original version. Versioning is integrated into many DMS/ECM systems, but must be used consistently to be audit-proof.
Logging (Audit Trail)
All actions in the archive system should be recorded in a tamper-proof logbook. This applies to the creation, modification, viewing, deletion, and export of documents. Ideally, each log entry should contain a timestamp, the responsible user, and the action. Important: the log itself must also be protected against subsequent changes (audit-proof log). This logging enables the above-mentioned traceability and is often the first thing auditors look at.
Digital Signatures and Hash Values
Electronic signatures or cryptographic hashes can be used to verify the integrity of a document. A hash is calculated and stored during archiving. Any subsequent verification of the same document will yield the identical hash – if this is not the case, the document has been altered. Digital signatures also provide proof of authenticity, i.e., they confirm the author of a document and that it has remained unchanged since it was signed. Such procedures are particularly useful for electronic invoices or documents in order to create legal certainty.
Access Controls and Authorizations
The archiving system must ensure that only authorized persons have access to the archived data. Fine-grained permissions (role-based) prevent unauthorized viewing, modification, or deletion of information. Audit-proof archiving also requires that particularly critical actions (such as deletion after expiration) can only be performed by appropriately authorized administrators or automatically after approval.
Data Security and Redundancy
Although backups and archives serve different purposes, archive data must of course also be protected against loss. Regular backups of the archive or mirroring of data across multiple systems (redundancy) are among the mandatory measures. This ensures availability even in the event of hardware failure or other incidents. It is important that a backup of the archive also remains unchanged until it is used in an emergency.
Format Conversion (Long-Term Formats)
From a technical perspective, it is important to consider that files may need to remain readable for decades. Standards such as PDF/A (ISO-standardized PDF for archiving) are therefore often used. Ideally, an archive system should automatically convert to such long-term formats or at least support their use. This ensures that, for example, an Office file can still be displayed even after many years, even if the original software no longer exists.
Retention Management
The archive should have functions to monitor retention periods. For example, a deletion date can be stored for each document. Once this period has expired, the document must be released for deletion. A good system prevents premature deletion (protection during the retention period) and enables regulated deletion after the retention period has expired. This helps to reconcile GDPR requirements (data minimization, right to erasure) with retention obligations.
In summary, technical solutions ensure that archive data is physically and logically protected against changes and that all processes can be traced automatically. Many modern archiving software packages and DMSs have integrated functions or can be linked to specialized archive storage systems.
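As an added example (not code from the original article or from any product it mentions), the following Python sketch shows how three of the mechanisms above fit together: the hash stored at archiving time and re-checked later, an audit trail that is itself tamper-evident, and a retention deadline computed from the end of the document's year as in the April 2023 / December 31, 2030 example. The document id, user names, dates and invoice content are constructed; chaining each log entry to the hash of its predecessor is one common way to protect the log against unnoticed edits, which the text requires but does not prescribe.

```python
import hashlib, json
from dataclasses import dataclass, field
from datetime import date

GENESIS = "0" * 64  # chain anchor for the first audit-trail entry

def document_hash(content: bytes) -> str:  # stored at archiving time, re-checked later
    return hashlib.sha256(content).hexdigest()

def retention_end(doc_date: str, years: int) -> str:  # 31 Dec of the doc's year + N
    return date(date.fromisoformat(doc_date).year + years, 12, 31).isoformat()

def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class Archive:
    docs: dict = field(default_factory=dict)   # doc_id -> record
    trail: list = field(default_factory=list)  # append-only, hash-chained log

    def _log(self, user: str, action: str, doc_id: str, when: str) -> None:
        prev = self.trail[-1]["entry_hash"] if self.trail else GENESIS
        entry = {"ts": when, "user": user, "action": action,
                 "doc_id": doc_id, "prev_hash": prev}
        entry["entry_hash"] = _entry_hash(entry)  # links entry to its predecessor
        self.trail.append(entry)

    def archive(self, doc_id, content: bytes, doc_date, years, user, today):
        if doc_id in self.docs:  # never overwrite: a change gets a new version id
            raise ValueError(f"{doc_id} is already archived and immutable")
        self.docs[doc_id] = {"content": content, "sha256": document_hash(content),
                             "retain_until": retention_end(doc_date, years)}
        self._log(user, "archive", doc_id, today)

    def verify(self, doc_id) -> bool:
        rec = self.docs[doc_id]
        return document_hash(rec["content"]) == rec["sha256"]

    def delete(self, doc_id, user, today) -> bool:
        if today <= self.docs[doc_id]["retain_until"]:  # ISO strings compare as dates
            self._log(user, "delete-refused", doc_id, today)  # refusal is logged too
            return False
        del self.docs[doc_id]
        self._log(user, "delete", doc_id, today)
        return True

    def trail_intact(self) -> bool:  # recompute every link; any edit breaks the chain
        prev = GENESIS
        for e in self.trail:
            if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def run_demo() -> dict:  # constructed scenario: premature delete, then a silent edit
    arc = Archive()
    arc.archive("INV-0042", b"Invoice 42: 1,200.00 EUR", "2023-04-15", 7,
                "accounting", "2023-04-16")
    blocked = not arc.delete("INV-0042", "admin", "2029-01-10")  # within 7 years
    arc.docs["INV-0042"]["content"] = b"Invoice 42: 12,000.00 EUR"  # storage defect
    arc.trail[0]["user"] = "nobody"  # an altered log entry must be detected too
    return {"until": arc.docs["INV-0042"]["retain_until"], "delete_blocked": blocked,
            "doc_intact": arc.verify("INV-0042"), "trail_intact": arc.trail_intact()}
```

A production archive would additionally persist the content and the trail on WORM media and sign or timestamp the chain head, so that the whole store, not just a single record, cannot be replaced unnoticed.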
Do you Need Special Software or Hardware for Audit-Proof Archiving?
The key factor is a software or platform basis that can technically and organizationally fulfill the requirements for audit-proof archiving. This includes, in particular, authorization concepts, logging/audit trails, versioning, retention guidelines, and a traceable archiving process.
In practice, audit-proof archiving is difficult to implement reliably without a suitable system: although file servers or simple cloud folders can be “improved” with rules and policies, they often remain prone to errors because logging, protection against unnoticed changes, and a clean deadline and deletion process are not implemented consistently and in an audit-proof manner.
Modern platforms such as Microsoft 365 and SharePoint can be a solution: as the basis for a DMS/ECM, documents can be managed in a structured manner, permissions can be controlled cleanly, and document lifecycles can be regulated. In combination with a suitable approach (concept, governance, implementation of archiving rules and processes), SharePoint/Microsoft 365 can also be used for audit-proof archiving – especially if archiving requirements such as traceable storage, defined retention periods, and controlled access are systematically mapped.
If you already use Microsoft 365, the advantage is obvious: you can seamlessly integrate document management and archiving into your existing work environment, including clear processes, compliance rules, and user-friendliness.
Organizational Requirements and Processes
In addition to technology, the organizational framework plays an important role in audit compliance. The following aspects are crucial:
- Clear responsibilities: It must be defined who in the company is responsible for archiving. Management is responsible for compliance with retention regulations and must provide resources. The IT department or external service providers are responsible for technical implementation. There is often also a data protection officer who monitors compliance with GDPR aspects. This distribution of tasks, sometimes referred to as the compliance triangle (management, IT, data protection), should be defined and documented.
- Policies and processes: Companies should establish internal archiving policies that specify which documents must be archived, how, and when. For example, incoming invoices are digitally captured and archived immediately upon receipt, emails with orders are automatically archived using a centralized process, etc. It is important that these processes are standardized and binding for all employees. Where possible, archiving processes should be automated with the support of a system in order to minimize human error.
- Process documentation: A central organizational document is the process documentation. It describes the entire archiving system and process. It typically includes: the hardware and software used, responsible persons, processes from the creation of a document to its archiving, the authorization concept, quality assurance measures, and how data is provided in the event of an audit. The GoBD explicitly requires such documentation so that an auditor can check the correctness of the procedure. Changes in the process (e.g., system changes, format changes) must also be documented. Complete and up-to-date procedural documentation is itself a criterion for audit compliance.
- Training and awareness: Employees who handle documents that must be archived must be familiar with the rules. Training ensures that everyone knows the dos and don’ts. This is particularly relevant for those who are authorized to enter documents or delete them later. Awareness measures help prevent misconduct.
- Internal controls and auditing: The archiving system should be reviewed periodically, whether through internal audits, data protection audits, or external auditors as part of the annual financial statements. Such checks determine whether processes are being followed and whether the system still complies with all rules. Any gaps or weaknesses can thus be identified and remedied at an early stage (dual control principle, regular reports on archived vs. not yet archived documents, etc.).
- Cooperation with auditors: It is advisable to take the perspective of an auditor into account, or even to consult an auditor or tax advisor, during the design phase of an archiving solution. This allows requirements such as data export interfaces, indexing fields for simple sampling, etc. to be taken into account from the outset. For subsequent audits, it should be clear how the data will be transferred. A good organizational concept avoids surprises in the event of an audit.
In summary, the organization must ensure that the technology is used correctly and embedded in a clear regulatory framework. Audit compliance can only be achieved through a combination of technical precautions and organizational discipline. No archiving system is audit-proof “out of the box” if it is not administered correctly. Similarly, a well-intentioned procedure can fail if employees are not involved. Clear rules, responsibility, documentation, and training are therefore essential.
Conclusion
Audit-proof archiving is an essential foundation of digital corporate management. It combines legal requirements with IT systems and internal processes. Those who take the principles—unchangeable, traceable, complete, available—to heart and implement them both technically and organizationally can look forward to the next audit with confidence.
FAQs on Audit-Proof Archiving