de en
Digital company audit / GDPdU

Digital company audit / GDPdU

Since January 1 , 2002 the German Federal Ministry of Finance has issued new requirements regarding the German Tax Code (AO) relating to the issue and retention of automatically processable data for the external audit of financial accounting. The associated BMF document "Principles regarding Data Access and the Auditability of Digital Documents (GDPdU)" [Link] states that companies are required to provide their tax-relevant data that is set to

  • read-only access (access type 1, "Z1"),
  • direct data access (Z2) and/or
  • presentation on a data-storage medium (Z3)

for external audit by the tax authorities.

During the statutory retention period of ten years, the tax-relevant digital data must be

  • available at the company at all times,
  • able to be set to read access at any time and
  • automatically processable.

If these criteria are not met, sanctions such as estimations, fines, and compulsory measures may be imposed.

A particular issue is to identify the respective tax-relevant data, which is the responsibility of the taxpayer. This includes for example information/data in financial accounting, fixed-asset accounting, payroll accounting, or the ERP system. However, tax-relevant data may also be located in other areas of the IT systems; e-mails may also be deemed tax-relevant.

Additionally, the automatic processability of electronic statements as set out at section 14 (4) sentence 2 UStG and other digitized documents not submitted in hard copy (original digitally generated data) must be ensured.

Additionally, proper documentation (i.e. that complies with the “Generally Accepted Principles of IT-based Accounting Systems (GoBS)” [Link] of the IT systems and processes used must be retained.


GDPdU Check

During workshops and interviews IT AUDIT uses the available IT systems, data flows (interfaces) / business processes as well as process documentation to identify the tax-relevant data in the company, evaluates the current status, and analyzes any need for adjustments to comply with the statutory requirements of the GDPdU.

The outcomes of this GDPdU Check are summarized in a written report (gap analysis) and may be supplemented with recommendations for action aimed at ensuring that the requisite legal requirements are satisfied.


When implementing necessary measures, IT AUDIT can provide the support you need based on its previous experience. As well as completing the requisite process documentation, this includes in particular an analysis of the data that experience shows the company auditor is likely to request and analyze.

The analysis tool IDEA and SmartX (import module), which is also used by the financial authorities, is used to assess extracted data. This ensures that the (tax-relevant) data extracted from the systems complies precisely with the requirements of the tax authorities’ description standard (Link).

A written report is drafted that documents the outcome of this conformity check and contains a cause analysis as well as a description of the test results. If the conformity of the export interfaces is ultimately assured, this will be confirmed in a letter from IT AUDIT.

Simulation of company audit /data analysis

At the same time, prior to a company audit it is recommended that corresponding audit tasks, analyses, evaluations, and queries using the data identified as being tax-relevant is performed with the aid of the analysis software IDEA and AIS TaxAudit, an add-on module that adds numerous automated inspection steps to IDEA for simulating a digital company audit. To do so the extracted data is analyzed during the simulation by comparing and linking the files, gap and multiple-occupant analyses as well as spot-check and statistical processes (e.g. Benford’s law or chi-square test), which identifies weaknesses and potential risks.

Critical outcomes can be verified again with InfoZoom, a further data analysis tool from IT AUDIT.

The outcome of such a simulation is summarized in an outcome report that also contains an assessment of the analysis outcomes, supplemented by recommended actions.

IT AUDIT can continue to provide support in compliance with the legal framework conditions for data and system migrations and the potential switch-off of the legacy systems.

Where to find us:
Im Mediapark 5a
50670 Cologne
Phone+49 221 952681-190
Fax+49 221 952681-114
E-Mail infoit-auditcom