We will make sure you are GoBD-compliant – GoBD as an integral component of a tax CMS

11 August, 2020

In November 2019, the German Federal Ministry of Finance (Bundesministerium für Finanzen – BMF) published the revised version of the “Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access” (Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff – GoBD). This replaces the original BMF Circular regarding the GoBD from 2014. Because the GoBD are not a law but rather an interpretation by the tax authorities, implementing them is not directly mandatory for the taxpayer.

In many cases, however, without implementation, taxpayers will find it difficult to prove that their accounting is compliant if errors are found in their tax declaration. This is because a vital prerequisite for proving such compliance is the transparent presentation of how the company processes the data of a transaction using its IT systems – from its initial recognition through to the tax declaration. The requirements of the GoBD therefore constitute an integral component of an effective tax compliance management system (tax CMS), which in turn serves as a vital instrument for reducing tax-related liability risks.

Your expert for questions

Matthias Walz
Partner, PwC Germany
Tel.: +49 711 25034-3203

Risks arising from tax audits 

Companies that do not fulfill their GoBD requirements risk facing trouble even in the course of tax audits. They must expect that tax auditors will have doubts about the formal correctness of their accounting. If incorrect information is found in the tax declaration in addition to this, unpleasant consequences could ensue – ranging from a major reassessment of the company's tax base to administrative offense or even criminal tax proceedings.

According to the information we have gathered, the Federal Central Tax Office (Bundeszentralamt für Steuern – BZSt) has instructed tax auditors throughout Germany to assess companies' adherence to GoBD requirements more intensively in future. Many of our clients have already received notifications of tax audits that have included requests to provide GoBD documentation.

Our PwC experts are thoroughly familiar with the requirements of the BMF Circular and have extensive experience with the compliance requirements of the tax authorities. We can support you in the implementation and documentation of all GoBD requirements with specialist, tailored solutions so that you can look towards your next tax audit with peace of mind. As part of this process, it is also possible – if requested – to identify opportunities for automation and digitalization in order to exploit such potential.

Our GoBD solutions for you

Health check
In our health check, we thoroughly assess your company to identify potential risks and challenges that may pose an obstacle to the fulfillment of GoBD requirements. We issue a final report that provides you with an overview of the topics that must be worked on in order to implement the GoBD requirements successfully.

Gap analysis
In our gap analysis, we carry out a detailed examination of the existing measures, processes and documentation for the fulfillment of the requirements of the BMF Circular regarding the GoBD. In doing so, we not only identify weaknesses, risks and opportunities for optimization, we also determine what existing work results and documents you can repurpose for the implementation of GoBD requirements so that you can avoid any unnecessary additional workload.

GoBD concept
In our GoBD concept solution, we collaborate with you in finding a way to implement the tax authorities' requirements for your company in a sensible manner. If you have already developed a GoBD concept, we will be pleased to assess it with regard to its completeness and feasibility. This will enable you to benefit from our experience and specialist expertise.

Storage obligations
We have noticed that violations of retention obligations are being penalized with increasing frequency in the course of tax audits. We will assist you in identifying documents subject to retention obligations, in the implementation of the requirements of Section 147 of the German Fiscal Code (Abgabenordnung – AO) and with the requirements of the BMF Circular regarding the GoBD. This means that you will be able to look towards your next tax audit with peace of mind.

IT tools and technologies
The rising pace of digitalization means that more and more manual processes are being supported or even replaced by IT tools and new technologies. The tax risks associated with these transformations are often underestimated. In order to minimize tax risks, we will assist you in fulfilling the requirements of the BMF Circular regarding the GoBD.

We will be pleased to assist you by providing advice about the identification, selection and implementation of such IT tools and technologies.

Archive & document management systems
The tax authorities have very high requirements with regard to GoBD-compliant archive and document management systems. We will assist you in meeting the requirements of the BMF Circular regarding the GoBD in relation to the authenticity, integrity, availability and authorization of digitally archived data.

Record-keeping obligations
With a view to the record-keeping obligations, we will assist you in designing GoBD-compliant processes for electronic accounting, extending from daybook records and journal entries to general ledger records. Our expert team will ensure that the processes implemented guarantee complete, correct, punctual, orderly and efficient accounting for every single transaction.

Identification & description of IT controls
We will assist you in assessing your existing IT systems for risks and use this assessment to determine what controls are needed in your case. We thus ensure that the controls that are recommended and required on the basis of the BMF Circular regarding the GoBD are in place. In this context, we can draw on a pool of standardized controls – or we can develop tailored controls for your IT landscape.

Data access for the tax authorities
We will assist you in determining what access to data the tax authorities require for each data processing system and in finding a way to implement these access requirements. We will also advise you about how to deal with (productive) systems that are no longer active.

Identifying tax-relevant IT systems
With the large number of IT systems used for a vast range of activities, our clients often have difficulty in determining which IT systems are relevant to the GoBD. We will assist you in singling out the relevant IT systems.

Authorization concepts
We will assist you in drawing up and implementing IT authorization concepts that will ensure adherence to the organizational segregation of duties and compliance with GoBD-specific requirements.

Procedure documentation
We will assist you in preparing GoBD-compliant procedure documentation for individual data processing systems and for all GoBD-relevant parts of your IT landscape.

Readiness check
In our readiness check, we will determine the current maturity level of your GoBD implementation. You will then receive our assessment of its current status and whether certification should be considered at this time. Furthermore, if needed, we will be able to assist you with the implementation as an independent third party.

Assessment of appropriateness
Using our assessment of appropriateness, we determine whether the measures and principals that you have described are suitable for ensuring conformity with the GoBD. You will still be able to remedy findings from this assessment and this will be taken into account in our final audit report. If requested, we can also certify that the assessment of appropriateness was successful.

Assessment of effectiveness
In the assessment of effectiveness, we go beyond the assessment of appropriateness to determine the extent to which the measures and principles were actually effective for a defined period and ask: Are the documented processes, measures and controls lived out? As with the assessment of appropriateness, it is also possible for you to remedy any findings from this assessment and to receive certification if desired.

The requirements of the tax authorities

General requirements

[margin no. 22-60]

The GoBD stipulate that the documents that are present in paper form or electronic form must be comprehensible [margin no. 30], verifiable [margin no. 145], complete and without gaps [margin no. 36] for all transactions. These requirements also apply to documents that are important for understanding and reviewing records that are legally required for tax purposes.

Voucher system (voucher function)

[margin no. 61-81]

The voucher system is a basic prerequisite for the substantiation of proper accounting and it is therefore of material importance. The BMF Circular breaks down this requirement as follows:

Secure storage of vouchers [margin no. 67]
Taxpayers must store vouchers in a manner that secures them against potential loss promptly after their receipt or creation. To this end, BMF Circular provides for organizational measures (e.g. continuously filing paper vouchers in folders or issuing voucher numbers including subsequent recording as an image). In the case of electronic vouchers, the issuing of voucher numbers can also be automated.

Attribution of the individual voucher to the associated daybook record or entry [margin no. 71]
Taxpayers must ensure that all vouchers can be unambiguously attributed to a daybook record or entry. This must be done by providing them with unambiguous attribution and identification features. These features must be selected such that any transaction is unambiguously comprehensible and provable within an appropriate period of time.

Preparing vouchers appropriately for recording [margin no. 75]
In order for vouchers to be prepared appropriately for recording, they must contain the minimum details listed under margin no. 77. This includes, in particular, an unambiguous voucher number, the voucher date, the amount and details of the volume and value that result in the amount to be booked, as well as a sufficient description of the transaction.

The procedure for the receipt, recording, processing, issuance and retention of electronic vouchers has to be documented in the procedure documentation.

Important new developments:
The new BMF Circular explicitly permits the recording of invoices in digital form, e.g. using smartphones or other mobile devices. In addition, the BMF has revised the requirements for the recording of invoices abroad. By doing so, the ministry has cleared the way for the use of digital tools and technologies. These requirements are specified in the BMF Circular under "Storage" ("Aufbewahrung").

Record-keeping obligations

[margin no. 82-99]

The regulatory requirements for accounting and records are essentially derived from the AO (Section 146).

The BMF Circular provides details about these requirements with regard to

  • recording in the daybook records [margin no. 85], 
  • digital daybook records [margin no. 87],
  • entries in the journal (journal function) [margin no. 90], as well as
  • records of transactions in the general ledger [margin no. 95].

Each record must relate to one voucher and be made individually, completely, correctly, on time and in an orderly manner [margin no. 82].

In cases of double-entry bookkeeping, it must additionally be possible to present all transactions in chronological order (journal function) and structured according to subject matter (account function) [margin no. 83].

In this context, it must be ensured that, once recorded, digital records cannot be altered without authorization or without proof of the original version of the records (revision-proof retention) [margin no. 88]. Furthermore, companies must save all necessary table data and their history records.

Challenges arise where companies use more than one tax-relevant IT system. For the transfer of data from IT applications, it must be ensured that aggregate entries are carried over and that the general and sub-ledgers are reconciled. These controls must be described in the GoBD procedure documentation.

Internal control system

[margin no. 100-102]

In order to ensure that the taxpayer adheres to the regulatory requirements pursuant to the AO, the BMF Circular calls for an internal control system (ICS) [margin no. 100]. The corresponding controls should be set up, performed and logged within the context of the ICS. The ICS should ensure that companies fulfill the general requirements as well as the requirements regarding vouchers and record-keeping obligations. In this regard, the BMF Circular does not explicitly govern how an ICS should be configured but lists examples of necessary measures:

  • access and authorization controls,
  • segregation of duties,
  • recording controls,
  • reconciliation controls for data entry,
  • processing controls, as well as 
  • protective measures against intentional and unintentional falsification.

The same can be said about the application decree pursuant to Section 153 AO, which also calls for an "internal control system for the fulfillment of tax obligations" and where the BMF does not provide any detailed instructions on system design either. Additional details about the requirements for the ICS for the purposes defined by the tax authorities are provided in the relevant Practical Note (IDW PH 1/2016) of the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer in Deutschland – IDW). Under the heading of "Tax Compliance Management System" (tax CMS), this document describes the framework for a tax ICS and its integration into a company-wide control system.

How the tax ICS is implemented in accordance with the GoBD depends on the complexity of the processes, the applicable tax requirements and the technological diversity within the company. This topic poses major challenges for those responsible. How extensive controls need to be depends, in particular, on the complexity of the ERP system – e.g. how many interfaces exist and whether the company uses standard applications, user-specific software or in-house developments. Furthermore, the performance of controls has to be documented as part of the ICS and the ICS must be kept up to date.

In general, it can be stated that companies must ensure that all risks resulting from data processing are covered by corresponding controls. This includes both IT-based data processing and the exchange of data via system interfaces. It is therefore strongly recommended that employees with experience of ICS documentation processes are involved in the GoBD documentation process.

The description of the internal control system is a component of the procedure documentation that is also required [margin no. 151].

Data security

[margin no. 103-106]

One of the requirements of the tax authorities is data security. Companies must therefore ensure that data is protected from loss, unauthorized access and manipulation. According to the BMF's interpretation, accounting no longer fulfills the formal requirements if data is insufficiently protected. However, the BMF Circular provides taxpayers with hardly any indications of how to achieve sufficient data security in practice.

The BMF describes key features of data security under the headings of "Unalterability and logging" as well as "Storage".

Unalterability and logging

[margin no. 107-112]

The unalterability and logging of accounting entries and/or records is already statutorily regulated under the AO. In the accounting standard IDW AcS FAIT 1 "Generally Accepted Accounting Principles for the Use of Information Technology" (DW RS FAIT 1" Grundsätze ordnungsmäßiger Buchführung bei Einsatz von Informationstechnologie"), the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer in Deutschland – IDW) has provided greater specificity regarding the requirements in this area.

The requirements of the BMF nevertheless go beyond the statutory provisions. For example, the ministry considers it a GoBD violation if changes in accounting entries or records are even possible. In this context, the BMF additionally states a position on data management systems (DMS) and explicitly points out that such systems are only GoBD-compliant if companies take suitable measures to ensure unalterability and logging. Examples given by the BMF here include:

  • Hardware-based measures (e.g. unalterable and tamper-proof data storage media)
  • Software-based measures (e.g. back-ups, blocking, permanent records, deletion flags, automatic logging, history records, versioning)
  • Organizational measures e.g. (access authorization concept and user management)


[margin no. 113-144]

The storage obligation for tax purposes is very broadly defined under the AO. It extends to all documents and data that are related to the preparation, execution, conclusion or cancellation of business transactions. In the absence of a precise definition of relevant documents and data, the task of classification is left to the taxpayer. Orientation is provided by the GoBD provisions on machine analyzability [margin no. 125], electronic storage [margin no. 130], image recording of paper documents [margin no. 136] as well as the outsourcing of data from the productive system and system changes [margin no. 142].

The BMF calls for the comprehensive documentation of the receipt, archiving, (where applicable) conversion and further processing of documents and data subject to the storage requirement. In addition, the procedure documentation must be stored with all change versions. Furthermore, all archived documents and data are to be stored in an orderly manner.

This relates to all tax-related systems in which data is received, processed or comes into existence. In order to sort them, documents and data may be changed, e.g. by means of indexing or booking references. Nevertheless, changes have to be logged. Apart from this, when archiving documents and data, taxpayers must ensure that machine analysis is possible for the entire duration of the storage obligation.

Important new developments:
In the new BMF Circular, the ministry has, in particular, significantly simplified the provisions on electronic storage and the electronic recording of paper documents. For instance, recording paper vouchers in image form will be possible in a number of ways in future (e.g. using smartphones and doing so abroad if the vouchers came into existence there/were received and immediately recorded there). In cases where an approved relocation of accounting abroad has taken place (e.g. to a shared service center), the image-based recording of received original paper vouchers in this country will no longer be objectionable either, provided that such records are created promptly for transmission abroad.

In addition, under certain circumstances [margin no. 135], it is now sufficient if companies archive exclusively documentation that has been converted into their own in-house formats. In such cases, the obligation to archive the original files no longer applies.

Procedure documentation

[margin no. 145-157]

GoBD procedure documentation is becoming more and more important. For months we have been seeing how the tax authorities are increasingly requesting that companies provide their procedure documentation within the scope of tax audits. The BMF calls for each tax-relevant IT system to have procedure documentation that describes its technical procedure and processing and should contain the following components as standard:

  • General description
  • User documentation
  • Technical system documentation
  • Operating documentation

For all system and procedure changes, versioning is to be carried out and a complete alteration history is to be maintained indicating the content and time of changes.

The specific configuration of the procedure documentation depends on the complexity and diversification of the business activities concerned as well as organizational structures and the data-processing systems used [margin no. 151].

Important new developments:

The revised BMF Circular provides greater detail on the obligation to maintain complete and comprehensible documentation of vouchers (from generation to tax declaration). The requirements regarding the historical traceability of changes to the procedure documentation have been simplified. A template for the procedure documentation that takes the new BMF Circular into account can be obtained from the relevant chambers and associations.

Data access

[margin no. 158-178]

The tax authorities have the right to access data in order to examine the documentation that is subject to the AO storage requirement and has been prepared using a data-processing system [margin no. 158]. The BMF formulates the three possible forms of data access as follows:

  1. Direct access
    The tax authority has the right to access the data-processing system directly itself in such a way that, by way of read-only access, it inspects the data subject to the recording and storage requirement and uses the hardware and software used by the taxpayer or commissioned third party for its examination of the saved data, including the respective metadata, master data and transaction data as well as the relevant links (e.g. between the tables of a relational database).
  2. Indirect access
    The tax authority can also require that the taxpayer, acting on its behalf, conduct a machine analysis of the data subject to the recording and storage obligation in accordance with its requirements or have a commissioned third party conduct a machine analysis of such data in order to allow for read-only access thereafter. It is only possible to require a machine analysis that uses the analysis capabilities that exist within the data-processing system of the taxpayer or of the commissioned third party.
  3. Handing over data media
    The tax authority can furthermore require that the data subject to the recording and storage requirement, including the respective metadata, master data and transaction data as well as internal and external links (e.g. between the tables of a relational database), and electronic documents and documentation be handed over to it on a machine-readable and analyzable data medium for analysis. The tax authority is not entitled to download data from the data-processing system itself or to make copies of available data backups.

During the statutory storage period, companies must ensure that the three specified forms of access are continuously possible.

Important new developments:

Previously, the form of data access was at the discretion of the tax authorities. This meant that companies could face problems because they had to maintain all three potential forms of access for inactive systems as well. Under the new BMF Circular, the tax authorities can no longer require the first and second form of access for inactive systems once the fifth calendar year subsequent to transition has expired. This will also mean, however, that the handing over of data media (third form of access) will have to be prepared and technically facilitated with the inclusion of all tax-relevant data. Recourse to the first or second forms of access is not possible in cases of doubt.

The BMF Circular now explicitly names inspections in the context of data access, in particular cash inspections including all upstream systems and subsystems.

Contact us

Matthias Walz

Matthias Walz

Partner, PwC Germany

Tel: +49 711 25034-3203

Rudolf Dirks

Rudolf Dirks

Senior Manager, Trust & Transparency Services, Risk Assurance Solutions, PwC Germany

Christian Scheminski

Christian Scheminski

Senior Manager Tax & Legal, Tax Reporting & Strategy, PwC Germany

Tel: +49 69 9585-6418

Follow us