We will make sure you are GoBD-compliant – GoBD as an integral component of a tax CMS

The voucher system is a basic prerequisite for the substantiation of proper accounting and it is therefore of material importance. The BMF Circular breaks down this requirement as follows:

Secure storage of vouchers [margin no. 67]
Taxpayers must store vouchers in a manner that secures them against potential loss promptly after their receipt or creation. To this end, BMF Circular provides for organizational measures (e.g. continuously filing paper vouchers in folders or issuing voucher numbers including subsequent recording as an image). In the case of electronic vouchers, the issuing of voucher numbers can also be automated.

Attribution of the individual voucher to the associated daybook record or entry [margin no. 71]
Taxpayers must ensure that all vouchers can be unambiguously attributed to a daybook record or entry. This must be done by providing them with unambiguous attribution and identification features. These features must be selected such that any transaction is unambiguously comprehensible and provable within an appropriate period of time.

Preparing vouchers appropriately for recording [margin no. 75]
In order for vouchers to be prepared appropriately for recording, they must contain the minimum details listed under margin no. 77. This includes, in particular, an unambiguous voucher number, the voucher date, the amount and details of the volume and value that result in the amount to be booked, as well as a sufficient description of the transaction.

The procedure for the receipt, recording, processing, issuance and retention of electronic vouchers has to be documented in the procedure documentation.

Important new developments:
The new BMF Circular explicitly permits the recording of invoices in digital form, e.g. using smartphones or other mobile devices. In addition, the BMF has revised the requirements for the recording of invoices abroad. By doing so, the ministry has cleared the way for the use of digital tools and technologies. These requirements are specified in the BMF Circular under "Storage" ("Aufbewahrung").

The regulatory requirements for accounting and records are essentially derived from the AO (Section 146).

The BMF Circular provides details about these requirements with regard to

• recording in the daybook records [margin no. 85], 
• digital daybook records [margin no. 87],
• entries in the journal (journal function) [margin no. 90], as well as
• records of transactions in the general ledger [margin no. 95].

Each record must relate to one voucher and be made individually, completely, correctly, on time and in an orderly manner [margin no. 82].

In cases of double-entry bookkeeping, it must additionally be possible to present all transactions in chronological order (journal function) and structured according to subject matter (account function) [margin no. 83].

In this context, it must be ensured that, once recorded, digital records cannot be altered without authorization or without proof of the original version of the records (revision-proof retention) [margin no. 88]. Furthermore, companies must save all necessary table data and their history records.

Challenges arise where companies use more than one tax-relevant IT system. For the transfer of data from IT applications, it must be ensured that aggregate entries are carried over and that the general and sub-ledgers are reconciled. These controls must be described in the GoBD procedure documentation.

In order to ensure that the taxpayer adheres to the regulatory requirements pursuant to the AO, the BMF Circular calls for an internal control system (ICS) [margin no. 100]. The corresponding controls should be set up, performed and logged within the context of the ICS. The ICS should ensure that companies fulfill the general requirements as well as the requirements regarding vouchers and record-keeping obligations. In this regard, the BMF Circular does not explicitly govern how an ICS should be configured but lists examples of necessary measures:

• access and authorization controls,
• segregation of duties,
• recording controls,
• reconciliation controls for data entry,
• processing controls, as well as 
• protective measures against intentional and unintentional falsification.

The same can be said about the application decree pursuant to Section 153 AO, which also calls for an "internal control system for the fulfillment of tax obligations" and where the BMF does not provide any detailed instructions on system design either. Additional details about the requirements for the ICS for the purposes defined by the tax authorities are provided in the relevant Practical Note (IDW PH 1/2016) of the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer in Deutschland – IDW). Under the heading of "Tax Compliance Management System" (tax CMS), this document describes the framework for a tax ICS and its integration into a company-wide control system.

How the tax ICS is implemented in accordance with the GoBD depends on the complexity of the processes, the applicable tax requirements and the technological diversity within the company. This topic poses major challenges for those responsible. How extensive controls need to be depends, in particular, on the complexity of the ERP system – e.g. how many interfaces exist and whether the company uses standard applications, user-specific software or in-house developments. Furthermore, the performance of controls has to be documented as part of the ICS and the ICS must be kept up to date.

In general, it can be stated that companies must ensure that all risks resulting from data processing are covered by corresponding controls. This includes both IT-based data processing and the exchange of data via system interfaces. It is therefore strongly recommended that employees with experience of ICS documentation processes are involved in the GoBD documentation process.

The description of the internal control system is a component of the procedure documentation that is also required [margin no. 151].

One of the requirements of the tax authorities is data security. Companies must therefore ensure that data is protected from loss, unauthorized access and manipulation. According to the BMF's interpretation, accounting no longer fulfills the formal requirements if data is insufficiently protected. However, the BMF Circular provides taxpayers with hardly any indications of how to achieve sufficient data security in practice.

The BMF describes key features of data security under the headings of "Unalterability and logging" as well as "Storage".

The unalterability and logging of accounting entries and/or records is already statutorily regulated under the AO. In the accounting standard IDW AcS FAIT 1 "Generally Accepted Accounting Principles for the Use of Information Technology" (DW RS FAIT 1" Grundsätze ordnungsmäßiger Buchführung bei Einsatz von Informationstechnologie"), the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer in Deutschland – IDW) has provided greater specificity regarding the requirements in this area.

The requirements of the BMF nevertheless go beyond the statutory provisions. For example, the ministry considers it a GoBD violation if changes in accounting entries or records are even possible. In this context, the BMF additionally states a position on data management systems (DMS) and explicitly points out that such systems are only GoBD-compliant if companies take suitable measures to ensure unalterability and logging. Examples given by the BMF here include:

• Hardware-based measures (e.g. unalterable and tamper-proof data storage media)
• Software-based measures (e.g. back-ups, blocking, permanent records, deletion flags, automatic logging, history records, versioning)
• Organizational measures e.g. (access authorization concept and user management)

The storage obligation for tax purposes is very broadly defined under the AO. It extends to all documents and data that are related to the preparation, execution, conclusion or cancellation of business transactions. In the absence of a precise definition of relevant documents and data, the task of classification is left to the taxpayer. Orientation is provided by the GoBD provisions on machine analyzability [margin no. 125], electronic storage [margin no. 130], image recording of paper documents [margin no. 136] as well as the outsourcing of data from the productive system and system changes [margin no. 142].

The BMF calls for the comprehensive documentation of the receipt, archiving, (where applicable) conversion and further processing of documents and data subject to the storage requirement. In addition, the procedure documentation must be stored with all change versions. Furthermore, all archived documents and data are to be stored in an orderly manner.

This relates to all tax-related systems in which data is received, processed or comes into existence. In order to sort them, documents and data may be changed, e.g. by means of indexing or booking references. Nevertheless, changes have to be logged. Apart from this, when archiving documents and data, taxpayers must ensure that machine analysis is possible for the entire duration of the storage obligation.

Important new developments:
In the new BMF Circular, the ministry has, in particular, significantly simplified the provisions on electronic storage and the electronic recording of paper documents. For instance, recording paper vouchers in image form will be possible in a number of ways in future (e.g. using smartphones and doing so abroad if the vouchers came into existence there/were received and immediately recorded there). In cases where an approved relocation of accounting abroad has taken place (e.g. to a shared service center), the image-based recording of received original paper vouchers in this country will no longer be objectionable either, provided that such records are created promptly for transmission abroad.

In addition, under certain circumstances [margin no. 135], it is now sufficient if companies archive exclusively documentation that has been converted into their own in-house formats. In such cases, the obligation to archive the original files no longer applies.

GoBD procedure documentation is becoming more and more important. For months we have been seeing how the tax authorities are increasingly requesting that companies provide their procedure documentation within the scope of tax audits. The BMF calls for each tax-relevant IT system to have procedure documentation that describes its technical procedure and processing and should contain the following components as standard:

• General description
• User documentation
• Technical system documentation
• Operating documentation

For all system and procedure changes, versioning is to be carried out and a complete alteration history is to be maintained indicating the content and time of changes.

The specific configuration of the procedure documentation depends on the complexity and diversification of the business activities concerned as well as organizational structures and the data-processing systems used [margin no. 151].

Important new developments:

The revised BMF Circular provides greater detail on the obligation to maintain complete and comprehensible documentation of vouchers (from generation to tax declaration). The requirements regarding the historical traceability of changes to the procedure documentation have been simplified. A template for the procedure documentation that takes the new BMF Circular into account can be obtained from the relevant chambers and associations.

The tax authorities have the right to access data in order to examine the documentation that is subject to the AO storage requirement and has been prepared using a data-processing system [margin no. 158]. The BMF formulates the three possible forms of data access as follows:

1. Direct access
   The tax authority has the right to access the data-processing system directly itself in such a way that, by way of read-only access, it inspects the data subject to the recording and storage requirement and uses the hardware and software used by the taxpayer or commissioned third party for its examination of the saved data, including the respective metadata, master data and transaction data as well as the relevant links (e.g. between the tables of a relational database).
2. Indirect access
   The tax authority can also require that the taxpayer, acting on its behalf, conduct a machine analysis of the data subject to the recording and storage obligation in accordance with its requirements or have a commissioned third party conduct a machine analysis of such data in order to allow for read-only access thereafter. It is only possible to require a machine analysis that uses the analysis capabilities that exist within the data-processing system of the taxpayer or of the commissioned third party.
3. Handing over data media
   The tax authority can furthermore require that the data subject to the recording and storage requirement, including the respective metadata, master data and transaction data as well as internal and external links (e.g. between the tables of a relational database), and electronic documents and documentation be handed over to it on a machine-readable and analyzable data medium for analysis. The tax authority is not entitled to download data from the data-processing system itself or to make copies of available data backups.

During the statutory storage period, companies must ensure that the three specified forms of access are continuously possible.

Important new developments:

Previously, the form of data access was at the discretion of the tax authorities. This meant that companies could face problems because they had to maintain all three potential forms of access for inactive systems as well. Under the new BMF Circular, the tax authorities can no longer require the first and second form of access for inactive systems once the fifth calendar year subsequent to transition has expired. This will also mean, however, that the handing over of data media (third form of access) will have to be prepared and technically facilitated with the inclusion of all tax-relevant data. Recourse to the first or second forms of access is not possible in cases of doubt.

The BMF Circular now explicitly names inspections in the context of data access, in particular cash inspections including all upstream systems and subsystems.