Data analyses and GDPdU compliance
I. Data analyses
Due to the complexity of IT systems and data structures, data quality problems are detected too late or not at all. Risks are caused by the following (amongst other factors):
- Incorrect accounting and controlling values and key figures leading to incorrect decisions
- Statutory minimum requirements for data and their provisioning not being met
- External tax audits identifying inconsistencies and leading to tax assessments
We offer data analyses relating to:
- Compliance with the minimum requirements as per GDPdU and GoBS
- Consistency of the individual databases (main/sub-ledgers)
- Inconsistencies in the individual databases (e.g. inconsistent document information regarding dates)
II. GDPdU compliance
The digital tax audit now complements the previous form of the external audit. Since 1 January 2002, all businesses that use electronic data processing are now obliged to provide data in digital format.
The objective of the digital external audit is structured analysis of tax-relevant enterprise data instead of the previously typical audits of individual documents, mainly with a view to more easily discovering tax loopholes. The German tax reduction law from 23 October 2000 specifies that inland revenue staff must be given access to tax-relevant electronic enterprise data within the scope of an external audit. To ensure this access, rules were laid down in the Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GDPdU) (Principles of data access and the auditability of digital documents).
Data access can take place in three different ways:
- Direct access: A1
The inland revenue employee performs the audit at the enterprise; all required data must be made available to the employee. The external auditor must be granted read access. The external auditor cannot be held liable for any damage caused; for this reason, we strongly advise granting read-only access.
- Indirect access: A2
The auditor visits the enterprise to have the required data shown to them. The business in question must computationally evaluate the tax-relevant data itself based on the auditor’s specifications, and then give the auditor read access to the data prepared in this way.
- Providing a data medium: A3
The auditor requests the relevant data to be able to review them at the inland revenue office. The company concerned must submit all the data in digital and machine-readable format.
The digital tax audit has legal and organisational impact on companies. In addition to audit-proof documentation and archiving of all relevant data, this can also include the need to purchase appropriate hardware and software to ensure machine readability and random access.
‘Audit-proof’ in this context means that, once created, data can no longer be changed subsequently (in an unnoticed fashion). ‘Machine readability’ means the data exist in a format that allows structured evaluation. Important links must be documented. Archiving in the form of PDF documents, for example, or in document archives is thus by no means sufficient.
The IDEA software used by the auditors supports numerous accounting, database and text formats. ‘Random access’ means independence of the programs used to generate the data; more specifically, the use of a format that can be read by IDEA.
- All businesses that use business software
- All companies that exchange or electronically process originally electronic tax-relevant data; that is, data that are received electronically, for example, by email or as electronic invoices
- All businesses in which electronic data are generated by the IT system itself; that is, posting records in financial accounting etc.
Unfortunately, the term ‘tax-relevant data’ is not unambiguously defined. As a general rule, it can be said that the scope of the external audit has not changed; that is, the same data as previously are deemed to be tax-relevant, for example:
- Financial accounting
- Asset accounting
- Order processing/purchase order handling
In addition, examples of ledgers, inventories, financial statements and accounting documents listed in §147, paragraph 1 of the Fiscal Code of Germany (AO), this in particular includes all data from the financial accounting, payroll accounting and asset accounting.
However, tax-relevant data in the sense of §147, paragraph 1, no. 5 of the Fiscal Code of Germany (AO) can also be generated, for example, in the goods and materials management system, in customer relationship management, invoicing, electronic banking, the cash ledger, time recording and travel expenses. For example, if a company uses an in-house system for settlement of travel expenses, and only transfers the total record postings to payroll accounting, then the travel expense settlement system would also be relevant for payroll tax.
Likewise, all computation bases created electronically (e.g. as Excel files) must be opened for data access if only the computed results are shown in the accounting records. Price calculations can thus be tax-relevant if they were referenced to determine the manufacturing costs, or as a measure for comparing transfer prices within the group. For this reason, no module and no subsystem of the company’s in-house IT system may be excluded for the purpose of identifying tax-relevant data.
The problem is that tax-relevant data can exist in a variety of formats, such as invoices received by email, EDIFACT data, etc. All of this data must be archived and made available to the tax auditor.
Rules for retention:
- Depending on the business type, the data must be retained for six or ten years, independently of hardware- and software-based system changes
- The data must be available at all times, also from third-party service providers such as tax consultants, DATEV, etc.
- The data must be made readable without delay
- The data are machine evaluable (using IDEA)
- Check your business software to see whether it can generate auditable data.
- Check in all enterprise divisions (e.g. EDI, email, Web, online banking) to discover whether tax-relevant data are generated.
- Regularly back up all of your tax-relevant data.
- Define corporate work instructions for requirements-compliant deletion or modification of data.
- Avoid private data on your company computer.
- Simulate an external audit and prepare for the new focal points of the audit: a complete audit instead of random checks.
- Talk to us!