May 27 2021

What does audit-proof archiving mean in the area of POS data?


Generally speaking, "audit-proof archiving" means that archived data is protected against subsequent modification. In other words, it is about protection against manipulation. The legal framework for an audit-proof archive is provided by the GoBD and the German Cash Register Security Ordinance (Kassensicherungsverordnung, KassenSichV for short). In the guidelines, the authorities point out that the information must not only be protected from modification; it must also be archived in a traceable, retrievable and unchangeable manner.

 

How can auditability be ensured?

Audit-proof archiving refers to the verifiability of the procedure used. The following are verified:

  • the user organization
  • the safe operation and process
  • the proper use
  • proof of procedural documentation

You can find detailed information about the requirements HERE.

So what does this mean for POS data? The legislator prescribes audit-proof archiving of cash register data, i.e. of receipts and cash register reports. Retailers must be able to make this data available with an identifier, accurate to the day, with totals and in a form that can be evaluated! In technical terms, this means that electronic cash registers must be upgraded with a Technical Security Device (TSE), and an archiving solution is needed.

The TSE provides each business transaction with a signature and generates a so-called TAR file. Retailers can purchase a TSE as a hardware or cloud solution. In addition, the POS data migrates to the POS system of the respective provider and finally ends up in SAP modules such as SAP CAR, BW, FI CO, etc. Depending on the structure of the ERP system, the archive is available physically or via cloud.

 

GoBD/KassenSichV stipulate that Z1, Z2 and Z3 access to POS data must be guaranteed. Z1 and Z2 mean that an auditor of the financial authorities is shown the data in the system or is allowed to retrieve it himself. Z3 refers to the transfer of data, e.g. on a USB stick. This means that not only audit-proof archiving but also data retrieval must be ensured. A data format is also specified for this: DSFinV-K. The DSFinV-K export enables auditors to perform a uniform evaluation with tools such as IDEA.

In addition to the technical requirements, there must be process documentation that makes it possible to trace exactly where and how the POS data moves in the system. The path from the receipt to the FI document and vice versa must be clearly visible through this document!

By the way: The regulations of the KassenSichV also cover public administrations and waste disposal companies!