Skip to main content
All CollectionsData Protection, Security & Law
GoBD certification
GoBD certification

GoBD-compliant work and help in the event of a tax audit

Andreas Pölz avatar
Written by Andreas Pölz
Updated over a week ago

Candis is GoBD-certified. What does that mean?

Candis meets the requirements of the GoBD; this means that relevant data is recorded and stored in a traceable, complete, correct, timely, proper and unchanged manner.

GoBD compliance has been certified by Peters, Schönberger & Partner Wirtschaftsprüfungsgesellschaft (PSP) on 07.08.2024 (certificate).

What was tested?

  • The Candis software itself

  • Software development processes

  • Internal and external documentation

The audit was conducted in accordance with the following auditing standards and criteria:

  • IDW Auditing Standard: The Audit of Software Products (IDW PS 880, as of January 24, 2022)

  • IDW Auditing Standard: Auditing of financial statements when using information technology (IDW PS 330, as of September 24, 2002)

  • IDW statement on accounting: Generally accepted accounting principles for the use of information technology (IDW RS FAIT 1, as of September 24, 2002)

  • IDW Statement on Accounting: Principles of proper accounting when using electronic archiving procedures (IDW RS FAIT 3, version 11.09.2015)

  • BMF letter "Principles for the proper keeping and storage of books, records and documents in electronic form and for data access (GoBD, as of 28.11.2019)

Tips for working in a GoBD-compliant way

GoBD-compliant work requires the proper use of Candis.

This means that, for example, user accounts are only used by one person. User access via central e-mail addresses such as buchhaltung@company.com should not be shared, as it would not possible to trace which person has made which change.

Further information on GoBD-compliant work and preparing for a tax audit in the magazine: Digital tax audit: Get ready! (only available in German)

What to do in the event of a tax audit?

Don't panic! In the event of a tax audit, Candis supports the Z1, Z2 and Z3 access procedures required by the tax authorities (see section "Access types as part of the tax audit").

We recommend exporting the data in the following way:

  1. download the invoice and master data yourself

  2. and request the audit logs from Candis Support.

1. Download invoice and master data yourself

These steps can be carried out by a person with Administrator role.

  1. Open my.candis.io

  2. Download invoice data (this could also be done by a requester)

    1. Select “Archive” on the left side

    2. Filter column "invoice date" based on the period to be audited (e.g. 01.01.2019 - 31.12.2023)

    3. Select "Download -> CSV file"

  3. Download contacts

    1. Select “Contacts” on the left side

    2. Optional: Filter table by type "Supplier"

    3. Select “More options -> Download as CSV”

  4. Download cost centers

    1. Select “Settings" on the left side, then "Cost centers"

    2. Select “More options -> Download as CSV"

  5. Repeat the steps for tax codes, general ledger accounts and payment conditions

2. Request audit logs

In addition to the invoice and master data, Candis offers the option of requesting and downloading audit logs (Z3 export). These contain the complete change history of the data (e.g. who, when and what was changed in a contact or invoice).

Please note that the audit logs are only available starting from 01.08.2024.

  1. Contact Candis Support to request the audit logs. Please provide the following information:

    1. For which company should the change history be created?

    2. Which audit period does it concern (from - to)?

    3. To which email address should the data be sent?

  2. As soon as the data is available, you will receive an e-mail with a download link.

  3. Click on the link in the email to download the data. Please note that the download is only available for 24 hours. The ZIP file contains a readme file with instructions on how to work with the data.

  4. You can forward the email to other people to download. Anyone with the link can download the data.

More information

Logging of changes

The following changes are logged:

  • Changes to documents

  • Contacts

  • Cost centers, general ledger accounts, tax codes and payment terms

  • Credit card transactions

  • Team members

  • Emails in the email inbox

  • Export to third-party tools

  • Payment list and changes to your own account data

Please note that the audit logs of all these data types are only available from 01.08.2024. There are logs in Candis (e.g. document history) that go back further. However, these may not contain all changes.

Documents

All activities related to a document are documented in the log. This applies to both automatic actions by the system (e.g. suggestions, extractions of document data) and actions by users (e.g. changes, approvals or additions to information during approval).

The change history is attached to the exported document as a PDF at the time of export.

Immutability

Documents are saved after export. Comments can still be added after the export and will continue to be logged.

Invoice attachments

Documents that are attached to invoices are exported as individual PDF documents via the Rechnungsdatenservice 1.0 or the DATEV XML Schnittstelle online, but are displayed together as one document in Candis and DATEV Unternehmen online.

When exported via the Buchungsdatenservice or the ZIP export, these PDFs are technically converted into one PDF file, but their content is not changed.

Deletion

Fixed (exported) documents cannot be deleted. Documents that are in the inbox or in the approval process can be deleted at any time. Documents that have been sent for approval are still saved for an audit after deletion.

Candis Support can make deleted documents available as part of an audit if required.

Other data types, such as contacts, cannot be deleted. They can only be archived.

Access types as part of the tax audit

Z1 (Direct access)

The requester role exists for exercising direct access, which can be made available to the auditor on request.

The requester role has access to the entire archive, providing a complete insight into all invoices. There is no dedicated audit user role. The auditor also has access to the master data. This means that all data and functions are made available.

There is currently no option to give third parties read-only access for a specific time period.

Z2 (Indirect access)

Indirect access can be provided by an employee of the organization with the requester role.

Z3 (Data export)

A comprehensive export can be carried out for an organization and a specified time period. This includes all information of invoices, their processing and master data usage.

DATEV User

DATEV users can use the DATEV Export external tax audit RZ function (only available in German) to obtain an export of their data.

Related Articles
Configure the standard client to connect your DATEV Unternehmen online account
How booking keys work
DATEV format (CSV)
How does the core data export work with the add-on for DATEV self-bookers?
The organization term is not created in the purchase invoice register or the "Extended" document processing form for supplier invoices.
Did this answer your question?