
HGB & AO — German Commercial Code and Tax Code

Reviewed by: Cenedril Editorial

During a tax audit the tax office demands machine-based data access to the bookkeeping data of the last ten years. Three system changes have taken place since then, data migration from the oldest system has never happened, and the process documentation ends in 2019. The tax office rejects the bookkeeping as non-GoBD-compliant — and estimates the tax base under Section 162 AO. An estimate costs, on average, more than orderly retention over ten years.

The German Commercial Code (HGB) and the German Fiscal Code (AO), together with the Principles for the Proper Management and Retention of Books, Records and Documents in Electronic Form and for Data Access (GoBD), govern the requirements for accounting-relevant data. They form the foundation of every audit-proof IT architecture and are therefore a central source of duties for information security.

Who is affected?

Effectively every organisation with commercial activity. The duties are tiered by size and legal form:

  • Merchants (Section 1 HGB) — anyone operating a commercial business, unless the business by nature and scale does not require a commercially organised operation (Section 1(2) HGB). Balance-sheet and full bookkeeping obligation under Sections 238 et seq. HGB; small sole traders below the thresholds of Section 241a HGB are exempt from bookkeeping but not from retention.
  • Small traders and freelancers — income-surplus calculation under Section 4(3) EStG; retention obligations under Section 147 AO apply equally.
  • Stock corporations and limited liability companies (AG, GmbH) — stricter duties on management-report preparation, internal control system (Section 91(2) AktG, Section 43 GmbHG) and disclosure.
  • Taxpayers with recording duties (AO Sections 140 et seq.) — even without a bookkeeping obligation, retention duties apply to tax-relevant documents.

With electronic bookkeeping, the catalogue of duties is extended by the GoBD: process documentation, data access (Z1/Z2/Z3), machine-readable analysis and unalterability.

What does the law require?

From an information security perspective three blocks of duties are relevant — retention, orderliness, data access:

  • Section 257 HGB / Section 147 AO — Retention duties — commercial ledgers, inventories, opening balance sheets, annual financial statements, management reports: ten years. Accounting vouchers: eight years since the Fourth Bureaucracy Relief Act (BEG IV) took effect on 1 January 2025 (Section 257(4) HGB, Section 147(3) AO; the change applies to all vouchers whose ten-year period was still running on 31 December 2024). Commercial letters and other documents: six years. Each period starts at the end of the calendar year of the triggering event: last entry in the ledger, adoption of the statements, receipt or dispatch of the letter, creation of the voucher.
  • Section 239 HGB / Section 146 AO — Orderliness — complete, correct, timely, orderly. Records must not be altered in a way that prevents the original content from being determined.
  • Section 147(6) AO — Data access — three access types: direct read access (Z1), indirect access via the system (Z2), data-carrier transfer in a machine-readable format (Z3). The tax authority chooses the form.
  • GoBD — Process documentation — description of the bookkeeping system and business processes; evidence of the internal control system; description of data security; description of the hardware and software in use.
  • GoBD — Unalterability — technical or organisational measures that prevent subsequent changes or log them in an audit-proof manner. WORM storage, cryptographic signatures and seamless logs are established methods.
  • Section 91(2) AktG — Internal control system — the management board must take appropriate measures, in particular set up a monitoring system, so that developments threatening the continued existence of the company are detected early. The provision was introduced by the KonTraG; IT risks that could threaten the company fall within its scope.
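The unalterability item above names cryptographic methods and seamless logs as established techniques, and the FAQ at the end of the page mentions cryptographic hashing. The following is an added example, not code from the page or from any product: a minimal hash-chained posting journal in Python in which every entry commits to the hash of its predecessor, corrections are made GoBD-style by reversal entries instead of in-place edits, and a verifier recomputes the chain to locate the first altered, removed or reordered entry. The record fields, the genesis value and the sample vouchers are constructed for the example; a real system would additionally write the chain head to WORM storage or a timestamping service at every period close.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # anchor for the first entry; an assumed convention, not prescribed by the GoBD


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation so the same record always produces the same hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    """SHA-256 over predecessor hash, sequence number and record content."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(seq.to_bytes(8, "big"))
    h.update(canonical_bytes(record))
    return h.hexdigest()


class Journal:
    """Append-only posting journal; every entry commits to the hash of the one before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def head(self) -> str:
        # The value to anchor on WORM storage or with a timestamping service after each close.
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def append(self, record: dict) -> dict:
        seq = len(self.entries) + 1
        prev = self.head()
        entry = {"seq": seq, "prev_hash": prev, "record": dict(record), "hash": entry_hash(prev, seq, record)}
        self.entries.append(entry)
        return entry

    def reverse(self, seq: int, reason: str) -> dict:
        """Correct a posting GoBD-style: never edit it, post a reversal (Storno) that references it."""
        original = self.entries[seq - 1]["record"]
        storno = dict(original)
        storno["amount_cents"] = -original["amount_cents"]
        storno["reverses_seq"] = seq
        storno["reason"] = reason
        return self.append(storno)


def verify(entries: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute the whole chain; return (ok, sequence number of the first broken entry)."""
    prev = GENESIS_HASH
    for expected_seq, e in enumerate(entries, start=1):
        if e["seq"] != expected_seq or e["prev_hash"] != prev:
            return False, expected_seq  # entry removed, inserted or reordered
        if entry_hash(prev, expected_seq, e["record"]) != e["hash"]:
            return False, expected_seq  # content edited in place
        prev = e["hash"]
    return True, None


def net_amount_cents(entries: List[dict]) -> int:
    """Net of all postings; the original and its reversal cancel out, the correction remains."""
    return sum(e["record"]["amount_cents"] for e in entries)


def build_sample_journal() -> Journal:
    """Constructed sample vouchers for the example; not real bookkeeping data."""
    j = Journal()
    j.append({"voucher": "RE-2024-0001", "account": "4400", "amount_cents": 119000, "date": "2024-03-15"})
    j.append({"voucher": "RE-2024-0002", "account": "4400", "amount_cents": 250000, "date": "2024-03-16"})
    j.reverse(2, "amount wrong, re-posted as RE-2024-0003")
    j.append({"voucher": "RE-2024-0003", "account": "4400", "amount_cents": 205000, "date": "2024-03-16"})
    return j


def tamper_in_place(j: Journal) -> Tuple[bool, Optional[int]]:
    """Silent edit of a posted amount: the chain breaks at that entry."""
    j.entries[1]["record"]["amount_cents"] = 205000
    return verify(j.entries)


def tamper_delete(j: Journal) -> Tuple[bool, Optional[int]]:
    """Removing the reversal entry shifts the sequence: the chain breaks at the gap."""
    del j.entries[2]
    return verify(j.entries)


if __name__ == "__main__":
    journal = build_sample_journal()
    print("chain ok:", verify(journal.entries), "head:", journal.head()[:16])
    print("after in-place edit:", tamper_in_place(build_sample_journal()))
    print("after deleting entry 3:", tamper_delete(build_sample_journal()))
```

The chain alone only proves that entries have not changed since the head was recorded; the head itself must be anchored somewhere the bookkeeping system cannot rewrite (WORM object lock, external timestamp, signed period-close record), otherwise an attacker with database access can simply recompute the whole chain.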

In practice

Define retention classes early. A classification of “general business data” does not help when it matters. Proven in practice: concrete classes (accounting vouchers, commercial letters, contracts, personnel files, payroll) with retention period, storage location, technical protection method and a deletion or blocking concept. Classification is the interface between IT, tax and data protection.
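The following is an added example, not code from the page or from any GRC product: a small retention-class registry in Python that applies the end-of-calendar-year rule to compute the end of the statutory period and the earliest deletion date, reports whether a record is still under legal hold or now falls under the GDPR deletion or blocking duty, and checks a deletion policy against the statutory minimums. The class keys, the "contains personal data" flag and the policy format are assumptions made for the example; the periods are the ones stated on this page, with eight years for vouchers since the Fourth Bureaucracy Relief Act took effect on 1 January 2025.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionClass:
    description: str
    legal_basis: str
    years: int                   # statutory minimum retention period
    contains_personal_data: bool  # assumed flag: drives the GDPR deletion/blocking duty after expiry


# Statutory minimums; eight years for vouchers since BEG IV (1 Jan 2025). Keys are an assumed naming.
CLASSES: Dict[str, RetentionClass] = {
    "ledger": RetentionClass("Commercial ledgers, inventories, balance sheets, financial statements",
                             "Section 257(1) no. 1 HGB / Section 147(1) no. 1 AO", 10, False),
    "voucher": RetentionClass("Accounting vouchers",
                              "Section 257(1) no. 4 HGB / Section 147(1) no. 4 AO", 8, True),
    "letter": RetentionClass("Commercial letters received and sent",
                             "Section 257(1) nos. 2-3 HGB / Section 147(1) nos. 2-3 AO", 6, True),
}


def retention_end(trigger_year: int, cls: RetentionClass) -> date:
    """The period runs from the end of the calendar year of the triggering event
    (Section 257(5) HGB, Section 147(4) AO): last ledger entry, adoption of the
    statements, receipt or dispatch of the letter, creation of the voucher."""
    return date(trigger_year + cls.years, 12, 31)


def earliest_deletion(trigger_year: int, cls: RetentionClass) -> date:
    """First day on which deletion no longer breaches the retention duty."""
    return retention_end(trigger_year, cls) + timedelta(days=1)


def status(trigger_year: int, key: str, today: date) -> str:
    """Legal hold status of one record on a given day."""
    cls = CLASSES[key]
    if today <= retention_end(trigger_year, cls):
        return "retain"           # statutory hold still running; deletion would breach HGB/AO
    if cls.contains_personal_data:
        return "delete-or-block"  # hold expired; GDPR storage limitation now requires action
    return "deletable"


def check_policy(policy: Dict[str, Optional[int]]) -> List[str]:
    """policy maps class key -> years after which records are deleted; None means 'never'.
    Returns one finding per class that breaches HGB/AO or has no deletion concept."""
    findings: List[str] = []
    for key, cls in CLASSES.items():
        if key not in policy:
            findings.append(f"{key}: no retention class defined")
            continue
        keep = policy[key]
        if keep is None:
            if cls.contains_personal_data:
                findings.append(f"{key}: 'retain forever' has no deletion concept; clashes with GDPR storage limitation")
        elif keep < cls.years:
            findings.append(f"{key}: deleted after {keep} years, statutory minimum is {cls.years} ({cls.legal_basis})")
    return findings


if __name__ == "__main__":
    print("voucher from 2024 may be deleted from", earliest_deletion(2024, CLASSES["voucher"]))
    print("letter received 2019 on 2026-01-01:", status(2019, "letter", date(2026, 1, 1)))
    for finding in check_policy({"ledger": 1, "voucher": 1, "letter": 1}):
        print("finding:", finding)
```

The two policy extremes named under "Typical audit findings" on this page (blanket "one year" deletion, blanket "lifetime" retention) both produce findings; a policy of 10/8/6 years with a deletion step afterwards produces none.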

Do not treat the process documentation as a one-off project. Every ERP migration, every new interface, every new cloud service belongs in the process documentation. Proven in practice: a living document in the wiki or GRC tool that maintains a profile per system, with owners, interfaces, authorisation concept and a short risk assessment.

Plan the migration path over ten years. The biggest risk sits in the system lifecycle: ERPs are replaced every four to eight years, but the retention period runs for ten. An organisation without a data-migration strategy and without read-only archive access for legacy systems will be caught at the next tax audit.

Mapping to ISO 27001

The HGB/AO requirements on audit-proof retention map well to ISO 27001 Annex A, above all in the areas of retention, backup and logging.

Directly relevant controls: the full list is given under "ISO 27001 Controls Covered" below; the closest matches are A.5.33 (protection of records), A.8.10 (information deletion), A.8.13 (information backup), A.8.15 (logging) and A.8.34 (protection of information systems during audit testing, i.e. the Z1/Z2 access set up for the auditor).

Typical audit findings

  • Process documentation outdated or absent — the most frequent cause for complaint. The documentation ends at the last ERP change or describes a process retired long ago.
  • No data migration from legacy systems — data in retired systems is technically no longer readable; the Z3 export is not possible.
  • Unalterability not evidenced — the bookkeeping runs on a standard database system without WORM properties and without seamless audit logs.
  • Cloud location not approved — accounting has been moved to a US cloud without the application to, and approval by, the tax office that Section 146(2b) AO requires for keeping electronic books outside the EU (an EU location under Section 146(2a) AO needs no approval, provided full data access under Section 147(6) AO remains possible).
  • Retention classes missing — blanket “lifetime” retention clashes with GDPR deletion duties; blanket “one year” deletion breaches HGB retention duties.
  • Z1 access not rehearsed — on an on-site audit, IT cannot set up read access for the auditor because this was never tested operationally.


ISO 27001 Controls Covered

  • A.5.10 Acceptable use of information and other associated assets
  • A.5.13 Labelling of information
  • A.5.33 Protection of records
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.5.37 Documented operating procedures
  • A.6.3 Information security awareness, education and training
  • A.8.4 Access to source code
  • A.8.10 Information deletion
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.24 Use of cryptography
  • A.8.34 Protection of information systems during audit testing

Frequently asked questions

Which retention periods apply?

Commercial ledgers, inventories, opening balance sheets, annual financial statements and management reports must be retained for ten years under Section 257 HGB. Accounting vouchers: eight years since the Fourth Bureaucracy Relief Act (BEG IV) took effect on 1 January 2025 (previously ten; the shorter period applies to all vouchers whose retention period was still running on 31 December 2024). Received commercial letters and copies of sent commercial letters: six years. Section 147 AO sets the same periods in parallel and additionally covers all other records relevant for taxation, including electronic ones. The period starts at the end of the calendar year in which the triggering event occurred (last entry, adoption of the statements, receipt or dispatch of the letter, creation of the voucher).

What does audit-proof retention mean in concrete terms?

Records must be stored in a complete, orderly, unalterable, always-available and machine-readable way over the entire retention period. Audit-proof retention covers technical measures (WORM storage, cryptographic hashing or signatures, tamper-evident logs), organisational rules (process documentation, authorisation concept) and a seamless migration path when systems are changed, so that legacy data stays readable and exportable for the Z3 data-carrier transfer.

What is the GoBD process documentation?

A written description of the accounting systems and processes in use, allowing a knowledgeable third party to understand the procedure within a reasonable time (paragraphs 151 et seq. of the GoBD). It covers a general description, user, technical and operational documentation and an internal control system. If missing or outdated, the bookkeeping loses its evidentiary value.