Compliance – Guest Article

Audit-proof archiving with SharePoint Online


Audit-proof archiving with SharePoint Online: is that even possible? And what exactly does “audit-proof” mean in this context? This guest article sheds light on the topic and the legal aspects involved.

18 March 2021 – Markus Olbring, comdatis it-consulting GmbH & Co. KG

Miniature file folders on a computer keyboard with the word ‘Archive’ written on them.

Digitisation offers companies countless opportunities, but it also confronts them with stringent legal requirements. This also applies to the exclusively digital storage of documents that must be retained. In the following, we explain what matters for audit-proof, i.e. GoBD-compliant, archiving with SharePoint Online and solutions based on it, such as Shareflex ECM Online.

What does audit-proof archiving mean?


Audit-proof (German: revisionssicher) means that stored data is protected against alteration; at its core this is the legal requirement of “immutability”. In the broader sense used for tax-relevant information, “audit-proof” means that the requirements of the GoBD (which replaced the GoBS and the GDPdU) are met. This also raises the question of whether, and to what extent, the paper originals still need to be kept.

What legal requirements apply?

The following laws are relevant for compliance with the legal retention requirements:

  • German Commercial Code (HGB)
  • Fiscal Code (AO)
  • Value Added Tax Act (UStG)
  • German Principles for the Proper Keeping and Storage of Books, Records and Documents in Electronic Form and for Data Access (GoBD)

We will not go into the details of the requirements here. In summary, however, for the great majority of the documents that exist in a company, exclusively digital storage of accounting and tax-relevant documents is permissible.

What is SharePoint Online?


SharePoint Online is a web application in the Microsoft 365 environment that, among other things, makes it easier to collaborate on projects. It also integrates with various communication channels for interacting with internal and external business partners. Microsoft positions the software as a document management system (DMS) and content management platform. A DMS manages electronic documents: the document file itself together with descriptive properties (metadata) that ensure the information can be found again and allow virtual files to be assembled. SharePoint Online can therefore be used as a full Enterprise Information Management (EIM) solution.

The software is organised around customisable web pages (sites), which are the central element in SharePoint Online for presenting content in a structured way. A site can hold document libraries, wikis and picture libraries as well as lists.

Is SharePoint Online a DMS?

SharePoint Online includes the functions of a DMS. Libraries and lists are used to manage and organise content. In addition, retention policies and retention labels can prevent documents from being deleted or modified for the duration of their retention period.

What is the difference between a DMS and an ECM?

A DMS (Document Management System) is a system for the electronic management of documents. It serves the storage, management and tracking of electronic documents. Electronic documents include paper-based documents that have been digitised using a scanner. An ECM (Enterprise Content Management) goes one step further. Although an ECM solves similar tasks to a DMS, it is not limited to the management of electronic documents. The aim of an ECM is to store, provide and manage information. In addition, an ECM provides the ability to combine unstructured and structured information. In short, a DMS is a subordinate part of an ECM system.

Legislation


The new version of the German ‘Principles of Proper Keeping and Retention of Books, Records and Documents in Electronic Form and of Data Access’ (GoBD), published in December 2019, explicitly adds the use of cloud systems in paragraph 20. From a data protection perspective, storing data with Microsoft is processing on behalf of a controller pursuant to Art. 28 and Art. 4 No. 8 GDPR. This processing on behalf is contractually covered by the standard contractual clauses included in the Microsoft Online Services Terms. The legally required data security measures are evidenced by Microsoft’s existing certifications. Documents needed as evidence in legal disputes can be protected from deletion using a ‘legal hold’ (eDiscovery hold). Logging can be implemented at different levels depending on requirements.

What requirements must be met?

To use SharePoint Online for audit-proof archiving, the following prerequisites must be met:

  • Microsoft 365 plan that supports the use of retention labels and/or retention policies
  • Internet connection
  • User licences

Other benefits of SharePoint Online include the fact that, unlike on-premises hosted solutions, there is no need to purchase or deploy your own servers or similar IT infrastructure. There is also no need for manual updates or extensive change management.

Retention requirements


  1. Retention policies and retention labels can be configured so that documents cannot be deleted or modified during the retention period.
  2. Retention labels that declare content to be a record can only be created and modified centrally, in the Admin Centre, by an administrator.
  3. Only an administrator can adjust or remove retention policies that have already been applied to documents and folders.
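The three points above can be implemented from the Security & Compliance PowerShell. The following script is an added example and is not code from the article or from Microsoft; the tenant name, site URL, label and policy names and the ten-year period are placeholders, and the account used is assumed to hold the Compliance Administrator role. It creates a retention label that turns labelled documents into records, publishes it to an archive site, and finally applies Preservation Lock so that the policy itself can no longer be weakened by any administrator.

```powershell
# Added example (not from the original article or from Microsoft).
# Prerequisite: Install-Module ExchangeOnlineManagement; account with Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.onmicrosoft.com   # placeholder

$LabelName   = "Invoice-10y-Record"                              # placeholder
$PolicyName  = "Archive-Invoices"                                # placeholder
$ArchiveSite = "https://contoso.sharepoint.com/sites/Archive"    # placeholder

# 1. Retention label: keep for 3650 days (10 years, assumed period) counted from creation,
#    then delete. IsRecordLabel turns every labelled item into a record: content and most
#    properties are locked and users cannot remove or change the label.
if (-not (Get-ComplianceTag | Where-Object Name -eq $LabelName)) {
    New-ComplianceTag -Name $LabelName `
        -Comment "Incoming invoices: retain 10 years from creation (example period)" `
        -IsRecordLabel $true `
        -RetentionAction KeepAndDelete `
        -RetentionDuration 3650 `
        -RetentionType CreationAgeInDays
}

# 2. Label policy scoped to the archive site. Retention label policies use the same
#    cmdlet as retention policies; the rule publishes the label so it can be applied
#    to the site's libraries (manually or as a library default label).
if (-not (Get-RetentionCompliancePolicy | Where-Object Name -eq $PolicyName)) {
    New-RetentionCompliancePolicy -Name $PolicyName `
        -SharePointLocation $ArchiveSite `
        -Comment "Publishes $LabelName to the archive site" `
        -Enabled $true

    New-RetentionComplianceRule -Name "$PolicyName-Rule" `
        -Policy $PolicyName `
        -PublishComplianceTag $LabelName
}

# 3. Preservation Lock. Once set, no administrator (Global Administrator included) can
#    disable the policy, remove locations or shorten the period; locations can only be
#    added and the period extended. This is irreversible: test in a non-production tenant.
Set-RetentionCompliancePolicy -Identity $PolicyName -RestrictiveRetention $true

# 4. Verification output for the procedural documentation.
Get-ComplianceTag -Identity $LabelName |
    Format-List Name, IsRecordLabel, RetentionAction, RetentionDuration, RetentionType
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Enabled, RestrictiveRetention, SharePointLocation, DistributionStatus
```

Step 3 is stronger than the article's point 3: with Preservation Lock the policy is no longer under administrative control at all, which is exactly the property an auditor wants to see, but also means a configuration mistake cannot be undone. Keep the verification output with the procedural documentation, since the retention settings themselves are part of what must be documented.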

Location: What differences exist?

The exact storage location of the data is listed in the Admin Centre. Documents stored with Microsoft are located in the European Union (EU) if the tenant belongs to a company based in the EU. In the German Fiscal Code (AO), the requirements of § 146 must be observed: books and other required records must be kept and retained in accordance with the law. The Annual Tax Act 2020 made it possible to keep electronic books and records within the EU without a written application for exemption. Full access to the data by the tax authority must remain possible, and taxation must not be adversely affected by the relocation. These requirements are also part of the procedural documentation that must be prepared.

A written or electronic application to the relevant tax authority is only required if the data is stored in a third country. For new customers, Microsoft also offers data storage in Germany. Existing Microsoft customers can request to move their data to a German data centre.

Type of storage

You can choose from the following types of storage:

  • Central Data Archive (Records Center): Documents are moved to a specially created records centre (e.g. all incoming and outgoing documents are in one records centre)
  • In-place archiving (in-place records management or retention labels): Documents remain in place and are only classified according to retention policies (e.g. all incoming and outgoing documents are contextually located in a project or customer folder)

Users, rights and roles

The following user roles need to be created:

  • Global Administrator: can create and modify retention policies and delegate administrative roles for sub-areas (e.g. helpdesk administrator)
  • Users with appropriate permissions, i.e. without the ability to modify retention policies

Microsoft Certificates


The following Microsoft certifications and attestations document a high level of information security:

  • ISO 27001
  • ISO 27018
  • FedRAMP, FERPA, HIPAA/HITECH
  • SOC 1 and SOC 2 Type 2
  • Cloud Computing Compliance Controls Catalogue (C5) (planned for Microsoft 365 Germany)
  • IDW PS 951 — Audit of the service provider’s internal control system for outsourced functions (planned for Microsoft 365 Germany)

Other Microsoft certifications can be viewed in the Microsoft compliance documentation at the following URL: https://docs.microsoft.com/de-de/compliance/regulatory/offering-home

Making data available to auditors


As part of a digital tax audit, the auditor must be granted access to the data. The auditor is free to choose the type of access.

The tax authorities distinguish between three types of access:

  • Z1: Direct data access
  • Z2: Indirect data access
  • Z3: Transfer of data media

All three types of access can be mapped in SharePoint Online.

Microsoft Services


Microsoft’s service level agreement commits to 99.9% uptime. Microsoft is responsible for change management, so the software is always at the current release; this increases security because vulnerabilities are closed through updates. Microsoft develops the service according to its Security Development Lifecycle (SDL) policy. The customer must still establish a data protection policy separately.

eDiscovery functionality

eDiscovery search enables authorised users to search for electronically stored information that can be used as evidence in compliance matters or litigation. Searchable content includes documents and list items as well as blogs, wikis, news feeds and content in Exchange mailboxes.

An eDiscovery hold allows information to be preserved. Preserving means that a copy of the original content is retained even if a user later modifies or deletes it. Holds can be placed on SharePoint sites (including OneDrive for Business sites) and Exchange mailboxes (including archived Skype for Business conversations). A hold keeps content as it was at the time the hold was set; when a hold is applied to a site or mailbox, the content remains in its original location.
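The following script shows such a hold set up from the Security & Compliance PowerShell. It is an added example, not code from the article or from Microsoft; the case name, site URL and mailbox are placeholders. It creates an eDiscovery (Standard) case, a hold policy covering an archive site and a custodian mailbox, and a rule that activates the hold over everything in those locations.

```powershell
# Added example (not from the original article or from Microsoft).
# Prerequisite: Install-Module ExchangeOnlineManagement; account with eDiscovery Manager role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.onmicrosoft.com   # placeholder

$CaseName  = "Dispute-2021-017"                                 # placeholder
$HoldName  = "$CaseName-Hold"
$SiteUrl   = "https://contoso.sharepoint.com/sites/Archive"     # placeholder
$Custodian = "accounting@contoso.com"                           # placeholder mailbox

# 1. Case: the container for holds, searches and exports of one legal matter.
if (-not (Get-ComplianceCase | Where-Object Name -eq $CaseName)) {
    New-ComplianceCase -Name $CaseName -Description "Example dispute, evidence preservation"
}

# 2. Hold policy: which locations are preserved. Content stays in place for users; if a
#    user edits or deletes a held item, SharePoint keeps a copy in the site's Preservation
#    Hold library and Exchange keeps it in Recoverable Items until the hold is released.
New-CaseHoldPolicy -Name $HoldName -Case $CaseName `
    -SharePointLocation $SiteUrl `
    -ExchangeLocation $Custodian `
    -Enabled $true

# 3. Hold rule: without -ContentMatchQuery everything in the locations is held.
#    A KQL query (e.g. a date range) could narrow the hold if the matter is limited in scope.
New-CaseHoldRule -Name "$HoldName-Rule" -Policy $HoldName

# 4. Verify that the hold has been distributed to all locations.
Get-CaseHoldPolicy -Identity $HoldName -Case $CaseName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, SharePointLocation, ExchangeLocation

# Release when the matter is closed: Set-CaseHoldPolicy -Identity $HoldName -Enabled $false
# (or Remove-CaseHoldPolicy). Preserved copies then fall back under the normal retention policies.
```

A hold is independent of the retention policies described earlier: it overrides a scheduled deletion for as long as it is active, but it does not shorten or replace the retention period once it is released.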

GoBD and procedural documentation


The following lists the core criteria of the GoBD and possible ways of implementing them. These principles are based on the principles of orderly accounting (GoB), with the GoBD specifying the principles for IT-supported systems.

Principle of order, i.e. there must be orderly and sufficient index structures:

Documents of the same kind (document types) are filed and archived in one document library. A different retention period can be set for each document library; the settings are inherited by its subfolders.

Completeness, i.e. the archiving of all documents, must be ensured:

As far as technically possible, documents are filed automatically. The manual processes are made known to the responsible employees through work instructions, and completeness is regularly checked as part of the internal control system.

Accuracy, i.e. the archived documents must match the original; it must be possible to prevent documents from being tampered with:

Documents are archived exactly as they were received or sent. Paper documents that enter the archive by scanning must be visually checked for completeness and legibility immediately after scanning.

Integrity, i.e. no changes may be made to documents or changes must be traceable (versioning):

Retention policies and record labels ensure that documents in the archive cannot be altered. For documents that still need to be editable, version history can be enabled so that every change remains traceable.
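Integrity and the regular completeness check of the internal control system can both be supported by evaluating the unified audit log. The following script is an added example, not code from the article or from Microsoft; the tenant, site URL and reporting period are placeholders, and it assumes that auditing is enabled for the tenant and that the account holds the View-Only Audit Logs role. It pages through all file operations of the last 30 days, keeps those that touched the archive site, flags deletions, and exports the result for the procedural documentation.

```powershell
# Added example (not from the original article or from Microsoft).
# Prerequisite: Install-Module ExchangeOnlineManagement; View-Only Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.onmicrosoft.com   # placeholder

$SiteUrl = "https://contoso.sharepoint.com/sites/Archive/"    # placeholder, trailing slash
$Start   = (Get-Date).AddDays(-30)                            # assumed reporting period
$End     = Get-Date
$Ops     = "FileDeleted", "FileRecycled", "FileModified", "FileMoved", "FileRenamed",
           "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin"

# 1. Page through the log. Search-UnifiedAuditLog returns at most 5000 rows per call;
#    ReturnLargeSet with a fixed SessionId hands back the next page on each call.
$sessionId = [guid]::NewGuid().ToString()
$rows = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePointFileOperation -Operations $Ops `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $rows += $page }
} while ($page -and $page.Count -eq 5000)

# 2. The details live in the AuditData JSON column; parse it and keep the archive site.
$archiveEvents = $rows |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.SiteUrl -like "$SiteUrl*" } |
    Select-Object CreationTime, Operation, UserId, SourceFileName, ObjectId |
    Sort-Object CreationTime

# 3. Deletions from an archive that is supposed to be immutable are findings for the
#    internal control system, whoever performed them.
$deletions = $archiveEvents | Where-Object {
    $_.Operation -in "FileDeleted", "FileRecycled",
                     "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin"
}
if ($deletions) {
    Write-Warning ("{0} deletion event(s) on {1} between {2:d} and {3:d}" -f `
        @($deletions).Count, $SiteUrl, $Start, $End)
    $deletions | Format-Table CreationTime, Operation, UserId, SourceFileName -AutoSize
}

# 4. Export the full evidence for the procedural documentation.
$report = ".\archive-audit-{0:yyyyMMdd}.csv" -f $End
$archiveEvents | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
Write-Output ("{0} event(s) written to {1}" -f @($archiveEvents).Count, $report)
```

The audit log itself is only kept by Microsoft for a limited time (90 days with Audit (Standard), one year with Audit (Premium)), far shorter than the statutory retention periods, so the exported reports have to be archived as well if the checks are to remain demonstrable to an auditor.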

Traceability, i.e. the procedures used must be documented in the procedural documentation in a way that is comprehensible to an expert third party:

Procedural documentation is necessary to meet the traceability requirement. In addition to the work processes, the procedural documentation must also describe the technical processes and settings.

Timely, i.e. prompt recording and compliance with legal retention periods is ensured:

The legal retention periods are represented by the retention durations defined in the retention policies and labels. In addition, the GoBD require that documents are recorded promptly.

Conclusion


Audit-proof, GoBD-compliant archiving with SharePoint Online is possible if procedural documentation is available and the archive is set up so that documents can be neither deleted nor modified during their retention period. Under the Annual Tax Act 2020, approval from the relevant tax office is only required if the data is stored outside the EU.

Markus Olbring, Managing Director of comdatis it-consulting GmbH & Co. KG in Ahaus, Germany, is an IT consultant and expert in the fields of digitalisation, process documentation, IT auditing, information security and data protection.

The statements represent the opinion of the author(s) and have no binding effect. To that extent, all information is provided without warranty of accuracy or completeness. Advice is always required for individual implementation.
