Audit-proof. The word sounds like bureaucracy, files and stamps. In practice, it is the opposite: it is the ability to provide complete, tamper-proof evidence within minutes in an audit, a legal dispute or a recall case - for a decision, a test procedure or a production parameter that was recorded twelve years ago.
The problem: most manufacturing companies archive. But they do not archive in an audit-proof manner. They have data, but no proof. They have logs, but no evidence. And the difference only becomes apparent when it matters - in an audit, in the event of product liability, in the event of a request from the authorities.
This article explains what audit-proof archiving of production data actually means: which standards apply, what they require, how an audit-proof database is structured and where the most common gaps occur in practice.
|
THE MOST IMPORTANT POINTS IN BRIEF
|
|
BRIEFLY SUMMARIZED
|
Audit-proof archiving refers to the permanent, tamper-proof, complete and retrievable storage of data and documents that are relevant for tax, legal or normative audit purposes. It ensures that archived data reproduces its original content unchanged and can be retrieved in a targeted manner - regardless of the original capture software.
Legal basis: GoBD (BMF letter 2019), IATF 16949:2016, ISO 9001:2015, EU Product Liability Directive 2024/2853/EU
The term 'audit-proof' originally comes from the context of tax law (GoBD - principles for the proper keeping and storage of books, records and documents in electronic form). However, it has developed far beyond this area to become the standard term for any form of legally binding data archiving.
|
Property |
What it means |
How it is proven |
Frequent errors |
|---|---|---|---|
|
Immutability |
Once archived, data cannot be overwritten, deleted or modified without recorded evidence |
Audit trail with timestamp and user ID for each change operation; WORM storage or cryptographic signatures |
Database without audit trail: changes are possible without leaving a trace |
|
Completeness |
All required data is available - no gaps over time, no missing mandatory fields |
Completeness check: All data records for the prescribed period are verifiably available |
Selective archiving: 'Important' data is stored - but the definition of 'important' was too narrow |
|
Findability |
Targeted retrieval of a specific data record (e.g. component file for serial number X) without specialist IT knowledge |
Structured indexing system; documented query methodology for auditors |
Flat file storage: data is available but not indexed - targeted access takes hours |
|
Readability |
The content of the data can be read and interpreted even after the retention period without the original software |
Use of open, standardized formats; format documentation in the archive |
Proprietary database dumps: no longer readable after 10 years without original software |
NOTE: STORED IN AN AUDIT-PROOF MANNER ≠ SAVED
Stored: The data is located somewhere on a server or in a database.
Archived: The data has been intentionally stored for long-term retention.
Audit-proof: The data is unchangeable, complete, retrievable and permanently readable - and this can be verified at any time.
Most manufacturing companies are at level 2. Level 3 is an architectural decision that must be made from the outset.
REVISION SECURE ≠ STORED
Stored: The data is located somewhere on a server or in a database.
Archived: The data has been intentionally stored for long-term retention.
Audit-proof: The data is unchangeable, complete, retrievable and permanently readable - and this can be proven at any time.
Most manufacturing companies are at level 2. Level 3 is an architectural decision that must be made from the outset.
Manufacturing companies in Germany are subject to several sets of regulations with archiving requirements at the same time. These partly overlap, but do not contradict each other - they reinforce each other. The strictest requirement for each data category always takes precedence.
| Standard/law | Data category | Deadline | Archive format | Sanction for non-compliance |
| IATF 16949:2016 | Quality data: Test results, approvals, batch data, production parameters, audit logs | At least 15 years after last delivery (OEM requirements may be longer) | Auditable, structured retrievable - format not explicitly prescribed | Certificate withdrawal, OEM list risk |
| GoBD (BMF 2019) | Tax-relevant records: Bookings, receipts, relevant business letters | 10 years (Section 147 AO), from the end of the calendar year | Automatically analyzable, unalterable, readable at any time - GOBD-compliant format | Additional tax payments, fines, criminal proceedings in the event of intent |
| ISO 9001:2015 | Records of quality processes, management assessments, supplier qualification | Depending on customer requirements - typically 5-15 years | Legible, structured, traceable and retrievable | Certificate withdrawal, contractual penalties per customer agreement |
| EU Product Liability Directive 2024/2853/EU | Production data as exculpatory evidence: component-specific process data, test results | Up to 25 years for latent damage (from placing on the market) | It must be possible to reconstruct component-specific allocation - structured data archiving | Unlimited product liability without proof of exoneration, reversal of burden of proof |
| GDPR (EU 2016/679) | Personal data: Worker IDs, user logs, biometric access controls | Only as long as processing purpose exists - deletion obligation thereafter | Verifiable deletion with log | Fines of up to 4% of global annual turnover |
Important tension: IATF 16949 and EU product liability require long retention periods for production data GDPR requires the deletion of personal data after the end of the processing purpose. The solution: Technical separation of component-related production data (retention) and personal user logs (deletion after expiry).
An audit does not ask whether you have the data. They ask if you can show them in two minutes. Anyone who has to call their IT administrator for this has not understood the concept of audit-proof archiving.
-Korbinian Hermann CEO, CSP Intelligence GmbH
Not all production data requires the same level of archiving. The requirements depend on the data category, intended use and the relevant legal framework. The following overview provides a practice-oriented classification for the typical production environment.
|
Data category |
Examples |
Archiving obligation |
Max. Period |
Audit compliance required? |
|---|---|---|---|---|
|
Test results & proof of quality |
Measurement reports, SPC data, release decisions, use of test equipment |
IATF 16949, ISO 9001, EU product liability |
25 years (EU product liability) |
Yes - mandatory |
|
Batch data & traceability data |
Lot numbers, serial numbers, material batch allocation, supplier data |
IATF 16949, EU product liability |
25 years |
Yes - mandatory |
|
Production parameters & process data |
Torque curves, temperature profiles, machine configurations |
EU product liability (proof of discharge), IATF 16949 |
25 years |
Yes - for safety-relevant processes |
|
Calibration & test equipment data |
Calibration protocols, measuring equipment IDs, validity periods |
IATF 16949 §7.1.5 |
15 years |
Yes |
|
Audit logs & system accesses |
Who changed what and when, system accesses, change histories |
GoBD, IATF 16949 (record integrity) |
10 years |
Yes - this is the audit trail itself |
|
Tax-relevant production data |
Production costs, post-calculation, material write-offs |
GoBD § 147 AO |
10 years |
Yes - GoBS-compliant |
|
Personal user logs |
Worker IDs, shift logs with personal identification |
DSGVO - obligation to delete! |
Max. Processing purpose |
Pseudonymization recommended |
|
Internal work instructions & procedures |
Current and historical versions of work instructions |
ISO 9001 §7.5 (Documented information) |
Per customer requirement |
Proof of versioning required |
Revision security is not a function that can simply be activated in an existing database. It is the result of four technical architectural decisions that must be made from the outset - or that can be implemented subsequently through targeted expansion.
An audit trail (change log) documents every write operation on a data record: who changed what and when - with user ID, time stamp and old and new value. It is the technical basis for proving immutability.
In an audit-proof database for production data, this means that every change to a test result, every subsequent release and every parameter correction is recorded in the audit trail and cannot be deleted retroactively. The original entry is always retained - visible and traceable.
REQUIREMENTS FOR THE AUDIT TRAIL IN PRODUCTION
Timestamp: UTC-based, synchronized with external time server (NTP) - no local system time
User ID: Personal or uniquely assignable identifier - no group accounts
Change type: What was changed (insert, change, delete) and in which field
Old and new value: Both values must be retained - not just the current one
Immutability of the audit trail itself: The log must not be editable
Timestamps in production data fulfill a dual function: they prove the exact time at which a data record was recorded - and thus its assignment to a specific production process. A timestamp that originates from the local system time of a non-synchronized computer is worthless as proof.
Audit-proof time stamps fulfill three requirements: They are UTC-based and synchronized with an external time server (NTP), they are frozen when recorded (cannot be subsequently changed), and they are cryptographically secured or protected against manipulation in a blockchain-like structure.
In an audit-proof archiving structure, not everyone is authorized to do everything. Read access, write access and delete access to archived production data are strictly separated - with logged proof of every access operation.
The dual control principle is particularly mandatory for security-relevant changes to archived data: a subsequent correction of a test result (e.g. after the discovery of a measurement error) may only be made with a second, independent approval - and must be fully documented in the audit trail.
Checksums (hashes) ensure the integrity of archived files: A hash value (SHA-256 or better) is calculated for each archived file or data record at the time of archiving. If the content of the file is subsequently changed - including through bit red on the storage hardware - the new hash calculation results in a different value. The manipulation or damage is immediately recognizable.
Cryptographic signatures go one step further: they link the content of a file not only to a point in time, but also to a person or a system. A digitally signed component file not only proves that it has not been changed, but also who released it and when.
The archive format is the most frequently underestimated archiving decision. It determines whether data can still be read in 15 or 25 years' time - without the original software, which may no longer exist.
|
Format |
Suitable for |
Revision security |
Long-term stability |
Recommendation |
|---|---|---|---|---|
|
PDF/A (ISO 19005) |
Reports, protocols, certificates, test reports |
High - incl. embedded signatures |
Very high - ISO-standardized long-term format |
First choice for all documents and reports |
|
CSV (with schematic documentation) |
Raw data, measurement data, process parameters, batch reports |
Medium - only with external audit trail and checksums |
Very high - plain text, always readable |
First choice for structured mass data |
|
XML (with XSD validation) |
Structured data records, component files, configuration data |
High - schema validatable, easy to read |
High - open format, broad support |
Suitable for complex structured data |
|
JSON |
Structured data, API exports |
Medium - no native schema binding |
High - broad support |
Suitable if schema is documented externally |
|
Relational database (PostgreSQL, SQLite) |
Operational production data with query logic |
High - if configured with audit trail |
Medium - depending on database version |
For operational data; archive export to PDF/A or CSV recommended |
|
Microsoft Excel / Office formats |
- |
Low - easy to manipulate, no audit trail |
Low - version dependency |
Not suitable for audit-proof archiving |
|
Proprietary application formats |
- |
Very low - manufacturer dependency |
Very low - not readable without original software |
Not suitable |
|
Access database (.mdb/.accdb) |
- |
Low |
Low - End-of-life risk |
Not suitable for long-term archive |
Practical recommendation: The operational production database runs in a relational database with a complete audit trail. For long-term archiving, data is exported periodically (daily, weekly) in audit-proof formats: Reports and logs as PDF/A, raw data as CSV with schema documentation. All export files are given SHA-256 checksums.
In practice, we find these five gaps in manufacturing companies that are considered to be well documented in terms of auditing - but on closer inspection do not have audit-proof archiving.
The most common problem: The production database stores measured values and test results - but there is no audit trail. If a test result is subsequently changed (for whatever reason), the change is not logged. The current value is in the system. The original value is gone.
This is a critical finding in an IATF audit. In product liability proceedings, it is an evidentiary disadvantage: if changes are possible without proof, then the judge cannot rule out the possibility that relevant data has been subsequently adjusted.
Solution: Activate the audit trail - in most common database systems (PostgreSQL, SQL Server, Oracle) this is a configuration decision, not a new development. Subsequent activation protects from the time of activation - historical data without an audit trail remains a risk.
Many companies do not archive at all - they simply leave the data in the operational database. This is not an archive. An operational database is optimized for access performance, not for long-term stability. Database migrations, software updates and system reinstallations can change or render inaccessible operational databases.
Solution: Structured archiving process with a separate archive system: Operational data is periodically transferred to a separate, long-term stable archive system. The archive system is read-only - no write operations after the archiving time.
Test reports are archived as PDFs - but without a clear component reference. The report contains the date, the batch and the measured values. However, there is no link to the specific serial number of the component. In the audit, it is not possible to prove to which specific component the report belongs.
This is not a format problem - it is a database structure problem. The component reference must be entered as a mandatory field during data entry, not during the archiving export.
Solution: All archived test documents must contain the unique component key (serial number or batch number) as a structured metadata field - not only in the file name, but also in the document content and in the archive database as a searchable index field.
Machine control, MES and QMS record time stamps with different local system clocks. If these clocks are not synchronized, time deviations of seconds to minutes occur between data records that document the same production process. A causal link is therefore no longer clearly possible.
Solution: Cross-system NTP synchronization. All systems that record production data synchronize their system time with the same NTP server. Time deviation < 1 second as standard. Documented and regularly checked.
The company has an archiving policy - 'all data is stored for 10 years'. This blanket rule is sufficient for GoBD, but not for IATF 16949 (15 years) or EU product liability (25 years for latent damage). If data is deleted after 10 years, IATF-relevant quality data is no longer available.
Solution: Retention periods are defined per data category, not across the board for all data. The database architecture supports category-specific deletion locks: quality data is not deleted before the category-specific deadline has expired.
This test simulates the three situations in which audit-proof archiving is put to the test in practice: IATF audit, product liability case and official inquiry. Answer the questions for your actual archiving infrastructure - not for the desired one.
Imagine an IATF auditor sitting in front of your archive and asking for the complete component file for serial number XY-2021-003847 from the year 2022. Without your IT, without your database administrator.
Is there a structured index system that enables a targeted search by serial number or batch number?
✓ YES: The auditor finds the component file in under 3 minutes. Audit-proof archiving fulfilled.
✗ NO: IT escalation necessary. A yellow mark in the audit. A considerable risk in a legal dispute.
Are all documents in the component file saved in PDF/A format or as a structured CSV/XML export?
✓ YES: Format is future-proof and tamper-proof. All documents in a readable viewer.
✗ NO: Proprietary formats or Excel files. May no longer be readable in 10 years.
Does the archive contain a verifiable timestamp and a user ID of the archiving person for each entry?
✓ YES: Complete proof: Who archived what and when. Complete auditability.
✗ NO: No user IDs, no timestamps. No way to prove that data was not created retrospectively.
A court requires proof that component XY-2021-003847 fulfilled all test requirements at the time of delivery. The testing process took place four years ago.
Are the process parameters of the manufacturing process (torque, temperature, machine configuration) archived with component accuracy?
✓ YES: Proof of discharge possible: The component was demonstrably in order at the time of delivery.
NO: No process parameters archived. Proof of discharge cannot be provided. Liability risk.
Does the archive have an unalterable audit trail that demonstrably excludes subsequent manipulation?
✓ YES: Data is demonstrably original. No accusation of manipulation tenable.
NO: No audit trail. A court cannot rule out the possibility that data has been subsequently adjusted.