---
title: "Compliance with WORM Storage: What External Financial Auditors Expect"
date: 2026-02-11T08:55:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/compliance-mit-worm-speicher-was-wirtschaftsprüfer-erwarten"
section: "Entries: Articles"
---
### Why the Archive Is Part of the Financial Audit [\#](#why-the-archive-is-part-of-the-financial-audit "Why the Archive Is Part of the Financial Audit")

Auditors do not audit storage hardware for its own sake. They audit the reliability of the records that support the financial statements. Two standards drive this:

**ISA 315 (Identifying and Assessing the Risks of Material Misstatement)** requires the auditor to understand the entity’s information system and the IT controls around it, including how records are captured, processed, and retained. An archive in which records can be silently modified is a control weakness that raises the assessed risk and expands audit procedures.

**EU and national retention law** requires that accounting records remain available and unaltered for defined periods. MiFID II adds strict record-keeping duties for investment services; eIDAS (Regulation (EU) 910/2014) defines the EU framework for electronic records, signatures, and qualified preservation. In Germany, for example, commercial books and annual accounts must be retained for 10 years and accounting documents for 8 years (10 for banks, insurers, and securities institutions) under the rules in force since 2025; other member states have comparable national periods.

The practical consequence: if your archive cannot demonstrate immutability and recoverability for the full retention period, you have both a compliance gap and an audit problem.

---

### What Auditors Examine in the Archiving System [\#](#what-auditors-examine-in-the-archiving-system "What Auditors Examine in the Archiving System")

Audit teams approach the archive with four recurring questions:

#### 1. Immutability [\#](#1-immutability "1. Immutability")

Can stored records be modified or deleted before the retention period expires, by anyone, including administrators? Evidence the auditor expects:

- A system description showing how immutability is enforced
- For hardware WORM systems: the manufacturer’s compliance documentation or independent certification
- Demonstration that administrative access cannot override the retention lock

Hardware WORM, where immutability is enforced at the storage hardware and firmware level, is the strongest answer here. A software retention policy is only as strong as the configuration and the credentials that protect it: an attacker who obtains administrative rights, or a careless administrator, can change the policy. A hardware-enforced retention lock has no setting that can be changed, so there is nothing to talk it out of.

#### 2. Process Documentation [\#](#2-process-documentation "2. Process Documentation")

Auditors expect a documented procedure that describes how records enter the archive, how they are indexed, who can access them, and how the retention periods are managed. The documentation must match reality: a beautiful procedure manual that the team does not follow is a finding, not a defence.

#### 3. Recovery Tests [\#](#3-recovery-tests "3. Recovery Tests")

An archive that cannot reproduce its records is worthless as audit evidence. Auditors increasingly ask for documented restore tests: when did you last retrieve archived records, verify their integrity, and confirm readability? Keep dated test records.

#### 4. Redundancy and Integrity Verification [\#](#4-redundancy-and-integrity-verification "4. Redundancy and Integrity Verification")

Retention periods of 8 to 10 years and longer exceed the service life of individual drives and usually of the storage platform itself. Auditors look for:

- Redundant storage of archived data (multiple media, ideally multiple locations)
- Automatic, ongoing integrity checks that detect and repair silent data corruption
- A documented media and technology migration strategy for the full retention period

---

### Germany as an Example: GoBD and Procedure Documentation [\#](#germany-as-an-example-gobd-and-procedure-documentation "Germany as an Example: GoBD and Procedure Documentation")

Member states translate the EU framework into detailed national requirements. Germany is a useful example because its rules are unusually explicit: the GoBD principles require that tax-relevant records are retained completely, in an orderly manner, and protected against alteration, and they require a formal procedure documentation (Verfahrensdokumentation) describing the archiving process end to end. German auditors and tax auditors ask for this document by name.

If you operate in several member states, treat the strictest applicable national requirement as your baseline; an archive that satisfies the German rules will rarely have difficulty elsewhere in the EU.

---

### How Hardware WORM Answers the Auditor’s Questions [\#](#how-hardware-worm-answers-the-auditors-questions "How Hardware WORM Answers the Auditor's Questions")

Silent Cubes, FAST LTA’s hardware WORM archive, were designed for exactly this audit situation:

- **Hardware-enforced immutability:** records cannot be modified or deleted during the retention period, regardless of software, credentials, or administrator intent. The control the auditor needs to verify is structural, not configurable
- **Automatic integrity verification:** the system continuously checks stored data and repairs errors from redundant copies, addressing the long-term integrity question
- **Redundancy by design:** data is stored with erasure coding across multiple disks, and replication to a second system or location is supported
- **Audit-ready documentation:** the manufacturer’s compliance documentation supports the system description the auditor requests

For records that must be kept immutable but not forever, retention periods are set per data object and expire on schedule, which also serves GDPR storage limitation duties.

One clarification that matters in vendor selection: WORM is an archiving function. Backup systems serve a different purpose (fast, complete recovery), and the two should not be conflated. In the FAST LTA portfolio, Silent Cubes provide the hardware WORM archive; the Silent Brick System covers backup and secondary storage with air gap and immutability for recovery scenarios.

---

### Checklist: Before the Audit Team Arrives [\#](#checklist-before-the-audit-team-arrives "Checklist: Before the Audit Team Arrives")

- System description of the archive, including how immutability is enforced
- Manufacturer compliance documentation or certification for the WORM mechanism
- Procedure documentation: ingest, indexing, access control, retention management
- Access logs for the archive
- Dated records of restore and integrity tests
- Retention schedule mapped to the applicable EU and national periods
- Migration strategy for media and technology over the full retention period

If you can hand over these seven items on day one, the archive portion of the audit is a documentation review rather than an investigation.

---

### Further Resources [\#](#further-resources "Further Resources")

- [Audit-Proof Archiving Guide](/en/blog/revisionssicherheit-leitfaden/)
- [10 Criteria for Audit-Proof Archiving](/en/blog/10-kriterien-revisionssicherheit/)
- [Software WORM vs. Hardware WORM](/en/blog/software-worm-vs-hardware-worm/)
- [Audit-Proof Archiving and GDPR](/en/blog/revisionssicherheit-dsgvo/)
- [Silent Cubes: Hardware WORM Archiving](/en/produkte/silent-cubes/)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### GoBD

The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.

[Learn more →](https://www.fast-lta.de//en/glossary/gobd)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### Audit-Proof Archiving

Audit-proof archiving describes the legally required property of an archiving system that preserves documents completely, immutably, traceably and accessibly at all times — and that this can be demonstrated without gaps to tax authorities, auditors and data protection supervisory bodies.

[Learn more →](https://www.fast-lta.de//en/glossary/audit-proof-archiving)
