---
title: The 6 Most Common Mistakes in Audit-Proof Archiving
date: 2026-04-22T15:30:00+02:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/die-6-häufigsten-fehler-bei-der-revisionssicheren-archivierung"
section: "Entries: Articles"
---
### Mistake 1: Using a File Server as the Archive [\#](#mistake-1-using-a-file-server-as-the-archive "Mistake 1: Using a File Server as the Archive")

**The problem:** A folder structure on a file server feels like an archive, but it has no immutability. Any administrator (and any attacker with admin credentials) can modify or delete records. In an audit, you cannot prove that a single document is unchanged.

**The fix:** Move records under statutory retention to hardware WORM storage (for example Silent Cubes), where the system itself prevents modification and deletion for the retention period, regardless of credentials.

---

### Mistake 2: Software WORM Without Organizational Controls [\#](#mistake-2-software-worm-without-organizational-controls "Mistake 2: Software WORM Without Organizational Controls")

**The problem:** Object locks and retention flags are software WORM. In many configurations, privileged accounts can change policies, shorten retention, and then delete the logs that would have revealed it; S3 Object Lock in governance mode, for instance, can be bypassed by any principal that holds the `s3:BypassGovernanceRetention` permission, and only compliance mode removes that path. Without strict separation of duties and protected audit logs, the “immutability” is an assertion, not a guarantee.

**The fix:** For compliance data, use hardware WORM, where no software or credential path exists that can shorten retention or delete data before expiry. Where software WORM remains in use, add separation of duties, four-eyes changes, and tamper-resistant log storage, and verify regularly that the lock mode in force actually refuses deletion to the most privileged account.

---

### Mistake 3: No Process Documentation [\#](#mistake-3-no-process-documentation "Mistake 3: No Process Documentation")

**The problem:** The auditor cannot evaluate what they cannot understand. An archive without documented capture, workflow, authorization, and error-handling processes fails the orderliness requirement, even if the technology is flawless. National bookkeeping standards (in Germany, for example, the GoBD) make this documentation explicitly mandatory.

**The fix:** Write and maintain process documentation covering the full chain: capture, validation, archiving, access, retention, deletion, responsibilities. Update it with every system change.

---

### Mistake 4: Retention Periods Not Managed [\#](#mistake-4-retention-periods-not-managed "Mistake 4: Retention Periods Not Managed")

**The problem:** A single global retention setting is almost always wrong. Some records get deleted before their statutory period ends (an audit finding), others are kept forever (a GDPR storage-limitation violation). Retention periods differ by record type and member state; in Germany, for example, 10 years for commercial books and annual accounts, 8 years for accounting documents and invoices, 6 years for commercial correspondence, and the period runs from the end of the calendar year in which the record was created, so it always ends on 31 December rather than on the anniversary of the document date.

**The fix:** Implement a retention table per record type with legal basis, store the retention class with each record, and automate deletion after expiry.

---

### Mistake 5: Readability Not Ensured [\#](#mistake-5-readability-not-ensured "Mistake 5: Readability Not Ensured")

**The problem:** Immutable storage preserves the bits, not the ability to render them. Proprietary formats from discontinued software become unreadable within a decade, and an archive you cannot open fails the availability requirement.

**The fix:** Archive in long-term formats, primarily PDF/A (ISO 19005), and run periodic readability checks and format migrations where needed.

---

### Mistake 6: Ignoring GDPR Erasure [\#](#mistake-6-ignoring-gdpr-erasure "Mistake 6: Ignoring GDPR Erasure")

**The problem:** “It is on WORM, we cannot delete it” is not a valid answer to a data protection authority. GDPR Art. 17(3)(b) lets a statutory retention obligation override the right to erasure for as long as it applies; once the period expires, the personal data must be erased. Indefinite retention exposes you to fines of up to EUR 20 million or 4% of global annual turnover (Art. 83(5)).

**The fix:** Use WORM systems with built-in retention management: immutable during the statutory period, deletable (and deletion-logged) afterwards. Silent Cubes implement exactly this lifecycle.
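A retention-managed lifecycle of the kind Mistakes 4 and 6 call for, as an added example in Python rather than code from FAST LTA or Silent Cubes: a retention table per record type with legal basis, the retention class stored on each record, a store that refuses deletion while the period runs, and a hash-chained deletion log for what is erased afterwards. The record types, periods and legal bases are illustrative (German, as of 2025; verify them against current law before use), the rule that a period starts at the end of the calendar year of the document follows § 147(4) AO, the sample records are constructed, and the `Archive` class only simulates in application code what a hardware WORM controller enforces below the operating system.

```python
# Added example: retention table, per-record class, WORM-style refusal, hash-chained deletion log.
from dataclasses import dataclass
from datetime import date
import hashlib
import json

# Assumption: illustrative German periods (years) and legal bases, state 2025.
RETENTION_TABLE = {
    "commercial_books": (10, "§ 257(4) HGB, § 147(3) AO"),
    "accounting_document": (8, "§ 257(4) HGB, § 147(3) AO"),
    "invoice": (8, "§ 14b(1) UStG"),
    "commercial_correspondence": (6, "§ 257(4) HGB"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str     # retention class, stored with the record
    doc_date: date       # document date / last entry
    sha256: str          # content hash taken at ingest
    personal_data: bool  # drives mandatory erasure after expiry


def retention_end(record_type: str, doc_date: date) -> date:
    """Last day of the statutory period; unknown types raise, there is no global default."""
    if record_type not in RETENTION_TABLE:
        raise KeyError(f"no retention class for {record_type!r}; refuse to archive")
    years, _legal_basis = RETENTION_TABLE[record_type]
    # Assumption: the period starts at the end of the calendar year of the
    # document (§ 147(4) AO), so it always ends on 31 December.
    return date(doc_date.year + years, 12, 31)


def decide(record: Record, today: date) -> str:
    if today <= retention_end(record.record_type, record.doc_date):
        return "retain"           # under retention: deletion must be refused
    if record.personal_data:
        return "erase_required"   # GDPR Art. 5(1)(e) / Art. 17 after expiry
    return "erase_permitted"      # no statutory reason left to keep it


class Archive:
    """Simulated WORM store. Assumption: a hardware WORM system enforces the
    same refusal in the storage controller, not in application code."""

    def __init__(self) -> None:
        self._objects: dict[str, Record] = {}
        self.deletion_log: list[dict] = []
        self._last_hash = "0" * 64

    def ingest(self, record: Record) -> None:
        retention_end(record.record_type, record.doc_date)  # rejects unknown class
        self._objects[record.record_id] = record

    def records(self) -> list[Record]:
        return list(self._objects.values())

    def delete(self, record_id: str, today: date, actor: str) -> None:
        record = self._objects[record_id]
        end = retention_end(record.record_type, record.doc_date)
        if today <= end:
            raise PermissionError(f"{record_id} is under retention until {end}")
        entry = {"record_id": record_id, "record_type": record.record_type,
                 "sha256": record.sha256, "retention_end": end.isoformat(),
                 "deleted_on": today.isoformat(), "actor": actor,
                 "prev": self._last_hash}
        # Each entry commits to its predecessor: an edited or removed entry
        # breaks the chain at the next verify_log().
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._last_hash = entry["hash"]
        self.deletion_log.append(entry)
        del self._objects[record_id]

    def verify_log(self) -> bool:
        prev = "0" * 64
        for entry in self.deletion_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body.get("prev") != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_lifecycle(archive: Archive, today: date, actor: str = "retention-job") -> dict[str, str]:
    """One scheduled pass: erase and log expired records, leave the rest untouched."""
    decisions = {}
    for record in archive.records():
        decisions[record.record_id] = decide(record, today)
        if decisions[record.record_id] != "retain":
            archive.delete(record.record_id, today, actor)
    return decisions


def sample_archive() -> Archive:
    """Constructed sample records, not real data."""
    archive = Archive()
    archive.ingest(Record("inv-2016-0001", "invoice", date(2016, 3, 14), "a" * 64, True))
    archive.ingest(Record("corr-2019-0042", "commercial_correspondence", date(2019, 11, 2), "b" * 64, True))
    archive.ingest(Record("books-2016", "commercial_books", date(2016, 12, 31), "c" * 64, False))
    return archive
```

Running `run_lifecycle(sample_archive(), date(2026, 4, 22))` erases the 2016 invoice (period ended 31 December 2024) and the 2019 correspondence (ended 31 December 2025), both logged with their content hash and retention end, and keeps the 2016 commercial books until 31 December 2026; a `delete()` of the books before that date raises `PermissionError`, and editing any deletion-log entry afterwards makes `verify_log()` return `False`. Note what the example deliberately does not have: a default retention class, which is exactly the single global setting Mistake 4 warns against.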

---

### The Pattern Behind All Six [\#](#the-pattern-behind-all-six "The Pattern Behind All Six")

Each mistake comes from treating archiving as a storage purchase instead of a compliance process. The technology baseline (hardware WORM with retention management) solves mistakes 1, 2, and 6. The process work (documentation, retention table, format strategy) solves 3, 4, and 5. You need both.

---

### Further Resources [\#](#further-resources "Further Resources")

→ Audit-Proof Archiving Guide (/en/blog/revisionssicherheit-leitfaden/)
→ The 10 Criteria of Audit-Proof Archiving (/en/blog/10-kriterien-revisionssicherheit/)
→ Audit-Proof Archiving and GDPR (/en/blog/revisionssicherheit-dsgvo/)
→ PDF/A as an Archiving Format (/en/blog/pdf-a-archivformat/)
→ Silent Cubes: Hardware WORM Archive Storage (/en/produkte/silent-cubes/)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### GoBD

The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.

[Learn more →](https://www.fast-lta.de//en/glossary/gobd)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### Audit-Proof Archiving

Audit-proof archiving describes the legally required property of an archiving system that preserves documents completely, immutably, traceably and accessibly at all times — and that this can be demonstrated without gaps to tax authorities, auditors and data protection supervisory bodies.

[Learn more →](https://www.fast-lta.de//en/glossary/audit-proof-archiving)
