The Missing Attachment Incident: How a Simple PDF Became an Audit Problem
An audit room is silent until a file is missing. Then it gets loud. One lost PDF can invalidate your controls. Here is how to build a bulletproof trail.
The Most Expensive Hide-and-Seek
The most stressful week of my life was not a cash crunch. It was a tax audit where we lost a folder.
The auditor selected a sample of 20 high-value transactions. Transaction #12: A €15,000 payment to a consulting firm. “Show me the invoice and the contract,” the auditor said.
We clicked the link in the accounting software. 404 Not Found. We checked the shared drive. Nothing. We checked the email of the CFO. He had left the company two years prior.
Suddenly, a standard operational expense looked like money laundering. The auditor raised an eyebrow. The timeline extended. The fees went up. We spent three days hunting for one PDF.
This is the absurdity of fragile trails. We move millions of Euros, but we store the proof in scattered, disconnected shoe boxes.
The Audit Risk: The “Disconnected” Ledger
In a bad system, the Data (the numbers in Xero/QuickBooks) and the Evidence (the PDF invoice) live in different places.
- Data is in the cloud.
- Evidence is in John’s “Downloads” folder.
This separation is fatal. Over time, links break. Files get renamed. People delete folders to “save space.”
When the tax man comes, he does not care about your intent. He cares about the chain of evidence. If the chain is broken, the expense is disallowed. You pay the tax, plus the fine, plus the interest.
The Control: The “Attached or Nothing” Policy
We need to treat the PDF as the body of the transaction. The data entry is just the shadow. You cannot have a shadow without a body.
Rule 1: No Entry Without Attachment
Configure your accounting software (or your Ops team’s brain) to refuse any journal entry that does not have a source document attached.
- No PDF? Do not click “Post”.
- Wait for the document.
Rule 2: The Digital Archive is Primary
Do not print invoices. Paper fades. Paper gets lost in fires. The digital PDF attached to the transaction ID in the cloud is the legal record. Ensure your software provider backs this up.
Rule 3: The “Narrative” Field
A PDF tells you what. It does not always tell you why. For every weird transaction (e.g., “Consulting Fees”), add a memo: “Rebranding project Q3 2025 - Contract signed by CEO.” Give the auditor the context before they ask for it.
Conclusion
An audit should be boring.
If you are sweating, running around, and searching through archived emails from 2023, you have failed. The goal is to open the screen, point to the attachment, and watch the auditor nod and move on.
Sleep is precious. Don’t lose it over a missing PDF.
FAQs
Can't I just email the vendor for a copy later?
Maybe. If they still exist. If they answer. If you have the order number. Relying on 'later' is gambling.
Do bank statements count as proof?
No. A bank line says who you paid. It does not say *what* you bought or *why*. It is proof of movement, not proof of obligation.
Where should I store the PDFs?
Attached directly to the transaction in your accounting software. Google Drive is a graveyard. The ledger is the source of truth.