What is the Post-Audit Model?
The post-audit model is the traditional VAT compliance regime in which invoices are exchanged directly between the supplier and the customer, and the tax authority does not see them until a specific audit is triggered. Invoices are self-validated by the trading parties, archived according to national retention rules, and made available on request during an inspection.
The model has dominated Europe for decades and remains the default in many EU Member States as of 2026 — notably Germany (transitioning), Netherlands, Austria, Ireland, Denmark, and most Nordic countries outside the SII/CTC scope.
Post-audit is the counterpart to Continuous Transaction Controls (CTC). Where CTC gives the tax authority continuous visibility (via clearance or real-time reporting), post-audit gives it retrospective visibility only.
How the Post-Audit Model Works
A typical post-audit invoice lifecycle:
1. Seller issues the invoice. The invoice may be paper, PDF, structured electronic (UBL, CII), or hybrid (Factur-X/ZUGFeRD). Legal validity is between the two parties.
2. Buyer receives the invoice, books it, and recovers input VAT.
3. Both parties archive the invoice according to national retention rules (commonly 7–10 years in the EU).
4. The business files periodic VAT returns with the tax authority (summary numbers, not transaction-level data).
5. During an audit, the tax authority requests specific invoices or a full VAT book; the business must produce them with integrity and authenticity intact.
The defining property: the tax authority never sees the invoice proactively. It only sees what the business submits in summary VAT returns, unless an audit is opened.
Legal Requirements Under Post-Audit
Even in a post-audit regime, structured rules apply to how invoices must be handled:
Authenticity, Integrity, and Legibility
For the tax authority to accept electronic invoices as primary evidence, the business must ensure the authenticity, integrity, and legibility of each invoice over the full retention period.
Under the EU VAT Directive (2010/45/EU), businesses can satisfy these requirements in three ways:
1. Business controls — documented audit trails linking invoice to business transaction (widely used, flexible, but evidence-heavy in audits).
2. Qualified electronic signature (QES) — cryptographic signature based on qualified certificates.
3. EDI (Electronic Data Interchange) — structured exchange under a written agreement between parties.
In post-audit jurisdictions, "business controls" is the most common approach. Companies build controlled procurement-to-pay workflows that demonstrate a reliable link from order to invoice to payment.
Retention
Invoices must be archived for the national retention period. EU minimum: 6 years; many countries require 7–10 years. Archival must preserve authenticity and integrity — simple email folders are not sufficient for audit defense.
Why Post-Audit Is Being Replaced
Three pressures are pushing EU Member States away from post-audit:
1. VAT gap — the difference between expected and actual VAT revenue was €89 billion in 2022 across the EU. Post-audit's retrospective visibility gives fraudsters weeks or months to disappear.
2. Missing trader (carousel) fraud — exploits the delay between invoice issuance and tax-authority visibility.
3. ViDA — the EU's VAT in the Digital Age package, adopted March 2025, mandates Digital Reporting Requirements (DRR) by July 2030 for intra-EU B2B. DRR is real-time reporting; post-audit is incompatible with it.
As a result, most EU Member States are moving (or have moved) from post-audit to a CTC model:
By 2030, most of the EU will have moved off post-audit for cross-border B2B.
Post-Audit vs. CTC: Operational Comparison
Is Post-Audit Ever Coming Back?
No. The direction is one-way. Once a Member State adopts CTC for a transaction type, it does not revert. Germany's current B2B e-invoicing obligation is a stepping stone — structured invoices are exchanged between parties today, but ViDA DRR in 2030 will add the reporting leg.
Even countries that still look like post-audit today are building the plumbing for future CTC adoption. If you are designing an ERP or AP system for any EU market, assume that post-audit is a temporary state and architect for a future real-time reporting model.
What ERP Developers Need to Know
1. Post-audit is the default, not the future. Don't build a system that assumes invoices only flow between seller and buyer. Architect for a reporting endpoint to a third party (tax authority or CTC infrastructure).
2. Retention is non-trivial. Under post-audit, invoices must be preserved with authenticity and integrity for 7–10 years. Treat archiving as a compliance feature, not an afterthought.
3. Business controls need evidence. If your customers rely on business controls (vs. QES or EDI) for authenticity, make the audit trail exportable and linkable from order → invoice → payment.
4. Track the CTC transition per country. Post-audit Member States are all moving toward CTC on different timelines. Germany (2025/2027/2030+), Netherlands (ViDA 2030), Denmark (ongoing digital bookkeeping), Poland (already in clearance since 2026) — each requires a different roadmap.
5. Don't invest in post-audit-only workflows. Features like "internal-only e-invoice archive" are short-lived. Any new build should treat structured electronic invoicing + reporting as the target state.
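Points 2 and 3 above, as an added example that is not part of the original article or any ERP product: a hash-chained archive index that records the order → invoice → payment link for each invoice and reports altered documents, altered metadata, and incomplete links. Field names, IDs, and invoice contents are hypothetical and constructed; the chain is only tamper-evident if the latest `entry_hash` is also kept somewhere the archive operator cannot rewrite, and it does not replace a QES or EDI agreement.

```python
# Added example; field names, IDs and invoice bytes are hypothetical.
import hashlib, json

GENESIS = "0" * 64

def _entry_hash(entry):
    # Hash every field except the entry's own hash, in canonical JSON form.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_invoice(archive, invoice_bytes, invoice_no, order_id, payment_id=None):
    """Append an archive entry chained to the previous one."""
    entry = {
        "invoice_no": invoice_no,
        "order_id": order_id,        # link back to the purchase order
        "payment_id": payment_id,    # link forward to the payment, once made
        "doc_sha256": hashlib.sha256(invoice_bytes).hexdigest(),
        "prev_hash": archive[-1]["entry_hash"] if archive else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    archive.append(entry)
    return entry

def verify_archive(archive, documents):
    """Return (invoice_no, problem) findings; documents maps invoice_no -> bytes."""
    findings, prev = [], GENESIS
    for e in archive:
        no = e["invoice_no"]
        if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
            findings.append((no, "chain broken or entry metadata altered"))
        doc = documents.get(no)
        if doc is None:
            findings.append((no, "document missing from archive"))
        elif hashlib.sha256(doc).hexdigest() != e["doc_sha256"]:
            findings.append((no, "document content changed since archiving"))
        if not e["order_id"] or not e["payment_id"]:
            findings.append((no, "order -> invoice -> payment link incomplete"))
        prev = e["entry_hash"]
    return findings

def demo():
    # Constructed sample data, not real invoices.
    docs = {"INV-001": b"<Invoice><ID>INV-001</ID><Total>119.00</Total></Invoice>",
            "INV-002": b"<Invoice><ID>INV-002</ID><Total>238.00</Total></Invoice>"}
    archive = []
    append_invoice(archive, docs["INV-001"], "INV-001", "PO-7001", "PAY-9001")
    append_invoice(archive, docs["INV-002"], "INV-002", "PO-7002")  # not yet paid
    clean = verify_archive(archive, docs)
    docs["INV-001"] = docs["INV-001"].replace(b"119.00", b"19.00")  # simulate tampering
    return clean, verify_archive(archive, docs)
```

Exporting the `archive` list together with the findings gives an auditor the link from order to invoice to payment in one file.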