Tax audit sharing (audit-share)
To grant a tax inspector temporary, traceable, read-only access during a tax audit, PratikYedek offers audit-share mode. The inspector sees only the backups of the taxpayer you authorise, from their own device; access closes automatically when the duration expires.
KVKK § 12 + audit right balance: the inspector cannot modify data, time is limited, every event is written to the audit log. Your taxpayer is informed by email that a share has occurred.
When to use it
- A tax office inspector will review the system during an audit
- An independent audit firm will test financial statements
- Evidence sharing with a lawyer / legal advisor is needed
- A senior inspector (Treasury, Council) needs a one-off review
Creating a share — step by step
1. Select the taxpayer
Panel → Tax Advisor → Taxpayers → click the relevant taxpayer.
2. Sharing tab
On the taxpayer detail page open the Sharing tab. Click + New share.
3. Choose access level
| Level | Description | Typical use |
|---|---|---|
read_only | View backup list + download | Tax audit (default) |
download_audit_log | Audit log download only — no backup access | Independent audit firm |
read_only_filtered | Only a specific date range | VAT refund audit (period) |
Tip:
read_onlyis sufficient for most audits. Pickread_only_filteredand set the range only if a date restriction is required.
4. Set duration
- 1 day — short audit (e-ledger verification)
- 7 days — standard audit (default)
- 30 days — long audit (Treasury, Council)
Access closes automatically when the duration expires. You can extend it if necessary.
5. Inspector email
Enter the inspector's corporate email. This address is:
- Where the one-time link is sent
- Where the OTP is sent
- The inspector identity retained in the audit log
Important: Use a corporate email, not a personal one (gmail/hotmail). Otherwise this may violate KVKK § 12.
6. Create
Click Create. The system:
- Generates a one-time access link
- Sends it to the inspector's email
- Sends an information email to the taxpayer
- Writes an entry to the audit log
A new row appears in the Sharing list: Status: Pending (the inspector has not logged in yet).
The inspector's side
Access flow
The inspector clicks the link in the email:
- audit.pratikyedek.com opens
- Email + 6-digit OTP verification (sent by email)
- Accept → only the authorised taxpayer and level is shown
What the inspector can see
- Backup list of the taxpayer (date + size + file type)
- Download button per backup (at read_only level)
- Audit log download (at download_audit_log level)
What the inspector cannot see
- Your other taxpayers
- Billing / account settings
- Master password / encryption key
- The plaintext of backup content (end-to-end encrypted — only the encrypted blob)
Note: At read_only level the inspector downloads the backup and opens it locally. The master password to decrypt it is provided by your taxpayer (KVKK § 4 accurate data principle — the advisor does not store the master password).
Audit log
All sharing events are written to audit_log and retained for 7 years (KVKK § 12 + Tax Procedure Law).
Which events are logged?
| Event | Detail |
|---|---|
share_created | Share was created (advisor identity + inspector email) |
share_viewed | Inspector logged in (IP + time + user agent) |
share_otp_failed | OTP entered incorrectly (brute-force protection) |
share_backup_listed | Inspector opened the backup list |
share_backup_downloaded | Inspector downloaded a backup (which backup + size) |
share_audit_downloaded | Inspector downloaded the audit log |
share_expired | Time expired, automatically closed |
share_revoked_manual | Advisor revoked manually |
Audit log export
Panel → Tax Advisor → Taxpayers → [taxpayer] → Audit Log page:
- Date range filter
- Event type filter
- CSV / JSON / PDF export
- Search by inspector email
Practical use: When the audit ends, download the audit log as CSV and send it to your taxpayer. This is both KVKK § 10 disclosure and evidence in the taxpayer's own files.
Error scenarios
"Invalid OTP"
- OTP is valid for 5 minutes, then auto-deleted
- After 5 wrong attempts the account is locked for 15 minutes
- The inspector can request a new code via "Resend"
"Access denied"
- Time has expired — you need to create a new share
- The advisor revoked manually — the reason is in the log
- The inspector is trying to open the wrong taxpayer — the link only opens the specified taxpayer
Taxpayer information email didn't arrive
- The taxpayer's email may be wrong in the database — update via Taxpayers → edit
- Ask them to check spam
- If there's a Mailcow SPF/DKIM/DMARC issue, a notification arrives at info@islemci.com
Inspector says "the download is very slow"
- The backup is end-to-end encrypted — no server-side decryption, so the size is original + encryption metadata = ~1% bigger
- Slow if the inspector uses ADSL/3G
- For very large backups (10+ GB), recommend they use a corporate connection
Email examples
Access email sent to the inspector
Subject: PratikYedek tax-audit access — [Taxpayer Name]
Dear [Inspector Name],
[Advisor Name] has granted you temporary access to backup data of
[Taxpayer Name] via PratikYedek.
• Duration: 7 days (until 30 June 2026 23:59 Türkiye)
• Level: read_only (list + download backups)
• Access link: https://audit.pratikyedek.com/share/abc123
Click the link and enter the 6-digit OTP that will arrive at your email.
In the KVKK § 12 + audit-right balance, all your actions are written
to the audit log. For questions: kvkk@pratikyedek.com
PratikYedek — destek@pratikyedek.comInformation email sent to the taxpayer
Subject: Your backups were shared for audit purposes
Dear [Taxpayer Name],
Your tax advisor [Advisor Name] has granted temporary read-only access
to your backups within the following tax audit:
• Inspector: [Inspector Name] ([inspector@authority.gov.tr])
• Duration: 7 days (until 30 June 2026 23:59)
• Access level: List and download backups only
All accesses are written to the audit log; ask your advisor for the
full list or write to kvkk@pratikyedek.com.
This sharing is made under KVKK § 12 + § 5/2-a (legal obligation);
no separate consent from you is required.
PratikYedek — destek@pratikyedek.comRevoking a share
Panel → Shares → row's ⋮ menu → Revoke.
- Access is closed instantly (if the page is open, the inspector sees "Access ended")
- audit_log records
share_revoked_manual+ reason - A revocation email is sent to the taxpayer
- A revocation email is also sent to the inspector
FAQ
Q: If the inspector downloads a backup to their own device, does that data stay there? Yes — the file the inspector downloads is on their device. Under KVKK § 12 the inspector uses this data only for the audit and deletes it afterwards. This is the responsibility of the inspector's institution.
Q: Can I create a single share for multiple taxpayers? No — one share per taxpayer. This is a deliberate design choice for audit log clarity + separation of authority.
Q: Is there auto-renewal of the duration? No — When the duration expires, the advisor must approve manually. This prevents unnecessarily long inspector access.
Q: The inspector says the OTP didn't arrive? Ask them to check spam. It is sent by Mailcow; SPF/DKIM/DMARC are intact but some institutional filters can be strict. Solution: instead of the inspector's email, use another corporate email (open a new share).
What's next?
→ Taxpayer transfer — to another advisor → KVKK § 12 — Data security