Legal compliance audit based on an intermediate model

During our practice we have developed a suitable solution for handling the legal compliance of information systems and products. We call this solution "legal compliance audit based on an intermediate model". The core of our approach is that the legal compliance of a system or product is assessed through an abstract intermediate functional model, which is suitable for representing both the particular technical reality and the legal requirements.

It is always hard to apply legal requirements directly to information systems and products, or to verify the fulfilment of these requirements, without facing severe ambiguities. The main reason for this is the distance between the general wording of legal requirements and the particular configuration of an information system or product.

In spite of this usually large distance, in practice it is not acceptable to sidestep the problem, because a clear answer is needed as to whether a particular system or product complies with the regulatory requirements or not. With our methodology it is always possible to give such a clear answer.


The use of an abstract functional intermediate model allows the technical reality to be compared with the legal requirements without blurring the line between them. This approach has several advantages; the most important ones are the following:


  • technical rationality is not disrupted by legal requirements
  • legal rationality is not disrupted by the technical reality
  • it is much easier to prove compliance after changes in the system or product
  • it is possible to examine the compliance with other sets of requirements without producing parallel documentation for the different purposes