Audit Trails – Do Not's and Don't's

Normally CEO would handle a topic such as this, but I've been personally involved in it now, so I'm handling this round.

When you are contracting with the Federal Government (maybe State too, not sure), they require audit logs of just about every financial transaction imaginable. It makes sense: they want to make sure they are awarding contracts to organizations that they believe will be around long enough to complete the project and provide support for N years thereafter. In theory, they also want to make sure that taxpayers' money is being used legitimately, but I won't go into that right now.

Therefore, this becomes a mission-critical process for Billing, Payroll, Accounting, and a variety of other internal departments. There must be accountability for WHO did WHAT transaction WHEN. For example, when someone submits their timesheet for the week, you'd like to know who it was, when it happened, and what projects they billed to throughout the week.

What happens when there is no audit/transaction log? What happens when there are no security practices?

In my current position, nearly none of the applications track who logs in or when. None of the applications track who made what changes. In addition to this, the standard authentication is the employee's ID and a subset of the Social Security Number. Therefore, we have a username/password that is entirely predictable and cannot be changed, coupled with minimal logging. What results is an auditors' dream.

When a client is sent a bill, there is no way to determine whether the hours charged are correct, if the person who worked the hours actually put in their hours, or if the hours were changed between an employee inputting them and the bill being created.
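To show what the missing piece looks like in practice, here is an added example (my own illustration, not code from any of the applications described above) of a minimal tamper-evident audit trail for timesheet changes. Every entry records who did what to which record and when, and each entry's hash covers the previous entry's hash, so the chain tells you not only that the hours changed between submission and billing, but exactly which recorded step changed them; an in-place edit or a deleted entry breaks the chain at that point. The employee IDs, timesheet ID, project codes, hours and timestamps are all constructed for the demo.

```python
# Added example (not from the original post): a minimal tamper-evident audit
# trail for timesheet changes. Every entry records WHO did WHAT to WHICH
# record WHEN, and each entry's hash covers the previous entry's hash, so a
# later in-place edit (or a deleted entry) breaks the chain at that point.
# All names, record ids, hours and timestamps below are constructed.
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def canonical(event):
    """Stable serialisation of an entry without its own hash field."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def entry_hash(event):
    return hashlib.sha256(canonical(event).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log: entries are never updated, only superseded."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, target, details, at):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = {
            "seq": len(self.entries),
            "at": at,            # ISO-8601 timestamp supplied by the caller
            "actor": actor,      # authenticated principal performing the action
            "action": action,    # e.g. "login", "submit", "update"
            "target": target,    # record being acted on
            "details": details,  # what changed
            "prev_hash": prev,   # links this entry to the one before it
        }
        event["hash"] = entry_hash(event)
        self.entries.append(event)
        return event

    def verify(self):
        """Return (True, None) if intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or entry_hash(e) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def history(self, target):
        """Every recorded action on one record, in order."""
        return [e for e in self.entries if e["target"] == target]


def current_hours(trail, timesheet_id):
    """Hours as of the latest surviving entry for a timesheet, or None."""
    hours = None
    for e in trail.history(timesheet_id):
        if e["action"] in ("submit", "update"):
            hours = dict(e["details"]["hours"])
    return hours


def build_demo_trail():
    """Constructed scenario: an employee submits, then a clerk changes it."""
    trail = AuditTrail()
    trail.append("E1234", "login", "app", {"method": "password"},
                 "2024-03-08T17:01:00Z")
    trail.append("E1234", "submit", "TS-2024W10",
                 {"hours": {"PROJ-A": 32, "PROJ-B": 8}}, "2024-03-08T17:05:00Z")
    trail.append("E0042", "update", "TS-2024W10",
                 {"hours": {"PROJ-A": 40, "PROJ-B": 8},
                  "reason": "client PO correction"}, "2024-03-11T09:30:00Z")
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    print("intact:", trail.verify())
    for e in trail.history("TS-2024W10"):
        print(e["seq"], e["at"], e["actor"], e["action"], e["details"])
    # Someone with raw database access edits the submitted hours in place
    # instead of appending an "update" entry: the chain now fails at seq 1.
    trail.entries[1]["details"]["hours"]["PROJ-A"] = 48
    print("after in-place edit:", trail.verify())
```

Two caveats a practitioner would raise. First, the `actor` field is only as trustworthy as the authentication behind it; with a shared, unchangeable Employee ID/SSN "password" the trail records a name, not a person. Second, a hash chain stored in the same database as the application is only tamper-evident if the latest hash is anchored somewhere the writers cannot reach (exported to write-once storage, or signed by a separate service), otherwise anyone with write access can simply rebuild the chain after editing it.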

Employees in departments such as HR, Payroll, or their supervisors who legitimately have access to the required data (Employee ID & SSN, remember?) can cause huge problems for the organization months or years after they leave because this “authentication scheme” provides zero authenticity, zero credibility, and zero reliability.