Let's get on each others' calendars.

What’s in an Audit Trail?

Why You Need Event Logs in Your Business

52% of large companies suffered from fraud in the last two years. One in five lost more than $50 million in one incident alone.

Fraud like this is one of many problems that having a consistent audit trail will solve, and that’s precisely what this post will teach you all about, and how to do just that.

Whether you’re looking to prevent business fraud, keep your data secure, enhance productivity, or provide yourself with a method to analyze your business more effectively, audit trails are a vital tool in your arsenal that need to be used and maintained in order to run a successful company.

That’s not even mentioning that having healthy audit trails is a requirement in order to pass many vital audits such as SOC 2 compliance.

Hence why we’ll be covering:

  • What is an audit trail?
  • Why do you need an audit trail?
  • What audit trails need to include
  • How SaaS audit trails differ
  • How to make the most of your audit trails

Let’s get started.

What is an audit trail?

Source, image in the public domain

An audit trail is a log of all changes that have been performed, which can be used to verify data accuracy, uncover errors and identify potential fraud in the event of an audit. This means that the trail can be of events relating to financial transactions, employee activities, product development, and so on.

That might sound a little complicated, so let’s cut through the jargon and put it in simple terms.

Think of it like this; you have a bank account that you need to keep track of. You need to know what money has gone in and out and why those transactions have occurred in order to have a grasp of your finances and know what you can and can’t afford.

The audit trail is akin to your bank statement in this example.

The bank statement, much in the same way that the audit trail does, shows you all of the information you need to prove what the current status of your bank account is. You have records of when money was moved in or out, a reference for the payment (even if it’s as simple as the name of the coffee chain you were buying from), and from that you can be certain that you know what state your finances are in.

An audit trail does the same thing - it provides the (chronological) context of changes made to any system to prove that everything is correct and can be relied on. More than that, it can be used to diagnose where issues originated from when things go wrong, and in general encourage a greater attention to detail, since everyone knows that their activities are being monitored.

In SaaS, many enterprise-level customers will require you to have an audit trail of certain activities in order to do business with you, so they’re also a requirement to land bigger customers. Even more so, many will require you to have a method for them to create an audit trail of their own team’s activities in order to satisfy their own security procedures.

Why do you need an audit trail?

Source by KG Shreyas Thimmaiah, image used under license CC BY-SA 4.0

Audit trails are vital to ensure that any information you have and the decisions you make are true and reliable. By providing you with proof of what happened, when it happened, potentially why it happened, and who was involved, you don’t have to spend hours upon hours double-checking all of the information that goes into making core decisions like what to focus your marketing on, when to expand a department, or even what your company’s financial health looks like.

Think about it - how do you prove what your finances look like?

Chances are that you take a look at how much money you have in reserve, then examine your costs and revenue, and use that to calculate how long you have before you run out of money (if you’re going to at all). This is a core part of budgeting, especially as a startup, but there’s no way to rely on your conclusions if you can’t prove that your information is correct.

Furthermore, let’s say that you see that your reserve cash has massively decreased in the last month despite revenue and costs remaining constant. Your audit trail (in this case the financial records of the company’s account) will show you when the money left your account, who was involved in that transaction, and from that (or from the context in the log) you can deduce why this happened at all.

This is one of the reasons why audit trails are so vital, because they let you know what state your business is in and show you exactly why that’s the case.

Beyond that, an audit trail is an invaluable piece of information in proving said company’s status to other parties, be they potential customers, VCs, or legal bodies.

Whether you’re proving a company’s value to potential investors, showing enterprise-level customers that your security is up to their standards, or complying with legal requests for information relating to certain activities, audit trails of the events contributing to all of these things are the only way that you have to back up your word on the matter. In fact, most of these examples will require you to have an audit trail - they don’t just make the activity easier, they’re required for them to happen at all.

There’s another benefit to having fleshed-out audit trails which isn’t often focused on, and that’s the effect of having the systems in place to create them beyond their strict application.

For example, imagine that you’re handling sensitive company information as part of your day-to-day duties. You go about your day as per usual, doing your best to follow regulations and make sure that nothing goes wrong as a result of your actions.

Now imagine that you also know that your activities while handling that sensitive information are being tagged as part of your security audit trail.

It’s only natural that you would be hyper-aware of what you’re doing, and much more careful with any activity that could result in disaster if not performed correctly. In the same way that a speed camera might cause you to be hyper-vigilant about your speed (even if you don’t break the speed limit normally), the audit trail will impress the importance of your actions at every step of the journey, making it less likely that you’ll make a mistake in the first place.

What audit trails need to include

Source by Tom Ventura, image used under license CC BY 2.0

The contents of an audit trail will differ wildly depending on what the audit trail is focused on, what it’s trying to track, what your company’s function is, and who the information is intended for.

One of the more common forms of audit trail is that relating to your finances. These trails are used to make financial audits easier to carry out, and are in some cases required as part of external audits carried out by certified accountants. For example, in order to become SOC 1 compliant you’ll need to have a financial audit trail to hand over to the CPA assessing your business.

Generally speaking, audit trails fall into two categories; those that are automatically recorded and those that are manually filled in.

Automatically generated audit trails will usually include things such as login attempts, user IDs, dates and times of the attempts, the device they used, changes to records and files, timestamps of those changes, opens, closes, edits, prints, and item deletion. These actions are usually split between System-Level (login attempts, device used, etc) and Application-Level trails (changes to records and files).

Beyond that, you have User Audit Trails which are, as you might expect, records of actions performed by a specific user. These are also usually automatically generated by logging user actions, as manual records would require an insane amount of work and review in order to verify. User trails are particularly useful when trying to find out why a negative event occurred and who is responsible for the fallout, as you can trace back who carried out the actions which sparked the disaster.

All of these automated audit trails are also fantastic for combating fraud when and even before it happens. Not only do they allow you to see and trace back to when something suspicious happened, but you can identify the party involved with the same level of accuracy, thus discouraging bad actors from trying to do so in the first place.

Finally, there are the manually created audit trails. These are usually for elements such as your work processes and documentation, as they are more static documents that only require updating as and when needed. If you’re using some kind of checklist software you could automate tracking compliance with your procedures too, as you would be able to see when tasks were logged as complete and who by, or whether the process was followed at all to begin with.

How SaaS audit trails differ

Source by Bib Mical, image used under license CC BY 3.0 US

SaaS businesses are a little unique in their relationship to audit trails due to their nature. Providing software as a service to customers means that you need to have strict control over what data you handle, who can access that data, and what security measures are put in place in order to protect your users. Not only that, but SaaS companies as a whole are far more likely to have an entirely digital presence - the business model lends itself to remote working, meaning that asynchronous communication and having a way to track your team’s activities is vital to your success.

But what does all of this mean for SaaS companies?

Well, for starters it means that any already established SaaS company is likely to already have some kind of audit trail for everything they do, even if they don’t fully realize it. For example, Slack is a popular choice for facilitating communication between remote teams, which also means that there are message logs that can be pulled if anything comes into question. At most you might need to ensure that regular backups of those messages are saved, but otherwise Slack itself is logging some user activity for you.

Do you use checklist software? If so, you’re already documenting your processes and logging instances of employees following them, so that’s not something that needs fundamentally changing.

However, the main element that becomes much more complex (and thus requires clear recording for your audit trails) in SaaS companies is that of data security. You need to ensure that you have a tight hold on who has access to sensitive data, and a way to automatically log instances where users interact with said data.

How to make the most of your audit trails

Although your audit trails and logs may come into explicit use when you’re having an audit carried out, there is another way that you can benefit from having them around. You can use them to analyze any problems you’re running into and get the full scope of the issue in order to effectively solve it.

Whether you’re looking into a data breach, checking in on your employee’s practices and conduct, or making sure that your finances are at expected levels, audit trails give you the hard evidence you need to see exactly what happened, when it happened, and who was involved at the time.

We’re not saying that audit trails are always easy to understand and use however. Amazon Cost and Usage Reports are a fantastic example of this, in that they’re a log of all of the financial and usage data relating to your AWS accounts, but without a lot of experience reading them or a tool such as our own AWS Spend Transparency Software, you’re going to struggle to make any sense of them.

The key is having someone with the expertise on hand to be able to interpret what your audit trails are telling you, or utilizing another tool or service to take care of that for you.

Without that insight, you’re losing out on your chance to make sure that your next audit goes smoothly!

Finance Glossary for CTOs