Q: audit trail ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: audit trail
Category: Business and Money > Consulting
Asked by: ideasmerchant-ga
List Price: $19.50
Posted: 25 Jun 2002 09:01 PDT
Expires: 25 Jul 2002 09:01 PDT
Question ID: 32932
What are the benefits of having an audit trail?

Request for Question Clarification by politicalguru-ga on 25 Jun 2002 09:09 PDT
Benefits to whom, the businessman?
Answer  
Subject: Re: audit trail
Answered By: larre-ga on 25 Jun 2002 10:19 PDT
Rated:5 out of 5 stars
 
Thanks for asking!

Webopedia defines an audit trail as:

"A record showing who has accessed a computer system and what
operations he or she has performed during a given period of time.
Audit trails are useful both for maintaining security and for
recovering lost transactions. Most accounting systems and database
management systems include an audit trail component. In addition,
there are separate audit trail software products that enable network
administrators to monitor use of network resources."

Internet.com
Webopedia - Audit Trail - October 31, 2001
http://www.webopedia.com/TERM/A/audit_trail.html


The article "Leaving a Digital Trail" by Sandi Smith, prepared for the
American Institute of Certified Public Accountants (AICPA) states:

"The electronic audit trail is a broad concept without an agreed-upon
definition or standard. In the software industry, it's a feature of a
system that usually comes in the form of logs. For example, an
accounting system might track all journal entries made during a
particular time frame and log them in a file or report, which can be
printed upon demand. An intrusion detection system would log all
attempted break-ins into another type of log. And an authentication
system on a network would log all users, their time of login and
logout, and potentially their activities.

In the accounting industry, "audit" is a very specific word with a lot
of responsibility. An electronic audit trail is a form of electronic
evidence that can be used to trace transactions to verify their
validity and accuracy. As of yet, there is little authoritative
guidance in the profession as to what an electronic audit trail should
look like. But there is a lot of talk about the possible components of
an electronic audit trail."

Components of a Digital Trail

"The digital equivalent of a handwritten signature is a digital
signature. A digital signature offers a guarantee that the
corresponding document has not been altered and that it originated
with the person signing it. A digital certificate goes a step further:
it authenticates the sender because a certificate must be issued by a
third party certificate authority, such as Verisign. A further
concept, PKI, or public key infrastructure, uses a combination of
encryption technologies, software, and services to ensure transaction
security by and between business organizations."

Electronic Benefits

"Predictions of a few years ago heralded the concept of the paperless
office to be ubiquitous by now. Interestingly enough (and
embarrassingly enough to the predictors), the trend has reversed
itself. We now have more paper than ever before. Perhaps the
predictors would have been more accurate if they focused on the paper
trail instead of paper in general. The paper trail is certainly
yielding to its electronic counterpart, as companies realize the
significant financial benefits that automation brings."

Toptech - AICPA
Leaving A Digital Trail, by Sandi Smith
http://www.toptentechs.com/issues/Issue9/


SearchEBusiness.com also offers an audit trail definition. "In
accounting, an audit trail is the sequence of paperwork that validates
or invalidates accounting entries. In computing, the term is also used
for an electronic or paper log used to track computer activity. For
example, a corporate employee might have access to a section of a
network in a corporation such as billing but be unauthorized to access
all other sections. If that employee attempts to access an
unauthorized section by typing in passwords, this improper activity is
recorded in the audit trail."

The full definition is available at:

searchEBusiness.com
Audit Trail - Definitions
http://searchebusiness.techtarget.com/sDefinition/0,,sid19_gci541384,00.html


Some electronic applications require a specific degree of
accountability, for example FDA regulation 21 CFR Part 11 requires a
particular set of procedures and an audit trail with respect to record
keeping and digital signatures within the pharmaceutical industry. The
audit trail is used to assure the authenticity of electronically
submitted documents.

FDA Office of Regulatory Affairs Compliance References:
Title 21 CFR Part 11 - Electronic Records/Signatures
http://www.fda.gov/ora/compliance_ref/part11/


The exact audit trail benefits will, of course, be dependent upon the
industry, company or process. To summarize - the general benefits of
audit trails include:

*  Authentication of users and access within a network
*  Authentication of digital signatures
*  Transaction accountability in electronic record keeping
*  Reduction of paper logs
*  Cost savings
*  Compliance with general oversight regulations
*  Compliance with government regulations (some applications)
*  Expeditious investigation of cybercrime


Background

Additional examples and/or case histories of audit trail applications

MOSA Organic
Audit Trail - Certified Organic Farming
http://www.mosaorganic.org/audit.html

USA Today Tech Report
Digital Trail Leads to Teen Hacker
http://www.usatoday.com/life/cyber/tech/cth369.htm

Audit Trail Software Examples

ExpressMetrix
http://www.expressmetrix.com/default.asp

CyberLAB
http://www.scisw.com/products/cyberlab/features/feature08.htm

ADS - Limathon
http://www.limathon.com/toc.htm

Palace Guard
http://www.pgsas400.com/secure_net.htm


Google Search Terms
"audit trail" benefits
"audit trail"
"audit trail software"

I hope you find this information useful. Should you have any
questions, please, feel free to ask.

- larre -

Request for Answer Clarification by ideasmerchant-ga on 26 Jun 2002 02:04 PDT
I was more looking for a list of reasons why audit trails are
important. Something along the lines of "we have audit trails
because..."

Clarification of Answer by larre-ga on 26 Jun 2002 10:01 PDT
"We have audit trails because: "

**  Audit trails are used for authentication of users and access
within a network

"An audit trail is a series of records of computer events, about an
operating system, an application, or user activities. It is generated
by an auditing system that monitors system activity. Audit trails have
many uses in the realm of computer security:

Individual Accountability
An individual's actions are tracked in an audit trail allowing users
to be personally accountable for their actions. This deters the users
from circumventing security policies. Even if they do, they can be
held accountable.

Reconstructing Events
Audit trails can also be used to reconstruct events after a problem
has occurred. The amount of damage that occurred with an incident can
be assessed by reviewing audit trails of system activity to pinpoint
how, when, and why the incident occurred.

Problem Monitoring
Audit trails may also be used as on-line tools to help monitor
problems as they occur. Such real time monitoring helps in detection
of problems like disk failures, over utilization of system resources
or network outages.

Intrusion Detection
Intrusion detection refers to the process of identifying attempts
to penetrate a system and gain unauthorized access. Audit trails can
help in intrusion detection if they record appropriate events.
Determining what events to audit so that audit trails can be used in
an effective manner to aid intrusion detection is one of the present
research issues being looked into by the research community."

Audit Trails
http://www.cerias.purdue.edu/homes/rgk/at.html

**  Audit trails are used in conjunction with authentication of
digital signatures

"The notion of a digital signature can prove extremely useful to
guarantee the accuracy of audit trail logs. For example, if it is
claimed that a record was accessed by a particular user, it makes
sense to demand that a digital signature be created by that user in
order to provide access, and this digital signature should then be
countersigned by the authority that provided access to the records. In
this way, the audit logs cannot later be tampered with by either party
in order to make it appear that access either did or did not occur."

Technology Tools - Audit Trails
http://www.swcp.com/~mccurley/cs.sandia.gov/health/node20.html#SECTION00035000000000000000


**  Audit trails provide transaction accountability in electronic
record keeping

"The Internet and other electronic telecommunications networks are
becoming a center of commercial transactions. Many of these
transactions take place entirely over the network, with no physical
goods changing hands. Contracts, software, news articles, technical
designs, music, video-recordings, subpoenas, land deeds, stocks,
airline ticket confirmations, and money can be transferred across a
telecommunications network without a single piece of paper changing
hands. Such transactions require two critical features that are often
in conflict: auditability and privacy [17]. This paper demonstrates
that it is possible for a system to provide both without compromise.

In the physical world, we often balance privacy and auditability by
generating papers which are inherently hard to forge. For example, it
is possible to purchase items from a store using cash while
maintaining complete anonymity. A cash register provides auditability
by recording every purchase on paper. These papers make it possible
for store owners to catch a dishonest sales clerk, and for tax
collectors to catch a dishonest store owner. In addition, the customer
is given a receipt for the transaction. Receipts are also on paper,
making them difficult to forge. If a system cannot provide (at least)
the same degree of auditability, it may not meet the demands of users
to be protected from fraud[17], or the legal requirements of tax
collectors [16,17]. This auditability must be achieved through a new
mechanism, as bits in computer memory are easy to change. There has
been considerable attention on the development of a suitable payment
system for electronic commerce [2,19], but not on the complementary
system to produce and verify an audit trail.

Even one-party transactions can require both privacy and auditability.
For example, consider an inventor racing to patent an invention. If an
auditor can determine that the invention's documentation was complete
by the stated date, then the inventor's rights are protected. However,
the inventor clearly does not want to reveal her invention, i.e. she
wants to maintain privacy."

Proc. of Internet Society INET '99
Electronic Commerce with Verifiable Audit Trails, by Jon M. Peha 
http://www.ece.cmu.edu/~peha/etrans.html


**  Audit trails offer a reduction of paper logs and cost savings

The White House
Office of Management and Budget
Guidance on Inter-Agency Sharing of Personal Data - Protecting
Personal Privacy

"OMB is issuing guidance to remind agencies of several privacy-related
legal requirements that apply to computer matching and to clarify how
agencies should conduct computer matching activities. This guidance
applies to data matching activities or programs for purposes of
establishing or verifying eligibility for Federal benefit programs or
recouping payments or delinquent debts under such programs covered by
the Computer Matching and Privacy Protection Act ("Matching Act"),(1)
an amendment to the Privacy Act of 1974, 5 U.S.C. Section 552a,
whether data are shared between Federal agencies or matched with State
agency data.(2) Although this guidance applies directly only to
programs covered by the Matching Act, agencies should consider
applying these principles in other data sharing contexts.

Inter-agency sharing of information about individuals can be an
important tool in improving the efficiency of government programs. By
sharing data, agencies can often reduce errors, improve program
efficiency, identify and prevent fraud, find intended beneficiaries,
evaluate program performance, and reduce information collection burden
on the public.

As government increasingly moves to electronic collection and
dissemination of data, under the Government Paperwork Elimination Act
and other programs, opportunities to share data across agencies will
likely increase. Agencies should work together to determine what data
sharing opportunities are desirable, feasible, and appropriate. In
general, data sharing should only be pursued if the benefits outweigh
the costs.

With increased focus on data sharing, agencies must pay close
attention to handling responsibly their own data and the data they
share with or receive from other agencies. When information about
individuals is involved, agencies must pay especially close attention
to privacy interests and must incorporate measures to safeguard those
interests. Prior to any data sharing, agencies must review and meet
the Privacy Act requirements for computer matching, including
developing a computer matching agreement and publishing notice of the
proposed match in the Federal Register; OMB Guidance on Computer
Matching (54 Fed. Reg. 25818, June 19, 1989); and OMB Circular A-130,
Appendix I, "Federal Agency Responsibilities for Maintaining Records
About Individuals." Agencies must also review and meet applicable
requirements under other laws, including the Paperwork Reduction Act
of 1995."

The White House
Office of Management and Budget
Guidance on Inter-Agency Sharing of Personal Data - Protecting
Personal Privacy
http://www.whitehouse.gov/omb/memoranda/m01-05.html


**  Audit trails provide compliance with general oversight regulations

Security Controls

"While the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking, the
substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking. This
should include establishing appropriate authorisation privileges and
authentication measures, logical and physical access controls,
adequate infrastructure security to maintain appropriate boundaries
and restrictions on both internal and external user activities and
data integrity of transactions, records and information. In addition,
the existence of clear audit trails for all e-banking transactions
should be ensured and measures to preserve confidentiality of key
e-banking information should be appropriate with the sensitivity of
such information.

Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort
regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimise legal and
reputational risk associated with e-banking activities conducted both
domestically and cross-border, banks should make adequate disclosure
of information on their web sites and take appropriate measures to
ensure adherence to customer privacy requirements applicable in the
jurisdictions to which the bank is providing e-banking services."

Bank for International Settlements
Risk Management Principles for Electronic Banking
Basel Committee Publications No. 82, May 2001
http://www.bis.org/publ/bcbs82.htm


**  Audit trails are often required to provide compliance with
government regulations

"There are two imperatives currently vying for priority in health care:
the need to provide easy, instantaneous access to medical information
to improve patient care, and the need to restrict such access to avoid
compromising patient privacy. Instead of resolving the issue,
technology further complicates it with very sophisticated tools that
can address either issue separately but not simultaneously.

Currently, we can apply uniform standards to electronic health
information, thus enabling seamless data exchange. The finalization of
the Health Insurance Portability and Accountability Act's transaction
and code set standards, which were expected this summer, will likely
take effect in 2002. These sets comprise strict national standards for
all bills to be submitted and will ultimately lead to universal
provider, payer, and possibly patient identifiers as well."

American Health Information Management Association
Access Audit Trails - En Route to Security
http://www.ahima.org/journal/features/feature.0009.2.html


**  Audit trails can provide expeditious investigation of cybercrime

"A potent blend of high-tech sleuthing and old-fashioned detective
work helped to point the FBI toward "Mafiaboy," a 15-year-old hacker
in Canada who is one of several suspects in the Web site attacks last
week.

Mafiaboy clumsily left a digital trail and boastful dialogue in chat
rooms that was traced by computer experts at Stanford University and
two Palo Alto-based security consulting firms, Recourse Technologies
and Securify.com."

USA Today Tech Report
Digital Trail Leads to Teen Hacker
http://www.usatoday.com/life/cyber/tech/cth369.htm

ideasmerchant-ga rated this answer: 5 out of 5 stars
Perfect, thanks, good job.

Comments  
Subject: Re: audit trail
From: matt042-ga on 07 May 2004 12:34 PDT
 
Hello,

Just to follow up on the comment regarding the Pharma industry and 21
CFR Part 11.  21 CFR 11 basically attempts to accommodate the need to
have electronic records be as secure and verifiable as paper records.

For example, if on a paper record you have to change a value for
something due to a typo/misspelling, you would cross out the word,
initial and date the crossout, provide a comment explaining the
crossout and write the correct word.  An audit trail provides the
ability to change a value and maintain the ability to look at the
history of what the value was previously.  Otherwise if you overwrote
a record in a database you would have no knowledge of what it had
previously been.  Also this helps to prevent, for example, a
non-passing result being changed to a passing result as the employees
are aware that their actions are tracked.
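
The change history described in the comment above, as an added example that is not part of the original thread: every change keeps the old value, who made it, when and why, and a SHA-256 hash chain (an assumption added here, not something the thread specifies) makes later edits to the history detectable. The class, field names and sample values are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first entry


def _digest(body):
    # Canonical JSON so the same entry always produces the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedRecord:
    """Current values plus an append-only history of every change."""

    def __init__(self):
        self.values = {}
        self.trail = []

    def change(self, field, new_value, user, reason, when):
        if not reason:
            raise ValueError("a change needs a reason, like the comment beside a crossout")
        body = {
            "seq": len(self.trail),
            "field": field,
            "old": self.values.get(field),  # previous value is kept, never overwritten
            "new": new_value,
            "user": user,
            "when": when,
            "reason": reason,
            "prev_hash": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        self.trail.append({**body, "hash": _digest(body)})
        self.values[field] = new_value

    def history(self, field):
        return [(e["old"], e["new"], e["user"], e["reason"])
                for e in self.trail if e["field"] == field]


def verify(trail):
    """Return the index of the first entry that fails the chain check, or None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def demo():
    # Constructed sample data: a failing result later changed to passing.
    rec = AuditedRecord()
    rec.change("assay_result", "FAIL", "analyst1", "initial entry", "2004-05-07T09:00:00Z")
    rec.change("assay_result", "PASS", "analyst1", "retest after recalibration", "2004-05-07T11:30:00Z")
    forged = [dict(e) for e in rec.trail]
    forged[0]["new"] = "PASS"  # history rewritten to hide the original FAIL
    return rec.history("assay_result"), verify(rec.trail), verify(forged)
```

A chain like this only exposes edits made by someone who cannot also recompute every later hash, so the latest hash has to be stored or signed somewhere the record's editors cannot write. Removing entries from the end of the trail is likewise only noticed if that last hash is kept elsewhere.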
