When audit trails go off track and how to prevent this


Johannesburg, 16 Jan 2020
Denis Bensch, CIO, FlowCentric Technologies.
Denis Bensch, CIO, FlowCentric Technologies.

We live in an era in which compliance and accountability are key to business sustainability, and this requires the implementation of effective and unambiguous audit trails.

Audit trails not only provide the support documentation and history required to authenticate security and operational actions, they can also identify areas of non-compliance and provide information for audit investigations. They will, for example, contain details that include the date, time and user information associated with a transaction or process.

But sometimes audit trails go off track. According to Denis Bensch, CIO of FlowCentric Technologies, this usually occurs when employees no longer follow the correct procedures.

“While deviations from correct procedure may occasionally be the result of some kind of criminal intent such as fraud or theft, more often than not, it is because the steps involved in the process itself are too difficult to follow or understand,” he explains.

“When a process is slow or ineffective, or when it hasn’t been updated to reflect pertinent changes in the organisation, that’s when people begin to stray from the prescribed procedure.

“It’s human nature to look for the simplest – or laziest – way to get something done. If that means circumventing a tedious process to achieve what appears to be the same result, there’s no doubt some employees will take that route. Thereafter, the new ‘less tedious’ but unauthorised process could become the de facto – and undocumented – process that all other employees will either follow, or also circumvent with modifications of their own.”

Undocumented changes to and deviations from official processes may be so incremental that they remain undetected for months or even years. But the cumulative effect of these incremental changes could ultimately lead to a situation of “process anarchy” with every employee or department having their own “process”, doing their own thing in their own way.

“That’s when an audit trail will disappear into a minefield of opaque unaccountability,” Bensch says. “Management will have lost control over how the company’s processes are executed.”

Stay on track

Keeping an audit trail on track is therefore a matter of controlling processes and ensuring employees don’t deviate.

But how? Micromanagement is not an option in large organisations; and continually threatening people’s jobs should they not adhere to processes and policies will undermine both employee morale and the company’s reputation.

The answer, says Bensch, is to make it as easy as possible for employees to follow the company’s processes – and as difficult as possible to deviate from them – by making processes unobtrusive and transparent.

This is where business process management (BPM) comes to the fore.

Digitising and automating business processes can alleviate a great deal of pressure from managers, freeing them to focus on important aspects of business, instead of having to micromanage their team’s every action,” Bensch adds.

An advanced BPM platform enables organisations to entrench their business rules in every step of a process. Employees simply follow the instructions laid out on a consistent set of screens, capture the required data, and hit submit. The BPM platform will then execute the next step according to the rules defined by the business.

Because the system is easy to follow, only minimal training is required, and the risk of human error or unauthorised intervention is drastically reduced.

As an additional benefit, notifications and reminders can be sent to users directly from the system, informing them when they have tasks to complete, ensuring that no task is forgotten and that nothing slips between the cracks.

“At no stage is an employee able to deviate from the system or alter the execution of the process so unauthorised incremental change is impossible. Importantly, each step in the process, from initiation to completion, is tracked and fully auditable, ensuring that every individual is accountable for their role in any process. Compliance is assured and a full audit trail is maintained,” Bensch says.

Once the integrity of the audit trail is assured, businesses will be in a position to realise all its benefits:

  • Accountability. Because the audit trail can identify who accessed the system, when, and what actions were taken, it promotes appropriate user behaviour and significantly reduces the improper use of information, including unauthorised use or data modification.
  • Event reconstruction. To successfully investigate a flagged event, the investigator needs data supporting the “when”, “where”, “what”, “how”, and “who” of the event. A flagged event could range from hacking and system failures, to corruption or fraud. An audit trail provides visibility into events, enabling the business to not only detect potential problems, but prevent any further occurrences of the issue.
  • Intrusion detection. Unauthorised access to systems is a serious threat to every organisation. There are increasingly stringent regulations in place for the protection and security of information, the maintenance of customer confidentiality and protection of personnel information. Financial records and intellectual property must also be secured. Audit trails can help with the identification of suspicious behaviour or actions that could indicate a breach of the system, regardless of whether that breach is external or internal.

Auditing is a complex process, one that can involve investigators from both inside and outside of the business looking for the proverbial needle in a haystack.

Organisations that have leveraged a BPM platform to digitise and automate their corporate operations find that audits are much simpler as the system stores accurate, searchable data that is easy to understand and straightforward to review.

When implemented correctly, a BPM platform can deliver an audit trail that internal stakeholders can use to identify and address problems before an external auditor needs to be brought in.

Share