
Audit Trail – How to track, trace and verify financial activities

Being able to look back on what happened when there is a need to investigate irregularities or errors, confirm compliance, or identify who did what is an invaluable capability in any organisation. What makes this possible is Audit Trail. Implementing good audit trail enables churches and charities to track, trace and verify financial activities.

Contents

Introduction

 

So, how does Audit Trail help to track, trace and verify financial activities?

 

Financial transactions such as receiving income and making purchases are a daily part of church and charity operations.

 

The financial records maintained are an important source of evidence that those transactions took place and by whom.

 

Most churches and charity organisations use accounting software to process income received, expenditure transactions, assets and liabilities.

 

Tracking the right information through good audit trail is very important in making sure that, when activities subsequently need to be traced back, the trail can provide information of relevance and value.

 

For example, a supplier (vendor) chases payment for services provided.  The finance officer finds that payment has already been made, but the supplier insists that they did not receive the payment.

 

Further investigation shows that the bank account that the payment was made into was different from the supplier’s bank account on the system.

 

It transpired that the supplier’s bank account details were changed to those of the perpetrator just before the payment was made, and changed back to the right bank account number after the fraudulent payment.

 

Five people have the necessary access at a level that could allow bank account details to be changed.  How do you know who made the change and when?

 

Good audit trail implemented for areas of high financial risk would show when such changes are made and by whom.
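
The supplier scenario above, turned into a check over a system audit log, as an added example that is not part of the original article: it looks for a supplier bank-detail change that is reversed shortly afterwards, with a payment to the temporary account in between, and reports who made each change and when. The log layout, user names, account numbers and the two-day window are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): time, user, action, vendor, before, after.
# For PAYMENT rows, "after" holds the account the money was sent to.
SAMPLE_LOG = """\
2024-03-01T09:02:11,amina,BANK_CHANGE,V-104,11112222,33334444
2024-03-04T16:41:09,carl,BANK_CHANGE,V-017,20304050,99990000
2024-03-04T16:55:30,finance1,PAYMENT,V-017,,99990000
2024-03-04T17:20:02,carl,BANK_CHANGE,V-017,99990000,20304050
2024-03-05T10:00:00,finance1,PAYMENT,V-104,,33334444
"""

def parse_log(text):
    """Turn each CSV line into a dict with a parsed timestamp, oldest first."""
    fields = ["when", "user", "action", "vendor", "before", "after"]
    events = [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]
    for e in events:
        e["when"] = datetime.fromisoformat(e["when"])
    return sorted(events, key=lambda e: e["when"])

def find_change_pay_revert(events, window=timedelta(days=2)):
    """Flag a bank-detail change that is undone within `window` while a payment
    went to the temporary account in between; report who, what and when."""
    findings = []
    changes = [e for e in events if e["action"] == "BANK_CHANGE"]
    for change in changes:
        for revert in changes:
            same_vendor = revert["vendor"] == change["vendor"]
            undoes = (revert["before"], revert["after"]) == (change["after"], change["before"])
            in_window = timedelta(0) < revert["when"] - change["when"] <= window
            if not (same_vendor and undoes and in_window):
                continue
            paid = [p for p in events
                    if p["action"] == "PAYMENT" and p["vendor"] == change["vendor"]
                    and p["after"] == change["after"]
                    and change["when"] < p["when"] < revert["when"]]
            if paid:
                findings.append({
                    "vendor": change["vendor"],
                    "temporary_account": change["after"],
                    "changed_by": change["user"], "changed_at": change["when"],
                    "reverted_by": revert["user"], "reverted_at": revert["when"],
                    "payments": [(p["when"], p["user"]) for p in paid],
                })
    return findings

if __name__ == "__main__":
    for finding in find_change_pay_revert(parse_log(SAMPLE_LOG)):
        print(finding)
```

The check only works if the system records the before and after values of bank-detail changes against a named user; a change with no revert (V-104 in the sample) is not flagged and would need a separate review of all recent bank-detail changes.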

 

This article takes you through what audit trail is, the importance of audit trail, and how to implement it.

 

Table Stewards uses a light-hearted scene setting approach to introduce its topics, but if you would prefer to dive straight into any part of the article, please click the relevant link in the table of contents above.

 

 

Scene Setting

 

The Learning and Development Committee of The Stable Foundation Church is getting ready to start their pre-meeting in the usual manner before their Saturday masterclass.

 

Sister Jane: We have a long list of topics to choose from today based on the emails we received during this week.  What do you think we should ask the Coach to cover today?

 

Leader Badtrus: Hmm!  Give me a few minutes, as I need to respond to this urgent text from Sister Comfort.  She says that the requisition for the new members class refreshments has been approved and wants me to place the order online immediately.

 

Sister Mary: Have you seen the approved requisition?

 

Leader Badtrus: Well, she put the key information in her text message – the list of refreshments, where to order from, and the amount approved.  Nothing more is required so it does not make a difference if the requisition is not attached. 

 

Sister Mary: You need proper audit trail for transactions and, as far as I recollect from the masterclass on internal controls, text was not mentioned as audit trail.

 

Leader Badtrus: Says the deputy coach! We are talking about refreshments for 30 people, not a laptop computer!

 

Sister Jane: Coach Emmanuel knows just when to walk in! What is your take on this – is a text message appropriate audit trail for Leader Badtrus to make a purchase online?

 

Coach Emmanuel: Assuming you subsequently cannot trace the approved requisition, would you be able to prove beyond doubt that you were duly authorised to carry out the purchase and have followed the internal control processes?

 

Leader Badtrus: Well, I wouldn’t say beyond doubt, but I don’t delete my text messages …

 

Coach Emmanuel: You know what, why don’t we cover Audit Trail in our masterclass today so we all know what it means, why we need it and can recognise when it is in place.  As the name implies, it leaves a trail of activities so that they can be audited, but there is a lot more you should know. Let’s head down to the masterclass…

 

 

What is Audit Trail?

 

Simply put, Audit Trail is a sequential record of events that enables activities and transactions to be traced back to source.

 

Good audit trail shows what took place, when it took place and who did it.

 

Another definition of Audit trail is a record of a sequence of events (such as actions performed by a computer) from which a history may be reconstructed.

 

Audit trail can also be defined as a step-by-step record by which accounting, trade details, or other financial data can be traced to their source. Audit trail is a sequential record detailing the history and events related to a specific transaction or ledger entry.

 

Organisations can maintain different forms of audit trail for various activities or transaction types.

 

Examples of areas where audit trail is important include the external audit of the financial records of the church or charity; investigating bank reconciliation discrepancies; investigating internal control breaches leading to fraud or error; or identifying who accessed an accounting system to process a particular transaction.

 

Audit trail helps support and confirm that the internal controls within a process have been followed appropriately.

 

If you can’t show evidence to prove that something happened, then it could easily be argued that it didn’t happen.

 

 

Audit Trail Contents

 

Audit trail should include enough information to help establish what event happened and the result, when it took place, and who carried it out, or what led to the event.

 

Most audit trail would show the before and after status of the event.

 

Audit trail can be offline (e.g. based on paper or electronic forms), automated within systems by stamping transactions with user identification, date and time and by audit logging, or a combination of both.

 

Automated audit trail is more effective and robust and facilitates consistency.  It is also important to preserve audit trail from accidental or deliberate tampering or deletion.

 

An example of audit trail to show that an item was approved for purchase would include:

  • Description of the requested goods or services (i.e. what?);
  • Signature (if paper-based) or systems username (automated) of the requester on the Requisition (i.e. who?);
  • Date of the transaction if paper-based, or date and time for most automated systems (i.e. when?);
  • Signature (if paper-based) or systems username of the requisition approver (i.e. who?);
  • Date (and time) of the approval (i.e. when?).

Similarly, in IT-enabled systems, the systems audit log of access can show who logged into the system, when, and what areas they accessed or any transactions they completed.

This can be used to monitor the security of systems, to help ensure the integrity of transactions and the confidentiality of information, and to identify risks to the availability of the systems from hacking attacks.

 

The process of creating the automated audit trail is built into software systems and is usually controlled by the highest levels of system access.

 

This ensures that no user can turn it off or amend it, so that its integrity is maintained.
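
One way to make each audit entry carry the who, what, when and before/after status described in this section, and to make later amendment or deletion detectable, is to chain every entry to the previous one with a hash. This is an added example, not code from the article or from any accounting product; the hash-chain technique, the field names and the sample entries are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry

def entry_digest(entry):
    """SHA-256 over every field except the entry's own hash, in a fixed key order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, who, when, what, before, after):
    """Record who did what and when, with the before and after values."""
    entry = {"seq": len(log) + 1, "who": who, "when": when, "what": what,
             "before": before, "after": after,
             "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = entry_digest(entry)
    log.append(entry)
    return entry["hash"]

def verify(log, expected_head=None):
    """Return the position where the chain first breaks, or None if intact.

    expected_head is the latest hash as noted by an independent reviewer;
    without it, entries removed from the end of the log go unnoticed.
    """
    prev = GENESIS
    for position, entry in enumerate(log, start=1):
        if (entry["seq"] != position or entry["prev"] != prev
                or entry["hash"] != entry_digest(entry)):
            return position
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log) + 1
    return None

def build_sample():
    """Constructed entries mirroring the supplier bank-detail scenario."""
    log = []
    append_entry(log, "carl", "2024-03-04T16:41", "V-017 bank account", "20304050", "99990000")
    append_entry(log, "finance1", "2024-03-04T16:55", "V-017 payment", None, "paid to 99990000")
    head = append_entry(log, "carl", "2024-03-04T17:20", "V-017 bank account", "99990000", "20304050")
    return log, head

if __name__ == "__main__":
    log, head = build_sample()
    print("intact log:", verify(log, head))
    log[0]["who"] = "amina"  # someone rewrites the "who" of the first entry
    print("after the edit, chain breaks at entry:", verify(log, head))
```

A plain hash chain only makes changes detectable if the latest hash is held by someone who cannot rewrite the log, which fits the segregation of duties between log reviewers and access administrators discussed later in the article.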

 

 

Audit Trail – Importance and Benefits

 

So, why is audit trail important and what benefit does it provide?  Audit trail:

 

  • Supports user accountability

 

People carrying out transactions know that their actions are tracked and tied to their identity, be it via their system username or physical signature.

This helps promote integrity in carrying out transactions.

 

  • Confirms compliance with internal controls

 

Controls which require approval of requests, financial authorisation or recording of transactions can be proven to have taken place by a review of the audit trail showing what was done, when and by whom.

Where internal controls were breached or retrospectively applied, this can also be revealed e.g. requisition approvals taking place after an invoice has been received can be discovered through a review of dates of approval.

 

  • It is a detective control in itself

 

Monitoring of system audit logs and review of reports showing audit trail of transactions can help identify errors or anomalies for further review.

This also serves as a deterrent against unauthorised transactions.

The review of audit trail should therefore be built into operational processes to ensure that it happens at regular intervals so that detection and correction opportunities are not missed.

 

  • Enables the reconstruction of events leading to a transaction

 

When an investigation is required to understand how a transaction happened, such as an unrecognised payment from the bank account, audit trail built into the internal control processes should help track the transaction back to source.

 

  • Supports internal and external audits or inspections

 

The existence of audit trail in any system or process is the backbone of evidence that supports audit or inspection activity.

 

Evidence used to validate transactions, confirm assets and liabilities, income and expenditure, or dues, relies on the audit trail created over relevant periods of time.

 

  • Provides evidence for investigation of fraud or irregularities

 

Who did it? When? What did they do? How was it carried out? These are very important questions in any investigation into fraud or irregular activities.

Access to reliable audit trail goes a long way in helping to unravel answers to these questions.

 

  • Enables Intrusion Detection

 

Attempts to gain unauthorised access to a system via intrusion can be detected in real time or after the event, depending on how audit trail is set up.

Audit trail on IT systems can be set up to send notifications of unauthorised access attempts or external system penetration to a systems administrator as they happen.

Alternatively, the audit logs can be reviewed on a daily basis to identify such activity after the event.

 

How to determine what Audit Trail to implement?

 

Any internal control process should include a means of providing evidence that the process has been followed or completed.

 

Audit trail should be commensurate with the risks associated with the processes and systems in the organisation.

 

Regulatory bodies may also require the organisation to maintain a level of audit trail to demonstrate compliance, such as when reclaiming tax on donations.

Understanding what could go wrong, what the applicable minimum regulatory compliance requirements are, and the environment and limitations within which the church operates should help towards a robust risk assessment to inform the appropriate strategy.

 

Smaller churches may rely on internal control processes that use paper or electronic forms as audit trail, such as wet signatures, or an email trail with an attached electronic form to demonstrate approval of a transaction.

 

Some churches use a combination of offline and automated systems such as electronic offline forms for requisitioning and automated accounting software for recording transactions, and then carry out bank reconciliations offline.

 

Very large churches may have full enterprise resource planning systems that automate most of their processes with inbuilt audit trail.

 

This would range from online completion and approval of requisitions, system-based receipting and invoice matching, automated bank payments to suppliers, system-enabled bank reconciliations, system audit logs for a variety of functionality, date/time stamping of transaction entries and authorisation etc.

 

For such systems, the risk assessment should help inform how the church configures its inbuilt audit trail to mitigate its risks.

 

Systems audit trail is far more effective than a paper-based or email/electronic trail, but it can take up significant storage space.

 

A proper risk assessment will help the church to make informed choices based on the cost-benefit analysis of the controls required to mitigate risks.

 

Questions that may help include:

 

  • How can we know whether the laid down policies and internal control processes are being followed to ensure the integrity of processes or transactions?

 

  • How can we trace who carried out or authorised a transaction for accountability and to deter or detect fraud?

 

  • How can we track who accessed our systems and what they did, for security, integrity and confidentiality of our information?

 

  • How can we track who has custody of the organisation’s assets?

 

  • How do we ensure and prove compliance with regulatory requirements?

 

  • Can personal or sensitive information be accessed or breached by unauthorised people without trace?

 

  • How can we ensure that our audit trail is preserved from deliberate or accidental deletion or compromise?

 

 

How long should Audit Trail be Kept?

 

Ideally, audit trail should be maintained for the statutory life of transactions. Regulatory requirements usually specify how long accounting or transactional records should be retained for.

 

This should guide the retention periods of the associated audit trail.

 

 

How often should Audit Trail be reviewed?

 

The purpose of each type of Audit trail should guide how often it is reviewed.  For example, audit trail of access to sensitive records of donations should be reviewed often enough to quickly identify any unauthorised activity.

 

Reviewers should understand the indicators of unusual or unauthorised activity e.g. out-of-hours access by authorised personnel.

Audit trail of transactions that have good internal control processes and are reconciled regularly may only need to be reviewed when an error or irregularity needs to be investigated, or by auditors.

Audit trail that helps prove compliance with regulatory requirements should be reviewed monthly to provide assurance of completeness, and then provided to the auditors, compliance checkers or inspectors on request.

 

Audit trail of high level or system administrator access to the accounting system should be reviewed as an embedded business process within the financial systems control function.

 

 

Challenges of maintaining Audit Trail

 

Audit trail requires storage space – be it physical records in a room or electronic audit trail on systems.

 

Storage space has costs, so it is important to balance the costs and benefits of retaining audit trail to ensure efficiency and effectiveness.

 

Carrying out the risk assessments described in the earlier section on “How to determine what Audit Trail to implement?” should help with getting the balance right.

Audit trail requires time to review.  Investigation of suspicious activity and reconstruction of events can be time-consuming and costly.  This therefore presents an additional overhead to the organisation.

 

Tools can be used to assist with analysis of events for easier identification of what is relevant to look into, but also carry a cost.

 

Investigations, on the other hand, require human intervention to be properly conducted and brought to a resolution.

If too many issues are identified, some of which are low risk, it may be necessary to review the settings of the audit trail to target high-risk activities and provide better cost-benefit to the organisation.

 

It is also important to maintain adequate segregation of duties between those who review the audit logs and those who set up and maintain user access controls.

 

In small churches and charities with limited in-house resources, this would need to be carefully managed.

 

 

Conclusion

 

Well thought through audit trail is an essential part of internal control design.  Good audit trail shows what took place, when it took place and by whom.

 

Audit trail helps ensure accountability, provides evidence for the review of compliance with processes and internal controls, as well as investigations into fraud or irregularities.

 

Read more about why churches need good internal controls, and how segregation of duties protects church finances.

 
