Skip to content
    Operations guideGovernance and traceability

    Auditability and Business-Event Traceability

    Auditability is the ability to reconstruct important actions and state changes with enough trustworthy context to answer who or what acted, when, through which source, on which subject, and what changed.

    Audit logsBusiness eventsPermissionsData governance

    Key takeaways

    • Technical logs explain system behavior; audit records explain accountable business and administrative actions.
    • Traceability is difficult to retrofit when workflows do not preserve actor, source, previous state, resulting state, and stable identifiers.
    • Not every view or field update needs permanent history; scope should follow business, security, contractual, and verified regulatory needs.

    What an audit record should answer

    For a material action, a useful record may include the human or service actor, tenant and subject, event type, timestamp, source channel, correlation identifier, reason, previous and resulting state, and relevant approval context.

    The record should describe a domain action such as approval granted, role changed, data exported, payment status updated, or integration correction applied—not merely a database statement.

    • Who or what performed the action
    • What subject and tenant were affected
    • When and through which source it occurred
    • What changed and why, where appropriate

    Events that commonly justify traceability

    High-impact administrative actions, permission changes, approvals, status transitions, exports, deletions, configuration changes, support access, and integration-triggered updates often need stronger traceability than ordinary reads.

    The final set should be decided with process owners and appropriate legal or security guidance. Publishing an audit feature does not establish compliance by itself.

    Data model, access, and tamper concerns

    Audit events need stable identities and an append-oriented model that resists casual editing through ordinary application paths. Access should be narrower than access to general application data because records can expose sensitive behavior and historical values.

    Retention, deletion, legal hold, privacy requests, exports, clock consistency, and cross-system correlation require explicit policy. Avoid copying secrets or unnecessary personal data into immutable history.

    Interface, testing, and operations

    An audit viewer should support understandable event names, time, actor, subject, source, and scoped filtering without exposing raw internal payloads as the only explanation.

    Tests should verify that protected actions create the intended record, failed attempts are handled according to policy, tenant boundaries remain intact, integration actors are distinguishable, and ordinary users cannot alter history.

    Proportionate implementation checklist

    A smaller system may record a bounded set of high-impact actions with controlled administrator access. A critical workflow may require broader event coverage, stronger retention and export controls, cross-service correlation, periodic review, and independent storage protections. Define events, actors, state detail, access, retention, integrity, review, and export before implementation.

    Decision factors

    • Material business and administrative actions
    • Actor, source, subject, and tenant identity
    • Previous and resulting state needs
    • Retention, privacy, and access policy
    • Integrity and export requirements
    • Review and investigation workflow

    Common mistakes

    • Using debug logs as the audit system
    • Recording secrets or full sensitive payloads
    • Capturing every action without decision value
    • Adding audit history after actor and state context were discarded
    • Claiming compliance from logging alone

    Cost considerations

    Auditability affects domain modeling, event capture, storage, retention, administrative interfaces, access control, export, testing, and review procedures. The number and detail of events are major scope drivers.

    View planning ranges

    Timeline considerations

    Core audit events should be identified during workflow and permission design. Retrofitting history later cannot reconstruct context that was never stored and may require changes across services and interfaces.

    Apply the framework to a real system decision.

    If the workflow, constraints, or integration boundaries are unclear, a focused scope review can identify what needs technical validation before a build or purchase decision.