It’s been around since accountants ditched adding machines for Apple II’s. And it’s a feature that—when used correctly—can save your business from some truly nasty predicaments.
Ladies and gentlemen, reintroducing your old, but underappreciated friend: the humble accounting audit trail.
Of course, the idea behind the audit trail is simple, really. When you make an entry or change to your accounting records, your accounting software automatically logs the details for future reference. Who did what, when, how, and for how much? It’s the job of the audit trail to make sure that story is always accessible.
As straightforward as the audit trail is, maintaining and monitoring it properly can keep your business out of some complicated messes, including the following:
The Association of Certified Fraud Examiners estimates that 5% of organizational revenues are lost to fraud. That’s more than $3.5 trillion annually defrauded on a global basis. Brought down to the level of the individual organization, the average occupational fraud case amounts to $140,000 of lost revenue.
The audit trail is the fundamental business tool for both identifying and preventing fraud.
Fraud, of course, doesn’t just happen magically. It takes an accumulation of actions that will leave footprints. For instance, a common scheme involves entering a record into the AP ledger, printing a blank check, and then assigning a phony payee after the fraudster has made payment to themselves or someone else in on the scheme. This sort of fraud is relatively easy to detect—if there is an active audit trail being maintained and monitored. A pattern where checks are cut and the payee is assigned afterwards is highly unusual and should stick out like a sore thumb in the audit trail.
The audit trail doesn’t just provide a mechanism for fraud detection, though. The presence of a carefully maintained and frequently monitored audit trail also acts as a powerful deterrant, in precisely the same way as a video monitor, alarm system, or any other visible security measure.
2. Investigation by the IRS.
Nobody likes the word audit much. But don’t confuse it with audit trail. An audit trail can actually be an important tool in helping you avoid an IRS tax audit.
Fundamentally, an IRS audit is about inquiring into the legitimacy of your records. In the same way that you can rely on the audit trail to make sure nobody is getting over on you, the IRS is interested in using it to determine the same thing. In fact, the IRS has even specially trained over 1,000 agents to be experts in the audit trails of particularly common small business software accounting programs like Sage 50 (Peachtree) and Quickbooks.
The Journal of Accountancy recommends that businesses always keep audit trails on. Here’s their logic:
Practitioners do not want the IRS to perceive that their client’s internal controls are weak. When the IRS requests records with associated audit trails, all of a taxpayer’s recording errors are exposed, and the agent can make conclusions based on entries that are reversed or corrected… If the IRS concludes that a taxpayer’s controls are weak, the IRS may expand the audit. Some practitioners have suggested that their clients turn off the audit trail indicator on QuickBooks. Regardless of the reason, that approach is not advisable, because it will immediately raise the audit agent’s suspicion.
3. Lending or funding rejections.
It’s not uncommon for lending institutions to want to review accounting records as a part of loan qualification process. Access to an audit trail report can help prevent lending rejections.
Most lending institutions will require a profit and loss statement for any business loan decisions—especially if credit is unestablished. In fact, the SBA.gov website lists a P&L statement as one of the main items on their loan application checklist.
Providing an audit trail increases a lending institution’s confidence both in the records themselves and the financial management capabilities of their stewards. In some cases, an audit trail may actually be a requirement, if a lender deems it necessary to complete a full financial audit of the records.
The relevance of audit trails can apply to other funding sources as well. Non-profits applying grants may need to provide audit trail logs to demonstrate the integrity of financial records and business investors doing due diligence may this data as well.
4. Compliance infractions.
Infractions of compliance standards can lead to all sorts of negative business outcomes like lost contracts, penalties, and even fines. Audit trails can help to avoid these infractions.
The Defense Contract Audit Agency (DCAA) is an example of one organization that publishes compliance standards. Contractors working on defense contracts must meet some stringent requirements. While the DCAA standards are wide-ranging, two important focus areas have to do with timekeeping and cost allocations. Audit trails provide an important mechanism for contractors to demonstrate compliance in these areas. For instance, an audit trail can provide evidence that the hours billed for labor indeed are the hours that were worked and recorded and haven’t been tampered with.
The requirement for audit trails can even pop up in some potentially unexpected places when it comes to compliance standards. For instance, the HIPAA Act includes language mandating audit controls for health care providers, as organizations storing sensitive patient information are required to have “mechanisms to record and examine activity in informations systems that contain or use electronic protected health information.” (HHS.gov)
Putting the audit trail to work for you
It’s easy to take the audit trail for granted.
But in order for the audit trail to help you avoid the messes list above, you need to make sure:
- You have one.
- It’s properly set up.
- You, or somebody you trust, knows how to use it and checks it regularly.
You might assume that all new accounting software includes audit trail functionality. But there are, in fact, quite a few commercially available programs that lack it. Because audit trails record every action that creates or alters an accounting record, they produce an enormous amount of data. The additional data requires more server resources. For that reason, audit trails often aren’t included in many lower cost cloud solutions, where the provider is the software host and supplies the computing resources. (Note: More robust cloud solutions will include audit trail functionality.) But inexpensive cloud solutions are not the only software choices that can lack audit trails. Whether you are shopping for a SaaS or on-premise accounting system, it’s a feature whose presence you’ll always want to verify.
Even if your software offers audit trail functionality, it frequently will need to be configured. In some programs you may actually even need to specifically enable the audit trail. You may also want to adjust the amount of detail that is captured in each audit trail log record. Finally, it’s critical that only approved users have the ability to affect the audit trail. If unapproved users can turn the audit trail on and off, the only thing it may be providing is a false sense of security. Tapping your software support provider for best practices on audit trail configuration is never a bad idea. It can save you from a significant amount of grief later.
The audit trail gives you an important tool for detecting fraud, but it only works if you use it. Monitoring audit trails on a regular basis—with special attention paid to reviewing changed and deleted/voided records—is an easy way to improve your company’s financial security profile. A certified external audit provides an even higher degree of confidence in the integrity of your records, of course. But it also comes at an expense. Depending on your company’s risk profile, whether that is a warranted expense—and how often it’s warranted—will vary. But ultimately whether your auditing procedure is internal or external, one thing that remain constant is the benefit audit trails can provide toward safeguarding your finances.