Audit trails
Related information
Related topics
Sage Intacct embeds audit traceability in all its relevant features, which means a record of all user actions pertinent to an audit are kept centrally within Sage Intacct. As a result, the finance team has access to the information auditors need. These are naturally detective controls, but they often complement preventive controls provided by access or permissions and workflow. Audit trails can perform both accuracy and existence checks; particularly if reports are used to interrogate audit trails for particular parameters.
Audit trails can often be used to provide mitigating evidence. If a control has failed, for example a person was granted additional access by mistake, then audit trails may be able to show that access was not used to bypass controls. Though this may not change the auditor’s opinion on controls, it can demonstrate that the impact of a control failure was lower or contained. In turn, the auditor should take this into account when drawing their overall conclusions on an organization’s control environment.
User login history
Auditors need to understand who can access a company’s financial management software. They need comprehensive login security along with documentation of who successfully logged in. Sage Intacct documents each time a user either successfully or unsuccessfully logs into the system and creates a record with the user ID included. Regardless of whether the user was successful in logging in or not, their user ID, a timestamp, and the IP address of the device they used to log in are recorded. If they are successful in logging in, their session duration is included in the record as well.
To learn more, see User access report.
Audit history of database records
Companies need to document the actions a user performs after logging in since auditors may need to investigate these transactions. Whenever a user creates, edits, or deletes a record, Sage Intacct automatically documents the user ID of the employee who did so, while also creating a timestamp of when the action occurred. In doing so, Sage Intacct can show a task’s chain of custody, so they know who they should consult should questions arise.
As users navigate Sage Intacct, the system documents changes that occur within the following action types:
- Master record objects, such as customer, supplier, contracts, and others
- Transactions, including invoices, bill payments, journal entries, and others
- Other features, including configurations, custom reports, and user setups
You can view logged changes in Audit History reports and from the records directly via access to the audit trail. To learn more, see Audit Trail.
Considerations for audit history controls
Control ergonomics are important. If too much data is logged and reported, a reviewer has a hard time finding genuine issues. With so much audit data available, picking the right data for review can take some time to get right. Attributes that support controls might not be key fields and looking for them can be like looking for a needle in a haystack. Logging and audit trails are a type of control where it might make sense to refine the control after go-live. In which case, make sure to update the control documentation.
System-level audit trails
Tracking changes in system configuration is important because the changes can impact all users. Each time a user changes a configuration in Sage Intacct , such as in the General Ledger or Accounts Payable, the user ID of the employee along with a timestamp and IP address are recorded. Other tasks documented by Sage Intacct include the following:
- Email delivery
- Smart events
- Offline job history
If your organization needs greater HIPPA-compliant audit traceability, you can add the Sage Intacct advanced audit functionality to increase what's captured in the audit trail. With advanced audit functionality, Sage Intacct records each time a user views any associated record, transaction, or report that's related to potential PHI identified fields across the application areas covered within the system. To learn more, see Advanced Audit Trail overview.
Application integration audit trail
Audit trails for integrated applications help auditors identify applications that access Sage Intacct and for what purpose to help protect against cybersecurity breaches. In Sage Intacct, any time an API call takes place with a third-party application, a new report is created. Each report includes a timestamp, a sender ID (unique token), and the function performed, such as creating an invoice or paying a bill. After an API report is compiled, users can access it within Sage Intacct.
To learn more, see Example API Usage Detail report—CRW.
