National Records of Scotland

Preserving the past, Recording the present, Informing the future

Model Plan Guidance to Element 11

Model Plan Guidance to Element 11

Audit trail

An audit trail is a sequence of steps documenting the movement and/or editing of a record resulting from activities by individuals, systems or other entities.

In line with the Keeper of the Records of Scotland's (The Keeper) obligations under the Public Records (Scotland) Act 2011 (the Act) the following guidance is issued regarding audit trails:

It is considered good practice that the whereabouts of records should be known at all times and movement of files around an electronic system or between physical storage areas or office areas should be logged.
Records held on physical media, such as paper or microform, should be subject to an authority's registry system recording the movement of records around the organisation. Evidence of this might be a description of a 'paper trail' from retrieval request to return of a document to store. Such a system should ensure that the whereabouts of a particular record is known at all times.

Electronic records should be subject to an audit trail mechanism that records the movement of records within the IT infrastructure or out of the IT infrastructure. Electronic Document and Records Management Systems (EDRMS) usually offer this functionality and allow for the creation of audit reports, but a great deal of electronic records created by public authorities remain unstructured and are not subject to content management systems. Electronic records that are therefore held on network drives for which there is no in-built audit trail functionality, should be subject to an authority wide policy that promotes efficient management of records, through a logically organised and structured hierarchical filing system, using appropriately named electronic folders.

For all records, in whatever format, a mechanism that monitors their movement and changes to content helps authorities ensure their authenticity and supports legal admissibility. The Keeper therefore wishes to see reference under public authority RMPs to audit provisions in place or being developed to manage record movement and version control.

EDRM systems routinely offer functionality that allows access to records to be logged. Where this access does not result in editing, deletion or movement of records, the Keeper will not require evidence of such access. Element 11 under the Keeper's Model Plan is concerned with the best practice need for authorities to know where their records are at any given time and to be aware of the need for robust version control. It is not concerned with access to records for routine business purposes that do not lead to changes or movement of records.

For certain record classes, such as adoption records, access restrictions may however be of primary importance. Access control is properly part of Element 8: Information Security.
British Standard 10008 states:

This audit trail information is needed to enable the working of the system to be demonstrated, as well as the progress of information through the system, from receipt to final deletion. Audit trails need to be comprehensive and properly looked after, as without them the integrity and authenticity, and thus the evidential weight, of the information stored in the system could be called into question. [footnote 1]

Evidence

The Keeper requires evidence that an authority can locate its records and that it can confidently declare these records to be true and authentic.

The degree of audit trails required will vary according to the legislative and regulatory framework in which an authority operates.

Depending on the situation in a particular authority, potential evidence might include some of the following: A formal policy, approved by the senior accountable officer, governing access permissions; a description of the search system used to locate electronic records or the paper records location system; sample 'paper' document movement logs version controls followed or details of audit trails included in an EDRMs.

The Keeper understands that for some authorities a comprehensive audit trail system may still be some way off. However, the Keeper would require to know that authorities are working towards implementing an appropriate system(s) for all records held throughout its entire operation. Evidence of an improvement project should be approved by the senior accountable officer.

Sample Tracking Documents

The following sample retention schedules might give you an idea what such a document should include and how it might be styled:
[Moray Accession Deposit and Tracking Register - Acrobat PDF 227KB, new window]

Guidance Specific to audit trails

Edinburgh University provides guidance on tracking records (http://www.ed.ac.uk/schools-departments/records-management-section/records-management/staff-guidance/technical-guidance/tracking-records)

Complete Guidance Documents

University of Edinburgh records management guidance (http://www.ed.ac.uk/schools-departments/records-management-section/records-management/staff-guidance)

The International Congress on Archives (ICA) supported project ADRI Digital Record Exchange Specification became ISO 16175 See Principles and Functional Requirements for Records in Electronic Office Environments at (http://www.adri.gov.au/products.aspx#)

If you encounter difficulties opening linked websites, PDF documents and RTF documents listed on this page, please contact us at publicrecords@nas.gov.uk.

Return to Model Plan

Return to Model Plan or read the complete guidance to Model Plan.

Footnotes:

1. BS 10008 Evidential Weight and Legal Admissibility of Information Stored Electronically 2.15 page 79