How user logging enables effective internal auditing, supports fraud detection, and aids taxpayer compliance


Let’s talk about user logging. I want to start with the premise that most employees want to perform their job properly and legally. The same can be said for taxpayers regarding voluntary compliance, and for licensees in a regulatory scheme. However, that does not mean we shouldn't be concerned with keeping track of who is using the tax administration or licensing solution, and how.

User logging records critical system events; for example, changes to roles and users or the database configuration. It can also record access to sensitive data, read and write access to objects such as tables and overviews, and the execution of procedures. System logging provides user audit trails, which have multiple advantages.

As a management tool, user logging is useful in tracking actions taken by specific employees. This insight can determine who has taken various actions and whether proper protocols were followed. Using a secure database table as the target for the audit trail makes it possible to query and analyse auditing information quickly. It also provides a secure and tamper-proof storage location. Additionally, analysis of these actions can be a tool in detecting fraud or other irregularities, including, unfortunately, internal fraud.

Logging also provides a clear history of actions taken by the taxpayer. This is useful when communicating with taxpayers who are less than forthcoming about the actions taken within their accounts. During the communication, much can be said when a tax officer has the ability to recount to the taxpayer the steps of the taxpayer’s own actions.

I have seen many articles regarding agencies, including some of the largest in the world, whose applications have insufficient internal audit trails to detect unauthorised access to sensitive information, or improper manipulation of information. It's hard to imagine, in today’s age of digitalisation and modernisation, that user logging doesn't exist, but unfortunately that wasn't the standard with many older legacy systems, many of which are still in use today. If the system does have some form of user logging it may only apply to certain transactions, rather than all.

I believe the scrutiny provided by oversight auditing authorities will continue to become more prominent in all tax administration agencies (and really all public sector agencies) across the globe, due to the increased citizen demand to ensure the proper use of their money. As a result, governing bodies are also taking a more active role in reviewing how administrative agencies are operating and using their budgeted funds. Furthermore, many national government projects across the globe are funded by grants or loans from the World Bank Group or other similar lenders. These lenders are therefore highly interested in the proper use of the funding.

To provide an example, one of my former agencies was audited by no less than five different entities, because of the array of responsibilities of the agency. We were subject to audit by: the Agency’s Internal Inspector General, the Chief Inspector General (Executive Office of the Governor), the state Auditor General (state’s independent auditor), the Department of Financial Services (contract management, risk management), the Office of Program Policy Analysis & Government Accountability (Legislature), and the federal Internal Revenue Service.

There is a minimum set of requirements that should be considered. A good commercial-off-the-shelf (COTS) solution should provide proper auditing of all data resources, inclusive of the details associated with creation, modification, and deletion operations. These details should include the identity of the user performing the operation and the operation timestamp. All deletions should be soft deletes in which the 'deleted' resources are either logically marked as deleted or are moved to an online archive. The system:

  • should make the audit trail accessible to authorised users.
  • must retain a copy of all data resources which are transmitted to external systems.
  • should keep an activity log of all system logins for a period of five years or the legally required minimum.
  • should log all system and database administrator activities through a user interface.
  • should keep the same log for logins into the enterprise system platform.
  • should record all user and system activities in an audit log, which is configurable by user and transaction type.
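To make the audit-table and soft-delete requirements concrete, here is an added sketch (not code from the article or from any vendor's product) using an in-memory SQLite database. The `account` and `audit_log` tables, the function names and the sample actors are all assumptions for illustration; `actor` stands for the authenticated user ID the application would supply.

```python
import sqlite3

# Constructed schema: "account" stands in for any audited data resource.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER,
                      deleted_at TEXT);  -- NULL = live, timestamp = soft-deleted
CREATE TABLE audit_log (seq INTEGER PRIMARY KEY AUTOINCREMENT,
                        ts TEXT NOT NULL DEFAULT (datetime('now')),  -- UTC
                        actor TEXT NOT NULL, op TEXT NOT NULL,
                        account_id INTEGER NOT NULL, detail TEXT);
-- The audit trail is append-only: entries cannot be rewritten or removed.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
-- Hard deletes are refused; a record can only be marked as deleted.
CREATE TRIGGER account_no_delete BEFORE DELETE ON account
BEGIN SELECT RAISE(ABORT, 'hard delete refused, use soft delete'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def audited(db, actor, op, account_id, detail, sql, params):
    # The data change and its audit entry commit together or not at all.
    with db:
        db.execute(sql, params)
        db.execute("INSERT INTO audit_log (actor, op, account_id, detail) "
                   "VALUES (?, ?, ?, ?)", (actor, op, account_id, detail))

def create(db, actor, account_id, name, balance):
    audited(db, actor, "CREATE", account_id, f"balance {balance}",
            "INSERT INTO account (id, name, balance) VALUES (?, ?, ?)",
            (account_id, name, balance))

def set_balance(db, actor, account_id, balance):
    old = db.execute("SELECT balance FROM account WHERE id = ?",
                     (account_id,)).fetchone()[0]
    audited(db, actor, "UPDATE", account_id, f"balance {old} -> {balance}",
            "UPDATE account SET balance = ? WHERE id = ?", (balance, account_id))

def soft_delete(db, actor, account_id):
    audited(db, actor, "DELETE", account_id, "marked deleted",
            "UPDATE account SET deleted_at = datetime('now') WHERE id = ?",
            (account_id,))

def history(db, account_id):
    # Who did what to this record, in order.
    return db.execute("SELECT actor, op, detail FROM audit_log "
                      "WHERE account_id = ? ORDER BY seq", (account_id,)).fetchall()
```

The triggers only stop changes made through ordinary application access; an administrator able to drop them is not stopped, so the audit table also needs restricted database privileges and its own logging of administrator activity.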

As you embark on a modernisation project, keep the usefulness of user logging in mind. It provides great proactive capabilities and safeguards from a management perspective, saving you from being in the unenviable position of not being able to recreate the history of a record, should you find yourself in a dispute with a taxpayer or an unfortunate event of internal fraud.
