# E8 Audit Trail Requirements

## Overview

The E8 Assessment Framework must maintain comprehensive audit trails for compliance, governance, and continuous improvement. This document defines requirements for capturing, storing, and reporting audit information.

## Audit Trail Principles

### Core Requirements
- Immutability: Once recorded, audit entries cannot be modified or deleted
- Completeness: Every significant action must be logged
- Traceability: Full chain of custody for all data
- Accessibility: Appropriate access for auditors and regulators
- Retention: Comply with 7-year regulatory requirements
### Compliance Drivers
- APRA CPS 234: Requires audit trails for cybersecurity controls
- Directors' Liability: Board needs evidence of oversight
- Insurance Claims: Proof of controls for claim validation
- Regulatory Audits: ASIC, APRA, ACSC review requirements
## Data Lineage Tracking

### Question Answer Lifecycle

```mermaid
graph TD
    A[Question Presented] --> B{Answer Source?}
    B -->|Pre-filled| C[Crossover Engine]
    B -->|Manual| D[User Input]
    C --> E[Confidence Score]
    D --> F[User Attribution]
    E --> G[Answer Stored]
    F --> G
    G --> H[Evidence Linked]
    H --> I[Review/Approval]
    I --> J[Final State]
    J --> K[Audit Record]
```
### Required Audit Fields

```typescript
interface E8AuditRecord {
  // Core identification
  id: string                    // Unique audit ID
  timestamp: Date               // ISO 8601 UTC timestamp
  sessionId: string             // Assessment session

  // Question context
  questionId: string            // E8_STRATEGY_NNN
  questionText: string          // For historical reference
  questionVersion: number       // Question version at time

  // Answer details
  answerValue: any              // The actual answer
  answerSource: AnswerSource    // How answer was obtained
  previousValue?: any           // If this is an update

  // Attribution
  userId: string                // Who provided/approved
  userRole: UserRole            // Role at time of action
  delegatedFrom?: string        // If delegated

  // Evidence
  evidenceIds: string[]         // Linked evidence
  confidenceScore: number       // 0-1 confidence
  verificationStatus: string    // Verified/Unverified/Pending

  // Metadata
  clientIP: string              // Source IP address
  userAgent: string             // Browser/client info
  actionType: AuditAction       // Create/Update/Approve/etc
}

enum AnswerSource {
  MANUAL_ENTRY = 'manual_entry',
  POLICY_PREFILL = 'policy_prefill',
  INSURANCE_PREFILL = 'insurance_prefill',
  ASSESSMENT_IMPORT = 'assessment_import',
  API_INTEGRATION = 'api_integration',
  DELEGATED_RESPONSE = 'delegated_response',
}

enum AuditAction {
  ASSESSMENT_STARTED = 'assessment_started',
  QUESTION_ANSWERED = 'question_answered',
  ANSWER_UPDATED = 'answer_updated',
  EVIDENCE_ATTACHED = 'evidence_attached',
  DELEGATION_CREATED = 'delegation_created',
  REVIEW_COMPLETED = 'review_completed',
  APPROVAL_GRANTED = 'approval_granted',
  REPORT_GENERATED = 'report_generated',
}
```
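The Immutability principle above says that recorded entries cannot be modified or deleted. A policy alone does not make that verifiable; hash-chaining the records does, because any edit or removal of a stored record breaks verification from that point on. The following is an added example and not GetCimple's code: it carries a subset of the `E8AuditRecord` fields, and the chained storage envelope, the canonical-JSON serialisation and the `verifyChain` helper are assumptions of this example.

```typescript
import { createHash } from 'node:crypto';

// Subset of the E8AuditRecord fields from the spec above; the remaining fields
// would travel the same way. Updates are appended as new ANSWER_UPDATED records
// carrying previousValue, never written over the original record.
interface AuditEntry {
  id: string;
  timestamp: string;        // ISO 8601 UTC
  sessionId: string;
  questionId: string;
  answerValue: unknown;
  previousValue?: unknown;
  answerSource: string;
  userId: string;
  actionType: string;
}

// Assumed storage envelope (not part of the spec): every stored record carries
// the hash of its predecessor, so the whole log forms a chain.
interface ChainedEntry {
  seq: number;
  prevHash: string;         // hash of the previous record; all zeros for the first
  hash: string;             // SHA-256 over seq, prevHash and the canonical entry
  entry: AuditEntry;
}

const GENESIS_HASH = '0'.repeat(64);

// Key-sorted JSON with undefined properties dropped, so the hash depends neither
// on property order nor on optional fields being present-but-undefined.
function canonicalJson(value: unknown): string {
  if (Array.isArray(value)) return '[' + value.map(canonicalJson).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    return '{' + Object.keys(obj).filter(k => obj[k] !== undefined).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalJson(obj[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function hashEntry(seq: number, prevHash: string, entry: AuditEntry): string {
  return createHash('sha256')
    .update(`${seq}|${prevHash}|${canonicalJson(entry)}`)
    .digest('hex');
}

class AuditLog {
  private readonly chain: ChainedEntry[] = [];

  // The only write operation: append. There is no update or delete method.
  append(entry: AuditEntry): ChainedEntry {
    const seq = this.chain.length;
    const prevHash = seq === 0 ? GENESIS_HASH : this.chain[seq - 1].hash;
    const record: ChainedEntry = Object.freeze({
      seq, prevHash, hash: hashEntry(seq, prevHash, entry), entry: Object.freeze({ ...entry }),
    });
    this.chain.push(record);
    return record;
  }

  entries(): readonly ChainedEntry[] { return this.chain; }
}

// Returns -1 when every record's hash and back-link check out, otherwise the
// index of the first record that fails: the point at which the log was altered.
function verifyChain(chain: readonly ChainedEntry[]): number {
  let prevHash = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    if (r.seq !== i || r.prevHash !== prevHash || r.hash !== hashEntry(i, prevHash, r.entry)) return i;
    prevHash = r.hash;
  }
  return -1;
}

// Constructed sample: an answer is recorded, updated, then evidence is attached.
function buildSampleLog(): AuditLog {
  const log = new AuditLog();
  const base = { sessionId: 's-001', questionId: 'E8_MFA_001', answerSource: 'policy_prefill' };
  log.append({ ...base, id: 'a1', timestamp: '2025-01-24T03:00:00Z', answerValue: 'YES',
    userId: 'u-it-manager', actionType: 'question_answered' });
  log.append({ ...base, id: 'a2', timestamp: '2025-01-24T03:05:00Z', answerValue: 'PARTIAL',
    previousValue: 'YES', answerSource: 'manual_entry', userId: 'u-ciso', actionType: 'answer_updated' });
  log.append({ ...base, id: 'a3', timestamp: '2025-01-24T03:06:00Z', answerValue: 'PARTIAL',
    userId: 'u-ciso', actionType: 'evidence_attached' });
  return log;
}

// A stored copy in which record `index` was altered after the fact.
function alteredCopy(log: AuditLog, index: number, newValue: unknown): ChainedEntry[] {
  const copy = log.entries().map(r => ({ ...r, entry: { ...r.entry } }));
  copy[index].entry.answerValue = newValue;
  return copy;
}

// A stored copy from which record `index` was removed.
function deletedCopy(log: AuditLog, index: number): ChainedEntry[] {
  const copy = [...log.entries()];
  copy.splice(index, 1);
  return copy;
}
```

The chain catches in-place edits and deletions anywhere before the tail, but truncating the newest records is invisible to the chain alone; the latest hash therefore needs to be anchored outside the log at intervals (written to a separate write-once store, or signed), which is also where the 7-year retention copy should take its integrity reference from.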
## Crossover Intelligence Audit

### Pre-fill Tracking

For each pre-filled answer, capture:

```yaml
prefill_audit:
  question_id: E8_MFA_001
  original_source:
    type: policy_document
    document: 'IT Security Policy v2.3'
    section: '5.2 Authentication'
    extracted_text: 'Multi-factor authentication is required for all remote access'
    extraction_method: keyword_match
    extraction_confidence: 0.9
  transformation:
    raw_value: 'Multi-factor authentication is required for all remote access'
    interpreted_as: 'YES'
    transformation_rule: "contains 'required' + 'multi-factor'"
    manual_override: false
  validation:
    auto_validated: true
    validation_rule: 'Recent policy + high confidence'
    requires_human_review: false
    reviewed_by: null
    review_timestamp: null
```
### Confidence Score Calculation

```typescript
interface ConfidenceAudit {
  baseScore: number             // Initial confidence
  adjustments: {
    age_penalty: number         // Reduction for old data
    source_reliability: number  // Source trust level
    validation_boost: number    // Increase if validated
    conflict_penalty: number    // Reduction if conflicts
  }
  finalScore: number            // Calculated confidence
  reasoning: string             // Explanation
}

// Example audit entry
{
  baseScore: 0.85,
  adjustments: {
    age_penalty: -0.1,          // 6 months old
    source_reliability: 0.9,    // Trusted policy
    validation_boost: 0,        // Not yet validated
    conflict_penalty: 0         // No conflicts
  },
  finalScore: 0.75,
  reasoning: "Policy document confidence reduced due to age"
}
```
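The pre-fill record and the confidence audit above only make sense together if the same rules produce both: the score, its reasoning string, and the decision whether the answer may be auto-validated or must go to a human. The following is an added example (not the framework's code). Its field names follow the `ConfidenceAudit` and `prefill_audit` shapes above, but the scoring rules (a penalty step per six months of document age, a reliability gate for auto-validation, the concrete thresholds behind 'Recent policy + high confidence') are assumptions of this example, chosen so that the worked entry above (0.85 base, six-month-old policy, final 0.75) is reproduced.

```typescript
interface Adjustments {
  age_penalty: number;
  source_reliability: number;
  validation_boost: number;
  conflict_penalty: number;
}

interface ConfidenceAudit {
  baseScore: number;
  adjustments: Adjustments;
  finalScore: number;
  reasoning: string;
}

// Mirrors the `validation` block of prefill_audit.
interface PrefillValidation {
  auto_validated: boolean;
  validation_rule: string;
  requires_human_review: boolean;
}

// What we know about where a pre-filled value came from (assumed shape).
interface PrefillSource {
  documentAgeMonths: number;   // age of the source document
  sourceReliability: number;   // 0-1 trust level of the source type
  validated: boolean;          // already confirmed by a human
  conflictingSources: number;  // other sources that disagree with this value
}

const round2 = (x: number): number => Math.round(x * 100) / 100;
const clamp01 = (x: number): number => Math.min(1, Math.max(0, x));
// Avoids producing -0 when a penalty does not apply.
const penalty = (x: number): number => (x === 0 ? 0 : -x);

function computeConfidence(baseScore: number, src: PrefillSource): ConfidenceAudit {
  const ageSteps = Math.floor(src.documentAgeMonths / 6);
  const adjustments: Adjustments = {
    age_penalty: penalty(Math.min(0.5, ageSteps * 0.1)),          // -0.1 per 6 months, capped
    source_reliability: src.sourceReliability,
    validation_boost: src.validated ? 0.1 : 0,
    conflict_penalty: penalty(Math.min(0.3, src.conflictingSources * 0.15)),
  };
  // As in the worked entry, source_reliability is recorded but not summed into
  // the score; it gates auto-validation in decideValidation instead.
  const finalScore = round2(clamp01(
    baseScore + adjustments.age_penalty + adjustments.validation_boost + adjustments.conflict_penalty));

  // The reasoning string is built from the adjustments actually applied, so an
  // auditor can re-derive the number from the text.
  const reasons: string[] = [];
  if (adjustments.age_penalty < 0) reasons.push(`confidence reduced due to age (${src.documentAgeMonths} months)`);
  if (adjustments.validation_boost > 0) reasons.push('confidence increased after human validation');
  if (adjustments.conflict_penalty < 0) reasons.push(`confidence reduced for ${src.conflictingSources} conflicting source(s)`);
  const reasoning = reasons.length ? 'Policy document ' + reasons.join('; ') : 'Policy document confidence unchanged';
  return { baseScore, adjustments, finalScore, reasoning };
}

// 'Recent policy + high confidence' made concrete (assumed thresholds): source
// under 12 months old, source reliability >= 0.8, score >= 0.7, no conflicts.
function decideValidation(audit: ConfidenceAudit, src: PrefillSource): PrefillValidation {
  const recent = src.documentAgeMonths < 12;
  const trusted = audit.adjustments.source_reliability >= 0.8;
  const confident = audit.finalScore >= 0.7;
  const auto = recent && trusted && confident && src.conflictingSources === 0;
  return {
    auto_validated: auto,
    validation_rule: auto ? 'Recent policy + high confidence' : 'Manual review required',
    requires_human_review: !auto,
  };
}
```

Anything that fails the gate is routed to a human rather than silently accepted, and the reviewer's identity and timestamp then fill the `reviewed_by` and `review_timestamp` fields of the pre-fill record.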
## Role-Based Delegation Audit

### Delegation Flow Tracking

```typescript
interface DelegationAudit {
  // Delegation creation
  delegationId: string
  fromUser: string
  fromRole: UserRole
  toUser: string
  toRole: UserRole
  questionIds: string[]
  reason: string
  createdAt: Date
  dueDate?: Date

  // Delegation response
  respondedAt?: Date
  responseTime?: number         // Minutes taken
  answers: {
    questionId: string
    answer: any
    confidence: number
  }[]

  // Escalation (if any)
  escalatedBack: boolean
  escalationReason?: string
  escalatedTo?: string

  // Completion
  status: 'pending' | 'completed' | 'escalated' | 'expired'
  completedAt?: Date
}
```
### Board Review Audit

Special audit requirements for board interactions:

```yaml
board_audit:
  session:
    board_members_present: ["Director1", "Director2", "Director3"]
    meeting_type: "Risk Committee" | "Full Board" | "Audit Committee"
    meeting_date: "2025-01-24"
    agenda_item: "Cybersecurity Maturity Review"
  presentation:
    items_shown:
      - current_maturity_summary
      - industry_benchmarks
      - risk_assessment
      - investment_options
    time_spent_seconds: 180
    questions_asked: []
  decisions:
    - decision_type: "target_maturity"
      selected_option: "ML2"
      rationale: "Industry standard for our risk profile"
      unanimous: true
      dissent: []
    - decision_type: "investment_approval"
      amount: 150000
      timeline: "12 months"
      conditions: ["Quarterly progress reports required"]
  actions:
    - assigned_to: "CTO"
      action: "Implement E8 roadmap"
      due_date: "2025-12-31"
    - assigned_to: "CFO"
      action: "Allocate budget"
      due_date: "2025-02-28"
```
## Evidence Management Audit

### Evidence Lifecycle

```typescript
interface EvidenceAudit {
  // Evidence submission
  evidenceId: string
  uploadedBy: string
  uploadedAt: Date
  fileName: string
  fileHash: string              // SHA-256 for integrity
  fileSize: number
  mimeType: string

  // Evidence linking
  linkedQuestions: string[]
  linkPurpose: string
  linkConfidence: number

  // Evidence validation
  validatedBy?: string
  validatedAt?: Date
  validationStatus: 'pending' | 'approved' | 'rejected'
  validationNotes?: string

  // Evidence expiry
  validFrom: Date
  validUntil: Date
  expiryWarning: Date
  renewalRequired: boolean

  // Access log
  accessLog: {
    userId: string
    accessTime: Date
    accessPurpose: string
  }[]
}
```
### Document Integrity

```yaml
integrity_checks:
  upload:
    - calculate_hash: SHA-256
    - virus_scan: required
    - file_type_validation: whitelist
    - size_limit_check: 50MB
  storage:
    - encryption_at_rest: AES-256
    - versioning: enabled
    - backup: automated
    - retention: 7_years
  retrieval:
    - hash_verification: required
    - access_control: role_based
    - download_logging: mandatory
    - watermarking: optional
```
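The upload and retrieval checks above are what make the `fileHash` field of `EvidenceAudit` useful: the hash is fixed at upload, and every retrieval recomputes it before handing the bytes out, so a document that changed in storage is refused rather than served. The following is an added example, not the framework's code. The MIME allow-list, the stored-object shape and the `virusScan` hook are assumptions of this example; the 50 MB limit, SHA-256, the whitelist requirement and mandatory download logging come from the `integrity_checks` list above.

```typescript
import { createHash } from 'node:crypto';

// Assumed allow-list; a real deployment would take this from configuration.
const ALLOWED_MIME_TYPES = new Set(['application/pdf', 'image/png', 'text/plain']);
const SIZE_LIMIT_BYTES = 50 * 1024 * 1024;

interface AccessLogEntry {
  userId: string;
  accessTime: string;          // ISO 8601 UTC
  accessPurpose: string;
  verified: boolean;           // whether the hash check passed on this access
}

interface StoredEvidence {
  evidenceId: string;
  fileName: string;
  mimeType: string;
  fileSize: number;
  fileHash: string;            // SHA-256 hex computed at upload
  data: Buffer;
  accessLog: AccessLogEntry[];
}

type UploadResult = { ok: true; evidence: StoredEvidence } | { ok: false; reason: string };

function sha256(data: Buffer): string {
  return createHash('sha256').update(data).digest('hex');
}

// Upload-time checks in the order the spec lists them. `virusScan` is a
// hypothetical hook standing in for whatever scanner the deployment uses.
function acceptUpload(
  evidenceId: string, fileName: string, mimeType: string, data: Buffer,
  virusScan: (d: Buffer) => boolean, sizeLimit: number = SIZE_LIMIT_BYTES,
): UploadResult {
  if (!ALLOWED_MIME_TYPES.has(mimeType)) return { ok: false, reason: `file type ${mimeType} not on whitelist` };
  if (data.length > sizeLimit) return { ok: false, reason: `size ${data.length} exceeds limit ${sizeLimit}` };
  if (!virusScan(data)) return { ok: false, reason: 'virus scan failed' };
  return {
    ok: true,
    evidence: {
      evidenceId, fileName, mimeType, fileSize: data.length, fileHash: sha256(data),
      data: Buffer.from(data),   // private copy, so the caller cannot mutate stored bytes
      accessLog: [],
    },
  };
}

// Retrieval: recompute the hash of the stored bytes and compare with the hash
// recorded at upload. Every attempt is logged, including the refused ones.
function retrieve(ev: StoredEvidence, userId: string, purpose: string, now: Date): Buffer | null {
  const verified = sha256(ev.data) === ev.fileHash;
  ev.accessLog.push({ userId, accessTime: now.toISOString(), accessPurpose: purpose, verified });
  return verified ? Buffer.from(ev.data) : null;
}

// Constructed sample input; the scanner stand-in treats everything as clean.
const SAMPLE_POLICY = Buffer.from(
  'IT Security Policy v2.3\n5.2 Authentication: MFA is required for all remote access.\n');
const cleanScanner = (_: Buffer): boolean => true;

// A stored object whose bytes changed after upload (first byte flipped).
function corruptedCopy(ev: StoredEvidence): StoredEvidence {
  const data = Buffer.from(ev.data);
  data[0] ^= 0xff;
  return { ...ev, data, accessLog: [] };
}
```

A failed hash check should raise an exception report rather than just return nothing, since it means either the storage layer or a backup restore delivered different bytes from what was attested; the `verified: false` entry in the access log is what the Exception Report listed later on this page would surface.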
## Maturity Calculation Audit

### Calculation Transparency

```typescript
interface MaturityAudit {
  calculationId: string
  calculatedAt: Date
  calculatedBy: string          // System or user override

  inputs: {
    questions: {
      id: string
      answer: any
      weight: number
      included: boolean
    }[]
    totalQuestions: number
    answeredQuestions: number
  }

  strategyScores: {
    strategy: E8Strategy
    questionsInStrategy: number
    questionsAnswered: number
    positiveAnswers: number
    score: number
    level: string               // ML0-ML3
  }[]

  overallCalculation: {
    method: 'simple_average' | 'weighted' | 'minimum'
    weights?: { [strategy: string]: number }
    rawScore: number
    adjustments: {
      reason: string
      adjustment: number
    }[]
    finalScore: number
    maturityLevel: string
  }

  comparison: {
    previousLevel?: string
    previousDate?: Date
    change?: 'improved' | 'maintained' | 'degraded'
    industryBenchmark?: number
    percentile?: number
  }
}
```
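Calculation transparency means an auditor can take the `inputs`, apply the stated `method` and `adjustments`, and land on the same `finalScore`. The following is an added example, not the framework's own calculation: it fills the `strategyScores` and `overallCalculation` parts of `MaturityAudit` for all three methods listed above. The level thresholds, the per-strategy scoring rule (weighted share of positive answers among answered questions), the coverage adjustment for unanswered questions, and the sample questions are assumptions of this example.

```typescript
type E8Strategy = 'MFA' | 'REGULAR_BACKUPS' | 'PATCH_APPLICATIONS';
type Method = 'simple_average' | 'weighted' | 'minimum';

interface QuestionInput {
  id: string;
  strategy: E8Strategy;
  answer: 'YES' | 'NO' | null;   // null = not yet answered
  weight: number;
  included: boolean;
}

interface StrategyScore {
  strategy: E8Strategy;
  questionsInStrategy: number;
  questionsAnswered: number;
  positiveAnswers: number;
  score: number;
  level: string;
}

interface OverallCalculation {
  method: Method;
  weights?: { [strategy: string]: number };
  rawScore: number;
  adjustments: { reason: string; adjustment: number }[];
  finalScore: number;
  maturityLevel: string;
}

const round4 = (x: number): number => Math.round(x * 10_000) / 10_000;

// Assumed thresholds mapping a 0-1 score onto ML0-ML3.
function levelFor(score: number): string {
  if (score >= 0.9) return 'ML3';
  if (score >= 0.7) return 'ML2';
  if (score >= 0.4) return 'ML1';
  return 'ML0';
}

const weightSum = (qs: QuestionInput[]): number => qs.reduce((s, q) => s + q.weight, 0);

// Weighted share of positive answers among the answered, included questions.
function scoreStrategy(strategy: E8Strategy, questions: QuestionInput[]): StrategyScore {
  const inStrategy = questions.filter(q => q.strategy === strategy && q.included);
  const answered = inStrategy.filter(q => q.answer !== null);
  const positive = answered.filter(q => q.answer === 'YES');
  const score = answered.length ? round4(weightSum(positive) / weightSum(answered)) : 0;
  return { strategy, questionsInStrategy: inStrategy.length, questionsAnswered: answered.length,
    positiveAnswers: positive.length, score, level: levelFor(score) };
}

function calculateMaturity(questions: QuestionInput[], method: Method,
  weights?: { [strategy: string]: number },
): { strategyScores: StrategyScore[]; overallCalculation: OverallCalculation } {
  const strategies = Array.from(new Set(questions.map(q => q.strategy)));
  const strategyScores = strategies.map(s => scoreStrategy(s, questions));
  const scores = strategyScores.map(s => s.score);

  let rawScore: number;
  if (method === 'minimum') {
    rawScore = Math.min(...scores);
  } else if (method === 'weighted') {
    const w = strategyScores.map(s => weights?.[s.strategy] ?? 1);   // missing weight = 1 (assumed)
    rawScore = strategyScores.reduce((acc, s, i) => acc + s.score * w[i], 0) / w.reduce((a, b) => a + b, 0);
  } else {
    rawScore = scores.reduce((a, b) => a + b, 0) / scores.length;
  }
  rawScore = round4(rawScore);

  // Every adjustment is recorded with its reason, so the final score can be
  // re-derived from the audit record alone.
  const adjustments: { reason: string; adjustment: number }[] = [];
  const unanswered = questions.filter(q => q.included && q.answer === null).length;
  if (unanswered > 0) {
    adjustments.push({ reason: `${unanswered} included question(s) unanswered`, adjustment: -0.05 * unanswered });
  }
  const finalScore = round4(Math.max(0, rawScore + adjustments.reduce((a, x) => a + x.adjustment, 0)));
  return { strategyScores,
    overallCalculation: { method, weights, rawScore, adjustments, finalScore, maturityLevel: levelFor(finalScore) } };
}

// Constructed sample assessment.
const SAMPLE_QUESTIONS: QuestionInput[] = [
  { id: 'E8_MFA_001', strategy: 'MFA', answer: 'YES', weight: 1, included: true },
  { id: 'E8_MFA_002', strategy: 'MFA', answer: 'YES', weight: 1, included: true },
  { id: 'E8_MFA_003', strategy: 'MFA', answer: 'NO', weight: 1, included: true },
  { id: 'E8_BACKUP_001', strategy: 'REGULAR_BACKUPS', answer: 'YES', weight: 1, included: true },
  { id: 'E8_BACKUP_002', strategy: 'REGULAR_BACKUPS', answer: 'YES', weight: 1, included: true },
  { id: 'E8_PATCH_001', strategy: 'PATCH_APPLICATIONS', answer: 'YES', weight: 1, included: true },
  { id: 'E8_PATCH_002', strategy: 'PATCH_APPLICATIONS', answer: null, weight: 1, included: true },
];
```

Note that the same inputs give ML2 under `simple_average` and ML1 under `minimum`, which is exactly why `method` and `weights` are part of the audit record: a reported level is meaningless without them.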
## Report Generation Audit

### Report Metadata

```yaml
report_audit:
  report_id: uuid
  report_type: "Board Package" | "Technical Detail" | "Compliance Certificate"
  generated_at: timestamp
  generated_by: user_id
  generation_trigger: "Manual" | "Scheduled" | "Event"
  content:
    sections_included:
      - executive_summary
      - current_maturity
      - gap_analysis
      - recommendations
      - evidence_appendix
    data_sources:
      - assessment_id: uuid
        assessment_date: date
      - benchmark_data: source
        benchmark_date: date
    filters_applied:
      - show_only_gaps: boolean
      - include_evidence: boolean
      - detail_level: "summary" | "detailed"
  distribution:
    recipients:
      - email: "board@company.com"
        role: "Board"
        sent_at: timestamp
      - email: "compliance@company.com"
        role: "Compliance"
        sent_at: timestamp
    access_controls:
      password_protected: true
      expiry_date: date
      download_limit: 5
      watermark: "CONFIDENTIAL - Board Only"
  interactions:
    - user: user_id
      action: "downloaded"
      timestamp: timestamp
      ip_address: string
    - user: user_id
      action: "viewed"
      timestamp: timestamp
      duration_seconds: 120
```
## Compliance Reporting

### Regulatory Submission Audit

```typescript
interface RegulatoryAudit {
  // Submission details
  submissionId: string
  regulator: 'APRA' | 'ASIC' | 'ACSC' | 'Other'
  reportingPeriod: {
    start: Date
    end: Date
  }
  submittedAt: Date
  submittedBy: string

  // Content attestation
  attestations: {
    statement: string
    attestedBy: string
    role: string
    date: Date
    signature: string           // Digital signature
  }[]

  // Data included
  dataPoints: {
    metric: string
    value: any
    source: string
    confidence: number
    verified: boolean
  }[]

  // Submission result
  status: 'draft' | 'submitted' | 'acknowledged' | 'rejected'
  acknowledgementNumber?: string
  feedback?: string

  // Follow-up
  correctionsRequired: boolean
  correctionDetails?: string
  resubmittedAt?: Date
}
```
## Audit Trail Retention

### Retention Policy
| Data Type | Retention Period | Deletion Method | Compliance Requirement |
|---|---|---|---|
| Assessment answers | 7 years | Automated archive | APRA CPS 234 |
| Board decisions | 10 years | Manual review | Corporations Act |
| Evidence documents | 7 years | Automated with warning | General compliance |
| User actions | 3 years | Automated | Privacy Act |
| System logs | 1 year | Automated rotation | Security best practice |
| Report access | 5 years | Automated | Internal policy |
### Archive Process

```yaml
archive_process:
  trigger: 'Age > retention_period - 30 days'
  steps:
    1_notify:
      - compliance_team
      - data_owner
      - legal_counsel
    2_review:
      hold_reasons:
        - active_litigation
        - regulatory_investigation
        - business_critical
      review_period: 30_days
    3_archive:
      method: 'Move to cold storage'
      encryption: 'AES-256'
      location: 'AWS Glacier'
      retrieval_time: '24 hours'
    4_deletion:
      requires_approval: true
      approvers: ['Compliance', 'Legal']
      deletion_certificate: generated
      verification: 'Hash comparison'
```
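The retention table and the four archive steps above describe one decision procedure: compute the expiry from the data type, start notifying 30 days before it, hold records under litigation or investigation past expiry, and delete only with both approvals and a hash-verified certificate. The following is an added example that turns that procedure into code; it is not the framework's own job. The retention periods, the 30-day window, the hold reasons and the two approvers come from the page; the decision function, the certificate shape and the sample dates are assumptions of this example.

```typescript
type DataType = 'assessment_answers' | 'board_decisions' | 'evidence_documents'
  | 'user_actions' | 'system_logs' | 'report_access';

// Retention periods in years, from the Retention Policy table above.
const RETENTION_YEARS: Record<DataType, number> = {
  assessment_answers: 7, board_decisions: 10, evidence_documents: 7,
  user_actions: 3, system_logs: 1, report_access: 5,
};
const NOTIFY_WINDOW_DAYS = 30;
const HOLD_REASONS = new Set(['active_litigation', 'regulatory_investigation', 'business_critical']);
const REQUIRED_APPROVERS = ['Compliance', 'Legal'];

// 'retain': nothing to do; 'notify': inside the 30-day window (step 1);
// 'hold': expired but a review hold applies (step 2); 'archive': expired, no hold (step 3).
type RetentionAction = 'retain' | 'notify' | 'hold' | 'archive';

function addYears(d: Date, years: number): Date {
  const r = new Date(d.getTime());
  r.setUTCFullYear(r.getUTCFullYear() + years);
  return r;
}

const daysBetween = (from: Date, to: Date): number => (to.getTime() - from.getTime()) / 86_400_000;

function retentionAction(type: DataType, createdAt: Date, now: Date, holds: string[]): RetentionAction {
  const expiry = addYears(createdAt, RETENTION_YEARS[type]);
  const daysLeft = daysBetween(now, expiry);
  if (daysLeft > NOTIFY_WINDOW_DAYS) return 'retain';
  if (daysLeft > 0) return 'notify';
  // Only the hold reasons listed in the spec block archiving; anything else is ignored.
  return holds.some(h => HOLD_REASONS.has(h)) ? 'hold' : 'archive';
}

// Step 4: both approvers must have signed off.
function canDelete(approvals: string[]): boolean {
  return REQUIRED_APPROVERS.every(a => approvals.includes(a));
}

interface DeletionCertificate {
  recordId: string;
  deletedAt: string;             // ISO 8601 UTC
  approvers: string[];
  hashBeforeDeletion: string;    // what was verified against the archive copy
  verification: 'Hash comparison';
}

// Issues the certificate only when approvals are complete and the archived
// copy's recomputed hash matches the hash recorded when it was stored; returns
// null (and deletes nothing) otherwise.
function issueDeletionCertificate(
  recordId: string, storedHash: string, recomputedHash: string, approvals: string[], now: Date,
): DeletionCertificate | null {
  if (!canDelete(approvals) || storedHash !== recomputedHash) return null;
  return {
    recordId, deletedAt: now.toISOString(), approvers: [...REQUIRED_APPROVERS],
    hashBeforeDeletion: storedHash, verification: 'Hash comparison',
  };
}
```

The hash comparison before deletion is what gives the certificate its value: it proves that the thing being certified as destroyed is the thing that was archived, not a copy that drifted somewhere between cold storage and the deletion job.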
## Audit Trail Access

### Access Control Matrix
| Role | View Own | View Team | View All | Export | Delete |
|---|---|---|---|---|---|
| Board | β | β | β | β | β |
| Executive | β | β | β | β | β |
| Compliance | β | β | β | β | β |
| IT Manager | β | β | β | ⚠️ | β |
| Auditor | β | β | β | β | β |
| System Admin | β | β | β | β | β |

⚠️ = Requires approval
### Audit Trail Reporting
Available reports:
- Compliance Report: All actions for regulatory period
- User Activity: Individual user audit trail
- Change History: All modifications to assessments
- Evidence Report: Document upload and validation log
- Access Report: Who accessed what and when
- Exception Report: Unusual activities or overrides
## Implementation Validation

### Audit Trail Completeness Check
- Every user action creates audit record
- All data sources tracked
- Delegation chain preserved
- Evidence linked properly
- Calculations transparent
- Reports logged
- Retention automated
- Access controlled
- Exports available
- Immutability enforced
This comprehensive audit trail ensures GetCimple meets all regulatory requirements while providing transparency for boards and enabling continuous improvement of the E8 assessment process.