Auditability Requirements

Why this matters

As a Data Architect, you are accountable for making data verifiable. Auditability means you can reliably answer: who did what, to which data, when, where, how, and why. Real tasks include:

• Designing platform-wide audit logs for reads, writes, schema changes, deployments, and policy decisions.
• Enabling regulators and internal auditors to replay and verify events.
• Providing evidence packs for incidents, data deletion requests, or quarterly control reviews.
• Balancing privacy, cost, and performance while keeping logs complete and tamper-evident.

Concept explained simply

Auditability is the capability of your data platform to produce trustworthy, complete, and discoverable records of important events. If something went wrong yesterday, you can reconstruct the story today without guesswork.

Mental model: the detective timeline

Imagine building a tamper-evident timeline. Each event is a card with: who, when (UTC), where (system), what (object), action, before/after, why (justification), result, and a unique ID. Cards are chained with checksums so missing or altered cards are obvious.

Core auditability requirements (practical checklist)

• Event coverage: access (read/write), CRUD on data, schema/migration changes, configuration changes, deployments, policy enforcement decisions, data exports, privileged actions.
• Standard fields: event_id (UUID), timestamp_utc (ISO 8601), actor_id and actor_role, subject_type and subject_id (dataset/table/record), action, request_id/correlation_id, source_application, auth_method, client_network_info (avoid full IP if restricted), result (success/failure), error_code, justification/policy_id, before_hash and after_hash for data changes, dataset_version/job_run_id, code_version.
• Integrity: append-only storage, write-once or object-lock where feasible, hashing/signatures, chain_id/prev_event_hash for tamper evidence, clock sync (e.g., NTP), monotonic IDs per stream.
• Retention and archiving: defined per regulation/risk (e.g., 1–7 years), warm vs cold tiers, defensible deletion after expiry.
• Discoverability: indexed by time and key fields; queryable without custom code; documented schema.
• Access control: least privilege; separation of duties; audit logs themselves are monitored; break-glass access is logged.
• Privacy: avoid logging raw PII; log hashes or tokens; classify events; mask sensitive fields.
• Performance: async logging, backpressure handling, sampling only for low-risk events (never for critical writes or privileged actions).
• Operationalization: dashboards, scheduled reviews, alerting on high-risk patterns, runbooks for investigations.

Worked examples

{
  "event_id": "e-9f1c...", "timestamp_utc": "2025-04-21T13:22:09Z",
  "action": "READ", "subject_type": "table", "subject_id": "sales.customers",
  "actor_id": "user_912", "actor_role": "support_agent",
  "source_application": "CustomerServicePortal", "auth_method": "SAML",
  "request_id": "req-7f2", "correlation_id": "corr-2ab",
  "result": "SUCCESS", "row_scope": "customer_id IN (1001,1002)",
  "policy_id": "POL-READ-001", "client_network_info": {"ip_last_octet": "*.45"}
}

{
  "event_id": "e-4aa1...", "timestamp_utc": "2025-05-11T02:00:04Z",
  "action": "BULK_UPDATE", "subject_type": "table", "subject_id": "dw.orders",
  "actor_id": "svc_etl_orders", "actor_role": "service",
  "job_run_id": "jr-2025-05-11-0200", "code_version": "git:3fbc12a",
  "before_checksum": "sha256:abc...", "after_checksum": "sha256:def...",
  "rows_affected": 10000, "result": "SUCCESS",
  "source_application": "Airflow", "request_id": "req-jr-0200",
  "prev_event_hash": "sha256:...", "event_hash": "sha256:..."
}

{
  "event_id": "e-mig-778", "timestamp_utc": "2025-06-02T09:14:33Z",
  "action": "SCHEMA_ALTER", "subject_type": "table", "subject_id": "sales.customers",
  "migration_id": "2025-06-02_add_phone_idx", "change_summary": "ADD INDEX idx_phone",
  "actor_id": "ci_cd_bot", "approver_ids": ["dba_04", "security_02"],
  "pull_request": "PR-1831", "result": "SUCCESS", "code_version": "git:9ab8cd1"
}

Implementation recipe

1. Map events: list systems and critical actions (access, data changes, schema, deployments, exports, policy decisions).
2. Define a standard log schema: adopt required fields from the checklist and document them.
3. ID and time strategy: UUIDs, UTC ISO timestamps, correlation IDs across services, NTP across hosts.
4. Choose storage: append-only store (e.g., object store with object lock or an immutable log), plus a queryable analytics table.
5. Integrity: compute event hash and optional chain hash (prev_event_hash). Restrict delete/update on audit tables.
6. Routing: async collectors; retry queues; dead-letter for failures; never drop critical events.
7. Retention and privacy: set retention per class; mask or hash sensitive values; classify events.
8. Operations: dashboards for high-risk events, monthly sample reviews, alerting on anomalies, and clear investigation runbooks.

Common mistakes and self-check

• Missing correlation IDs. Self-check: can you trace one user action across services? If not, add request_id/correlation_id.
• Logging raw PII. Self-check: scan fields; replace with hashes/tokens and store only necessary context.
• Mutable audit tables. Self-check: ensure append-only permissions; enable object lock or strong controls.
• No coverage for reads. Self-check: confirm sensitive read paths create events with scope and policy ID.
• Unsearchable logs. Self-check: can you answer a question in under 5 minutes? If not, add indexes/partitions on time and key fields.
• Clock drift. Self-check: compare event timestamps across systems; enforce NTP.
• Over-logging low-value noise. Self-check: review cost and signal; tune sampling for low-risk events only.

Exercises

These mirror the tasks below. Try them before opening solutions.

{"event_id":"e1","timestamp_utc":"2025-01-01T10:00:00Z","action":"UPDATE","subject_type":"table","subject_id":"sales.customers","actor_id":"user_912","row_primary_key":"1001","result":"SUCCESS"}

Self-checklist

• My event includes unique IDs and UTC timestamps.
• I can link actions across services using request_id/correlation_id.
• Sensitive values are hashed or masked.
• There is tamper evidence (hash/chain) and append-only storage.
• Retention and access policies exist and are documented.

Practical projects

• Build a minimal audit pipeline: emit JSON events to object storage with object lock (or immutable bucket), ingest to a query table, and verify append-only permissions.
• Implement event hashing and a simple chain (prev_event_hash). Prove tamper detection by attempting to alter a past event and showing mismatch.
• Create an “evidence pack” for a mock incident: query relevant events, export as a signed bundle, and write a one-page narrative.

Mini challenge

You receive an audit event for a data export that includes actor_id, action=EXPORT, dataset, and timestamp, but nothing else. Identify the top five missing fields that would make this auditable and justify each.

Who this is for

• Data Architects designing enterprise data platforms.
• Senior Data Engineers implementing logging frameworks.
• Analytics platform owners accountable for compliance.

Prerequisites

• Basic understanding of data pipelines and storage (batch/stream).
• Familiarity with IAM (roles, policies) and environment segregation.
• Comfort reading/writing JSON.

Learning path

• Start: Auditability requirements (this page).
• Next: Data lineage and metadata modeling.
• Then: Access control design and separation of duties.
• Then: Data quality checks and reconciliation patterns.
• Optional: Compliance basics (e.g., retention classes, privacy by design).

Next steps

• Finish the exercises and take the quick test below.
• Draft your platform’s standard audit event schema and review it with security and compliance.
• Pick one system this week and enable end-to-end audit logs with integrity checks.

Quick Test reminder: available to everyone; sign in to save your progress.