Compliance · 22 Apr 2026 · 8 min read

Audit trails that survive review

What 'append-only' actually means in practice and why correlation IDs are the unsung hero of gov-tech audits.


Auditability is one of those words that sells a lot of platforms but means very little until oversight asks a specific question.

The question, in our experience, is almost always the same: who changed this record, when, from where, with what authority — and can you prove they were authorised to make the change at the moment they made it?

An append-only audit log is the answer. But getting it right is harder than it looks.

First, every mutation has to append. Not just creates and deletes — every transition. State change, role change, evidence attachment, even read-with-write-intent. If your audit log misses transitions, you can't replay a case.

Second, every entry has to carry actor identity, the resource it touched, the action it took, and a correlation ID. The correlation ID is what lets you stitch together the request from gateway through every service that handled it.

Third — and this is the one most platforms get wrong — the log has to be immutable from the application's perspective. If your application can update or delete audit entries, your audit log isn't an audit log. It's a recommendation.

eTraffica appends with a hash of the prior entry. Tampering is detectable. Exports for legal admissibility ship with the chain so the receiving party can verify integrity independently.
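
An added example, not eTraffica's code: a minimal hash-chained log in Python with the entry fields listed above and the check a receiving party would run on an export. The field names, SHA-256, the canonical JSON encoding and the all-zero genesis value are assumptions, and the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry
REQUIRED = ("actor", "resource", "action", "correlation_id", "timestamp")


def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry (hash field excluded)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(log: list, **fields) -> dict:
    """Append one entry whose prev_hash commits to the entry before it."""
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"audit entry missing fields: {missing}")
    body = dict(fields, seq=len(log), prev_hash=log[-1]["hash"] if log else GENESIS)
    entry = dict(body, hash=entry_hash(body))
    log.append(entry)
    return entry


def verify(exported: list):
    """Return (True, None) or (False, seq of first bad entry); run by the receiver."""
    prev = GENESIS
    for i, entry in enumerate(exported):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev_hash") != prev
                or entry.get("hash") != entry_hash(body)):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample data: correlation ID 'req-7f3a' ties two entries together."""
    log = []
    append(log, actor="officer:1042", resource="case:881", action="state:open->review",
           correlation_id="req-7f3a", timestamp="2026-04-22T09:15:02Z")
    append(log, actor="officer:1042", resource="case:881", action="evidence:attach",
           correlation_id="req-7f3a", timestamp="2026-04-22T09:15:03Z")
    append(log, actor="supervisor:77", resource="case:881", action="state:review->closed",
           correlation_id="req-9c21", timestamp="2026-04-22T11:40:10Z")
    return log
```

A chain on its own does not reveal entries cut from the end: the shorter export still verifies. The receiver needs the latest entry hash through a separate channel to detect that.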

When oversight asks who acted, when, with what authority — the answer is one query. That's what auditable means.
