Audit Evidence
SCENARIO
Management Cannot Prove What Happened After an Incident
THE SCENARIO
A client contacts you to report that they believe their personal information may have been shared or compromised. They have received suspicious communications referencing details that only your business should have. You begin an internal investigation - and quickly discover that your business has no record of who accessed that client's file, when it was last opened, or who may have shared it externally.
How This Typically Happens
Most small and medium businesses do not have centralised audit logging in place. Information is accessed through a combination of email, shared drives and various software platforms - none of which are systematically monitored or logged. When something goes wrong, there is simply no trail to follow. Attempting to reconstruct what happened relies on individual memory and whatever fragments can be found in email history.
Why Businesses Often Miss the Warning Signs
Audit logging feels like an enterprise requirement - something that large corporates need, not small businesses. As a result, it is almost never implemented until after it is needed. By the time it is needed, the relevant events have already occurred without being recorded. The absence of a trail is only noticed when someone needs to produce one.
Potential Consequences
Inability to respond accurately to a POPIA complaint or regulatory inquiry
Obligation under POPIA section 22 to notify the Information Regulator and the affected data subjects of a security compromise, without being able to explain what happened, to whom, or for how long
Reputational damage from appearing unprepared, disorganised or indifferent to the client's concern
Legal costs associated with responding to the complaint and any subsequent formal process
Potential regulatory finding that reasonable safeguards were not in place, since an audit trail is part of the evidence that safeguards existed
Questions Management Should Ask
If a client claimed their information was compromised today, could you tell them what happened, when it happened and who was involved?
Do any of your business systems currently keep a log of who accessed which files or records, and for how long are those logs retained?
Is there a process for documenting and preserving information when a concern is raised - before records are accidentally deleted or overwritten?
Have you ever tested your ability to reconstruct what happened after an information-related incident?
Practical Steps to Improve Visibility
1. Enable access logging in your key business systems - most platforms, including Google Workspace, Microsoft 365 and most CRM tools, have this as a standard feature that is either on by default or can be switched on in the admin console. Check the retention period as well: defaults are often measured in months, not years, and vary by licence tier, so export or forward logs if you need them kept longer.
2. Identify which systems and documents hold the most sensitive information, and ensure those specifically have logging active and retention periods configured. Logging must capture not only who opened a record but also sharing and download events, since those are what an investigation usually needs to trace.
3. Create a basic incident response process: who to notify internally, what records to preserve (and how to stop them being overwritten or auto-deleted while the investigation runs), and how to document the business response.
4. Run a simple tabletop exercise once a year: present a hypothetical incident scenario to your management team and trace through exactly how you would respond, including pulling the actual logs to confirm they exist, cover the period in question and answer the questions a client or the Regulator would ask.
Could This Scenario Happen In Your Business?
ComplyBar helps businesses find and understand hidden information risks before something goes wrong.
Built for POPIA support, AI governance, data leak prevention, employee risk awareness and audit evidence.
From R750 • Delivered online • No commitment required