Auditable by Design
"Auditable" is not a final report. It is a system property: automatic evidence, traceability, and change control.
The problem
In many organizations, evidence is assembled at the end: screenshots, emails, scattered documents. That is fragile, expensive, and easy to break. When an audit or incident arrives, the team goes into "forensics" mode.
Principle
If you cannot show where a number came from, it is not data: it is an assumption. The system must be able to explain itself.
Practical implementation
- Versioned decisions (architecture, standards, policies).
- Data quality (DQ) rules with thresholds, alerts, and owner-led remediation.
- Least-privilege access controls with periodic reviews.
- Audit trails: what changed, who changed it, when, and the impact.
- Lineage: source → transformation → consumption.
What it looks like day-to-day
When a metric changes, the team can respond in minutes: "it changed because of X", "this is the rule", "this is the job", "these are the affected records", "this is the remediation". That is operational control.
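As an added illustration (not code from the original page), the sketch below combines the audit trail and lineage items from the list above to answer "why did this metric change?". The node names, sample events, field names, and the SHA-256 hash chain used for tamper evidence are all assumptions made for this example.

```python
import hashlib
import json

# Constructed lineage: node -> upstream nodes (source -> transformation -> consumption).
LINEAGE = {
    "dash.monthly_revenue": ["job.clean_orders"],
    "job.clean_orders": ["src.orders_db"],
    "dash.headcount": ["src.hr_db"],
}

def digest(event, prev):
    body = json.dumps(event, sort_keys=True) + prev
    return hashlib.sha256(body.encode()).hexdigest()

def append(trail, **event):
    """Append an event, hashed together with the previous entry's hash."""
    prev = trail[-1]["hash"] if trail else ""
    trail.append({**event, "hash": digest(event, prev)})

def verify(trail):
    """True if no entry was edited, reordered or dropped from the front or middle."""
    prev = ""
    for entry in trail:
        event = {k: v for k, v in entry.items() if k != "hash"}
        if entry["hash"] != digest(event, prev):
            return False
        prev = entry["hash"]
    return True

def upstream(node):
    """The node plus everything it is derived from, per LINEAGE."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(LINEAGE.get(current, []))
    return seen

def explain(trail, metric, since):
    """Events after `since` (ISO-8601 UTC string) touching the metric's lineage."""
    deps = upstream(metric)
    return [e for e in trail if e["what"] in deps and e["when"] > since]

TRAIL = []  # constructed sample events: what changed, who, when, and the impact
append(TRAIL, when="2024-03-01T09:00:00Z", who="alice", what="job.clean_orders",
       rule="dq.null_amount", job="run-101", affected=["ord-17"], remediation="backfill")
append(TRAIL, when="2024-03-02T10:00:00Z", who="bob", what="src.hr_db",
       rule="dq.dup_employee", job="run-102", affected=["emp-9"], remediation="dedupe")
```

Calling `explain(TRAIL, "dash.monthly_revenue", "2024-02-28T00:00:00Z")` returns only the `job.clean_orders` event, with its rule, job, affected records and remediation. The chain does not detect removal of the newest entries unless the latest hash is also stored somewhere outside the trail.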