Audit Trails: Because 'I Think It Was Dave' Isn't a Defence
- Steph Locke
- Blog
- June 19, 2026
Table of contents Show Hide
GoSmarter automatically records every change to mill certificates, inventory, and orders in metals manufacturing. Every entry logs who made the change, what the original value was, what it changed to, and when. That is a permanent record that nobody can edit or delete. It covers Mill Test Reports (MTRs), stock adjustments, and order specs across your entire operation. It meets ISO 9001 Clause 8.5.2, International Automotive Task Force (IATF) 16949, and AS9100. GoSmarter also tracks deleted items and keeps them recoverable. Read the full announcement.
“Traceability shows you where material went. Audit trails prove what happened to the data.”
Why Audit Trails Matter in Metals
Metals manufacturing lives on documentation
The metals industry lives on documentation. A missing heat number or an unexplained MTR edit isn’t just messy admin. It’s a compliance failure, a potential recall trigger, and a very bad conversation with a customer. They have their own regulatory requirements to meet.
Here’s what a proper audit trail actually gives you:
- Proven data integrity β GoSmarter logs every change (who, what, when, why) so records can’t be quietly altered. You get a complete, auditable history of your data, not just your materials.
- Real traceability β not just linking data, but proving the complete history of MTRs, batches, and orders
- One-click audit prep β pull a full change history instead of chasing spreadsheets, emails, and filing cabinets
- Faster incident response β isolate the problem quickly instead of widening a recall because you can’t tell what changed
- Natural accountability β when every action is attributable to a person, errors drop without anyone needing to say a word
- Process insight β repeated corrections signal poor processes or bad data upstream; you can only see the pattern if it’s logged
What Happens Without One
Let’s be honest about the alternative.
Without audit trails, MTR values get edited with no record of what the original said. Inventory adjustments can’t be explained. Order spec changes go unnoticed until a customer raises a non-conformance. Auditors ask questions you can’t answer. And when something does go wrong, you’re stuck with a wider recall. You can’t narrow down what was affected.
It’s not a hypothetical. It’s the default state of most metals operations. They run on spreadsheets and legacy software built before data accountability was even a purchasing requirement.
The cost isn’t abstract either. A single traceability dispute β a customer non-conformance report (NCR), an internal recall, or a failed audit β typically runs to Β£5,000 in staff time for a mid-size operation. Quarantine product, and you’re into six figures. An audit trail that takes 90 seconds to pull doesn’t just satisfy the auditor. It limits the blast radius.
The Standards That Require Them
This isn’t optional for most metals manufacturers. Here’s the regulatory landscape:
| Standard | Applies to | Key audit trail requirement | GoSmarter covers this |
|---|---|---|---|
| ISO 9001 Clause 8.5.2 | All manufacturers | Documented identification, traceability, and change history throughout production | β |
| IATF 16949 | Automotive supply chain | Strict part and material traceability; customer audits expected | β |
| AS9100 | Aerospace | Same traceability expectation as IATF; higher consequences for non-compliance | β |
| FDA 21 CFR Part 11 | Regulated electronic records | Secure, time-stamped, tamper-resistant logs; no retrospective editing | β |
| EU GMP Annex 11 / MHRA | Regulated data systems | Audit trails required; controls to prevent retrospective modification | β |
The FDA and EU GMP standards apply specifically if you supply into pharmaceutical, medical device, or similarly regulated supply chains. For everyone else, ISO 9001, IATF 16949, and AS9100 are the ones that matter.
The common thread across all of them: audit trails must be automatic, time-stamped, secure, and tamper-resistant. “Dave thinks he remembers” doesn’t appear in any of those standards.
What “Good” Actually Looks Like
A compliant, defensible audit trail covers six things:
1. Before and after values
Not just that something changed, but what it changed from and to. “Yield strength modified” is not an audit trail. “Yield strength changed from 355 MPa to 350 MPa” is.
2. User identity β no shared logins
Every action must trace back to an individual. Shared logins make the entire log worthless. GoSmarter enforces individual credentials; every change is attributed to a specific person.
3. Server-side timestamps
Precise, generated by the server, and not editable by the user. A timestamp that can be changed is not evidence of when something happened.
4. Approval / flagging reasong
Optional in some systems, but invaluable during an audit. GoSmarter supports adding a note against approvals or rejections of mill certificates.
5. Immutability β the record cannot be edited
An immutable, tamper-resistant log is what separates a defensible audit trail from a spreadsheet with a “last modified” timestamp. GoSmarter audit log entries are written as append-only records; they cannot be modified or deleted at the database level, including by GoSmarter staff.
6. Full coverage across all data areas
MTRs, cert heats, inventory, orders, order lines, scrap log, and reference data. Not just the obvious bits. Partial trails are fine until the moment they’re not.
GoSmarter vs. Alternatives: Audit Trail Capability
If you’re evaluating tools, here’s what the audit trail landscape actually looks like:
| Capability | GoSmarter | Generic ERP (e.g. Sage, Epicor) | Spreadsheet |
|---|---|---|---|
| Before and after values on every change | β Automatic | β οΈ Varies by module | β No |
| Individual user attribution (no shared logins) | β Enforced | β οΈ Often optional | β No |
| Server-side tamper-resistant timestamp | β Append-only log | β οΈ Varies | β Editable |
| Deleted records tracked and recoverable | β All data types | β οΈ Rarely | β No |
| Mill certificate (MTR) change history | β Per-field logging | β Not metals-specific | β No |
| Inventory and order change history | β Full coverage | β οΈ Partial (varies) | β No |
| Meets ISO 9001 Clause 8.5.2 | β Direct evidence | β οΈ Possible with configuration | β No |
| Meets IATF 16949 / AS9100 | β Direct evidence | β οΈ Possible with configuration | β No |
| Retrievable in under 2 minutes | β In-platform search | β οΈ Often needs IT involvement | β Manual reconstruction |
The critical distinction is “automatic” vs. “configurable.” A generic ERP can produce an audit trail if it’s configured correctly and if your team uses it correctly. GoSmarter produces one automatically, from day one, regardless of whether anyone thought to set it up.
GoSmarter Now Does This Across the Board
What GoSmarter logs
GoSmarter’s audit trail isn’t limited to three data types. It spans the full operation. Here’s the current coverage:
| Data area | Full version history | Recoverable if deleted | Bulk restore |
|---|---|---|---|
| Mill certificates (MTRs) | β | β | Single record |
| Inventory items | β | β | Single record |
| Orders | β | β | β Bulk |
| Tags & tagging rules | β | β | Single record |
| Scrap log | β | β | β Bulk |
| Stock locations, materials, order statuses | β | β | Single record |
Every entry captures the original value, the new value, the user, and a server-side timestamp. That timestamp cannot be edited after the fact.
Deleted items are tracked and recoverable across all the above. For orders, a bulk restore is available and cascades to all line items, so if an order is accidentally removed, everything under it comes back in one action.
Audit trail coverage is available across all GoSmarter plans, including MillCert Reader, which digitises and links your incoming MTRs automatically before the audit trail begins.
How fast can you retrieve an audit history?
Under two minutes. Search by record, user, date, or change type. No chasing spreadsheets, emails, or filing cabinets. If an auditor asks “who changed this MTR value last Tuesday?”, you have the answer in seconds β a complete, auditable history of every change, fully exportable for a customer or regulator.
This is the kind of feature that sits quietly in the background until the day you desperately need it. We built it so that day goes well for you.
The full details are in the release notes. Short version: if something changes in GoSmarter, you’ll know exactly what, who, and when.
See how GoSmarter’s compliance solution maps to each of these requirements. Or explore the full picture of integrated cert traceability and audit trails working together.
Frequently Asked Questions
What exactly does GoSmarter log in its audit trail?
Does GoSmarter's audit trail meet ISO 9001 Clause 8.5.2?
How is GoSmarter's audit trail tamper-resistant?
Can we use GoSmarter's audit trail for IATF 16949 or AS9100 compliance?
How long does it take to pull an audit history for a specific record?
Does the audit trail cover deleted records?
How does GoSmarter support traceability from incoming stock to finished part?
Can we export the audit trail for an external auditor or customer?
Further Reading
- GoSmarter Metals Manager β real-time inventory management with a permanent audit trail built in
- Audit Panic is Optional: How to Stop Freaking Out Over Lost Certs
- AI and Mill Test Report Traceability
- MillCert Reader: Automate Mill Certificate Processing
- Case Study: MillCert Reader Saves 10 Hours a Month
About the Author
Co-founder & Head of Product
Steph Locke is Co-founder and Head of Product at GoSmarter AI β former Microsoft Data & AI MVP building practical tools to cut paperwork and automate compliance for metals manufacturers.
