# Audit Trails: Because 'I Think It Was Dave' Isn't a Defence



> What audit trails mean in metals manufacturing — and how GoSmarter satisfies ISO 9001 Clause 8.5.2, IATF 16949, and AS9100 automatically.
> 
> **URL:** https://www.gosmarter.ai/blog/audit-trails-why-they-matter-metals-manufacturing/

**Date:** 2026-06-19
**Author:** Steph Locke

**Categories:** blog

**Tags:** compliance, data-strategy, manufacturing, metals, quality

## 


GoSmarter automatically records every change to mill certificates, inventory, and orders in metals manufacturing. Every entry logs who made the change, what the original value was, what it changed to, and when. That is a permanent record that nobody can edit or delete. It covers Mill Test Reports (MTRs), stock adjustments, and order specs across your entire operation. It meets ISO 9001 Clause 8.5.2, International Automotive Task Force (IATF) 16949, and AS9100. GoSmarter also tracks deleted items and keeps them recoverable. [Read the full announcement.](https://change.gosmarter.ai/announcements/audit-trails-everywhere)

> "Traceability shows you where material went. Audit trails prove what happened to the data."

## Why Audit Trails Matter in Metals

### Metals manufacturing lives on documentation

The metals industry lives on documentation. A missing heat number or an unexplained MTR edit isn't just messy admin. It's a compliance failure, a potential recall trigger, and a very bad conversation with a customer. They have their own regulatory requirements to meet.

Here's what a proper audit trail actually gives you:

- **Proven data integrity** — GoSmarter logs every change (who, what, when, why) so records can't be quietly altered. You get a complete, auditable history of your data, not just your materials.
- **Real traceability** — not just linking data, but proving the complete history of MTRs, batches, and orders
- **One-click audit prep** — pull a full change history instead of chasing spreadsheets, emails, and filing cabinets
- **Faster incident response** — isolate the problem quickly instead of widening a recall because you can't tell what changed
- **Natural accountability** — when every action is attributable to a person, errors drop without anyone needing to say a word
- **Process insight** — repeated corrections signal poor processes or bad data upstream; you can only see the pattern if it's logged

## What Happens Without One

Let's be honest about the alternative.

Without audit trails, MTR values get edited with no record of what the original said. Inventory adjustments can't be explained. Order spec changes go unnoticed until a customer raises a non-conformance. Auditors ask questions you can't answer. And when something does go wrong, you're stuck with a wider recall. You can't narrow down what was affected.

It's not a hypothetical. It's the default state of most metals operations. They run on spreadsheets and legacy software built before data accountability was even a purchasing requirement.

The cost isn't abstract either. A single traceability dispute — a customer non-conformance report (NCR), an internal recall, or a failed audit — typically runs to £5,000 in staff time for a mid-size operation. Quarantine product, and you're into six figures. An audit trail that takes 90 seconds to pull doesn't just satisfy the auditor. It limits the blast radius.

## The Standards That Require Them

This isn't optional for most metals manufacturers. Here's the regulatory landscape:

| Standard | Applies to | Key audit trail requirement | GoSmarter covers this |
|---|---|---|---|
| **ISO 9001 Clause 8.5.2** | All manufacturers | Documented identification, traceability, and change history throughout production | ✓ |
| **IATF 16949** | Automotive supply chain | Strict part and material traceability; customer audits expected | ✓ |
| **AS9100** | Aerospace | Same traceability expectation as IATF; higher consequences for non-compliance | ✓ |
| **FDA 21 CFR Part 11** | Regulated electronic records | Secure, time-stamped, tamper-resistant logs; no retrospective editing | ✓ |
| **EU GMP Annex 11 / MHRA** | Regulated data systems | Audit trails required; controls to prevent retrospective modification | ✓ |

The FDA and EU GMP standards apply specifically if you supply into pharmaceutical, medical device, or similarly regulated supply chains. For everyone else, ISO 9001, IATF 16949, and AS9100 are the ones that matter.

The common thread across all of them: audit trails must be **automatic, time-stamped, secure, and tamper-resistant**. "Dave thinks he remembers" doesn't appear in any of those standards.

## What "Good" Actually Looks Like

A compliant, defensible audit trail covers six things:

### 1. Before and after values

Not just that something changed, but what it changed from and to. "Yield strength modified" is not an audit trail. "Yield strength changed from 355 MPa to 350 MPa" is.

### 2. User identity — no shared logins

Every action must trace back to an individual. Shared logins make the entire log worthless. GoSmarter enforces individual credentials; every change is attributed to a specific person.

### 3. Server-side timestamps

Precise, generated by the server, and not editable by the user. A timestamp that can be changed is not evidence of when something happened.

### 4. Approval / flagging reasong

Optional in some systems, but invaluable during an audit. GoSmarter supports adding a note against approvals or rejections of mill certificates.

### 5. Immutability — the record cannot be edited

An immutable, tamper-resistant log is what separates a defensible audit trail from a spreadsheet with a "last modified" timestamp. GoSmarter audit log entries are written as append-only records; they cannot be modified or deleted at the database level, including by GoSmarter staff.

### 6. Full coverage across all data areas

MTRs, cert heats, inventory, orders, order lines, scrap log, and reference data. Not just the obvious bits. Partial trails are fine until the moment they're not.

## GoSmarter vs. Alternatives: Audit Trail Capability

If you're evaluating tools, here's what the audit trail landscape actually looks like:

| Capability | GoSmarter | Generic ERP (e.g. Sage, Epicor) | Spreadsheet |
|---|---|---|---|
| Before and after values on every change | ✅ Automatic | ⚠️ Varies by module | ❌ No |
| Individual user attribution (no shared logins) | ✅ Enforced | ⚠️ Often optional | ❌ No |
| Server-side tamper-resistant timestamp | ✅ Append-only log | ⚠️ Varies | ❌ Editable |
| Deleted records tracked and recoverable | ✅ All data types | ⚠️ Rarely | ❌ No |
| Mill certificate (MTR) change history | ✅ Per-field logging | ❌ Not metals-specific | ❌ No |
| Inventory and order change history | ✅ Full coverage | ⚠️ Partial (varies) | ❌ No |
| Meets ISO 9001 Clause 8.5.2 | ✅ Direct evidence | ⚠️ Possible with configuration | ❌ No |
| Meets IATF 16949 / AS9100 | ✅ Direct evidence | ⚠️ Possible with configuration | ❌ No |
| Retrievable in under 2 minutes | ✅ In-platform search | ⚠️ Often needs IT involvement | ❌ Manual reconstruction |

The critical distinction is "automatic" vs. "configurable." A generic ERP *can* produce an audit trail if it's configured correctly and if your team uses it correctly. GoSmarter produces one automatically, from day one, regardless of whether anyone thought to set it up.

## GoSmarter Now Does This Across the Board

### What GoSmarter logs

GoSmarter's audit trail isn't limited to three data types. It spans the full operation. Here's the current coverage:

| Data area | Full version history | Recoverable if deleted | Bulk restore |
|---|---|---|---|
| Mill certificates (MTRs) | ✅ | ✅ | Single record |
| Inventory items | ✅ | ✅ | Single record |
| Orders | ✅ | ✅ | ✅ Bulk |
| Tags & tagging rules | ✅ | ✅ | Single record |
| Scrap log | ✅ | ✅ | ✅ Bulk |
| Stock locations, materials, order statuses | ✅ | ✅ | Single record |

Every entry captures the original value, the new value, the user, and a server-side timestamp. That timestamp cannot be edited after the fact.

Deleted items are tracked and recoverable across all the above. For orders, a bulk restore is available and cascades to all line items, so if an order is accidentally removed, everything under it comes back in one action.

Audit trail coverage is available across all GoSmarter plans, including [MillCert Reader](/products/millcert-reader/), which digitises and links your incoming MTRs automatically before the audit trail begins.

### How fast can you retrieve an audit history?

Under two minutes. Search by record, user, date, or change type. No chasing spreadsheets, emails, or filing cabinets. If an auditor asks "who changed this MTR value last Tuesday?", you have the answer in seconds — a complete, auditable history of every change, fully exportable for a customer or regulator.

This is the kind of feature that sits quietly in the background until the day you desperately need it. We built it so that day goes well for you.

The full details are in [the release notes](https://change.gosmarter.ai/announcements/audit-trails-everywhere). Short version: if something changes in GoSmarter, you'll know exactly what, who, and when.

See how GoSmarter's [compliance solution](/solutions/compliance/) maps to each of these requirements. Or explore the full picture of [integrated cert traceability and audit trails working together](/hubs/integrated-cert-traceability/).

## Frequently Asked Questions

{{< faq question="What exactly does GoSmarter log in its audit trail?" >}}
GoSmarter logs every change to mill certificates (MTRs), inventory items, orders and line items, scrap log, test results, and all your reference data — stock locations, materials, order statuses, and more. Each entry captures the original value, the new value, the user who made the change, and a server-side timestamp. Deleted items are tracked and recoverable across all data types. For orders, a bulk restore is available and cascades to all line items.
{{< /faq >}}

{{< faq question="Does GoSmarter's audit trail meet ISO 9001 Clause 8.5.2?" >}}
Yes. ISO 9001 Clause 8.5.2 requires documented identification, traceability, and change history for products throughout production. GoSmarter's audit trail automatically captures who changed what, when, and (if recorded) why, across MTRs, inventory adjustments, and order specs. No manual logging required.
{{< /faq >}}

{{< faq question="How is GoSmarter's audit trail tamper-resistant?" >}}
Audit trail entries are immutable once written. They cannot be edited or deleted by any user, including administrators. That covers FDA 21 CFR Part 11 and EU GMP Annex 11. Both standards require electronic records secured against retrospective modification. GoSmarter meets that requirement by design.
{{< /faq >}}

{{< faq question="Can we use GoSmarter's audit trail for IATF 16949 or AS9100 compliance?" >}}
Yes. Both IATF 16949 (automotive) and AS9100 (aerospace) require strict material traceability and change accountability throughout the supply chain. GoSmarter logs every MTR edit, inventory adjustment, and order change with individual user attribution, meeting traceability requirements for both standards.
{{< /faq >}}

{{< faq question="How long does it take to pull an audit history for a specific record?" >}}
Under two minutes. GoSmarter's audit trail is searchable by record, user, date range, and change type. You don't need to reconstruct a history from emails, spreadsheets, or filing cabinets. The full change log is in the system and filterable instantly.
{{< /faq >}}

{{< faq question="Does the audit trail cover deleted records?" >}}
Yes. Items that are deleted in GoSmarter are tracked and recoverable. The audit trail records when a record was deleted, by whom, and preserves the content, so you can prove a record existed even after it has been removed from active use.
{{< /faq >}}

{{< faq question="How does GoSmarter support traceability from incoming stock to finished part?" >}}
GoSmarter links MTR data to inventory records and order specs, creating a traceable chain from the original mill certificate through to the job it supported. Every data change gets captured with full before-and-after values: cert edits, inventory allocations, spec adjustments.
{{< /faq >}}

{{< faq question="Can we export the audit trail for an external auditor or customer?" >}}
GoSmarter's full change log is accessible through the platform. If you need to present a history to an auditor, a customer, or a regulator, you can retrieve the complete record: who changed what, from what value to what value, and when. No reconstructing from multiple systems.
{{< /faq >}}

## Further Reading {#further-reading}

- [GoSmarter Metals Manager](/products/metals-manager/) — real-time inventory management with a permanent audit trail built in
- [Audit Panic is Optional: How to Stop Freaking Out Over Lost Certs](/blog/audit-panic-stop-freaking-over-lost-certs/)
- [AI and Mill Test Report Traceability](/blog/ai-mill-test-report-traceability/)
- [MillCert Reader: Automate Mill Certificate Processing](/products/mill-certificate-reader/)
- [Case Study: MillCert Reader Saves 10 Hours a Month](/newsroom/case-study-millcert-reader-saves-10-hours-a-month-for-busy-production-teams/)