Common use of Automated Audit Trail Clause in Contracts

Automated Audit Trail. SSA requires EIEPs to implement and maintain a fully automated audit trail system (ATS). The system must be capable of creating, storing, protecting, and efficiently retrieving and collecting records identifying the individual user who initiates a request for information from SSA or accesses SSA-provided information. At a minimum, individual audit trail records must contain the data needed (including date and time stamps) to associate each query transaction or access to SSA-provided information with its initiator, their action, if any, and the relevant business purpose/process (e.g., SSN verification for Medicaid). Each entry in the audit file must be stored as a separate record, not overlaid by subsequent records. The Audit Trail System must create transaction files to capture all input from interactive internet applications which access or query SSA-provided information. If a State Transmission Component (STC) handles and audits the EIEP’s transactions with SSA, the EIEP is responsible for ensuring that the STC’s audit capabilities meet SSA’s requirements for an automated audit trail system. The EIEP must also establish a process to obtain specific audit information from the STC regarding the EIEP’s SSA transactions. Access to the audit file must be restricted to authorized users with a “need to know.” Audit file data must be unalterable (read-only) and maintained for a minimum of three (preferably seven) years. Information in the audit file must be retrievable by an automated method. EIEPs must have the capability to make audit file information available to SSA upon request. EIEPs must back-up audit trail records on a regular basis to ensure their availability. EIEPs must apply the same level of protection to backup audit files that apply to the original files. If the EIEP retains SSA-provided information in a database (e.g., Access database, SharePoint, etc.), or if certain data elements within the EIEP’s system indicate to users that SSA verified the information, the EIEP’s system must also capture an audit trail record of users who viewed SSA-provided information stored within the EIEP’s system. The retrieval requirements for SSA-provided information at rest and the retrieval requirements for regular transactions are identical.