The Inspector General's First Question: Why Audits Are Won or Lost in the Change Log
The first artifact an OIG asks for is rarely the report. It's the log. The agencies that win their reviews are the ones that designed the log into the operating system from the start.
The change log is not a feature. It is the audit's foundational evidence.
Every veteran public works director has had the conversation. The inspector general's office calls. A review is opening. The agency assembles its leadership and asks "what do they want first?" The answer, in nearly every case under both federal OIG protocols and state-level equivalents, is the same: the change log for the records covering the audit period.
The change log — the continuous, attributed, immutable record of every modification to every operational record — is the artifact that determines the rest of the audit. The Council of the Inspectors General on Integrity and Efficiency (CIGIE) Quality Standards for Federal Offices of Inspector General and the U.S. Government Accountability Office's Yellow Book (Generally Accepted Government Auditing Standards) both emphasize that decision history attribution is the foundation on which other audit conclusions are built. If the log is incomplete, the rest of the audit is built on testimony — and testimony, no matter how well intentioned, is not equivalent to a contemporaneous record.
The agencies that fare well in inspector general reviews share one architectural property: their operating system was designed from the start to produce a continuous, named-actor change log as a byproduct of routine work. Every status change, every property edit, every approval is captured the moment it occurs. The audit response begins with an export, not with an investigation.
Four properties a change log must hold
Drop any one of the four and the auditor discounts every finding derived from the log.
Continuously captured
Every property change on every record produces an event the moment it occurs. No backfilling. No gaps.
Named-actor attribution
Every event is tied to a specific human user — not a generic service account. The auditor can trace the decision back to the person.
Immutable history
Prior values are preserved. The current value can change; the record of every prior value remains in the log.
Queryable on demand
The log is exportable for any time window, record class, or actor. The auditor receives the answer as a query result, not a reconstruction.
Why audit findings are usually about the log — not the work
Read enough OIG reports across federal and state public works programs and a pattern emerges. Most material findings are not findings against the work. They are findings against the documentation of the work. The bridge inspection happened. The contractor was paid for the right scope. The funding source was, in fact, federally compliant. The finding is that the agency could not produce, on demand, the contemporaneous evidence to demonstrate it.
This is the most common operational tragedy in modern public works oversight. The agency did the work correctly. The agency lost the audit anyway. The cause was structural — an operating system that did not produce a defensible change log as a byproduct of routine work — and the remedy is also structural. Bolting an audit log onto an existing system after the fact rarely produces an evidentiary artifact strong enough to satisfy CIGIE or Yellow Book standards. The log has to be a property of the system from the start.
The agencies that have made this architectural commitment describe a different audit experience. The OIG opens the review. The agency exports the change log for the audit period. The auditor reviews the log — already attributed, already immutable, already queryable — and the conversation moves directly to substantive policy questions. The finding, if any, is about a decision the agency made — not about the agency's ability to demonstrate that the decision was made by the right person on the right day for the right reason.
A field story you have probably already lived
A state department of transportation receives an OIG inquiry into the federal cost-share allocation on a $58M corridor reconstruction. The first request is for the change log on the project's funding source field across the 28-month execution window. Under the legacy posture, the project's funding allocations were tracked in a spreadsheet that was emailed between the program manager and the finance office. There is no continuous record of who changed the allocation, when, or why. The agency assembles a narrative reconstruction with footnotes. The OIG issues a finding citing "insufficient contemporaneous documentation of decision attribution". The federal cost-share is partially reclaimed.
Under a governed posture, the same inquiry produces the same record in twenty minutes. The log shows every adjustment to the funding allocation — the program manager who initiated it, the finance director who approved it, the timestamp, the prior value, the new value, and the linked memo. The OIG reviews the log, confirms the attribution, and closes the inquiry without finding. The federal cost-share is preserved. The corridor reconstruction proceeds without an open compliance overhang.
- Council of the Inspectors General on Integrity and Efficiency (CIGIE) — Quality Standards for Federal Offices of Inspector General.
- U.S. Government Accountability Office (GAO) — Generally Accepted Government Auditing Standards (Yellow Book).
- Office of Management and Budget (OMB) — Uniform Guidance, 2 CFR Part 200, decision attribution and recordkeeping requirements.
- National Association of State Auditors, Comptrollers and Treasurers (NASACT) — state-level audit posture and standards.
- American Public Works Association (APWA) — operational documentation and audit readiness guidance.
- Federal Highway Administration — Title 23 program oversight and recordkeeping standards.
Frequently asked questions about the inspector general change log
What does an inspector general actually look for first in a public works review?
+
The first artifact requested in nearly every OIG and state-level inspector general review is the change log: who modified what, when, and under whose authority, across the records covering the audit period. CIGIE (Council of the Inspectors General on Integrity and Efficiency) standards and the GAO Yellow Book both emphasize the change log as the foundational evidentiary artifact, because it allows the auditor to reconstruct the operational decision history without depending on staff testimony.
Why are change logs more important than periodic reports?
+
Periodic reports are snapshots. They show the state of the system on the date the report was generated. A change log shows the trajectory: every modification, every actor, every timestamp, in sequence. Auditors care about trajectory because most material findings are about decisions made over time, not about the current state. A periodic report cannot answer "who changed the funding source on this project in October" — only the change log can.
What disqualifies a change log in an audit?
+
Three things: (1) gaps — periods where no events were captured because the system was not instrumented, (2) ambiguous attribution — events tied to a generic system user rather than a named human, and (3) mutability — evidence that prior values can be edited or deleted after the fact. Any of the three reduces the change log's evidentiary weight, and an audit team treating the log as their primary artifact will discount findings derived from a discounted log.
How does a properly governed change log change the dynamic of an OIG inquiry?
+
It moves the conversation from "tell us what happened" to "here is what happened." The agency leadership briefs the OIG on the operational record itself. Staff are not asked to recall decisions from eighteen months prior. The audit narrative aligns with the system narrative because they are the same narrative. Findings, if any, address policy and outcome — not documentation deficiency.
Related Public Works Reading
Continue exploring how leading agencies build defensible operating posture.
Win the Audit in the Log
Stop reconstructing decision history. ServiceIQ produces a continuous, attributed, immutable, queryable change log as a byproduct of how work gets done.