The audit you can't reconstruct

Shared inboxes, SharePoint folders, and a legacy ticketing system don't produce a case management audit trail. They produce a reconstruction project.

Avikto Team

The auditor’s email lands on a Tuesday. They want the file on case 2024-117. The complaint, the intake form, the investigator’s notes, the witness statements, the document the respondent signed, the closure memo. By Friday.

So you start. The original complaint came through the ethics hotline, which forwarded to a shared inbox. Three people had access to that inbox in 2024; one has left the company. The intake form was a Word doc someone saved to SharePoint, and SharePoint has been reorganised twice since. The investigator’s notes are in a ticket in the legacy IT system the compliance team uses with about twelve custom fields. The signed document is in DocuSign, but no one remembers which envelope, and DocuSign search returns four candidates. The closure memo was an email thread.

By Thursday afternoon, you have something. It is not a case file. It is a reconstruction.

The risk in that story is not any single tool. It is that the case record never existed in the first place. It had to be assembled, after the fact, from the residue of work that happened somewhere else.

That is the compliance exposure most teams are carrying right now, and most have not named it.

How the scattered stack gets built

Most compliance, investigative, and ethics teams did not design their current setup. They inherited it. A shared inbox was already there. SharePoint was the corporate standard. The IT ticketing system had spare capacity, so the compliance team got a project in it with a handful of custom fields. DocuSign was procured by legal. The combination works, in the sense that work gets done. It does not work in the sense that produces a case management audit trail.

The cost is paid in two places. The first is the audit response itself, which is expensive and unpredictable. A 2024 enforcement matter that should take a paralegal an afternoon to assemble takes a senior investigator three days, because the senior investigator is the only person who can remember which inbox the original complaint went to. The second cost is harder to see, and worse: the audit response that comes back incomplete because something genuinely cannot be reconstructed. The witness statement attached to a one-off email. The version of the intake form that was edited and saved over. The Slack thread where the investigation pivoted, in a channel that was archived.

A regulator or an internal audit committee does not distinguish between “we never had it” and “we cannot find it.” Both read as the same finding.

The audit trail is a property of the system

“Audit trail” usually gets used as if it were a deliverable. Something you produce when asked. Teams that have actually been through a regulatory exam or an enforcement matter know it is the other way around. The audit trail is a property of the system the work happens in. Either every action is captured, attributed, and timestamped at the moment it occurs, or it is not. If it is not, no amount of cleanup work produces it later.

This is the structural problem with the shared-inbox-plus-SharePoint-plus-legacy-ticketing arrangement. None of those tools was designed to attribute case actions. The shared inbox logs that an email was received. It does not log that an investigator read it, flagged it, assigned it, or chose to escalate it. SharePoint logs file versions. It does not log that a respondent’s statement was added to a specific case, or which investigator received it from which source. The ticketing system logs status changes. It does not log who viewed a sensitive field, or when the original complainant’s identity was redacted from the operational view.

When the auditor asks “who saw this and when,” the honest answer in most of these stacks is some version of “we have to ask around.”

What changes when the system produces the record

The alternative is not exotic. It is a case record that exists as a first-class object the moment intake happens, with every subsequent action attached to it. The complaint arrives and lands inside the case. The intake form is a versioned field set on the case, not a Word doc that shares its name with eleven other Word docs. Comments, document uploads, generated letters, DocuSign envelopes, status changes, queue moves, field edits, role changes — all attached to the case, attributed, timestamped, and retained for the period the regulator expects.

On the day the auditor’s email arrives, the file is the file.

A few things become true once that is in place. The cost of an audit response collapses to the cost of running an export. Senior investigators stop being the institutional memory; the platform is. And the cases the team did not know would matter — the ones that escalate years later — have a defensible record by default rather than by luck.
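As an added illustration (not Avikto's code or any product's API), the sketch below shows a case record that writes an attributed, timestamped event at the moment of each action, reads of a sensitive field included, so "who saw this and when" is a query rather than a reconstruction. The class names, the `complainant_identity` field, the actor names and the sample values are all constructed assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

@dataclass(frozen=True)            # events are immutable once written
class Event:
    at: str                        # ISO-8601 UTC timestamp
    actor: str
    action: str                    # case_opened, field_edit, field_view, document_added ...
    target: str
    detail: str = ""

class Case:
    def __init__(self, case_id, actor, clock=lambda: datetime.now(timezone.utc)):
        self.case_id, self._clock = case_id, clock
        self._fields = {}          # field name -> list of versions (nothing is saved over)
        self._events = []          # append-only: no method edits or deletes entries
        self._record(actor, "case_opened", case_id)

    def _record(self, actor, action, target, detail=""):
        self._events.append(Event(self._clock().isoformat(), actor, action, target, detail))

    def set_field(self, actor, name, value):
        versions = self._fields.setdefault(name, [])
        versions.append(value)
        self._record(actor, "field_edit", name, f"version {len(versions)}")

    def read_field(self, actor, name):
        # A read is an action too; it is logged before the value is returned,
        # so a failed lookup still leaves a trace of the attempt.
        self._record(actor, "field_view", name)
        return self._fields[name][-1]

    def attach(self, actor, kind, ref):
        self._record(actor, f"{kind}_added", ref)

    def who_saw(self, name):
        return [(e.actor, e.at) for e in self._events
                if e.action == "field_view" and e.target == name]

    def export(self):
        return [asdict(e) for e in self._events]   # copies, not the live trail

def demo():
    # Constructed timeline with a fixed clock so the output is reproducible.
    ticks = iter(datetime(2024, 3, 5, 9, m, tzinfo=timezone.utc) for m in range(60))
    case = Case("2024-117", "hotline", clock=lambda: next(ticks))
    case.set_field("hotline", "complainant_identity", "J. Doe (constructed)")
    case.attach("investigator_a", "document", "witness-statement-1.pdf")
    case.read_field("investigator_a", "complainant_identity")
    case.read_field("investigator_b", "complainant_identity")
    return case
```

In a real system the event store would sit behind the application with its own access controls and retention policy; the in-memory list here only shows where the write happens.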

Where the scattered stack is genuinely fine

Worth saying plainly. Not every team needs to consolidate. A small compliance function that handles ten cases a year, all low-sensitivity, all closed within the same quarter, may be carrying very little real exposure in a SharePoint-based setup. A team whose work is genuinely never going to face external review can run on whatever they can configure quickly. And teams that already have a fully implemented ServiceNow case management estate with field-level security, an audit retention policy, and a partner keeping it tuned have already solved this problem. They spent the budget to solve it, but they have solved it.

The teams who should be paying attention are in the middle. Enough case volume and enough sensitivity that one bad reconstruction would be a serious problem. Not enough budget or appetite for a six-figure annual platform contract and a nine-month implementation. That is most compliance, ethics, and HR investigations teams in mid-market organisations right now.

What to do about it this quarter

The first move is not procurement. It is honesty. Pick one case from the last twelve months, ideally one that has already drawn external scrutiny, and time how long it takes to assemble the full file from the systems of record as they currently exist. Not from memory. From the tools. That number, in hours, is the answer to “how exposed are we right now.”

If it is small, the current setup is working. If it is large, the case record is not living anywhere; it is being rebuilt every time someone asks for it. Better to find that out before someone external does.

Avikto exists for the teams that take the exercise seriously: purpose-built case structures, document workflow inside the case record, and a full audit trail at $499 per month with unlimited users.

