Happy Business Starts Here

Re: Require Audit Trail

Require Audit Trail

Feature Request: Require Audit Trail

Status: under evaluation

Reference Number: DE5826/PMT-876

Business Need:

There are business requirements that are looking for the ability to have an audit trail for all fields and records. The requirement is to have an audit trail on all

- Account fields (including all custom fields)
- Subscription Fields (including all custom fields)
- Contact Address Fields (including all custom fields)
- Settings changes
- Users' actions

 

35 Comments
Partner

 Auditability, and specifically the means to associate a single change to a unique user, isn't merely crucial in a financial system, it's a requirement for compliance with industry standards, public company policies, and SEC and other compliance regulations. When Zuora was simply a billing system, this wasn't an issue. When Zuora added Revenue Recognition, this became a problem - one which we have surfaced to Zuora several times over the past 18 months, and which dozens of other Zuora customers have asked for. Now we're all entering an era of ASC606 compliance, and in addition to being a revenue platform Zuora has Sales Order functionality which puts it squarely in the crosshairs of ASC606. The Salesforce side is compliant, and we can associate a specific change to a specific user without issue on that end. The core Zuora platform does not have that capability, and it continues to hinder our business and cost us money in the form of increased development time, increased case management, and increased troubleshooting time while we determine which of 6+ integrations we're using made a given change.

 

Zuora is literally the only system we're using which does not have a field-level audit log for all objects. You've had 80 customers ask for this, and the request has been outstanding for over 2 years. When can we expect Zuora to add this functionality?

Tutor

Agreed that this is a critical requirement. Disappointed to see this has been on the radar for two years with no action.

Savvy Scholar

We would very much like to see this capability implemented.  

 

From a risk perspecitve, Zuora does not allow us to implement data loss prevention measure.  The ability of users to bulk export sensitive customer data, and delete records of the export, without any logs or auditiing is concerning.

 

Please consider implementing this as a priority.

Newly Enrolled

I agree this would be very helpful. As of now, when making changes to any of these fields we have to add a note. With human error in play, if someone forgets or makes a mistake, we don't have accurate information as to when certain changes are made.

Scholar

What is the status of this?  Our auditors were very concerned over the lack of this control in our billing system this past audit cycle.

Scholar

@lukasz Checking back on this request from another round of auditor requests that we are having trouble completing, any update on status would be appreciated, thanks!

Zuora Product Team

@kcavanaugh, thanks for checking in. We're starting to plan this out, by starting with some Engineering research starting next month. I still don't have a concrete timeilne, as we need to get this research done. The main wrinkle we're working on is making sure that we capture 100% of the changes in the system, without dropping anything. This is because we expect the Audit Trail to be the authoritative source of this information, and dropped information would not be tolerated. Would love to get folks to come back and tell me that's not required...

Scholar

This is a must-have. I am shocked this isn't already available...

Scholar

I agree. I'm expecting to need solid user-centric activity reporting in the next few months. What is offered today is not only very hard to use, but has significant functional gaps that would be hard to explain to an auditor. We need this ASAP.

Scholar

Thanks @lukasz - certainly understand that it's a large effort to make sure that 100% of system changes are being tracked. Based on the responses and need for this feature, has a phased approach been considered? For example, not being able to see who created a user or who updated user permissions is a big issue during our audit reviews. I expect there are other customers that may value having this audit log feature for Administration changes as soon as possible even if that means waiting for full system audits.