Identify the audit-relevant event types in your ERP (journal entry creation, modification, deletion, period open/close, user access changes, approval status changes) and locate the system change log or audit trail API or table for each event type.
Query the change log for the audit period using the ERP's API (e.g., NetSuite AuditTrail SuiteQL query, QBO ChangeDataCapture endpoint, Xero History and Notes endpoint on key objects) filtering by date range and event type.
For each journal entry, extract the creation timestamp, created_by user, last_modified_by user, approval_status, approver_id, and approval_timestamp; flag any entries that were posted without an approval (where required by policy) or were modified after approval.
Pull access control data via the ERP's user and role APIs to produce a list of users with journal entry posting or approval rights during the audit period; cross-reference against the HR system to verify that only active, authorized employees had access.
Export the evidence package — change log extracts, approval trails, segregation-of-duties matrix — to a structured format (CSV, PDF, or audit-tool-compatible format) with file hashes to demonstrate the extract was not altered after generation.
Automate the evidence collection run on a quarterly schedule and send the output to a designated secure storage location; include a completeness assertion showing the total transaction count in the change log versus the total transactions posted in the GL for the period.
Known gotchas
Many ERPs retain detailed audit logs for a limited retention window (e.g., 90 to 180 days depending on configuration); schedule automated evidence pulls before the retention window expires rather than pulling annually, because waiting until the audit begins can result in missing data.
Change log APIs often return paginated results with tight page sizes; for high-volume transaction environments, the full audit period's log can require thousands of API calls — implement batched extraction with checkpointing to avoid timeout failures and data gaps.
Segregation-of-duties violations (same user creates and approves a journal entry) are a common SOX finding; build an automated SoD check into the evidence extraction script that flags same-user create/approve pairs and outputs them as a separate exception report.
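The approval checks, the SoD exception report, the hashed export and the completeness assertion described above, as an added example that is not code from this page or from any ERP vendor. The field names je_id and last_modified_at, the reason codes and all sample rows are assumptions constructed for illustration, and timestamps are assumed to share one timezone.

```python
import csv, hashlib, io
from datetime import datetime

# Field names follow the attributes listed in the steps; je_id and
# last_modified_at are assumed names, and every row below is constructed.
FIELDS = ["je_id", "created_by", "last_modified_by", "last_modified_at",
          "approval_status", "approver_id", "approval_timestamp"]
SAMPLE = [dict(zip(FIELDS, r)) for r in [
    ("JE-1001", "alice", "alice", "2024-01-05T10:00:00", "approved", "bob", "2024-01-05T12:00:00"),
    ("JE-1002", "carol", "carol", "2024-01-06T09:00:00", "approved", "carol", "2024-01-06T09:30:00"),
    ("JE-1003", "dave", "dave", "2024-01-07T15:00:00", "approved", "bob", "2024-01-07T09:00:00"),
    ("JE-1004", "erin", "erin", "2024-01-08T11:00:00", "pending", "", ""),
]]

def flag_exceptions(entries, approval_required=True):
    """Return (je_id, reason) rows for the exception report."""
    out = []
    for e in entries:
        if e["approval_status"] != "approved" or not e["approver_id"]:
            if approval_required:
                out.append((e["je_id"], "posted_without_approval"))
            continue  # no approval record to compare against
        if e["approver_id"] == e["created_by"]:
            out.append((e["je_id"], "sod_same_user_create_approve"))
        modified = datetime.fromisoformat(e["last_modified_at"])
        if modified > datetime.fromisoformat(e["approval_timestamp"]):
            out.append((e["je_id"], "modified_after_approval"))
    return out

def export_with_hash(rows, header):
    """Serialize rows to CSV bytes and return (bytes, SHA-256 hex digest)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    data = buf.getvalue().encode("utf-8")
    return data, hashlib.sha256(data).hexdigest()

def completeness(change_log_count, gl_posted_count):
    """Completeness assertion: change-log events vs. GL postings for the period."""
    return {"change_log": change_log_count, "gl_posted": gl_posted_count,
            "complete": change_log_count == gl_posted_count}

if __name__ == "__main__":
    exceptions = flag_exceptions(SAMPLE)
    data, digest = export_with_hash(exceptions, ["je_id", "reason"])
    print(data.decode(), digest, completeness(len(SAMPLE), len(SAMPLE)))
```

Record the digest somewhere the extraction job cannot overwrite, such as a separate write-once location, so a later recomputation over the stored file is meaningful.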