The Importance of the Audit Trail for Electronic I-9s

[Editor’s Note: today’s blog is co-authored by >Charles Kuck of Kuck Immigration Partners LLC.]

It’s no secret that electronic I-9 and E-Verify systems can offer numerous benefits to organizations looking to improve and streamline their employment eligibility verification process. There are many compelling reasons for going electronic, not the least of which is the ability to shred all of those messy paper forms after your records have been audited and converted into an electronic format. What many organizations forget, however, is that the government’s goal behind electronic I-9s is not only to facilitate employer compliance, but also to enhance the enforcement of the law. So while it’s certainly a good idea to streamline your operations (through an intelligent, electronic I-9 system), it’s equally important to conduct a thorough review of potential electronic I-9 solutions to ensure they’ll stand up to an ICE investigation.

The Audit Trail

There are a host of factors that you should consider in choosing an electronic I-9 system.  These factors include security, usability, cost efficiency, and the ability to track usage or “auditability”. Some of these factors are employer-driven, whereas others derive from the legal requirements spelled out in the ICE interim final regulations covering electronic I-9s (which are soon to be made final). One of the more stark provisions in the regulations states that ICE can essentially “invalidate” an electronic I-9 (pretend an employer did not do one) if one of the “recordkeeping standards” has not been met.

Why is there such a draconian provision for what many would consider an innocent administrative mistake? Essentially, it all comes down to the trustworthiness of an electronic record. In the paper world, an auditor can examine the ink on the form, the handwriting, evidence of alterations, etc. Conversely, an electronic form (in simple PDF) yields none of these clues for an examiner to review. To overcome this issue, ICE included a fairly broad yet significant requirement for an electronic I-9 system: it must be able to produce “the electronically stored Forms I-9, any supporting documents, and their associated audit trails, reports, and other data used to maintain the authenticity, integrity, and reliability of the records.” What does that mean?

Elsewhere in the regulation, ICE clarifies that an audit trail is a record showing who has accessed a computer system and the actions performed within or on the computer – which is taken to mean that everything that transpires in the system must be key logged, traceable, and reviewable by an authorized agent. Sounds simple enough, right? Computer systems are already monitoring our every move on the Internet; shouldn’t be a big deal for an electronic I-9 system to do so. Well, yes and no. Yes, it is possible for an electronic I-9 system to achieve this level of sophistication through a comprehensive and well-planned framework that combines detailed event and user tracking and internal controls to ensure the integrity of the process. Implementing such a system, however, requires a design choice (on the part of the vendor) that is difficult to implement and expensive to maintain.

Many software applications fail in this regard, offering only the standard “material change of data” audit trail which shows just the key relevant changes (or milestones) to the I-9 record. Unfortunately, this doesn’t really tell the whole story, and if you’re in the unenviable position of talking to an ICE forensic auditor, the whole story is what you need. For example, a small company changed over to an electronic I-9 system about 2 years ago. This system was offered by their payroll company, and was sold to the company on the theory that the payroll company would be handling all their employee’s needs as it related to employment.  This is not a bad pitch, particularly to smaller employers who do not generally have the capacity to fully staff an HR department.  Unfortunately for this employer, a year later ICE came in and asked to audit all of the I-9 records for its approximately 50 employees.  During that one year of I-9s the company had incorporated about 100 I-9s into the system, including 30 new hires.  But, there was no electronic tracking system in place for the I-9s, no way to know if the I-9s had been completed timely, and no way to know if the I-9s had been modified in any way. This company is still litigating these issues, and  is facing serious fines, even though their electronic I-9s “appeared” fine. In audits of electronic I-9 systems, ICE investigators take the approach that every aspect of that electronic system must be “auditable,” In other words, ICE wants to be able to verify who entered each piece of data, what was entered, and when they did so.

Best Practices for an Irrefutable I-9 Audit Trail

The ultimate goal of your I-9 software (from a risk management perspective) is to ensure that the electronic I-9 records accurately represent the attestations made by both the employee and employer and guarantee complete confidence in the integrity of the system used to facilitate that process. Assurance of the integrity of I-9 data is achieved through technology coupled with internal policies and procedures to ensure that:

  • I-9 transactions (view, add, update, delete, etc.) are limited to authorized users.
  • I-9 data has not been compromised by unauthorized or authorized means.
  • All changes to the I-9 data are monitored.

In order to achieve this level of complexity, security must be implemented at both the perimeter and application levels, as well as through detailed data audit trails and logging. The following three “best practice” points describe how this can be realized (and more importantly) what to look out for when reviewing electronic I-9 audit trail capabilities.

1. Audit trail must be independently generated from the I-9 system.

Many systems only have built-in “application-level” audit trails (i.e., it will only track what you do in the interface), which do not provide reasonable assurance that the data has not been altered by an external source (e.g., batch update job, data import via an HRIS, etc). The better method is to produce a complete audit trail of all changes made to the I-9, recording the “who, what, when and where” of the change, regardless of where it occurred. An auditing system which operates at the database level, rather than the application level, is really the only means to ensure auditing of all I-9 data changes made by any possible means.

2. Audit trail should record all activity that transpires in the system in order to reveal the entire life of the I-9 with uncontestable details.

At a bare minimum, the system should record:

  • Name of employee/record for which the data was changed
  • Type of event (i.e. addition, update, etc.)
  • Date and time stamp (down to the second)
  • Name of the user who made the change as well as the IP address
  • The button clicked (or action taken to make this record an event)
  • The field that was altered
  • The old data (if there was any)
  • The new data (if any was added)

In addition, a conservative reading of the regulations dictates that the I-9 system should also track whenever a record is “accessed or viewed” and record the identity of the user, the date of access, and page(s) viewed.

3. I-9 Records must be irrefutably linked to the electronic signature and any supporting documents.

Another critical component is the method by which the software attaches an electronic signature to the I-9 record. While electronic signatures are technology-neutral, you must still demonstrate the trustworthiness of the process that created and preserved the records in question. To make this assessment, ICE may evaluate the overall strength of the signature by examining the method of authentication while looking for potential security issues. Many industry experts recommend using a multi-factor signature process which combines an affirmative assent plus a second level of identification to attest to authorship either through use of a randomly generated PIN, biometric scan, secure ID card, or digital signature. Strengthening the signature process in this fashion not only satisfies regulatory requirements, but also minimizes the risk that ICE will question the validity of the signature. There are a variety of other technical considerations (separate and distinct from audit trails) that must be examined when selecting an I-9 software application. While the task may seem daunting, it ultimately comes down to performing your due diligence. Claims are easy, but proof is hard, so make sure to request a copy of your vendor’s audit trails and other documents to see for yourself whether they meet regulatory requirements.  Lastly, whether you’re scrutinizing audit trails, reviewing overall compliance, or investigating vendor stability, it pays to educate yourself about electronic I-9s, consult experienced immigration counsel familiar with such systems, and ask the hard questions. And remember, it’s just a one page form!