Support

Audit logs and admin actions

adminsecurity Last updated 26 April 2026

The platform records every meaningful action in an audit log. This matters for compliance, for debugging, and for the rare case where you need to investigate suspicious activity.

What’s recorded

Every entry in the audit log captures:

  • Who. The user account that performed the action.
  • When. A precise timestamp.
  • What. The action type (see list below).
  • Where from. The IP address and browser (User-Agent) the action came from.
  • What changed. For data changes, the specific fields that were modified, with their old and new values.

The platform records these action types:

  • create — A new record was created (employee, policy, leave request, etc.).
  • update — An existing record was modified.
  • delete — A record was deleted (most modules use soft delete, so this is rarer).
  • view_sensitive — Someone viewed a sensitive field (e.g. TFN decryption was triggered).
  • login — A successful sign in.
  • login_failed — A failed sign-in attempt.
  • logout — A sign out.
  • export — Data was exported (CSV download, report download).
  • password_reset — A password was reset.

What’s NOT in the log (intentionally)

Sensitive field values are redacted in the audit log itself. The log shows “the TFN was changed from [redacted] to [redacted]”, not the actual numbers. This means the audit trail can be reviewed widely within your organisation without exposing the underlying data.

Specifically redacted: TFN, bank BSB, bank account, bank name, super member number, password hashes.

Login As actions are logged

When an admin uses the Login As feature on an employee’s profile to act on their behalf (commonly for support: “I’ll log in as them and see what they’re seeing”), this action is recorded with:

  • The admin who triggered it
  • The employee whose account was accessed
  • The reason the admin entered (a free-text field)
  • The IP and browser

Login As is genuinely useful but it’s a powerful feature. Reviewing the Login As log periodically helps your organisation maintain trust around how it’s used.

Where to review the audit log

The audit log is currently exposed through the platform’s database. A dedicated admin UI for browsing and filtering the log isn’t yet shipped in the user interface (it’s on the roadmap). For now:

  • For urgent investigations, contact security@yourhrtoolkit.com.au and we’ll pull the relevant log entries for you.
  • For routine compliance reviews, request a periodic export.

Retention

Audit log entries are retained for the life of the database (no automatic deletion). They form part of your organisation’s compliance record.

What admins should be alert to

Patterns worth investigating in an audit log:

  • Multiple login_failed events on the same account in a short window (possible credential-stuffing attempt).
  • A login from an unfamiliar IP or country, especially outside your normal hours of operation.
  • A burst of view_sensitive actions from one admin account at an unusual time (e.g. weekend, late night).
  • An export event followed by an unusual activity pattern.
  • Changes to employee records made under an unfamiliar account.

If you spot any of these, contact security@yourhrtoolkit.com.au straight away.

Linking to incidents

If you have a workplace concern (suspected data misuse, an HR matter, a legal hold), the audit log is one of the data sources we can pull for you. The earlier you tell us, the easier it is to preserve the relevant evidence with chain of custody intact.