Audit Trail & Compliance Logging
Compliance decision logging, rule evaluation records, override tracking, retention policies, and examination readiness for Asset Atrium Manager.
Regulatory basis
UCITS management companies and AIFMD-regulated managers must maintain records of all compliance monitoring activities, breach events, and remediation actions for a minimum of 5 years (10 years for MiFID II transaction records). Asset Atrium's audit trail is designed to meet these requirements with tamper-evident, append-only logging to Oracle RAC audit tables.
Audited compliance events
The following compliance events are automatically logged to the Asset Atrium audit trail:
| Event Category | Events Logged | Data Captured |
|---|---|---|
| Pre-Trade Compliance | Every rule evaluation for every order submitted | Order ID, fund, rule ID, projected exposure, limit value, result (PASS/SOFT_BREACH/HARD_BREACH), timestamp, PM user ID |
| Override Decisions | Override request, approval, rejection | Override ID, breach details, PM justification, approver ID, approval/rejection rationale, timestamp |
| Post-Trade Compliance | Every rule evaluation in daily compliance run | Run ID, fund, rule ID, actual exposure, limit value, result, breach classification (active/passive), timestamp |
| Breach Lifecycle | Detection, classification, assignment, remediation updates, resolution, closure | Breach ID, all stage transitions with timestamps, responsible parties, remediation notes |
| Rule Changes | Rule creation, modification, activation, deactivation | Rule ID, version, old/new parameters, change reason, approval chain, effective date |
| Mandate Changes | Fund rule assignment, inheritance changes, exception grants | Fund ID, rule set before/after, approver, effective period |
| Regulatory Reports | Report generation, review, approval, filing, amendment | Report type, period, generation timestamp, reviewer/approver, filing confirmation |
| System Configuration | Escalation threshold changes, notification rule changes, user role changes | Configuration parameter, old/new value, changed by, approval |
Audit log schema
All compliance audit records are stored in the AT_COMPLIANCE_AUDIT Oracle table with the following structure:
| Column | Type | Description |
|---|---|---|
AUDIT_ID | NUMBER(19) | Unique audit record identifier (sequence-generated) |
EVENT_TYPE | VARCHAR2(50) | Event category (PRE_TRADE_CHECK, POST_TRADE_CHECK, OVERRIDE, BREACH_EVENT, RULE_CHANGE, etc.) |
EVENT_TIMESTAMP | TIMESTAMP WITH TIME ZONE | UTC timestamp with millisecond precision |
FUND_ID | NUMBER(12) | Fund identifier |
RULE_ID | NUMBER(12) | Compliance rule identifier (nullable for non-rule events) |
USER_ID | VARCHAR2(50) | Authenticated user or system service account |
ACTION | VARCHAR2(30) | Specific action (EVALUATE, APPROVE, REJECT, CREATE, MODIFY, RESOLVE, etc.) |
RESULT | VARCHAR2(20) | Outcome (PASS, SOFT_BREACH, HARD_BREACH, APPROVED, REJECTED) |
DETAIL_JSON | CLOB | JSON payload with full event details (exposure values, rule parameters, justification text) |
SESSION_ID | VARCHAR2(64) | WebLogic session ID for security correlation |
CORRELATION_ID | VARCHAR2(64) | Links related audit events (for example, pre-trade check to override to execution) |
Log integrity
The AT_COMPLIANCE_AUDIT table is protected by Oracle Database Vault. No user - including DBAs - can modify or delete audit records. INSERT-only grants are assigned to the application service account. Oracle Audit Vault monitors all access to compliance audit tables.
Retention policy
| Record Type | Retention Period | Storage Tier | Regulatory Basis |
|---|---|---|---|
| Pre-trade compliance checks | 7 years | Online (2 years) then archive | MiFID II RTS 25 (5 years); firm policy extends to 7 |
| Post-trade compliance runs | 7 years | Online (2 years) then archive | UCITS / AIFMD recordkeeping requirements |
| Override decisions | 7 years | Online (full retention) | Critical for regulatory examination |
| Breach records | 10 years | Online (3 years) then archive | Matches maximum regulatory retention requirement |
| Rule change history | Life of fund + 7 years | Online (full retention) | Required to reconstruct compliance state at any historical point |
| Regulatory report filings | 10 years | Online (5 years) then archive | MiFID II transaction records (10 years) |
Examination readiness
Asset Atrium maintains an examination-ready compliance package that can be produced within 48 hours of a regulatory examination notice. The package includes:
- Current compliance rule set for all funds under examination
- Complete breach history for the examination period with full lifecycle documentation
- Override register with justifications and approval chains
- Daily compliance run results for the examination period
- Rule change log showing all modifications during the examination period
- Regulatory report filing confirmations and regulator acknowledgments
- Compliance officer and PM training records
Access controls
| Role | Audit Trail Access | Review Frequency |
|---|---|---|
| Portfolio Manager | Read own fund compliance checks and breach records | N/A (self-service) |
| Compliance Officer | Read all compliance events for assigned funds; approve overrides | Daily review of breach and override events |
| Chief Compliance Officer | Full read access to all compliance audit data across all funds | Weekly review of escalated items |
| Internal Audit | Full read access; cannot modify; can export for audit workpapers | Annual compliance program audit |
| External Auditor / Regulator | Read access granted per engagement scope; time-limited credentials | Per examination schedule |
| System Administrator | No access to compliance audit data (Database Vault enforced) | N/A |
Legal hold
Upon receipt of a regulatory investigation notice, litigation hold, or examination notice, all normal retention and archival schedules for affected funds are suspended. Records must be preserved in their current state until the hold is formally released by Legal. Asset Atrium supports fund-level legal hold flags that prevent archival jobs from processing affected records.
Splunk integration
Asset Atrium compliance audit events are replicated to Splunk in near-real-time via Oracle GoldenGate. Compliance teams can use Splunk dashboards for ad-hoc queries, trend analysis, and anomaly detection across the audit trail without impacting production Oracle RAC performance.