The Importance of the Audit Trail for Electronic I-9 Forms

It’s no secret that the electronic I-9 and E-Verify systems can offer numerous benefits to organizations looking to improve and streamline their employment eligibility verification process. There are many compelling reasons to go electronic, one of which is the ability to shred all those messy paper forms after your records have been audited and converted to an electronic format. What many organizations forget, however, is that the government’s goal behind electronic I-9s is not only to facilitate employer compliance, but also to improve law enforcement. So while it’s certainly a good idea to streamline your operations (via a smart, electronic I-9 system), it’s equally important to conduct a thorough review of potential electronic I-9 solutions to make sure they’ll stand up to an ICE investigation.

The audit trail

There are a number of factors to consider when choosing an electronic I-9 system. These factors include security, ease of use, cost effectiveness, and the ability to track usage or “auditability.” Some of these factors are employer-driven, while others stem from legal requirements detailed in ICE’s interim final regulations covering electronic I-9s (soon to be final).

One of the more stringent provisions in the regulations states that ICE can essentially “invalidate” an electronic I-9 (pretend an employer didn’t do it) if one of the “record-keeping standards” hasn’t been met. Why is there such a draconian provision for what many would consider an innocent clerical error? Essentially, it all comes down to the reliability of an electronic record. In the world of paper, an auditor may examine the ink on the form, the handwriting, evidence of tampering, etc. By contrast, an electronic form (in plain PDF) does not offer any of these clues for review by an examiner.

To overcome this problem, ICE included a fairly broad but significant requirement for an electronic I-9 system: It must be capable of producing “electronically stored Forms I-9, any supporting documents, and their associated audit trails, reports, and other data used to maintain the authenticity, integrity, and reliability of records.” What does that mean? Elsewhere in the regulation, ICE clarifies that an audit trail is a record that shows who has accessed a computer system and the actions taken within or on the computer, which is understood to mean that everything that happens in the system must be logged, traceable, and reviewable by an authorized agent.

Sounds pretty simple, right? Computer systems are already monitoring our every move on the Internet; it shouldn’t be much of a problem for an electronic I-9 system to do so. Well, yes and no.

Yes, it is possible for an electronic I-9 system to achieve this level of sophistication through a well-planned, comprehensive framework that combines detailed event and user tracking and internal controls to ensure the integrity of the process. However, the implementation of such a system requires a design choice (by the provider) that is difficult to implement and expensive to maintain. Many software applications fail in this regard, offering only the standard “material data change” audit trail that shows only relevant key changes (or milestones) to the I-9 record. Unfortunately, this doesn’t really tell the whole story, and if you find yourself in the unenviable position of speaking to an ICE forensic auditor, the full story is what you need.

For example, a small business switched to an electronic I-9 system about 2 years ago. This system was offered by their payroll company and was sold to the company on the theory that the payroll company would handle all of their employees’ employment-related needs. This isn’t a bad argument, particularly for smaller employers who typically don’t have the ability to fully staff an HR department. Unfortunately for this employer, a year later, ICE stepped in and requested to audit all I-9 records for its 50 or so employees. During that year, the company added about 100 I-9s to the system, including 30 new hires. However, there was no electronic tracking system for the I-9s, there was no way to know if the I-9s had been completed on time, and there was no way to know if the I-9s had been modified in any way. This company is still litigating these issues and is facing serious fines, even though their electronic I-9s “appeared” to be fine.

In audits of electronic I-9 systems, ICE investigators take the approach that every aspect of that electronic system must be “auditable.” In other words, ICE wants to be able to verify who entered what data, what was entered, and when.

Best practices for an irrefutable I-9 audit record

The ultimate goal of your I-9 software (from a risk management perspective) is to ensure that electronic I-9 records accurately represent the certifications made by both the employee and the employer and ensure complete confidence in the integrity of the system used to facilitate that process. Assuring the integrity of Form I-9 data is achieved through technology along with internal policies and procedures to ensure that:

I-9 transactions (view, add, update, delete, etc.) are limited to authorized users.

I-9 data has not been compromised by unauthorized or authorized means.

All changes to the I-9 data are monitored.

To achieve this level of complexity, security must be implemented at both the perimeter and application levels, as well as through detailed data audit trails and logs. The following three “best practice” points describe how this can be done and, more importantly, what to consider when reviewing the capabilities of the electronic I-9 audit record.

1. The audit trail must be generated independently from the I-9 system. Many systems only have “application level” built-in audit logs (i.e. they will only track what you do in the interface), which do not provide reasonable assurance that the data has not been tampered with by an external source (for example, a batch update job, a data import through an HRIS, etc.). The best method is to generate a complete audit trail of all changes made to the I-9, recording the “who, what, when and where” of the change, regardless of where it occurred. An auditing system that operates at the database level, rather than at the application level, is really the only means of ensuring auditing of all I-9 data changes, made by whatever means.

2. The audit trail must record all activity in the system to reveal the full life of the I-9 in indisputable detail. At a minimum, the system must record:

Name of the employee/record for which the data was changed

Type of event (i.e. add, update, etc.)

Date and time stamp (down to the second)

Name of the user who made the change, as well as IP address

The button clicked (or action performed to make this record an event)

The field that was changed

The old data (if any)

The new data (if any was added)

Additionally, a conservative reading of the regulations dictates that the I-9 system must also track each time a record is “accessed or viewed” and record the identity of the user, the date of access and the page(s) visited.

3. I-9 records must be irrefutably linked to the electronic signature and any supporting documents. Another critical component is the method by which the software attaches an electronic signature to the I-9 record. While electronic signatures are technology neutral, you still need to prove the trustworthiness of the process that created and preserved the records in question. To make this assessment, ICE can assess the overall strength of the signature by examining the authentication method while looking for potential security issues. Many industry experts recommend using a multi-factor signing process that combines affirmative assent plus a second level of identification to attest authorship through the use of a randomly generated PIN, biometric scan, secure ID card, or a digital signature. Strengthening the signature process in this way not only satisfies regulatory requirements, but also minimizes the risk of ICE questioning the validity of the signature.
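As an illustration of best practices 1 and 2 (an added example, not code from any I-9 product or from the original article), the sketch below uses database triggers so that a change is logged with user, IP address, field, old value and new value even when it arrives from a batch job rather than the interface. SQLite stands in for the production database, and the table names, the session_ctx table and the sample users are assumptions made for the example.

```python
import sqlite3

FIELDS = ("employee", "doc_number", "expires")  # constructed I-9 columns
SCHEMA = """
CREATE TABLE i9_record (id INTEGER PRIMARY KEY, employee TEXT, doc_number TEXT, expires TEXT);
-- Assumption: each connection declares who it is before writing.
CREATE TABLE session_ctx (actor TEXT NOT NULL, ip TEXT NOT NULL);
CREATE TABLE i9_audit (
  seq INTEGER PRIMARY KEY AUTOINCREMENT,
  logged_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%d %H:%M:%S', 'now')),
  actor TEXT NOT NULL, ip TEXT NOT NULL, event TEXT NOT NULL,
  employee TEXT, field TEXT, old_value TEXT, new_value TEXT);
-- The trail itself is append-only.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON i9_audit
  BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON i9_audit
  BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""
# NULL actor/ip (no declared session) violates NOT NULL and aborts the write.
LOG = ("INSERT INTO i9_audit (actor, ip, event, employee, field, old_value, new_value) "
       "VALUES ((SELECT actor FROM session_ctx), (SELECT ip FROM session_ctx), {});")

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("CREATE TRIGGER i9_add AFTER INSERT ON i9_record BEGIN "
               + LOG.format("'add', NEW.employee, NULL, NULL, NULL") + " END")
    db.execute("CREATE TRIGGER i9_del AFTER DELETE ON i9_record BEGIN "
               + LOG.format("'delete', OLD.employee, NULL, NULL, NULL") + " END")
    for f in FIELDS:  # one trigger per column, logging field, old and new value
        db.execute(f"CREATE TRIGGER i9_upd_{f} AFTER UPDATE OF {f} ON i9_record "
                   f"WHEN OLD.{f} IS NOT NEW.{f} BEGIN "
                   + LOG.format(f"'update', NEW.employee, '{f}', OLD.{f}, NEW.{f}") + " END")
    return db

def set_session(db, actor, ip):
    db.execute("DELETE FROM session_ctx")
    if actor is not None:
        db.execute("INSERT INTO session_ctx VALUES (?, ?)", (actor, ip))

def demo():
    db = open_store()
    set_session(db, "hr.clerk", "10.0.0.5")      # constructed UI user
    db.execute("INSERT INTO i9_record (employee, doc_number, expires) "
               "VALUES ('Jane Roe', 'P1234567', '2026-01-31')")
    set_session(db, "hris-import", "10.0.0.9")   # constructed batch job, no UI involved
    db.execute("UPDATE i9_record SET expires = '2030-01-31'")
    return db, db.execute("SELECT actor, ip, event, employee, field, old_value, new_value "
                          "FROM i9_audit ORDER BY seq").fetchall()
```

Triggers fire only on writes, so the “accessed or viewed” events in point 2 are not captured here and have to come from the application or from the database's own read-audit facility.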

There are a variety of other technical considerations (separate and distinct from audit trails) that should be examined when selecting an I-9 software application. While the task may seem daunting, it ultimately comes down to doing your due diligence. Claims are easy, but proof is hard, so be sure to request a copy of your provider’s audit logs and other documents to see for yourself if they meet regulatory requirements. Finally, whether you are examining audit trails, reviewing general compliance, or investigating provider stability, it pays to educate yourself about electronic Forms I-9, consult an experienced immigration attorney who is familiar with such systems, and ask the hard questions.
