Portfolio Audit Trail: Every Decision

In 2019 I watched a small RIA fail an SEC exam on a single issue: the examiner asked for the rationale behind 14 specific trades over a 12-month period. The firm had notes scattered across email, Slack threads, and the head PM's personal notebook. Three of the trades had no documented rationale at all. The firm wasn't charged with anything, they hadn't done anything wrong on the trades themselves, but the exam deficiency letter took six weeks of remediation, two outside-counsel opinions, and a ~\$40,000 bill to close out. The deficiency was not "you made bad trades." It was "you cannot prove what you were thinking when you made them."

That is why audit trails exist, and why you want yours to be contemporaneous, queryable, and stored somewhere you can't accidentally edit. This post is about the audit trail I rely on, the specific workflows I run against it, and the three mistakes I've seen other managers make.

TL;DR

• Audit trails are about retrospective defensibility, not current workflow. They exist so that twelve months from now you can prove what you were doing today.
• Contemporaneous notes are the cornerstone. A timestamp on the note matters more than the length of the note.
• Rule-triggered events should auto-log, not ping you for manual capture. The log is only as good as what actually gets into it.
• Monthly CSV exports into cold storage turn a live log into a fixed record. Regulators and LPs want records they can trust weren't edited after the fact.
• The failure mode is silence. A quiet audit trail in a volatile month is usually an incomplete one, not a disciplined one.

Why an audit trail matters

If you manage external capital under an RIA registration, or inside a fund wrapper, examiners will eventually ask the same question in different forms: *what did you do, when, and why?* The only defensible answer is a contemporaneous log that captures trade decisions, rebalance rationales, compliance alerts, and the research context around them. Assembling that log after the fact is impossible, memory fades, chat logs are incomplete, and what you remember as the reason for a trade in Q2 is often different from what it actually was.

The audit trail also protects you internally. Six months from now, when a position that worked has stopped working, you want to know whether the original thesis was "momentum breakout" or "fundamental mispricing" because the re-evaluation rules differ. A good log tells you which. A bad log tells you the ticker symbol and the fill price, which you could have read off your brokerage statement.

What the Audit Trail card shows

The Audit Trail card logs every portfolio-level event with:

• Timestamp to the second, in the portfolio's canonical timezone
• Actor: which user or which system process wrote the entry
• Event type: trade, rebalance, alert triggered, note added, compliance rule flagged, webhook fired, and a handful of less-common events
• Affected positions: the tickers and sizes in play
• Free-text description: whatever the actor chose to record

Filters scope by date range, event type, or ticker. The full log exports to CSV (for regulator submissions or LP reports) and to JSON (for ingestion into your own archival pipeline).

Three workflows that pay off

Link notes to trades at the time you make them. The Portfolio Notes card timestamps your rationale directly into the audit stream. Retroactive notes, "I added this because X" typed three weeks later, are less defensible by every standard regulators apply. A thirty-second note at the moment of entry beats a thirty-minute reconstruction six months later.

Review the compliance sub-log weekly. Rule-triggered events (concentration limits crossed, sector caps breached, wash-sale flags, liquidity thresholds) accumulate silently. Nothing breaks; nothing stops working; but drift compounds. A standing ten-minute review on Friday afternoon catches these while they're still fixable in next Monday's rebalance.

Archive the export monthly. Regulators and LPs prefer immutable records. A monthly CSV snapshot into cold storage (S3 with object-lock, or a write-once filesystem) creates that immutability. The live audit table is editable by definition; the cold-storage snapshot isn't. This is the single cheapest piece of compliance hygiene you can do.

Example: a real reconciliation in Q3 2025

In September I had a position in a small-cap biotech I'd opened in March. Thesis at entry (per the audit note): "positive Phase 2 readout, cash runway through late 2026, below-average short interest." In September the stock was up 40% but the thesis had drifted, the company had done a secondary offering that extended runway but diluted 15%, and short interest had risen. My audit trail told me exactly when the dilution event logged (an alert fired the morning of the 8-K) and what my note had said that day: "Re-evaluate at next rebalance."

When I re-evaluated in October, I had the original thesis, the dilution event, the moment I flagged re-evaluation, and my current read, all in one queryable stream. The decision (trim by half) came from data, not from "I think I remember being worried about this." The audit trail is not glamorous, but it turns portfolio management into something closer to engineering than to memory.

What the log should capture that people often miss

• Why you *didn't* make a trade. A decision not to act is still a decision. If a compliance rule flagged a potential add and you chose not to add, log that reasoning. Examiners ask about inaction as often as action.
• Overrides of system recommendations. If the system ranked a ticker for entry and you skipped it, or ranked for exit and you held, log the override explicitly. This is one of the highest-value entry types for post-hoc performance attribution.
• Conversations with counterparties or LPs that influenced portfolio action. A ten-second "LP asked for lower gross, reducing by 10%" entry saves you hours six months later.
• Source-of-truth events for pricing. If a stale quote caused a mispriced rebalance, log the incident, the remediation, and the corrected values. Price-impact disputes on partial fills are the single most common LP question I've fielded.

Common mistakes

• Relying on memory for post-hoc reconstruction. If you haven't logged it contemporaneously, by the time you need it, it's gone. This is the single biggest failure I see.
• Letting compliance alerts sit unreviewed. An unreviewed breach is a breach twice, once when it happened, once when the examiner asks why you didn't respond.
• Editing the live log after the fact. Even if your system allows it, the audit trail should be append-only in spirit. Corrections are added as new entries referencing the old, not by mutating the old entry.
• Exporting but not archiving. A CSV you save to your Downloads folder is not an archive. An archive is stored somewhere you can retrieve from after a laptop fails or a workstation is re-imaged.
• Treating the log as a checkbox. The value is in the data, not in its existence. Three-word entries ("rebalance done") have roughly the same defensibility as no entry at all.

Where it fits in the rest of the product

The audit trail integrates with Compliance, rule-triggered events flow there automatically, so manual compliance logging is rare. It also integrates with Notes so your timestamped journal entries are audit lines. And with Webhook Alerts so triggered alerts (and their payloads) are part of the record.

FAQ

How long should I retain the audit trail?

SEC expectation for registered advisers is five years, with the first two years readily accessible. Most LPs with institutional compliance desks ask for seven. I default to seven and save the cost argument for another day, storage is cheap relative to the cost of producing one on demand.

Is a CSV export good enough for a regulator?

Usually yes, as long as you can demonstrate the export came from a system that writes append-only. If the export includes hash signatures or a separate chain-of-custody record, even better. Ask the regulator what format they prefer before the exam, examiners routinely have preferences you can accommodate trivially if you know in advance.

What if my compliance rules change mid-year?

Log the rule change itself as an audit event, actor, timestamp, before-state, after-state, rationale. Then old compliance-flagged events remain interpretable under the old rules, and new events are flagged under the new rules. This is how you answer "but the rules were different then" questions defensibly.

Does the audit trail slow down workflow?

A good one doesn't. Notes are keystrokes, not forms. Auto-logged events are auto-logged. The only manual overhead is the Friday-afternoon compliance review, and that one pays for itself the first time something gets flagged you didn't already know about.

Can I grant read-only access to my LPs or compliance consultant?

Yes, the read-only access is scoped to the audit-trail view, not to account-admin privileges. This is usually the right level for quarterly LP letters and for an external compliance consultant doing spot checks.

Related reading

• Compliance Rules Engine
• Portfolio Credibility Scoring
• Portfolio Attribution, Where Returns Come From

Open the Audit Trail → /app/portfolio