Web Data Decisions for Auditing and Compliance: 4 Areas for Consideration


A good web application provides a good experience on the front end for customers and on the back end for web managers.  Project funding tends to focus primarily on the front-end experience, but it's really the back end that can break a business when something goes wrong.

  • A customer calls and claims they were given last year’s terms and conditions.  
  • A product manager says IT uploaded the wrong PDF.  
  • A customer says they never logged in to authorize that payment.  
  • A customer says that the data they saw was not theirs.

Careful planning now will make auditing requests like these much less painful in the future.  

First, take steps to enhance security for your portal database.  Close all of the possible unauthorized ports of entry.  Ensure that firewalls are strong.  Check the latest security recommendations and do all that’s possible to meet each one.  Are there features to require additional authentication under circumstances where the user is out of his or her normal area or has failed some login attempts?

Now, check the design of the portal database to be sure that there are adequate auditing tables available.  How are transactions tracked? Is there a session detail record to view all activity during a session?  Are the user's IP addresses from sessions recorded so that the likelihood of identity can be considered?  A well-designed web portal database is an important part of auditing because it can include details of every transaction and activity by user, including text entered where necessary.  This is very helpful when a user calls into the call center with concerns about his or her account.

Next, prepare your web analytics software for auditing.  Work with your web analytics professional to pass an unintelligible user ID key to the web analytics software for logged-in users, and create a custom report that records pages and downloads by this user key.  This simple step is a godsend when something goes wrong, such as when a PDF or web page has an error in it and you need to quickly identify who has seen this content so that a correction can be made to that group of users.  This is extremely valuable from a risk management perspective.
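The sketch below is an added example, not code from the original article: it derives the unintelligible user key on the portal side and then answers "who saw this PDF while the wrong file was live?" from an analytics export. The HMAC-SHA256 derivation, the secret, the event field names, the user IDs and the dates are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime

# Assumption: a secret held only by the portal, never by the analytics tool.
KEY_SECRET = b"constructed-demo-secret"

def analytics_user_key(user_id, secret=KEY_SECRET):
    """Opaque, stable key passed to web analytics in place of the real user ID."""
    mac = hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]

def viewers_of(events, path, start, end):
    """Keys that viewed `path` in [start, end), plus a count of anonymous views."""
    keys, anonymous = set(), 0
    for ev in events:
        seen = datetime.fromisoformat(ev["ts"])
        if ev["path"] != path or not (start <= seen < end):
            continue
        if ev["user_key"]:
            keys.add(ev["user_key"])
        else:
            anonymous += 1  # no key recorded, so no individual follow-up is possible
    return keys, anonymous

def resolve(keys, portal_user_ids, secret=KEY_SECRET):
    """Portal-side step: recompute keys to map analytics results back to users."""
    table = {analytics_user_key(u, secret): u for u in portal_user_ids}
    return sorted(table[k] for k in keys if k in table)

# Constructed sample data: portal user IDs and an analytics export.
PORTAL_USERS = ["cust-1001", "cust-1002", "cust-1003"]
EVENTS = [
    {"user_key": analytics_user_key("cust-1001"), "path": "/docs/terms.pdf", "ts": "2024-03-02T09:15:00"},
    {"user_key": analytics_user_key("cust-1002"), "path": "/docs/terms.pdf", "ts": "2024-03-09T14:00:00"},
    {"user_key": analytics_user_key("cust-1003"), "path": "/docs/rates.pdf", "ts": "2024-03-02T10:00:00"},
    {"user_key": None, "path": "/docs/terms.pdf", "ts": "2024-03-03T08:30:00"},
    {"user_key": analytics_user_key("cust-1001"), "path": "/docs/terms.pdf", "ts": "2024-03-03T11:00:00"},
]

def affected_customers():
    """Who saw /docs/terms.pdf while the wrong file was live (constructed window)?"""
    start, end = datetime(2024, 3, 1), datetime(2024, 3, 5)
    keys, anonymous = viewers_of(EVENTS, "/docs/terms.pdf", start, end)
    return resolve(keys, PORTAL_USERS), anonymous

if __name__ == "__main__":
    print(affected_customers())
```

Because the key is a keyed hash, the analytics tool holds no customer identifiers, and only a system that holds the secret can map a report row back to an account.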

Now, take an inventory of the tools you have.  Do you have any session recording capabilities?  It is great to have access to a tool that will allow you to replay any session in question to see exactly what pages were viewed and what was accomplished.  Most companies do not have access to these tools for their web properties, but tools like these can be very helpful for auditing, especially in industries that are strictly regulated.

After some preparation, answers to tough auditing questions become more routine.

  • A customer calls and claims they were given last year’s terms and conditions.  Retrieve that customer’s encrypted ID, open the web analytics reporting and query which PDFs were viewed.  
  • Then, a product manager says IT uploaded the wrong PDF.  In the web analytics package, query that PDF and view which customers, if any, saw the incorrect PDF so that the product manager can draft a letter to those customers.  
  • Now, a customer says they never logged in to authorize that payment.  Use your web portal database to see details of that transaction, and verify the session details to see if there was a chance the account was compromised.  
  • If a customer says they saw data from another customer and you have a session recording tool, check the tool to see what happened.  If not, look into the web portal database session activity to see if any wires might have been crossed.

With careful planning and a few simple steps, you will be prepared for these and any other questions that come up in the future.