What Is an Audit Trail in Grants Management — and What Does Government-Grade Actually Mean?

Most grants programmes have an audit policy. Few have an audit trail.

That distinction matters far more than most grantmakers realise — until the day it doesn't. An audit policy tells your team what they are supposed to do. An audit trail proves what they actually did, when they did it, and who made each decision. In the context of government grants management in New Zealand, the difference between the two can determine whether you can respond to an OIA request in twenty working days, satisfy an Auditor-General inquiry, or demonstrate to Treasury that your contestable funding round was conducted with appropriate probity.

This article defines what "government-grade" means in practical, structural terms — and how to test whether your current grants system produces it.

The audit trail you think you have vs. the one your auditor is looking for

When grantmakers talk about their audit trail, they usually mean one of three things: a folder of decision memos, a spreadsheet tracking application statuses, or email threads preserved in an inbox. Each of these is a record of sorts. None of them is an audit trail in the sense that a controller, auditor, or OIA response officer needs.

A genuine audit trail is a chronological, immutable, field-level record of every action taken on every application, linked to a named user, timestamped to the second, and preserved in a way that cannot be edited after the fact. It answers not just "what was decided?" but "who entered that score, when did they enter it, and did they have a conflict of interest they had declared?"

The distinction is structural, not procedural. You cannot produce that record by archiving your email threads. It has to be built into the system handling your grants.

What an OIA request about your grant programme actually requires

Section 15(1) of the Official Information Act requires a decision on an information request within twenty working days. For a Crown entity or government agency running a contestable grant round, an OIA request about that round could ask for almost anything: the scoring rubric, individual assessor scores, conflict of interest declarations, the record of how a borderline application was decided, or documentation showing that two applicants were assessed on the same criteria.

The challenge isn't usually the decision about what to release. It's whether the record exists in a form you can actually retrieve and release. If your assessment process ran through a combination of email, shared drives, and a spreadsheet, producing a coherent, complete record within twenty working days requires someone to reconstruct it manually — introducing both time pressure and the possibility of gaps.

A government-grade audit trail is one where every piece of information the OIA could require already exists as a structured, retrievable record before the request arrives. You are not reconstructing; you are retrieving.

The five events that must be in a government-grade audit trail

For a contestable grants round administered by a Crown entity or government agency, a complete audit trail needs to capture at minimum five categories of event:

  1. Application submitted — timestamp, applicant identity, application version (if amendments were permitted), and any eligibility screening that occurred
  2. Conflict of interest declared and managed — which assessors declared a COI against which applications, when they declared it, and what action was taken (recusal, secondary review, escalation)
  3. Assessment scored — each assessor's individual scores, when each score was entered, and whether any score was revised and why
  4. Decision recorded — who made the funding decision, the date, and the documented rationale, particularly for decisions that deviated from assessor recommendations
  5. Payment released or contract executed — disbursement authorisation, milestone sign-offs, and any contract variations made post-award

A system that captures only the outcome — "application approved on [date]" — provides almost no audit value. The trail is the journey through those five events, with full attribution at each step.

COI declarations: the gap between "we have a policy" and "we have a record"

Conflict of interest management is the area where the gap between policy and trail most frequently causes problems. Almost every grants programme has a COI policy. Far fewer have a structural record that demonstrates the policy was actually followed for a specific application in a specific round.

The OAG's best-practice guidance on managing conflicts of interest in public sector procurement and funding makes clear that documenting the management of a declared conflict is as important as documenting the declaration itself. A form signed at the beginning of a panel process does not demonstrate that a conflicted assessor did not access or influence the scoring of a specific application.

Government-grade COI management requires the system to enforce the policy, not just record it. That means: when a COI is declared against an application, the conflicted assessor is automatically prevented from accessing that application's materials and scores, and that restriction is logged as part of the application record. The audit trail shows not only "Assessor X declared a COI" but "Assessor X was blocked from Application Y from [timestamp] to close of round."

Assessment scoring: why a spreadsheet isn't an audit trail

Spreadsheet-based assessment is still common in the NZ grants sector, particularly in smaller programmes. The practical problem is not the format — it is the mutability.

A spreadsheet score can be changed without any record of what it was before. If an assessor updates a criterion score from 3 to 5 after a panel discussion, that history is simply gone unless someone manually tracked it. In a contestable round where an unsuccessful applicant challenges the outcome, or where an OIA request asks for the scoring record, you cannot produce evidence that scores were not changed after funding decisions were made.

An immutable scoring record — where each score entry is timestamped and attributed to a named user, and revisions create a new versioned entry rather than overwriting the old one — is a structural requirement for government-grade assessment. The score history must be part of the application record, not a separate audit log that could theoretically be altered or deleted.
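The COI enforcement and versioned scoring described in the two sections above can be sketched as a single append-only application record. This is an added example, not code from the original article or from any vendor's product; the class, method and field names are hypothetical, and the SHA-256 hash chain is an assumed mechanism for making in-place edits detectable, since the article does not name one.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first event
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ApplicationRecord:
    """Append-only event log for one application (hypothetical model)."""
    def __init__(self, application_id):
        self.application_id = application_id
        self._events = []      # appended to, never edited or deleted
        self._blocked = set()  # assessors with a declared COI

    def _append(self, user, action, detail):
        body = {"seq": len(self._events), "user": user, "action": action, "detail": detail,
                "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "prev": self._events[-1]["hash"] if self._events else GENESIS}
        self._events.append({**body, "hash": _digest(body)})
        return self._events[-1]

    def declare_coi(self, assessor, reason):
        self._blocked.add(assessor)  # enforcement, not just a note on file
        self._append(assessor, "coi_declared", {"reason": reason})
        self._append("system", "access_blocked", {"assessor": assessor})

    def history(self, assessor, criterion):
        return [e for e in self._events if e["action"] == "score_entered"
                and e["user"] == assessor and e["detail"]["criterion"] == criterion]

    def enter_score(self, assessor, criterion, score, reason=None):
        if assessor in self._blocked:  # the refused attempt is itself logged
            self._append(assessor, "access_denied", {"attempted": "enter_score"})
            raise PermissionError(f"{assessor} declared a COI on {self.application_id}")
        version = len(self.history(assessor, criterion)) + 1
        if version > 1 and not reason:
            raise ValueError("a revised score must record why it changed")
        return self._append(assessor, "score_entered", {"criterion": criterion,
                            "score": score, "version": version, "reason": reason})

    def verify(self):
        prev = GENESIS
        for e in self._events:  # an edited or reordered event breaks the chain
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A score revised from 3 to 5 leaves both versions in `history()`, and a blocked assessor's attempt shows up as an `access_denied` event in the same record. The chain alone does not detect events truncated from the end of the log, so the latest hash would need to be anchored somewhere the application database cannot rewrite.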

Decision letters and post-award accountability: the trail doesn't stop at approval

A common gap in grants audit trails is the treatment of post-award activity. The assessment trail may be thorough, but once a funding decision is made and a grant agreement signed, accountability sometimes shifts to a separate contract management process with its own recordkeeping — or no formal recordkeeping at all.

For a government funder, the audit obligation does not end at approval. Treasury's probity guidance and the OAG's work on the management of public funds both make clear that accountability extends through the life of the grant: milestone reporting, payment authorisation, contract variation, and final accountability. A grantee who fails to meet a milestone and receives a payment extension needs that variation documented in the same system as the original award, linked to the same application record.

The grants organisations getting this right are treating post-award as a continuation of the same record, not a handoff to a separate system. Te Māngai Pāho, the $60M+ Crown entity responsible for Māori broadcasting funding, runs this kind of integrated accountability across a complex portfolio of funding rounds. As Larry Parr, Chief Executive at Te Māngai Pāho, put it: "Our small team has more than doubled both the number of Funding Rounds and the number of contracts under management in the last two years, thanks to Tahua." That capacity growth is only sustainable when post-award accountability is built into the same system, not bolted on.

Taupō District Council runs its community grants programme on a public register — applicants and the community can see what was funded and why. NZ On Air manages parliamentary reporting obligations across multiple contestable rounds, with data that cannot leave Aotearoa under their hosting requirements. Both use the same application and post-award trail.

How to test whether your current grants system produces an auditable record

If you are not certain whether your current system would satisfy an OIA request or an Auditor-General inquiry, these six questions will surface the gaps quickly:

  1. Can you produce a complete, field-level history of every change made to a specific application — including who made each change and when? If the answer is "we'd have to piece it together from emails," that is not an audit trail.
  2. Can you demonstrate, for a specific round, which assessors had access to which applications — and prove that no conflicted assessor accessed an application they had declared against? Access logs and COI enforcement are different things.
  3. Do your assessment scores have an immutable history — meaning you can show what a score was before it was changed, who changed it, and when? A current-state score is not a record.
  4. Is your post-award record in the same system as your pre-award record, or does accountability transfer to a spreadsheet or a contract management folder when the grant agreement is signed?
  5. Is your system hosted in a way that satisfies your agency's data residency requirements? For most NZ Crown entities, this means data must remain in New Zealand. Hosting in AWS ap-southeast-2 (Sydney) with a contractual guarantee that data never leaves Aotearoa is a common minimum bar.
  6. Can you produce a structured, exportable record of a complete round — including all of the above — within the timeframe an OIA response requires?

If you can answer yes to all six, your grants system is likely producing a government-grade audit trail. If you cannot answer yes to two or more, you have a structural gap that an audit policy cannot close.

What to ask vendors when evaluating grants management software

When evaluating grants management software against an audit trail requirement, the relevant questions are structural, not feature-based:

On immutability: Does the system use versioned, timestamped records for all application and assessment data — meaning records cannot be overwritten, only superseded? What is the technical mechanism? (A genuine answer names the approach; a vague one does not.)

On COI enforcement: Does the system enforce COI restrictions at the data access level — meaning a declared conflicted assessor cannot access the application, not just that they are asked not to? Is that restriction logged as part of the application record?

On post-award: Are the grant agreement, milestone record, payment authorisation, and contract variation history stored in the same record as the application and assessment history — or in a separate module that requires manual linking?

On data residency: Where is the data hosted? Is there a contractual guarantee about data sovereignty, or just a policy statement? For NZ government agencies, contractual residency in New Zealand is a governance requirement, not a preference.

On OIA readiness: Can the system export a structured, complete record of a single application — including all versions, all scores, all COI declarations, and all post-award activity — in a format suitable for OIA disclosure? How long does that export take?

A grants policy that requires accurate records and a grants system that produces them are not the same thing. The organisations that survive audits, respond to OIA requests without crisis, and maintain public trust in their funding decisions are the ones where the trail is structural — built into the system, not assembled after the fact.

If you are evaluating whether your grants process would survive OIA scrutiny, we are worth talking to. You can also read more about how Tahua approaches government grants management in New Zealand.