Sarras
  Writing

Essay

Auditable by design

Most software asks you to trust it. The better question is whether you can verify it — and what it costs to build software that lets you.

SarrasJune 2026

Every piece of software makes the same quiet promise: the number you're looking at is the right number. The balance is correct. The record wasn't altered. The search returned everything it should have. For most software, that promise rests entirely on faith — in the vendor, the codebase, and a chain of systems you will never see.

For a lot of software, faith is fine. If a playlist shuffles imperfectly, no one is harmed. But some software carries weight: it informs a financial decision, a medical one, a legal one. When the stakes are real, "trust us" stops being good enough. The useful question isn't do you trust this system — it's can you check it.

Two ways to earn trust

There are really only two ways for software to earn it. The first is reputation: a brand, a track record, a logo on a slide. Reputation is valuable, but it's also transferable in exactly the wrong direction — it asks you to extend trust before anything has been proven, and it offers you nothing to fall back on when something goes wrong.

The second way is to make the system verifiable. Instead of asking to be believed, it hands you the means to confirm. Where did this figure come from? Show me the source. Has this file changed since it was filed? Here is a hash that says no. Who touched this record, and when? Here is a log that can't be quietly rewritten. Verifiable software doesn't need your faith, because it gives you something better: the ability to not need it.

The goal isn't to be trusted. It's to be checkable — so trust becomes a choice the user makes with evidence, not one we ask for on credit.

What "auditable" actually means

Auditability is easy to claim and harder to build, because it has to be designed in from the first commit rather than bolted on before a launch. In practice it comes down to a few concrete properties:

  • Provenance. Every derived value can be traced back to its source. A total points at the rows that produced it; a transcript line points at the second of audio it came from.
  • Tamper-evidence. You can't always prevent a record from being altered, but you can make alteration detectable — a hash chain where changing any link breaks every link after it.
  • A complete, append-only history. Not "the current state," but the sequence of events that produced it, with who and when attached to each.
  • Exportability. If you can't get your data out — originals, logs, and all — you can't independently verify anything. Lock-in and auditability are opposites.

None of this is exotic. It is, however, a set of decisions that are nearly free to make early and punishingly expensive to retrofit. By the time anyone asks "can we prove this wasn't tampered with?", the answer is usually decided by choices made months before.

The cost, honestly

Building this way is not free. Provenance means carrying more context through every layer. Tamper-evidence means treating history as immutable when it would be easier to overwrite. Exportability means resisting the gravity of lock-in even though lock-in is good for business. It is slower, and it asks for discipline precisely where shortcuts are most tempting.

What you get in return is software that holds up under scrutiny — the kind that can sit in front of an auditor, an opposing attorney, or a regulator and not flinch. For work where that day eventually comes, it's the only thing that matters.

Where we land

We've spent more than twenty years building information systems where correctness, provenance, and scale weren't features but requirements — the kind where someone, eventually, asks you to prove it. That's the bias we build with now: auditable by design, because the alternative is to find out it wasn't, at the worst possible moment.

It's the spine of Scribe Verbatim, our first product — a tamper-evident chain of custody for evidence, with every line traceable to its source. And it's the lens we bring to the consulting we take on. If you're building something that will one day have to be proven, that's exactly the kind of problem we like.