Workflow History List for Auditing?
Yesterday a question came up about how long SharePoint keeps the workflow history, because users wanted to know for auditing purposes. The answer is that there is a timer job in SharePoint 2007 (SharePoint Central Admin -> Operations -> Timer Job Definitions) that permanently deletes workflow instances and any related tasks that still exist 60 days after the workflow has been cancelled or completed. Workflow History list items, however, do not get deleted. (The list is hidden; you can access it through this link: http://[servername]/[sitename]/lists/Workflow History)
The 60-day retention can be adjusted in various ways, which have been covered many times in other blogs (refer to TechNet for the stsadm command), so I am not going to cover them here.
The reason for the post today is more the “for auditing purposes” comment in the question. SharePoint’s Workflow History list and auditing? A bit like cats and dogs to me…they usually don’t agree with each other.
The main reason I give my clients is that it is not secure enough by default. (My Information Security lecturer at uni made me a bit paranoid.) At the end of the day it is a normal (although hidden) list that users with the appropriate permissions can modify. It is not tamper-proof, and your customer will spend a LOT of time securing all workflow history lists if they decide to use it for auditing. Also, I don’t think any sane auditor will regard this as a valid auditing mechanism.
But what else can you do? Well, a very good option would be to use SharePoint auditing logs and Visual Studio to create workflow auditing reports. You then don’t have to mess with the timer job definitions, and all auditing standards can be met by customising the reports. A report centre within SharePoint could also be used to centrally manage and store all auditing reports, not only workflow reports.
As with all things on earth, there is a catch with SharePoint auditing: there is an approximately 15% performance decrease, so be careful when enabling auditing.
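As a starting point for the audit-log reports described above, here is an added example (not code from the original post) that reads workflow events from a site collection's audit log through the SharePoint object model and writes them as CSV. The program name, the command-line URL argument and the 60-day window are assumptions made for illustration.

```csharp
// Added example: export workflow audit events from a site collection's audit log.
// Compile against Microsoft.SharePoint.dll and run on a SharePoint server.
using System;
using Microsoft.SharePoint;

class WorkflowAuditReport
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: WorkflowAuditReport <site-collection-url>");
            return 1;
        }

        using (SPSite site = new SPSite(args[0]))
        {
            // Workflow events are only recorded when the Workflow audit flag is set.
            if ((site.Audit.AuditFlags & SPAuditMaskType.Workflow) == 0)
            {
                Console.Error.WriteLine("Workflow auditing is not enabled for " + site.Url);
                return 2;
            }

            // Restrict the query to workflow events; the 60-day window is an assumption.
            SPAuditQuery query = new SPAuditQuery(site);
            query.AddEventRestriction(SPAuditEventType.Workflow);
            query.SetRangeStart(DateTime.UtcNow.AddDays(-60));

            Console.WriteLine("Occurred,UserId,ItemType,DocLocation,EventData");
            foreach (SPAuditEntry entry in site.Audit.GetEntries(query))
            {
                Console.WriteLine("{0:u},{1},{2},{3},{4}",
                    entry.Occurred, entry.UserId, entry.ItemType,
                    Csv(entry.DocLocation), Csv(entry.EventData));
            }
        }
        return 0;
    }

    // Quote a field so commas and quotes in the audit data keep the CSV well-formed.
    static string Csv(string value)
    {
        return "\"" + (value ?? "").Replace("\"", "\"\"") + "\"";
    }
}
```

The exit code 2 path makes a missing audit setting visible instead of producing an empty report that looks like "no workflow activity".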
As always, I’m happy to receive any kind of feedback regarding this topic (or any other topic).