Docs

PII-003: Financial Data No Audit

Financial account number or card data accessed without audit logging

criticalpiiuipath • power_automate • aa • blue_prism

What it detects

Financial account number or card data accessed without audit logging Flowcerta currently surfaces this finding from the active validation pipeline for supported patterns.

Why it matters

PII findings matter because workflow automations regularly touch regulated identifiers, customer records, and health data. Weak auditability or unsafe logging turns ordinary bot activity into a compliance exposure.

Example violation

Financial account number or card data accessed without audit logging

Fix guidance

UiPath

  • Load PII-related identifiers from a secure asset store, not workflow variable defaults.
  • Use platform-native assets, credentials, bounded retries, and Log Message checkpoints instead of hardcoded literals or silent failure paths.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Power Automate

  • Load PII-related identifiers from a secure asset store, not workflow variable defaults.
  • Prefer environment-aware connectors, connection references, structured scopes, and explicit run-history logging.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Automation Anywhere

  • Load PII-related identifiers from a secure asset store, not workflow variable defaults.
  • Move sensitive values into credential vaults or externalized configuration and keep task-bot calls explicit and reviewable.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Blue Prism

  • Load PII-related identifiers from a secure asset store, not workflow variable defaults.
  • Use release metadata, data items, and process/page references intentionally so reviewers can trace ownership and fix paths quickly.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Verification steps

  1. Run validation again and confirm the rule no longer appears in the finding list.
  2. Review the changed workflow artifact directly to verify the risky pattern is gone.
  3. Capture the new validation result as evidence for the relevant owner or compliance review.

Compliance references

  • SOC2 CC6.8 — Logical Access Controls — Transmission/Output
  • HIPAA 164.312(b) — Audit Controls
  • GDPR Art.32 — Security of Processing

Related rules

PII-001PII-002

This page is generated from canonical rule seed data plus the current runtime validation mapping.

Browse all rule playbooks