Yes, I don't think the issue here is about confidentiality, it's about data integrity. I cannot think of a justification for updating an audit trail 'through the back end' unless, say, a generic system bug meant that recorded data was incorrect and had to be updated by the vendor. You'd expect quite a lot of documentation to cover such a fix though. An end user should always be editing data through the front end and/or API whereby the audit trail would be created automatically. This is one of the central tenets of data integrity.