Your journal entries claim to be IMMUTABLE, once posted, never changed. But unless your database actively ENFORCES that, a rogue admin (or a panicked engineer) can UPDATE journal_line and silently rewrite history. Regulators won't trust ledger reports based on a 'we promise we don't update' policy. The real defense: WORM (Write-Once-Read-Many) enforcement at the database level. Tactics: revoke UPDATE/DELETE grants on the journal_line table from all application roles; add a Postgres trigger that RAISES on any UPDATE; periodically hash each row and write the hash to an append-only log; archive period-close snapshots to S3 with object lock. This lesson posts an entry and discusses the WORM checks running around it.