I understand that penetration testers should leave audit trails. I am confused as to the purpose. I have heard that it is so the organization can see what changed in their applications and websites to make them exploitable? Is this correct? Could you please explain with a little bit of detail?