Sloppy wording on my part. Accounting gets the termination record when you log out or when you your process is deleted, and that record includes the login data, and you won't uniformly find data for a user's process until then. (Dig around for earlier discussions. This on-logout behavior has confounded many folks over the decades.)
There are other corner cases, such as the lack of process accounting records after system crashes. Which means spotting system boot records, and recognizing that you'll have probably "lost" some of the process accounting data upstream of that.
(This behavior particularly bothered the service bureaus in Ye Olden Daze. The service bureaus folks then tended to add extensions that generated an accounting record at login. It's a little surreal mentioning service bureaus with VMS, as that hasn't been a commonplace occurrence in some eons. But I digress.)
Auditing can be a better data source, as you can (if enabled) catch and log both the logins and the logouts.
I tend to end up processing the data records with a simple state machine here as it's easier to implement and to tweak, and I prefer to enable and use auditing as the data source.
One of my favorite (obscure, integrated) hammers when presented with a requirement for a state table is the tparse, err, lib$table_parse support, the finite-state table-driven parser, but that's another digression.
And another option for heterogeneous environments is to send the auditing data over to a server via (open-source add-on) syslog client, and doing the the data reduction via syslog tools. But again I digress.
This reply is a repost, as ITRC is being, well, ITRC again.
