What is an audit trail?
An audit trail is a chronological, immutable record of every action taken on a financial document or transaction. It captures who performed each action, when it occurred, what changed, and the state of data before and after. Tax authorities in France and the UAE, as well as EU frameworks, require audit trails for invoice integrity verification.
What are the five mandatory elements of a compliant audit trail?
Regulatory frameworks consistently require five elements for audit trail entries to be considered compliant:
- Who: User identity of the actor who performed the action
- When: Precise timestamp with time zone
- What: Action type (create, modify, delete, transmit, approve)
- Which: Identifier of the affected document or transaction
- State: Before-and-after data snapshot for modifications
How long must audit trails be retained?
Retention requirements vary by jurisdiction. Businesses operating across multiple jurisdictions must apply the longest applicable period:
- France (DGFiP): 10 years for invoices and related financial records
- UAE (FTA): 5 years for VAT records
- EU (general): Aligned with national tax statute of limitations, typically 7-10 years
- ISO 27001: No fixed period, but records must support audit and investigation requirements
What does immutability mean for audit trails?
An immutable audit trail cannot be edited, deleted, or overwritten after entries are created. Corrections are handled by appending a new entry that documents the correction and references the original entry. Any system that allows modification of existing audit trail entries does not meet compliance requirements.
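One way to make the append-only rule above checkable, as an added example that is not part of the original page: each entry carries the five elements plus the hash of the previous entry, and a correction is a new entry whose `corrects` field points at the original. The field names, the `corrects` field, the SHA-256 chain and the sample invoice data are assumptions made for illustration.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value preceding the first entry


def _digest(body):
    # Canonical JSON (sorted keys) so an entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(trail, who, what, which, before, after, corrects=None):
    """Add an entry that commits to the previous entry's hash; never edits in place."""
    body = {
        "seq": len(trail),
        "who": who,
        "when": datetime.now(timezone.utc).isoformat(),  # timestamp with UTC offset
        "what": what,
        "which": which,
        "state": {"before": before, "after": after},
        "corrects": corrects,  # seq of the original entry a correction refers to
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append({**body, "hash": _digest(body)})
    return body["seq"]


def verify(trail):
    """Return the seq of the first entry that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def demo():
    trail = []  # constructed sample data below
    first = append(trail, "alice", "create", "INV-0001", None, {"total": "100.00"})
    append(trail, "bob", "modify", "INV-0001",
           {"total": "100.00"}, {"total": "120.00"}, corrects=first)
    tampered = copy.deepcopy(trail)
    tampered[0]["state"]["after"]["total"] = "1.00"  # simulated in-place edit
    deleted = copy.deepcopy(trail)[1:]  # simulated deletion of the first entry
    return verify(trail), verify(tampered), verify(deleted)
```

The chain alone does not reveal removal of the newest entries; detecting that requires recording the latest hash somewhere the writer of the trail cannot change.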
Frequently Asked Questions
- Is an audit trail the same as a log file?
- Not exactly. Log files are technical records of system events. Audit trails are compliance records focused on business actions and data changes. A compliance-grade audit trail is structured, tamper-evident, and retained according to regulatory requirements. A log file may not meet these standards.
- Can an audit trail be modified?
- No. A defining characteristic of a compliant audit trail is immutability. Entries cannot be edited, deleted, or overwritten. Corrections are appended as new entries. Any system allowing modification of audit trail entries does not satisfy regulatory requirements.
- What triggers an audit trail entry?
- Any action on a financial document should trigger an entry: creation, modification, approval, rejection, transmission, receipt, payment, archiving, or access by a new user. The specific events required vary by regulatory framework.
- Does an audit trail apply to e-invoices?
- Yes. E-invoices require audit trails covering their full lifecycle: generation, validation, transmission, receipt confirmation, payment, and archiving. The audit trail must link to the structured invoice data, not only to the visual representation.