Audit Trail

An audit trail is a chronological record of every action taken on a financial transaction. In accounts payable, a complete audit trail shows who received an invoice, when it was received, who coded it, who approved it, when each approval was given, and when and how the payment was made. It provides the evidence needed to answer the question: was this payment properly authorised?

An audit trail is not the same as a paper file. A stack of invoice PDFs with some handwritten notes does not constitute an audit trail. A proper audit trail is a structured, tamper-evident record that links each action to a specific user, a specific timestamp, and a specific document version. It should be possible to reconstruct the entire history of any invoice from the audit trail without needing to interview anyone about what they remember.

What a complete AP audit trail contains

A complete AP audit trail for each invoice should record: the date and time the invoice was received and by which channel, the data extraction results and any fields that required manual correction, the account codes assigned and by whom, the validation checks performed and their results, the approval workflow path followed, the identity of each approver, the date and time each approval was given, any comments or rejection reasons recorded during the approval process, the payment date, payment method, and bank reference, and any subsequent changes to any of these fields with timestamps and user identification.

The audit trail should be stored in a way that prevents retrospective modification. An invoice that was approved by the wrong person, or an invoice that was paid twice, should not be concealable by editing the audit trail. The integrity of the audit trail is as important as its completeness.

Why audit trails matter for Australian businesses

The ATO requires businesses to keep records sufficient to explain and support their income and deductions for five years. For GST, this includes records of all tax invoices received and the basis on which input tax credits were claimed. A complete AP audit trail satisfies these requirements and provides the evidence needed in the event of an ATO audit.

Beyond ATO compliance, audit trails are essential for investigating suspected fraud. When a business suspects that an invoice was paid fraudulently, the audit trail shows exactly how the invoice moved through the system: who entered it, who approved it, and whether any of the validation controls should have flagged it. Without an audit trail, a fraud investigation relies on people's recollections, which are less reliable and more subject to self-interested interpretation.

How AP automation generates audit trails

Manual AP processes generate audit trails only to the extent that people remember to document their actions. Emails provide some record, but they are not structured, not tamper-evident, and not linked to the invoice records in a systematic way. A bookkeeper who approved an invoice by email three months ago may not be able to produce the relevant email quickly, or at all.

AP automation software generates audit trails automatically as a byproduct of the workflow. Every action taken in the system is timestamped and attributed to a specific user. The audit trail exists without anyone needing to remember to create it. For businesses that need to demonstrate compliance in an audit or investigate a fraud incident, a system-generated audit trail is substantially more reliable and accessible than a manually maintained paper record.