Number7AI — Docs
AP audit trail requirements
An AP audit trail is not a log file. It is a complete, immutable, structured history of every event from document upload to accounting post — sufficient for an auditor to reconstruct any decision without interviewing staff.
Last updated: April 2026
TL;DR
- Six required components: source linkage, extraction versioning, field-edit logs, approval paths, exception lifecycle, and export events.
- Every log entry needs: actor identity, timestamp, before/after values where applicable.
- Audit logs must be append-only and retained for the statutory period (7–8 years for Indian GST compliance).
- Use the checklist below to evaluate any AP platform's audit readiness.
Why AP audit trails matter beyond compliance
Audit trails are required for GST scrutiny, statutory audits, and internal financial controls. But beyond compliance, a good audit trail is operationally useful: it lets AP managers understand how an exception was resolved, why a vendor was paid twice, or when a field was manually edited and by whom. Without structured audit data, root cause analysis is impossible and disputes with vendors take weeks to resolve.
Required audit trail components
1. Source document linkage
   The original uploaded file (or a content-addressed hash of it) must be permanently linked to every downstream event. Auditors need to trace any posted entry back to the scanned original.
2. Extraction version history
   If a document is re-processed (e.g., after model update or manual re-trigger), each extraction run must be versioned and the active version must be explicit.
3. Field-level edit log
   Every operator change to an extracted field must record: the original extracted value, the new value, the operator ID, and a UTC timestamp. Bulk edits must log each field individually.
4. Approval path and decisions
   The complete approval chain — who was asked, when, what decision was made, and any comments — must be immutably stored. Approval changes (escalations, re-routings) must be logged.
5. Exception lifecycle
   Each exception must record: when it was raised, the failure type, the extracted value that triggered it, who resolved it, the resolution action, and any resolution notes.
6. Export and posting events
   Each export to ERP, accounting software, or CSV must log: timestamp, operator, destination system, record count, and the field values exported. Failed exports must also be logged.
Audit readiness checklist
Use this when evaluating an AP platform or auditing your current implementation.
- ✓ Are source documents stored with content-addressable identifiers (not just filenames)?
- ✓ Does every field edit log the before value, after value, actor, and timestamp?
- ✓ Are extraction re-runs versioned rather than overwriting the previous result?
- ✓ Is the full approval chain (including re-routes and escalations) stored per invoice?
- ✓ Are exception resolutions logged with resolution type and notes, not just a status change?
- ✓ Are export events logged with the exact set of records and field values exported?
- ✓ Can you produce a complete history of any invoice — from upload to posting — in under 2 minutes?
- ✓ Is audit log access read-only for non-admin operators?
- ✓ Are audit logs stored with tamper-evidence (append-only or cryptographic)?
- ✓ Do you retain audit data for the statutory retention period (typically 7–8 years in India)?
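
One way to combine the tamper-evidence item above with source linkage (component 1) and per-field edit logging (component 3), as an added example that is not Number7AI's code: a SHA-256 hash-chained log in Python. The names `AuditLog`, `content_id`, `verify` and the entry layout are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed fixed "previous hash" for the first entry

def content_id(file_bytes):
    """Content-addressed identifier for an uploaded source document."""
    return "sha256:" + hashlib.sha256(file_bytes).hexdigest()

def _digest(body):
    # Canonical JSON (sorted keys, no whitespace) so hashing is reproducible.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

class AuditLog:
    """In-memory append-only log; each entry commits to the previous hash."""
    def __init__(self):
        self._entries = []

    def append(self, event, actor, source_doc, details):
        body = {
            "seq": len(self._entries),
            "ts": datetime.now(timezone.utc).isoformat(),  # UTC timestamp
            "event": event, "actor": actor,
            "source_doc": source_doc, "details": details,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append({**body, "hash": _digest(body)})
        return self._entries[-1]

    def log_field_edits(self, actor, source_doc, edits):
        """Bulk edit {field: (before, after)} -> one entry per field."""
        return [self.append("field_edit", actor, source_doc,
                            {"field": f, "before": b, "after": a})
                for f, (b, a) in edits.items()]

    def entries(self):
        return json.loads(json.dumps(self._entries))  # copy for readers

def verify(entries):
    """Return -1 if the chain is intact, else index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return -1
```

`verify` catches edited, reordered or deleted middle entries, but not truncation of the tail or a full rewrite of the chain, so the latest `hash` should also be recorded somewhere the log's writers cannot change.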