
What should an AP audit trail capture?

Reference guide to what an AP audit trail should capture, including control design, audit evidence, risk points, finance procedures, and compliance review.

A complete invoice audit trail captures every consequential event with four attributes: who (named user), what (the action, with before/after values for field changes), when (timestamp), and context (what the actor saw - the invoice version, coding, and attached documents at that moment). The standard is simple: could a stranger reconstruct the invoice's full history from the record alone?

At a Glance

| Aspect | Short Answer | Why It Matters |
| --- | --- | --- |
| What should an AP audit | A complete invoice audit trail captures every consequential event with four attributes: who (named user), what (the action, with before/after values for field changes), when (timestamp), and context (what the actor saw. | Keeps evidence clear and reduces control risk. |
| Control point | Log everything; pay attention selectively. | Keeps evidence clear and reduces control risk. |
| Approval path | As one connected chain, not a set of parallel logs. | Keeps evidence clear and reduces control risk. |
| Audit evidence | The chronological, attributable record of everything that happened to a transaction - receipt, edits, coding, approvals, payment - that lets you prove the process operated. | Keeps evidence clear and reduces control risk. |
| The audit trail record | Yes - rejections are control successes and their reasons are process intelligence. | Keeps evidence clear and reduces control risk. |

Should every field change be logged, or only control-relevant fields?

Log everything; pay attention selectively. Storage is cheap and you can't retroactively log what you didn't capture - but your review and alerting should concentrate on control-relevant changes: amount, vendor, banking details, GL coding, entity, and approval-related fields. The before/after pair is what makes a change log useful: "amount edited" is a fact, "amount changed from $4,800 to $48,000 by user X after approval" is evidence. Edits made after initial entry - and especially after approval - deserve their own scrutiny, because that's where both honest errors and manipulation concentrate.

What is an audit trail in accounts payable?

The chronological, attributable record of everything that happened to a transaction - receipt, edits, coding, approvals, payment - that lets you prove the process operated. It is the difference between asserting controls exist and demonstrating they ran.

Should the audit trail record rejected invoices and the reasons, not just approvals?

Yes - rejections are control successes and their reasons are process intelligence. A trail that only shows approvals can't demonstrate that review was real, and rejection patterns (by vendor, by error type) tell you what to fix upstream.

How do I capture the approval context - what the approver actually saw at the moment they approved?

The system should bind each approval to the invoice state at action time: the amount, coding, documents, and flags as they stood. This is the strongest answer to the auditor question "did the approver have what they needed?" - and it's why approvals inside the invoice workspace beat approvals in a detached email or list view.

Do comments and questions between AP and approvers belong in the audit trail?

Yes. The question "is this the contracted rate?" and its answer are part of how the decision was reached - evidence of genuine review. When that dialogue lives in email instead, the trail shows a bare approval and the diligence behind it is invisible.

What are the audit trail requirements for invoices that were edited after initial entry - who changed the amount and when?

Every edit needs actor, timestamp, and before/after values - and material post-approval edits should trigger re-approval, since the authorization applied to different numbers. Auditors specifically probe the edit-after-approval window; make sure your system can answer it.

What audit trail capabilities should I demand from an AP automation tool before buying?

Immutability (no edit or deletion of history, by anyone); field-level before/after capture; approval history including delegation and reassignment; human vs. AI action attribution; in-context communication capture; linkage across PO, receipt, invoice, and payment; and clean export for auditors. Then test it in the demo: change a field, approve, and ask to see - and to alter - the log.
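
The sketch below is an added example, not code from this guide or from any AP product. It shows three of the capabilities discussed above working together: field-level before/after capture with human vs. AI attribution, tamper evidence through a hash chain (one way to back an immutability claim), and detection of control-field edits made after approval. Field names, actors and timestamps are constructed assumptions.

```python
import hashlib
import json

# Control-relevant fields named in the guide; the key names are assumptions of this example.
CONTROL_FIELDS = {"amount", "vendor", "bank_details", "gl_code", "entity", "approver"}
GENESIS = "0" * 64

def digest(event):
    # Hash every attribute except the stored hash itself, in a stable key order.
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(trail, actor, actor_type, action, ts, field=None, before=None, after=None):
    """Append who/what/when plus before/after; each entry commits to its predecessor."""
    event = {"seq": len(trail), "actor": actor, "actor_type": actor_type,
             "action": action, "ts": ts, "field": field, "before": before,
             "after": after, "prev": trail[-1]["hash"] if trail else GENESIS}
    event["hash"] = digest(event)
    trail.append(event)
    return event

def verify_chain(trail):
    """Return the index of the first altered, removed or reordered entry, else None."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != digest(e):
            return i
        prev = e["hash"]
    return None

def edits_needing_reapproval(trail):
    """Control-field edits made after an approval and not covered by a later approval."""
    pending, approved = [], False
    for e in trail:
        if e["action"] == "approve":
            approved, pending = True, []
        elif e["action"] == "edit" and approved and e["field"] in CONTROL_FIELDS:
            pending.append(e)
    return pending

def sample_trail():
    """Constructed sample: the guide's $4,800 -> $48,000 edit, made after approval."""
    t = []
    append_event(t, "ap.clerk", "human", "receive", "2024-03-01T09:00:00Z")
    append_event(t, "capture-model", "ai", "edit", "2024-03-01T09:01:00Z", "gl_code", None, "6100")
    append_event(t, "j.doe", "human", "approve", "2024-03-02T14:30:00Z")
    append_event(t, "user.x", "human", "edit", "2024-03-03T08:15:00Z", "amount", "4800.00", "48000.00")
    return t
```

A hash chain on its own does not reveal removal of the newest entries; keeping the latest hash outside the system, for instance in the auditor export, closes that gap.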

Our current process is paper + email and the "audit trail" is a shared inbox - how do I reconstruct history when an auditor asks?

For the audit at hand: pull the invoice, the related email threads, payment evidence, and any approval artifacts into a per-sample package, and be candid about gaps - auditors handle disclosed limitations better than discovered ones. Then treat the reconstruction cost as the business case: a system that captures the trail automatically eliminates this work category entirely.

Stampli perspective

Stampli captures the audit trail as a byproduct of doing the work: every dispatch, coding change (with before/after values), approval, rejection, question, comment, delegation, skip-approval reason, recall, and ERP sync event lands on the invoice's activity record - alongside the invoice image, documents, and conversation. Because communication happens on the invoice rather than in email, the approval context is part of the evidence, and invoice data can be exported when auditors ask. The trail is immutable: it documents what happened, including corrections, rather than allowing history to be rewritten.