What does an immutable audit trail mean - and how do you verify a system actually has one?

Test rather than trust the brochure. With an admin account in a demo or sandbox: try to edit a historical log entry, delete an activity record, or alter a recorded timestamp - the system should refuse all three, with no "super admin" tier that escapes the rule. Ask the vendor directly: can any role, including your own support staff, modify activity history? What happens when a record is corrected - does the original survive alongside the correction? Then check the independent evidence: the vendor's SOC reports speak to the change-management and access controls protecting the log infrastructure itself.

Auditing standards want evidence that is relevant (speaks to the assertion being tested) and reliable (hard to fabricate or alter). For an approval, that means: system-generated rather than recollected, attributable to a named authenticated user, timestamped, tied to the specific invoice state approved, and produced from a log the actors couldn't edit. A screenshot of an approval screen is weaker on every axis than a system-generated history export - which is why auditors increasingly ask for the latter.

Export system-generated reports (not screenshots) covering the full requested period and population, note the generation date and parameters, and deliver without manual editing - if you must transform data, keep the raw export alongside. Auditors will test the export's completeness; let the system's own counts do the proving.

Screenshots get accepted reluctantly and tested skeptically - they're point-in-time, croppable, and editable. System-generated exports with parameters visible are the standard; if a screenshot is unavoidable, capture it with context (URL, date, user) and expect corroboration requests.

The proof is architectural: timestamps are system-assigned at action time, no role can edit history, and the vendor's SOC report covers the controls protecting that design. Offer the auditor a walkthrough of an attempted edit failing, plus the SOC 1/SOC 2 sections on logical access and change management. If your system can't support that answer, the auditor's question is the finding.

Match them - an invoice retained seven years with a three-year activity log loses its evidentiary value for years four through seven. Set log retention to at least the document retention period, and confirm decommissioned-system archives include activity history, not just documents.

IPE - information produced by the entity - is any report your systems generate that auditors rely on (aging, approval listings, user access reports). Auditors test it because their conclusions inherit its accuracy: they'll verify the report's logic, parameters, and completeness before trusting what it shows. Expect questions about who can modify report definitions.

It should never be truly deleted - voiding should be a logged state change with actor, timestamp, reason, and the record retrievable in historical views. If your system hard-deletes invoices, that's a control gap to remediate; the audit answer for legacy deletions is whatever offline evidence survives, disclosed as a limitation.

Stampli maintains a complete, immutable audit trail for every action - the record is created as work happens and stands as a chain of custody from intake through coding, approval, and ERP posting. Field changes carry before/after values, approvals carry the approver and context, delegations are recorded as such, and corrections appear as new events rather than silent rewrites. Evidence is retrievable, not reconstructed: finance teams can pull an invoice's full history or export invoice data for auditors on demand.