
Audit Trail & Traceability

The Audit Trail Report is a chronological log of everything that happens to documents — who did what, to which document, in which workspace, and when. It's the screen you open to answer "who changed this?", to investigate a deletion, or to hand an auditor proof of activity.



How to open this page

From the left navigation, open Reports & Analytics → Audit Trail Report.

  • Route: reports/audit-trail
  • Access required: the View Reports permission (REPORTS.VIEW). Without it the report won't appear in your menu.

What you see on this page

The header shows Audit Trail Report with a short description and two buttons — Advanced Filter and Export.

Filter bar

A row of controls lets you narrow the log:

  • Search by user or document — free-text box.
  • Action dropdown — All Actions or a single type (Create, Edit, View, Delete, Download, Share, Approve, Lock, Restore, Export).
  • Workspace dropdown — All Workspaces or a specific one.
  • Clear — resets the filters.
  • A counter on the right shows how many events are currently shown.

KPI cards

Four summary cards sit above the log:

| Card | What it shows |
|---|---|
| Total Events | All recorded events (labelled Last 30 days). |
| Critical Actions | Delete and Restore events combined. |
| Approvals | Documents approved. |
| Unique Users | How many distinct users are active in the log. |


Events by Action Type

A breakdown that shows, per action type (Edit, Create, Approve, Download, and so on), how many events of that kind occurred — a quick way to see what's happening most.


The event log

The main table — also presented as a Recent Activity Timeline — lists each event with:

  • Timestamp
  • User (and their role)
  • Action — shown as a colour-coded badge (e.g. EDIT, CREATE, DELETE)
  • Document
  • Workspace
  • IP Address
  • Details — a short note about what happened (e.g. "Updated section 4.2 – Leave Policies").

If your filters match nothing, the table shows "No audit events match the current filter."



Finding a specific event

  1. Type a name in Search by user or document to jump to one person or file.
  2. Narrow further with the Action and Workspace dropdowns.
  3. Read the result count to confirm how many events match.
  4. Use Clear to start over.

Each action badge is colour-coded, so destructive actions (like DELETE) stand out at a glance in the table and timeline.


Tips

  • Combine filters. Pair a Workspace with an Action (for example Finance & Accounting + DELETE) to zero in on exactly the events you care about.
  • Start with the Critical Actions KPI. It surfaces deletes and restores — usually the events worth reviewing first.
  • The Details column tells the story. It explains why (e.g. "soft delete — moved to Trash", "new version supersedes…"), which a bare action type can't.
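
As an added example (not part of the product or its documentation), the Python below recomputes the KPI cards and applies the combined Workspace + Action filter offline to an exported log, which is useful for cross-checking the on-screen numbers during a review. It assumes a CSV export whose column names match the event log columns listed above (with a separate Role column); the sample rows, user names and IP addresses are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names mirror the event log columns on this
# page; the CSV layout of a real export is an assumption.
SAMPLE_EXPORT = """Timestamp,User,Role,Action,Document,Workspace,IP Address,Details
2024-05-02T09:14:00Z,a.khan,Editor,EDIT,HR Handbook,Human Resources,192.0.2.10,Updated section 4.2 - Leave Policies
2024-05-02T09:40:00Z,m.ortiz,Manager,APPROVE,Q1 Budget,Finance & Accounting,192.0.2.22,Approved for release
2024-05-02T10:05:00Z,j.lee,Editor,DELETE,Vendor List,Finance & Accounting,192.0.2.31,soft delete - moved to Trash
2024-05-02T10:20:00Z,m.ortiz,Manager,RESTORE,Vendor List,Finance & Accounting,192.0.2.22,Restored from Trash
2024-05-02T11:02:00Z,j.lee,Editor,DOWNLOAD,Q1 Budget,Finance & Accounting,192.0.2.31,Downloaded PDF
2024-05-02T11:30:00Z,a.khan,Editor,DELETE,Old Memo,Human Resources,192.0.2.10,soft delete - moved to Trash
"""

CRITICAL = {"DELETE", "RESTORE"}  # the page's definition of Critical Actions

def load_events(text):
    """Parse the export and normalise the Action column to upper case."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["Action"] = e["Action"].strip().upper()
    return events

def kpis(events):
    """Recompute the four KPI cards plus the per-action breakdown."""
    by_action = Counter(e["Action"] for e in events)
    return {
        "total_events": len(events),
        "critical_actions": sum(by_action[a] for a in CRITICAL),
        "approvals": by_action["APPROVE"],
        "unique_users": len({e["User"] for e in events}),
        "by_action": dict(by_action),
    }

def filter_events(events, action=None, workspace=None, search=None):
    """Every filter that is set must match (AND), as in the 'Combine filters' tip."""
    needle = search.lower() if search else None
    return [
        e for e in events
        if (action is None or e["Action"] == action.upper())
        and (workspace is None or e["Workspace"] == workspace)
        and (needle is None or needle in (e["User"] + " " + e["Document"]).lower())
    ]

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    print(kpis(events))
    print(filter_events(events, action="DELETE", workspace="Finance & Accounting"))
```

If the recomputed counts differ from the KPI cards, check the date range first: the Total Events card is labelled Last 30 days, and an export may cover a different window.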

How this differs from the Audit Vault

This report is the everyday, filterable activity log for documents. The Audit Vault on the Legal Holds screen is a separate, narrower, append-only log specifically for governance actions (holds placed/released, records declared, destructions approved), with per-entry SHA-256 hashes and a signed export. Use the Audit Trail Report for general traceability; use the Audit Vault for hold-and-destruction evidence.


Troubleshooting

| Problem | Likely cause / fix |
|---|---|
| Audit Trail Report isn't in my menu. | You lack the REPORTS.VIEW permission. Ask an administrator. |
| "No audit events match the current filter." | The combination of search text, action, and workspace is too narrow. Click Clear and widen it. |
| I can't see events from another workspace. | Change the Workspace dropdown to All Workspaces (visibility still depends on your access). |
| I need governance/hold evidence, not general activity. | Use the Audit Vault tab on the Legal Holds page instead. |