
Why Audit Trails Matter for Nonprofit Financial Data


An auditor asks: "Who approved this journal entry reversing $47,000 in grant revenue?" In a properly maintained financial system, the answer takes ten seconds. In a spreadsheet, or in an accounting system without transaction-level logging, the answer may simply be: no one knows.

An audit trail is a chronological record of every financial transaction and change in your system — showing who did what, when, and why. It is the foundation of accountability that auditors, regulators, and your board depend on. For nonprofits managing restricted funds, federal grants, and board-designated assets, an adequate audit trail is not optional infrastructure. It is a compliance requirement.


What an Audit Trail Actually Captures

Not all audit trails are equal. A useful audit trail captures, at minimum:

  • Who performed the action (specific user, not a shared login)
  • What changed (the data field, the transaction, the account)
  • When the action occurred (timestamp, including time zone)
  • Previous value and new value (what the record showed before and after the change)
  • Approval records where workflows require authorization

For financial systems specifically, every journal entry, account modification, payment approval, budget change, and user permission change should generate a logged record that is immutable — it cannot be altered or deleted after the fact.

Immutability is the critical word. An audit log that can be edited is not an audit log. It is a document.


Why Spreadsheets Fail the Audit Trail Test

Spreadsheets have no audit trail in any meaningful sense. The file system records when a file was last modified. It does not record who made a specific change, what the previous value was, which cell changed, or whether the change was authorized.

This creates a risk that Controllers at spreadsheet-dependent organizations live with every day: any number in the file could have been changed at any time by anyone with access, and there is no way to know. The version proliferation problem compounds this. When a file called "Budget_Final_v3_FINAL_USE_THIS.xlsx" exists alongside three earlier versions with conflicting numbers and no one can say which is authoritative, you do not have financial records. You have a collection of files with related numbers.

The consequences are practical and immediate.

Audit exposure. External auditors ask for source documentation and approval records for significant transactions. When the source is a spreadsheet with no history, the auditor must rely on whatever paper documentation exists — or qualify their opinion.

Fraud vulnerability. The Association of Certified Fraud Examiners finds that small organizations suffer higher median losses per fraud incident than large ones, primarily because of weaker controls. The absence of an audit trail is a significant contributor.

Internal accountability gaps. When errors occur — and they do — the inability to trace a transaction back to its origin means the error may recur, because the root cause cannot be identified.


The Regulatory Context

Several regulatory frameworks require or strongly expect audit trail documentation for nonprofit financial data.

Single Audit (2 CFR 200). Federal grant compliance requires that organizations maintain records sufficient to support the information in their financial reports. Transaction-level records with timestamps and user attribution are the documentation standard auditors apply.

IRS. Form 990 asks about financial controls and record retention. The IRS expects organizations to maintain documentation supporting all transactions for the relevant retention periods.

COSO Framework. The Committee of Sponsoring Organizations of the Treadway Commission's internal control framework — the most widely referenced standard for nonprofit internal controls — specifically addresses information and communication, including the adequacy of financial record documentation.

SOC 2. Organizations processing financial data may be subject to or benefit from SOC 2 audits, which specifically evaluate audit logging as part of the security and availability trust service criteria.

State charity regulation. Many state charity oversight agencies can examine financial records as part of regulatory enforcement. Adequate documentation standards apply.


How Long Records Must Be Retained

The applicable retention period depends on the record type and funding source:

  • General accounting records: Seven years is the standard reference in most state nonprofit statutes and IRS guidance
  • Federal grant records: 2 CFR 200 requires retention for three years after submission of the final expenditure report, with extensions when litigation, claims, or audit findings are unresolved
  • Payroll records: IRS requires retention of employment tax records for at least four years
  • Board minutes and governance records: Permanently
  • IRS determination letter: Permanently

Your document retention policy should map each record type to its applicable retention period and define the process for secure destruction after that period expires. For audit trail data specifically, erring toward the longer end is always appropriate — storage is cheap, and audit trail data is often needed years after the original transaction.


Soft Delete vs. Hard Delete

One of the most important design decisions in a financial system is what happens when a record is deleted.

Hard delete permanently removes the record from the database. Once gone, it cannot be recovered. This creates an obvious audit trail problem: if a transaction was deleted, there is no record it ever existed.

Soft delete marks a record as deleted but retains it in the database. The record no longer appears in normal operation, but it is accessible to administrators and auditors who need the full history of the system — including records that were removed.

For nonprofit financial systems managing restricted funds, grants, and tax filings, soft delete is not a design preference. It is a compliance requirement. Federal grant regulations and IRS retention rules effectively prohibit hard deletion of financial records within the applicable retention period.
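The audit log fields listed earlier and the soft-delete rule just described, as an added Python/SQLite example (not code from the article or from sherbertOS). Immutability is enforced where it belongs, in the database: triggers reject any UPDATE or DELETE on the log, hard deletes of journal entries are refused the same way, and soft_delete() only sets deleted_at while normal reads filter it out. Table and column names are assumptions for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: NULL deleted_at = live row; triggers make the log append-only and block hard deletes.
SCHEMA = """
CREATE TABLE journal_entries (id INTEGER PRIMARY KEY, memo TEXT NOT NULL,
    amount_cents INTEGER NOT NULL, deleted_at TEXT, deleted_by TEXT);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, occurred_at TEXT NOT NULL, actor TEXT NOT NULL,
    action TEXT NOT NULL, record_id INTEGER NOT NULL, field TEXT, old_value TEXT, new_value TEXT, approved_by TEXT);
CREATE TRIGGER log_no_update BEFORE UPDATE ON audit_log BEGIN SELECT RAISE(ABORT, 'append-only'); END;
CREATE TRIGGER log_no_delete BEFORE DELETE ON audit_log BEGIN SELECT RAISE(ABORT, 'append-only'); END;
CREATE TRIGGER no_hard_delete BEFORE DELETE ON journal_entries BEGIN SELECT RAISE(ABORT, 'soft delete only'); END;
"""

def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _log(conn, actor, action, rid, field, old, new, approved_by=None):  # one who/what/when/before/after row
    conn.execute("INSERT INTO audit_log VALUES (NULL,?,?,?,?,?,?,?,?)",
                 (datetime.now(timezone.utc).isoformat(), actor, action, rid, field, old, new, approved_by))

def create_entry(conn, actor, memo, amount_cents, approved_by):
    cur = conn.execute("INSERT INTO journal_entries (memo, amount_cents) VALUES (?,?)", (memo, amount_cents))
    _log(conn, actor, "create", cur.lastrowid, "amount_cents", None, amount_cents, approved_by)
    return cur.lastrowid

def update_amount(conn, actor, entry_id, new_amount, approved_by):
    (old,) = conn.execute("SELECT amount_cents FROM journal_entries WHERE id=?", (entry_id,)).fetchone()
    conn.execute("UPDATE journal_entries SET amount_cents=? WHERE id=?", (new_amount, entry_id))
    _log(conn, actor, "update", entry_id, "amount_cents", old, new_amount, approved_by)

def soft_delete(conn, actor, entry_id):  # record leaves normal views but stays in the database
    now = datetime.now(timezone.utc).isoformat()
    conn.execute("UPDATE journal_entries SET deleted_at=?, deleted_by=? WHERE id=?", (now, actor, entry_id))
    _log(conn, actor, "soft_delete", entry_id, "deleted_at", None, now)

def live_entries(conn):  # what normal operation sees: every read must filter on deleted_at
    return conn.execute("SELECT id, memo, amount_cents FROM journal_entries WHERE deleted_at IS NULL").fetchall()
def history(conn, entry_id):  # auditor's view: every change to one record, oldest first
    return conn.execute("SELECT occurred_at, actor, action, field, old_value, new_value, approved_by "
                        "FROM audit_log WHERE record_id=? ORDER BY id", (entry_id,)).fetchall()

def refused(conn, stmt):  # True when a protective trigger makes the database reject stmt
    try:
        conn.execute(stmt)
        return False
    except sqlite3.DatabaseError:
        return True
```

Because old_value and new_value have TEXT affinity, SQLite stores the integer amounts as text, so the before/after values read back as strings.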


Where Manual Systems Break Down

The typical audit trail failure mode at nonprofit organizations is structural, not malicious. Accounting systems that lack adequate logging, spreadsheets used as primary ledgers, and shared user accounts that make individual attribution impossible all create audit trail gaps that surface only when an auditor or regulator asks a question the system cannot answer.

Every financial operation in sherbertOS is logged with user attribution, timestamp, and transaction context. Soft delete ensures no financial record is permanently destroyed. Sensitive operations — journal entry reversals, permission changes, budget modifications — generate specific log entries accessible to administrators and reviewable by external auditors. When your auditor asks who approved a specific entry, the answer is a report.

For the broader audit preparation process this infrastructure supports, see Nonprofit Audit Preparation: The Complete Checklist. For role-based access controls that complement the audit trail, see Role-Based Access Control for Nonprofit Financial Systems.


Frequently Asked Questions

What should an audit trail capture?

Every create, update, and delete action on financial data, including the user, timestamp, previous value, new value, and any approval records associated with the transaction. Immutability is essential: the log itself cannot be altered after the fact.

Do spreadsheets have audit trails?

No. Spreadsheets record when a file was last modified, but not what changed, who changed it, or what the previous value was. This is a fundamental compliance risk for organizations using spreadsheets as primary financial records.

How long should audit trail data be retained?

Most nonprofit accounting standards reference seven years as the standard retention period for financial records. Federal grant records must be retained for at least three years after the final expenditure report. When in doubt, retain longer.

What is the difference between a soft delete and a hard delete?

A soft delete marks a record as removed but retains it in the database. A hard delete permanently destroys it. For financial records subject to retention requirements, soft delete is the only compliant approach.

Who should have access to the audit trail?

System administrators should have full access. External auditors should be able to request access to relevant portions during fieldwork. Regular finance staff typically do not need direct access to the raw log, but all of their actions should be captured by it.


The Bottom Line

The audit trail is not a feature. It is the foundation of financial accountability. When your accounting system cannot answer basic questions about who changed what and when, you do not have adequate financial controls — regardless of how accurate the numbers look on the surface.

Organizations that discover audit trail gaps do so under the worst possible circumstances: during an audit, a fraud investigation, or when a key staff member leaves and takes their institutional knowledge with them.

→ Request a demo to see how sherbertOS's structured audit trail provides complete transaction history with user attribution.
