ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

AUDIT-TRAIL

Immutable timestamped log of each operation on an EDI transaction. Legal, operational and governance tool.

Definition

An audit trail (also audit log or piste d'audit in French regulatory usage) is a sequential log that records every event in the life of an EDI message — from front-end receipt to downstream transmission — with timestamp, actor identity, parameters and outcome. NIST SP 800-12 defines it as "a chronological record of system activities sufficient to enable the reconstruction, review, and examination of the sequence of environments and activities".

For an EDI, a correct audit trail covers:

  1. Transport: AS2/AS4/OFTP2/SFTP reception/emission, MIC or hash of the file, archived signed MDN/EERP/receipt.
  2. Syntactic validation: parser invoked, version used, valid/invalid segments, CONTRL or 997 emitted.
  3. Business validation: Schematron or business rules applied, return code, ORDRSP/855 emitted.
  4. Mapping: source, target, mapping version, duration, raised exceptions.
  5. Dispatch: to ERP/WMS/accounting, downstream processing identifier.
  6. Retention: storage of original, transformed, and all acknowledgments.

Immutability (write-once, hash-chained, or stored on WORM / S3 object lock) protects the evidence in case of dispute or tax audit. The French legal retention period for e-invoices is 10 years (Commercial Code L123-22 and CGI art. 286).

Origin

The audit trail concept comes from paper accounting: each entry must be traceable to its supporting document. Computer translation appeared in the 1970s (COBOL/CICS audit, IBM SMF logs). EDI inherits this tradition: AS2 was designed in part to provide a signed audit trail (MDN), HIPAA and SOX (US) make it mandatory, the European eIDAS regulation formalises it for qualified electronic signatures, French CGI art. 286 mandates it for electronic invoices.

Example in context

During a VAT inspection, the French tax administration asks an e-merchant for proof of a B2B invoice issued 4 years earlier. The audit trail must provide: the original EDIFACT INVOIC, the customer's signed MDN, the returned CONTRL, any modification ORDRSP, the corresponding accounting entry, the timestamp of each step, and proof that the archival system complies with NF Z42-013 or an equivalent.

  • Non-repudiation — property strengthened by a signed audit trail.
  • MDN — central element of the AS2 audit trail.
  • Idempotency — property that simplifies auditable retransmission.
  • XAdES — signature that provides archivable proof.

Last updated: May 14, 2026