
What Is an Audit Trail and Why Does Your DMS Need One?

Audit trails are a core compliance requirement for any document management system. Our document management GDPR compliance guide explains the full compliance framework. This article focuses specifically on what audit trails are, what they record, and why they matter.

What an Audit Trail Records

An audit trail (also called an activity log or document history) is a timestamped record of every action taken on every document. A comprehensive DMS audit trail records:

  • Who: The user account that performed the action
  • What: The specific action — viewed, downloaded, edited, shared, deleted, restored
  • When: Date and time stamp (UTC, immutable)
  • Where from: IP address and/or device (in more detailed systems)
  • Document: Which specific document was affected, and which version

This creates an immutable record that cannot be altered after the fact — the timestamp and entry are written once and cannot be edited by any user, including administrators.
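One way to make such a record tamper-evident, shown as an added example that is not from this article or from any particular DMS: each entry carries a SHA-256 hash over its own fields plus the previous entry's hash, so editing or removing an earlier entry breaks the chain. The field names, the `GENESIS` value and the sample entries (including the documentation-range IP addresses) are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first entry's "prev" link


def entry_hash(fields: dict, prev_hash: str) -> str:
    """Hash an entry's fields together with the previous entry's hash."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log: list, who, what, when, where_from, document, version) -> dict:
    """Append an entry holding who/what/when/where-from/document, chained to the last."""
    fields = {"who": who, "what": what, "when": when,
              "where_from": where_from, "document": document, "version": version}
    prev = log[-1]["hash"] if log else GENESIS
    entry = {**fields, "prev": prev, "hash": entry_hash(fields, prev)}
    log.append(entry)
    return entry


def verify(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != entry_hash(fields, prev):
            return i
        prev = entry["hash"]
    return None


def build_sample_log() -> list:
    """Constructed sample entries; not taken from a real system."""
    log = []
    append(log, "j.smith@company.com", "created", "2026-01-15T09:23:00Z",
           "192.0.2.10", "Contract_Supplier_ABC", 1)
    append(log, "m.jones@company.com", "viewed", "2026-01-16T14:11:00Z",
           "198.51.100.7", "Contract_Supplier_ABC", 1)
    append(log, "j.smith@company.com", "edited", "2026-01-17T10:44:00Z",
           "192.0.2.10", "Contract_Supplier_ABC", 2)
    return log
```

A chain like this detects edits and removals in the middle of the log. Truncating the most recent entries is detected only if the latest hash is also recorded somewhere the DMS administrators cannot write to.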

Why GDPR Requires Audit Trails

UK GDPR Article 5(2) requires data controllers to be able to demonstrate compliance with the data protection principles — this is called the accountability principle. Demonstrating compliance means showing evidence. For document management, that evidence is the audit trail.

Specific scenarios where an audit trail provides the evidence:

  • Subject access requests: "Has this individual's data been accessed only by authorised staff?" The audit trail answers this.
  • Data breach investigation: "Who accessed this file containing personal data before it was reported as breached?" The audit trail shows the access history.
  • ICO investigation: The ICO can ask for evidence that you only process personal data for stated purposes. Audit trails show who has accessed what and when.
  • Retention compliance: "Was this document deleted at the end of its retention period, or was it accessed after expiry?" The audit trail shows the deletion event and any prior access.

Audit Trails for Regulated Sectors

Legal (SRA): The SRA requires evidence that client confidentiality has been maintained. An audit trail showing that only the fee earner assigned to a matter accessed the client file is that evidence. Ethical wall breaches are detectable only if an audit trail exists.

Financial services (FCA): FCA SYSC rules require firms to maintain records sufficient to demonstrate regulatory compliance. For document management, an audit trail of who accessed what client communication or transaction document, and when, is part of that evidence.

Healthcare (CQC / NHS DSPT): The NHS Data Security and Protection Toolkit requires documented evidence of data access controls and monitoring. CQC inspectors ask to see evidence that patient data has been accessed appropriately. The audit trail provides this.

ISO 9001 / ISO 27001: Both standards require evidence of controlled document access and change management. An audit trail satisfies the auditor's evidence requirements.

What a Good DMS Audit Trail Looks Like in Practice

For each document, you should be able to see a chronological log like:

2026-01-15 09:23 | j.smith@company.com | Created | Contract_Supplier_ABC_v1.pdf
2026-01-16 14:11 | m.jones@company.com | Viewed | Contract_Supplier_ABC_v1.pdf
2026-01-17 10:44 | j.smith@company.com | Edited → v2 | Contract_Supplier_ABC_v2.pdf
2026-01-20 16:02 | j.smith@company.com | Shared (external link) | Contract_Supplier_ABC_v2.pdf
2026-07-15 09:00 | system | Retention review flagged | Contract_Supplier_ABC_v2.pdf

This tells a complete story: who created the document, who accessed it, what changes were made, whether it was shared externally, and when its retention period was reviewed. No paper-based system can provide this.
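The questions from the GDPR scenarios earlier in this article can be answered mechanically from a log in this shape. The following is an added example, not part of the original article or any DMS product: it parses the pipe-delimited sample lines above and runs three review queries. The function names and the idea of an "authorised" account set are assumptions made for illustration.

```python
from datetime import datetime
from typing import NamedTuple

# The sample log lines shown above, copied from the article.
SAMPLE_LOG = """\
2026-01-15 09:23 | j.smith@company.com | Created | Contract_Supplier_ABC_v1.pdf
2026-01-16 14:11 | m.jones@company.com | Viewed | Contract_Supplier_ABC_v1.pdf
2026-01-17 10:44 | j.smith@company.com | Edited → v2 | Contract_Supplier_ABC_v2.pdf
2026-01-20 16:02 | j.smith@company.com | Shared (external link) | Contract_Supplier_ABC_v2.pdf
2026-07-15 09:00 | system | Retention review flagged | Contract_Supplier_ABC_v2.pdf
"""


class Entry(NamedTuple):
    when: datetime
    who: str
    action: str
    document: str


def parse_log(text: str) -> list:
    """Parse 'timestamp | user | action | document' lines, rejecting malformed ones."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M")
        entries.append(Entry(when, *parts[1:]))
    return entries


def accessed_before(entries, doc_prefix: str, cutoff: datetime) -> list:
    """Breach investigation: accounts that touched any version before the cutoff."""
    return sorted({e.who for e in entries
                   if e.document.startswith(doc_prefix)
                   and e.when < cutoff and e.who != "system"})


def outside_authorised(entries, authorised: set) -> list:
    """Subject access request: entries by accounts not on the authorised list."""
    return [e for e in entries if e.who != "system" and e.who not in authorised]


def external_shares(entries) -> list:
    """Entries where the document left the organisation via an external link."""
    return [e for e in entries if e.action.lower().startswith("shared (external")]
```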

Audit Trail vs Version History

These are related but distinct:

  • Version history: Records changes to the document content — what changed between v1 and v2, who made the changes, ability to restore previous versions.
  • Audit trail: Records access and actions — who opened the document, who downloaded it, who deleted it — regardless of whether any changes were made.

You need both. Version history answers "what changed in the document." Audit trail answers "who did what with the document."

What Doesn't Have an Audit Trail

For comparison: a shared network drive logs very little. Windows file server event logging can be enabled but is rarely configured, generates enormous log volumes, and is difficult to query. SharePoint provides basic access logs but they require Microsoft Purview configuration to be useful. Email has no audit trail at all — once a document is emailed, who accessed it is unknown.

A purpose-built DMS includes comprehensive audit trails by default, configured for compliance use rather than as an afterthought.
