An e-signature without a robust audit trail is just a file with a scribble on it. In a legal dispute, the signature itself is rarely what's challenged — it's the context around it. Did the signer see the full document? Were they authenticated? Was the document altered after signing? An audit trail answers these questions with timestamped, cryptographically verifiable evidence. This guide covers what every audit trail must contain, how to operationalise it, and what courts and regulators actually look for.
What an audit trail should contain
A complete audit trail captures every event in the document's lifecycle, from creation to final storage. Each event should include a timestamp (UTC), the actor (with their authentication method), the action taken, and contextual metadata.
| Event | Data captured | Why it matters |
|---|---|---|
| Document created | Creator identity, timestamp, template used | Establishes who initiated the document and the source template version |
| Sent for signature | Recipient list, delivery method, access link | Proves the signer received the document and had the opportunity to review |
| Document viewed | Viewer identity, timestamp, IP address, device/browser | Demonstrates the signer opened and reviewed the document before signing |
| Fields completed | Field name, value entered, timestamp | Shows the signer actively engaged with fillable fields, not just clicking "sign" |
| Signature applied | Signer identity, authentication method, IP, timestamp, signature image/data | The core signing event with full identity and authentication evidence |
| Document completed | All signers confirmed, document hash (SHA-256), final PDF generated | Creates the tamper-evident seal — any change to the file after this point invalidates the hash |
| Document downloaded/accessed | Who accessed, when, download vs. view | Provides chain of custody evidence for signed documents |
Why this matters for legal defensibility
When a signer disputes a contract — "I never signed that," "I didn't see page 3," "someone changed the terms after I signed" — your audit trail is the evidence that resolves the dispute. Courts in the US, UK, and EU have consistently upheld e-signatures where a robust audit trail was presented. Without one, the burden shifts to you to prove the signature is valid.
What courts look for
- Intent to sign: Evidence that the signer took an affirmative action (clicked a button, drew a signature) rather than having a signature auto-applied. The audit trail should show a deliberate signing event.
- Identity verification: How was the signer authenticated? Email-link access is the minimum. SMS/OTP, knowledge-based authentication, or government ID verification provide stronger evidence proportional to the document's value.
- Document integrity: A cryptographic hash (SHA-256) of the document recorded at the moment of signing. Anyone can later recompute the hash of the file they hold and compare it with the recorded value; a mismatch shows the document was altered afterward. This is the digital equivalent of initialling every page.
- Opportunity to review: Timestamps showing the signer viewed the document before signing — and ideally, how long they spent viewing it. A signature applied 2 seconds after opening a 30-page contract raises questions.
Audit trail implementation standards
1. Store the audit log with the signed document
The audit trail should be embedded in or permanently attached to the signed PDF — not stored in a separate system that might be unavailable when you need it. When someone downloads the signed document, they should get the audit trail with it. This ensures the evidence travels with the document regardless of where it's stored or forwarded.
2. Make the audit trail tamper-evident
An audit trail that can be edited after the fact has no evidentiary value. Use append-only storage, cryptographic chaining (where each new event includes a hash of the previous event), or immutable database records. The goal: if anyone modifies any entry, the modification is detectable.
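The following is an added example (not part of this guide or any particular product) of the two checks described above: a hash-chained, append-only audit log for one document's lifecycle, plus the SHA-256 seal recorded at completion. The actors, timestamps, IP address and template name are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash committed to by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(event: dict) -> bytes:
    # Deterministic JSON so an entry always hashes to the same value
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only log; each entry commits to the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def append(self, ts: str, actor: str, auth: str, action: str, **meta) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor, "auth": auth,
                "action": action, "meta": meta, "prev_hash": prev}
        entry = dict(body, entry_hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def verify(self, document=None) -> tuple:
        # Recompute every hash: an edited, removed or reordered entry breaks the chain.
        # If the final file bytes are given, also check them against the seal hash.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, f"chain break at entry {i}"
            if sha256_hex(canonical(body)) != e["entry_hash"]:
                return False, f"entry {i} modified"
            if e["action"] == "document_completed" and document is not None:
                if e["meta"].get("document_sha256") != sha256_hex(document):
                    return False, "document altered after completion"
            prev = e["entry_hash"]
        return True, "ok"


def build_sample_trail(document: bytes) -> AuditTrail:
    # Constructed lifecycle for one document (names, times and IP are made up)
    t = AuditTrail()
    t.append("2024-03-01T09:00:00Z", "ops@example.com", "sso", "document_created", template="NDA-v3")
    t.append("2024-03-01T09:01:00Z", "ops@example.com", "sso", "sent_for_signature", recipient="alice@example.com")
    t.append("2024-03-01T10:15:00Z", "alice@example.com", "email_link+otp", "document_viewed", ip="203.0.113.7")
    t.append("2024-03-01T10:21:30Z", "alice@example.com", "email_link+otp", "signature_applied", pages_viewed=12)
    t.append("2024-03-01T10:21:31Z", "system", "n/a", "document_completed", document_sha256=sha256_hex(document))
    return t
```

Chaining on its own only exposes edits to earlier entries; someone who can rewrite the whole log can recompute every hash, so the latest entry hash should also be anchored somewhere the log writer cannot change (a trusted timestamp or a write-once store).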
3. Use immutable naming and retention
Signed documents should follow a consistent naming convention (e.g., [DocType]_[Counterparty]_[Date]_signed.pdf) and be stored according to your retention policy. Define retention periods by document type: employment contracts might be retained for 7 years after termination, NDAs for the confidentiality period plus 2 years, and regulatory filings permanently.
4. Lock documents post-completion
Once all parties have signed and the document is completed, no one — including administrators — should be able to modify the document or its audit trail. Read-only access is the only appropriate permission level for completed documents. Any need to amend should result in a new document (an amendment or addendum) with its own signing flow.
5. Support evidence export
For regulated industries, litigation holds, or external audits, you need the ability to export a self-contained evidence package: the signed document, the complete audit trail, authentication evidence, and hash verification — all in a format that can be presented to a court or regulator without requiring access to the signing platform.
Jurisdiction-specific requirements
EU (eIDAS)
Simple e-signatures require basic audit trails. Advanced and qualified signatures require stronger identity evidence, including certificates from qualified trust service providers. eIDAS 2.0 introduces the EU Digital Identity Wallet as an authentication source for qualified signatures.
US (ESIGN / UETA)
ESIGN and UETA require evidence of intent to sign and of consent to the electronic process. There is no specific technology mandate — the audit trail just needs to demonstrate that the signer agreed to sign electronically and took an affirmative action to do so.
UK
Retained EU law plus the Law Commission's 2019 guidance confirming e-signatures are valid for most contracts. The Electronic Trade Documents Act 2023 adds requirements for trade documents: the system must ensure "reliable" control and integrity of the document.
Healthcare (HIPAA)
Audit logs for documents containing protected health information must be retained for a minimum of 6 years. Access controls must limit who can view the audit trail itself. Business Associate Agreements (BAAs) with your e-signature provider are mandatory.
Monthly compliance review checklist
- ☐ Review signature completion rates — flag documents signed in under 10 seconds (potential robo-signing)
- ☐ Check for missing or incomplete audit trails on completed documents
- ☐ Verify no post-completion modifications to signed documents
- ☐ Review failed authentication attempts and unauthorized access logs
- ☐ Confirm retention policy is being applied correctly (no premature deletions)
- ☐ Test evidence export for a sample document to verify the package is complete
- ☐ Review any regulatory updates affecting audit trail requirements
Not legal advice
Requirements vary by jurisdiction, industry, and document type. This guide covers general best practices. Confirm your specific obligations with qualified legal and compliance advisors.
Get audit-ready document workflows
eSignHub automatically tracks every signature lifecycle event — views, field completions, signings, and downloads — with tamper-evident audit trails attached to every signed document.