Audit Trail: what it is and why it is important in signing processes

An electronic signature, especially when it is not supported by verified certificates and executed on secure hardware, does not by itself guarantee the full legal validity of a signature. The validity of an agreement, in this sense, lies not so much in the act of signing, but in the ability to reconstruct in an indisputable way every step of the process that led to the signature.

This is where the Audit Trail comes into play: a chronological record that tracks all operations performed on digital documents, from the creation of the document to its signature.

Electronic signature: what is the Audit Trail?

The Audit Trail of an electronic signature is a chronological and immutable record that tracks every operation performed on a digital document, from its creation to the final signature. In case of doubts or disputes, this record provides the legal evidence needed to reconstruct the events. 

In practice, the Audit Trail appears as a file separate from the original document that is automatically generated and that contains the following information:

• Sender: name, email address, IP address;
• Signer: name, email address and, if used for SMS/OTP authentication, phone number;
• Signer authentication method;
• Timestamp: exact date and time of every operation performed on the document (viewing, approval, signing);
• Unique identifier of the document (hash), which proves that the document has not been altered after signing;
• Complete history of actions.

Incomplete operations are also recorded in the Audit Trail: if a signer, for example, views the document without signing it, the viewing will be reported in the log together with timestamps and details about the signer’s identity.

Audit Trail: why is it essential?

Without an Audit Trail, an electronic signature would lose much of its legal value, especially in the event of disputes. The audit record, in fact, ensures:

• Evidentiary value and non-repudiation of the document: it confirms the identity of the signer and the integrity of the document, demonstrating that it has not been altered after signing;
• Compliance: the log ensures that signing processes comply with standards required by regulations such as eIDAS, ESIGN and GDPR. It also supports the secure management of sensitive information as required by ISO 27001, SOC 2 and HIPAA;
• Security: it makes it possible to detect any attempts to tamper with the document and anomalies in the signing process;
• Traceability and transparency: it provides detailed documentation of the actions performed and the document’s chain of custody, ensuring transparency of operations and their complete traceability.

The signature audit log therefore makes it possible to transform any electronic signature into a verifiable and legally recognized process – an important safeguard especially for the Simple Electronic Signature (SES), which by itself does not rely on secure signature devices.

The Audit Trail in the Simple Electronic Signature (SES)

Unlike the Qualified Electronic Signature (QES), the Simple Electronic Signature does not use qualified certificates or secure hardware such as smart cards and tokens. For this reason, on its own, it can easily be challenged. However, when associated with an Audit Trail, SES can also have the characteristics of “objectivity, integrity and immutability” required by the Italian Digital Administration Code (CAD). The log, in fact, constitutes a set of “digital evidence” capable of demonstrating the intention to sign. 

This is particularly important in Italy and in the EU, where the legal validity of SES is not established a priori by law but is left to the discretion of the Judge. The information reported in the Audit Trail therefore provides the Judge with decisive evidence, including:

• Authentication: the log shows that the signer accessed the document through a link sent to their personal email (account traceability);
• Integrity: it guarantees that the file has not been altered after signing;
• Intent: the log records that the user viewed all pages before clicking “Sign”.

In essence, the log provides legal proof of the signer’s identity and their intention to sign, as well as the formal correctness of the signing process – ensuring non-repudiation and compliance with regulations. An SES with an Audit Trail therefore acquires full legal value while maintaining the ease of use and implementation of a Simple Electronic Signature.