18 March 2026 · Gumshoe Team

Building an Audit Trail: Why Timestamped Supplier Verification Reports Matter

When fraud happens despite your best efforts, what saves your business is evidence that reasonable due diligence was performed. A timestamped verification report is that evidence.

Due Diligence Is Not Just About Preventing Fraud

The primary purpose of supplier verification is to prevent fraud. But the secondary purpose — which becomes primary in the event that fraud succeeds anyway — is to demonstrate that reasonable due diligence was performed. These are two distinct objectives, and most supplier verification processes serve the first without adequately serving the second.

Reasonable due diligence, in the context of supplier payments, means taking the steps that a prudent person in your position would take to verify the legitimacy of the entity you are paying. In 2026, for a business of any significant size, that standard is higher than checking an ABN on the ABR website. It includes domain verification, email infrastructure assessment, ASIC cross-referencing, and reputation checking — and it requires evidence that these checks were performed at a specific point in time.

What Auditors and Insurers Actually Need

Following a fraud event, the two parties most interested in your verification records are your auditor and your insurer. They have different but overlapping needs.

Your auditor needs to understand whether your internal controls — including supplier verification — operated as designed. If your policy says you verify suppliers before payment and you cannot produce evidence of that verification, the auditor will conclude the control did not operate. This can result in a qualified audit opinion, reportable deficiencies in your internal control assessment, and potentially personal liability for the officers responsible for the control.

Your insurer needs to determine whether the loss is covered under your crime or cyber policy. Most business crime policies exclude losses that result from a failure to follow documented procedures. If your procedures require supplier verification and you cannot demonstrate that the verification occurred, the insurer may decline or reduce the claim. At a time when you are trying to recover from a significant financial loss, a coverage dispute is the last thing you need.

The Problem With Manual Verification Records

Manual supplier verification leaves almost no usable audit trail. A printout of an ABR lookup — if anyone thought to save it — shows the current state of the ABN record, not its state at the time of verification. Browser history is not maintained for six months. Notes in a spreadsheet are not timestamped or authenticated. An email to a colleague saying "checked the ABN, it's fine" is not evidence of what was checked or what the result was.

Even where organisations have developed manual verification checklists — a genuinely good practice — the completed checklists are often not retained in a form that can be produced on demand. They may be filed in a physical folder, saved in a shared drive folder that has since been reorganised, or simply not saved at all.

The absence of usable manual verification records is not a compliance failure — it is the predictable result of a process that was never designed to produce them.

What a Good Audit Trail Looks Like

A verification audit trail that will satisfy an auditor, an insurer, and a regulator needs to contain:

  • Timestamp: The exact date and time the verification was performed — not the date it was supposed to be performed, but the actual execution time
  • Operator identification: Who performed the verification
  • Entity identification: The entity verified, including ABN, registered name, and case reference
  • Checks performed: Which specific checks were run — not just "supplier verified" but "ABN status, GST registration, ASIC cross-reference, web presence, domain WHOIS, email infrastructure, reputation checks"
  • Results: The outcome of each check, including the specific data retrieved
  • Data sources: Where each data point came from — ABR, ASIC, RDAP, crt.sh, DNS, Spamhaus DBL, etc.
  • Assurance score: An aggregated assessment that can be compared against your risk tolerance thresholds

Gumshoe generates a report containing all of these elements for every verification, accessible for download or email from the dashboard at any time after the verification is run.
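The elements listed above can be captured in a machine-checkable record. The following is an added illustration, not Gumshoe's report format or code: it builds a record, seals it with a SHA-256 digest, and lists the reasons a record would fail review. The field names, the sample entity and the digest step are assumptions made for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Field names are assumptions for this example, not Gumshoe's schema.
REQUIRED = ("timestamp", "operator", "entity", "checks", "data_sources", "assurance_score")

def digest(record):
    """SHA-256 over canonical JSON of every field except the digest itself."""
    body = {k: v for k, v in record.items() if k != "digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_record(operator, entity, checks, score, executed_at=None):
    """Record one verification at its actual execution time, in UTC."""
    when = executed_at or datetime.now(timezone.utc)
    record = {
        "timestamp": when.astimezone(timezone.utc).isoformat(),
        "operator": operator, "entity": entity, "checks": checks,
        "data_sources": sorted({c["source"] for c in checks}),
        "assurance_score": score,
    }
    record["digest"] = digest(record)
    return record

def audit_problems(record):
    """List the reasons this record would not stand up as evidence."""
    problems = [f"missing {k}" for k in REQUIRED if record.get(k) in (None, "", [], {})]
    try:
        if datetime.fromisoformat(str(record.get("timestamp"))).tzinfo is None:
            problems.append("timestamp has no timezone")
    except ValueError:
        problems.append("timestamp is not ISO 8601")
    for c in record.get("checks") or []:
        lacking = [f for f in ("name", "source", "data") if not c.get(f)]
        if c.get("result") not in ("PASS", "WARN", "FAIL"):
            lacking.append("result")
        if lacking:
            problems.append(f"check {c.get('name', '?')!r} lacks {', '.join(lacking)}")
    if record.get("digest") != digest(record):
        problems.append("digest mismatch: record changed after sealing")
    return problems

# Constructed sample: placeholder operator, entity and check data.
SAMPLE = build_record("ap.clerk@example.com",
    {"abn": "00 000 000 000", "name": "Example Supplier Pty Ltd", "case_ref": "CASE-0001"},
    [{"name": "ABN status", "result": "PASS", "source": "ABR", "data": {"status": "Active"}},
     {"name": "Email infrastructure", "result": "WARN", "source": "DNS", "data": {"dmarc": None}}],
    72, datetime(2026, 3, 18, 2, 15, tzinfo=timezone.utc))
```

A digest only demonstrates integrity if it is stored or signed somewhere the person editing the record cannot reach.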

The Methodology Statement

One component of a verification audit trail that is often overlooked but that auditors particularly value is a methodology statement: a plain-language description of how each check was performed, what data source was used, and how the result was interpreted. This is not just useful for auditors — it is also useful for your own team in understanding what the verification results mean and for training new AP staff.

Gumshoe's audit trail option includes a methodology section for each check, explaining the data source (e.g., "WHOIS/domain data was obtained via RDAP query to auDA for .au domains and Verisign for .com domains; where registration dates are not exposed by RDAP, domain age was cross-referenced against certificate transparency logs via crt.sh"), the result obtained, and the basis for the PASS/WARN/FAIL determination.

Integrating Verification Records Into Your Vendor Master

The most effective way to maintain supplier verification records is to link them directly to the vendor record in your accounting system. The Gumshoe case reference provides a stable identifier that can be stored as a custom field in most accounting platforms — Xero, MYOB, QuickBooks, and their equivalents all support custom vendor fields.

This means that when an auditor asks for the verification record for a specific supplier, the reference is immediately available and the full report is accessible from the Gumshoe dashboard. There is no hunting through shared drives or physical filing systems.

Re-Verification and Record Maintenance

An audit trail is not a one-time event. Best practice requires re-verification at defined intervals — annually for active suppliers, and immediately upon any change to banking or payment details. Each re-verification creates a new case record with its own timestamp and results, providing a history of the supplier relationship over time.

This history is valuable beyond its audit function. A supplier whose assurance score has declined over successive annual verifications — perhaps because their domain is now appearing in threat intelligence databases, or their DMARC policy has been removed — is providing early warning of a potentially deteriorating relationship. The ability to identify these trends before they become fraud events is one of the underappreciated benefits of systematic, documented supplier verification.
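The re-verification rules and trend signals described above can be evaluated over a supplier's case history. This is an added example, not Gumshoe's code; the record fields (`verified_at`, `score`, `dmarc`, `bank_fingerprint`), the three-case trend window and the sample history are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

ANNUAL = timedelta(days=365)  # "annually for active suppliers"

def review_supplier(history, bank_on_file, now, active=True):
    """Return findings for one supplier from its case records (oldest first)."""
    if not history:
        return ["verify: no case record exists"]
    findings = []
    last = history[-1]
    # Any change to banking or payment details triggers immediate re-verification.
    if bank_on_file != last["bank_fingerprint"]:
        findings.append("re-verify now: payment details changed since last case")
    if active and now - last["verified_at"] > ANNUAL:
        findings.append("re-verify: last case is more than a year old")
    # Early warning: score declining across the three most recent cases.
    scores = [c["score"] for c in history[-3:]]
    if len(scores) == 3 and scores[0] > scores[1] > scores[2]:
        findings.append(
            f"trend: assurance score falling {scores[0]} -> {scores[1]} -> {scores[2]}")
    # Early warning: a DMARC policy existed at the previous case and is now gone.
    if len(history) >= 2 and history[-2]["dmarc"] and not last["dmarc"]:
        findings.append("trend: DMARC policy removed since previous case")
    return findings

def case(year, month, day, score, dmarc, bank="fp-A"):
    """Build one constructed case record (hypothetical field names)."""
    return {"verified_at": datetime(year, month, day, tzinfo=timezone.utc),
            "score": score, "dmarc": dmarc, "bank_fingerprint": bank}

# Constructed sample history for a single supplier.
HISTORY = [
    case(2024, 3, 1, 88, "reject"),
    case(2025, 3, 3, 81, "quarantine"),
    case(2026, 3, 2, 69, None),
]
NOW = datetime(2026, 3, 18, tzinfo=timezone.utc)
```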

The Bottom Line on Audit Trails

Fraud prevention is the reason to verify suppliers. But documentation of that verification is what protects your business when verification is not enough. A timestamped, structured report that records exactly what was checked, what data was retrieved, and what the automated assessment concluded — produced in 60 seconds and available forever — is the due-diligence evidence that manual verification can never produce.

In the post-fraud conversations with auditors, insurers, and regulators, the businesses that recover fastest and with least pain are those that can demonstrate, document in hand, that they did what they were supposed to do. The audit trail is not bureaucracy — it is protection.


Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.