Audit Trail, Export & Reporting
PolicySuite maintains a permanent, tamper-proof record of every significant action taken within your organisation. This gives you the evidence you need for SOC 2, ISO 27001, GDPR, and any other compliance framework that requires demonstrable policy controls.
1. What the audit trail captures
Every action that affects a policy, a user, or a distribution is automatically logged. Captured events include:
- Policy lifecycle — policy created, edited, published, archived
- Distribution events — distribution sent, magic link opened, acknowledgement recorded
- User management — user invited, role changed, user removed
- Authentication — login, logout, failed login attempt, 2FA enrolled
Each log entry records the user email, action type, timestamp (UTC), and IP address. Audit logs are immutable — they cannot be edited, deleted, or overwritten by any user, including org_owners. This immutability is enforced at the database level, not just through the UI.
2. Accessing the audit trail
Navigate to Settings > Audit Log. Access requires the compliance_admin or auditor role — policy authors and employees cannot view the log.
Use the filter controls to narrow results by:
- Date range — select any start and end date
- User — filter to a specific team member's actions
- Action type — e.g. show only acknowledgement events or only role changes
- Policy — show all events related to a specific policy document
3. The auditor role
If you work with external auditors or have an internal audit function, add them to PolicySuite with the auditor role. Auditors receive read-only access to all policies, acknowledgement records, and audit logs — precisely the access they need to conduct a certification audit without the ability to modify anything.
To invite an auditor: Settings > Team > Invite User, enter their email, and select auditor from the role dropdown. They will receive a login invitation and can access the platform independently without requiring you to export files on their behalf.
4. Exporting evidence
For most certification audits, you will need to export records in a format your auditor can work with offline.
- Acknowledgement records (CSV) — go to the Distributions page, open a distribution, and click Export CSV. The export includes employee name, email, policy title, sent date, opened date, acknowledged date, and IP address.
- Audit log (CSV) — from Settings > Audit Log, apply your desired filters and click Export. This produces a timestamped CSV of all matching log entries.
- Policy documents (PDF) — from your policy library, open any published policy and click Export PDF to download a formatted copy including version number and publication date.
For SOC 2 and ISO 27001 audits, you will typically need: policy documents (PDF export), acknowledgement records for each policy distributed during the audit period (CSV), and access review logs showing who had access and any changes made (audit log export filtered to user management events).
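Before handing the acknowledgement export to an auditor, it helps to check it against the audit period yourself. The script below is an added example, not PolicySuite code: it reads an acknowledgement CSV, keeps distributions sent within the audit period, and reports the acknowledgement rate, mean time to acknowledge, outstanding employees, and rows whose timestamps are inconsistent. The column header names, the ISO 8601 timestamp format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of an acknowledgement export. The header names and the
# ISO 8601 UTC timestamp format are assumptions, not PolicySuite's documented
# layout; rename the keys below to match the real file.
SAMPLE_CSV = """\
employee_name,email,policy_title,sent_date,opened_date,acknowledged_date,ip_address
Ana Ruiz,ana@example.com,Acceptable Use,2024-01-10T09:00:00,2024-01-10T10:00:00,2024-01-11T09:00:00,203.0.113.5
Ben Ode,ben@example.com,Acceptable Use,2024-01-10T09:00:00,2024-01-12T08:00:00,2024-01-13T09:00:00,203.0.113.9
Cy Tran,cy@example.com,Acceptable Use,2024-01-10T09:00:00,,,
Ana Ruiz,ana@example.com,Access Control,2024-02-01T09:00:00,2024-02-01T09:30:00,2024-02-01T21:00:00,203.0.113.5
Eli Voss,eli@example.com,Access Control,2024-02-01T09:00:00,,2024-01-31T09:00:00,203.0.113.7
Dee Park,dee@example.com,Access Control,2023-06-01T09:00:00,,,
"""

def summarise(csv_text, period_start, period_end):
    """Per policy: acknowledgement rate, mean hours to acknowledge, gaps, anomalies."""
    by_policy = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        sent = datetime.fromisoformat(row["sent_date"])
        if period_start <= sent <= period_end:  # distributions inside the audit period only
            by_policy[row["policy_title"]].append((row, sent))
    report = {}
    for policy, rows in by_policy.items():
        hours, outstanding, anomalies = [], [], []
        for row, sent in rows:
            acked = row["acknowledged_date"].strip()
            if not acked:
                outstanding.append(row["email"])
            elif datetime.fromisoformat(acked) < sent:
                anomalies.append(row["email"])  # acknowledged before it was sent
            else:
                hours.append((datetime.fromisoformat(acked) - sent).total_seconds() / 3600)
        report[policy] = {
            "rate": len(hours) / len(rows),
            "mean_hours": sum(hours) / len(hours) if hours else None,
            "outstanding": sorted(outstanding),
            "anomalies": sorted(anomalies),
        }
    return report

if __name__ == "__main__":
    period = (datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59, 59))
    for policy, stats in summarise(SAMPLE_CSV, *period).items():
        print(policy, stats)
```

Rows listed under anomalies are excluded from the acknowledgement rate and should be explained before the export is submitted as evidence.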
5. Running reports in the Analytics tab
The Analytics tab gives you a live view of your compliance posture without exporting anything. Key metrics available include:
- Acknowledgement rate by policy and by department
- Acknowledgement rate over time (trend charts)
- Average time from distribution to acknowledgement
- Top non-completing departments
- Training module pass rates
These dashboards are useful for presenting compliance status to leadership and for identifying which departments need follow-up before an audit.
6. Record retention
PolicySuite retains all audit logs and acknowledgement records for the full duration of your active subscription. There is no automatic expiry. If you cancel your subscription, export and archive all records before your subscription ends — data is permanently deleted 30 days after account closure in accordance with our data retention policy.
Still need help?
Email our support team at support@policy-suite.com — we typically respond within 24 hours.