iBill.ca
Features Pricing Invoice Generator Tax Calculator Resources Accounting Login
Get Started
CRA Audit Trail

Financial Audit Trail — CRA ITA s.230 Ready

Every invoice, payment, void, credit memo, and correction is logged with a SHA-256 hash, timestamp, and user ID. 7-year retention built in. For Canadian businesses.

What gets logged?

Every financial action: invoice creation, payment recording, voids with reason codes, credit memos with tax breakdown, corrections with chain traceability, GL journal entries, and user logins. Each record includes a SHA-256 cryptographic hash to prove it has not been altered. Records are retained for 7 years per CRA ITA s.230.

Get Started Now

What is a Financial Audit Trail?

A chronological, tamper-proof record of every financial action in your accounting system — from the original transaction to the final financial statement

Append-Only Immutability

iBill's audit trail is append-only — once a record is written, it cannot be edited or deleted. Database immutability triggers enforce this at the PostgreSQL level. If an invoice is voided or corrected, a new audit entry is created referencing the original. The original record is never modified, giving you a complete chain of evidence for CRA audits.

SHA-256 Document Hashing

Every financial document — invoices, payments, credit memos, journal entries — receives a SHA-256 cryptographic hash at creation. This 64-character fingerprint is stored in the audit log. If even one digit of the original record changes, the hash will not match, instantly revealing tampering. This is the same standard used by banks and government agencies.

7-Year CRA Retention

The Income Tax Act section 230 requires Canadian businesses to retain financial records for at least 6 years after the last tax year they relate to. iBill automatically retains all audit trail records for 7 years, covering the filing year plus the full retention window. You never need to worry about accidentally deleting records the CRA may request.

Audit Trail Features

Everything the CRA expects under ITA s.230 — built into every transaction automatically

Append-Only Audit Log

Every financial action is written to an append-only log protected by database immutability triggers. Records cannot be edited or deleted — not even by administrators. This ensures the audit trail is a faithful, unbroken record of all activity in your accounting system.

SHA-256 Cryptographic Hashing

Each document receives a unique SHA-256 hash at creation time. This 64-character fingerprint acts as a tamper seal: if any data in the original record is altered, the hash will not match when verified. During a CRA audit, you can prove the integrity of every record with a single hash comparison.

7-Year Automatic Retention

CRA ITA s.230 requires records for at least 6 years after the relevant tax year. iBill retains all audit trail data for 7 years automatically — no manual archiving, no risk of premature deletion. Your records are always available when the CRA comes calling.

What Gets Logged

Invoice creation and updates. Payment recording. Invoice voids with mandatory reason codes. Credit memos with GST/HST/PST/QST tax breakdown. Invoice corrections with chain traceability. GL journal entries. User logins and permission changes. Every action captures who, what, when, and a document hash.

Export to CSV, JSON & XML

Export your complete audit trail in three formats: CSV for spreadsheet analysis, JSON for programmatic processing, and XML for formal CRA submissions. Filter by date range, action type, or user ID. Each export includes timestamps, user IDs, document hashes, and before/after values.

CRA ITA s.230 Compliance

Section 230 of the Income Tax Act requires adequate books and records sufficient for the CRA to determine taxes payable. iBill satisfies this with numbered journal entries, timestamped actions, user attribution, and cryptographic integrity verification — all stored in an append-only, immutable audit log.

Automatic Audit Trail on Every Transaction

Every invoice, payment, void, and credit memo is logged with SHA-256 hashing and 7-year retention. No setup required.

Get Started Now
Trusted by Canadian Businesses — 1,200+ signups

Audit Trail Example

A sample of what the financial audit trail captures for a single invoice lifecycle

Invoice INV-202603-001 — Audit Trail

Complete lifecycle from creation to payment

AUDIT LOG ENTRIES
2026-03-01 09:14:22 — Invoice Created
User: jsmith
2026-03-01 09:14:22 — SHA-256 Hash Generated
a7f3b2c1...
2026-03-05 14:32:10 — Invoice Sent to Client
User: jsmith
2026-03-12 11:05:47 — Payment Recorded ($5,650.00)
User: jsmith
2026-03-12 11:05:47 — GL Journal Entry Posted
DR 1200 / CR 4000+2110
Total Audit Entries
5 records

CRA ITA s.230 Compliance: Each entry includes a timestamp, user ID, action type, and SHA-256 document hash. The log is append-only — entries cannot be edited or deleted. All 5 records will be retained for 7 years automatically.

Financial Audit Trail FAQs

What is a financial audit trail?
A financial audit trail is a chronological, append-only record of every financial action taken in your accounting system. Each entry captures who performed the action, what changed, when it happened, and a cryptographic hash to prove the record has not been altered. It provides a complete chain of evidence from the original transaction to the final financial statement.
Why does the CRA require 7 years of record keeping?
Under the Income Tax Act section 230, every person carrying on a business in Canada must keep records and books of account for at least 6 years from the end of the last tax year they relate to. In practice, the CRA recommends 7 years to cover the filing year plus the 6-year retention period. iBill automatically retains all audit trail records for 7 years to ensure full CRA compliance.
How does SHA-256 hashing protect my financial records?
SHA-256 generates a unique 64-character fingerprint for each financial document. If even one character in the original record is changed, the hash changes completely. iBill computes a SHA-256 hash at the time of each transaction and stores it in the audit log. During a CRA audit, you can verify that no record has been tampered with by recomputing the hash and comparing it to the stored value.
What does the CRA require under ITA s.230?
ITA section 230 requires every business to keep adequate books and records at their place of business or designated location. Records must include invoices, receipts, bank statements, journal entries, and any supporting documents. The records must be sufficient for the CRA to determine taxes payable. iBill's audit trail satisfies these requirements by logging every invoice, payment, void, credit memo, and correction with timestamps, user IDs, and document hashes.
How do I export my audit trail for a CRA audit?
iBill lets you export your complete audit trail in three formats: CSV for spreadsheet analysis, JSON for programmatic processing, and XML for formal compliance submissions. Each export includes the action type, timestamp, user ID, document hash, and before/after values. You can filter by date range, action type, or user to provide exactly what the CRA auditor requests.

Ready to protect your financial records with a tamper-proof audit trail?

Create Account

Related Resources

CRA Tax Reporting GST/HST/QST reports Double-Entry Accounting Full GL system General Ledger Journal entries & GL Financial Statements Balance sheet & P&L Cash Basis Accounting CRA cash-basis method

Tamper-Proof Audit Trail for Canadian Businesses

SHA-256 hashing, 7-year retention, append-only immutability. Built into every transaction.

Create Account

• CRA ITA s.230 Ready