
Xero Audit Log Guide: Fraud Detection for Finance Teams

26 May 2026, 10 min read
Tags: Xero audit log, fraud detection, audit trail, payment fraud

A Xero audit log review should not be something your finance team only thinks about after money has gone missing. For Australian SMBs, the audit trail inside Xero can show who changed a bill, when a supplier record moved, and which transactions were edited before a payment run.

The risk is real. The ACCC's Targeting Scams Report 2024 reported $2.03 billion in total scam losses across combined reporting sources. The National Anti-Scam Centre Targeting Scams Report 2025 later recorded $166.8 million in payment redirection losses alone.

For CFOs, finance managers and bookkeepers using Xero, the question is not just whether Xero records changes. It is whether your team knows which changes matter, how often to review them, and what to do when the audit trail shows something suspicious.


Does Xero have an audit log?

Xero does have audit-style records, but they are not presented as one single screen called the Xero audit log. The same information is spread across features that Xero names History and Notes, the History and Notes report, the Assurance Dashboard, user roles and permissions, and the history available through the API.

That naming gap matters for finance teams. A CFO might ask for the audit log, while a bookkeeper might know the same information as History and Notes. If the team is not using the same language, important evidence can be missed during a fraud review.

The official Xero Central guide to the History and Notes report explains that users can review a summary of changes to transactions and user activity. Xero's Assurance Dashboard also helps advisors review activity that may need attention.

For practical fraud detection, treat these features as parts of one control system:

  • History and Notes for record-level changes.

  • History and Notes report for broader review across transactions and users.

  • Assurance Dashboard for advisor-style exception checks.

  • User roles and permissions for understanding who had the ability to make a change.

  • Xero API history for integrations that need to monitor activity programmatically.


Where to find Xero audit log information

The right place to look depends on the question you are trying to answer. Fraud investigations usually start with a specific concern, then widen into a broader control review.

Review History and Notes on individual records

Use record-level history when you need to answer a specific question. For example, who edited this bill, when was this contact changed, or why was this transaction altered after approval?

This is useful when a supplier emails new bank details, an invoice amount changes just before payment, or a reconciled transaction no longer matches the supporting document. The audit trail can help separate normal corrections from activity that needs escalation.

Use the History and Notes report for wider review

The History and Notes report is better for monthly monitoring. It helps finance teams scan changes across a period instead of opening records one by one.

A practical monthly review might filter for edited bills, deleted transactions, new contacts, changed supplier information, and user activity outside expected patterns. The goal is not to prove fraud every month. The goal is to spot exceptions early enough to verify them.

Check the Assurance Dashboard

Xero's Assurance Dashboard is especially useful for accountants and advisors, but internal finance teams can learn from the same logic. It focuses attention on records and activity that deserve review.

For example, finance teams should pay attention to duplicate bank accounts, changed contacts, manual reconciliations, edited transactions and other exceptions that can hide payment redirection or internal misuse.

Review user roles and permissions

The audit trail tells you what happened. Xero's user roles and permissions help explain who was allowed to do it.

If one person can create suppliers, edit bank details, enter bills, approve bills, reconcile payments and release funds, the audit log becomes a post-event record rather than a preventive control. Small teams may not be able to separate every task perfectly, but they can still use reviewer roles, approval limits and independent checks.


Xero audit log checks for fraud detection

A Xero audit log review works best when it is tied to specific fraud scenarios. Do not ask your team to vaguely look for anything unusual. Give them clear patterns to review.

Supplier bank account changes

Supplier bank detail changes are one of the highest-risk events in accounts payable. A legitimate change and a payment redirection scam can look almost identical in Xero unless someone verifies the context.

When bank details change, check:

  1. Who made the change.

  2. Whether the change followed a documented supplier verification process.

  3. Whether the supplier was contacted using a trusted phone number.

  4. Whether the next payment was reviewed by a second person.

  5. Whether the change occurred just before a payment run.

This is where Xero's audit trail is helpful, but not enough on its own. The log can show the change. It cannot prove the supplier request was genuine.

Edited bills, invoices and credit notes

Fraud and errors often hide inside normal-looking edits. A bill amount changes after approval. An invoice reference is altered. A credit note is added to mask a duplicate. A due date is moved to create urgency.

Review edits to high-value bills, new supplier invoices, invoices just below approval thresholds, and records changed after approval. If your team uses purchase orders, compare the edited bill against the PO and delivery evidence.

This also connects to broader AP controls. Our guide to invoice fraud red flags gives finance teams a practical review list for suspicious invoices before payment.

Deleted, voided or reversed transactions

Deleted and voided records are not always suspicious. Finance teams correct mistakes, clean up duplicates and reverse genuine errors.

The risk appears when deletions happen without notes, after reconciliation, near reporting cut-off, or by a user who should not normally make that change. A monthly review should ask whether the reason is documented and whether the supporting records still make sense.

Manual reconciliations and unusual matching

Bank reconciliation is another place where fraud can be hidden. A payment may be manually matched to the wrong bill. A transaction may be reconciled without enough supporting evidence. A suspicious payment may be cleared simply because the bank feed shows money left the account.

Review manual reconciliations for high-value payments, new suppliers, changed bank details and transactions that do not match normal supplier timing. Xero's audit information helps show who performed the action, but your finance process needs to explain why it was acceptable.

User activity that does not fit the role

Fraud detection is partly about records and partly about behaviour. A payroll user editing supplier contacts, a junior bookkeeper changing bank details, or an external advisor making changes without a workpaper trail should all trigger review.

Use audit history together with permissions. If a user should not need a permission for their role, remove it. If they do need it, add a compensating control such as second-person review or monthly exception reporting.
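As an added example (written for this article, not Xero's own tooling or report logic), the checks in this section expressed as detection rules over History and Notes records. It assumes the History and Notes report has already been exported and normalised into the HistoryEvent shape below; the field names, the role map, the verification keywords and the sample events are all constructed for the illustration.

```python
"""Rule-based review of Xero History and Notes records (added example, not Xero code).

Assumes the History and Notes report has been exported and normalised into the
HistoryEvent shape below; field names, the role map and the sample data are
constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HistoryEvent:
    when: datetime        # time of the change
    user: str             # Xero user shown in History and Notes
    record_type: str      # "Contact", "Bill", "BankTransaction", ...
    record_id: str        # supplier name, bill number, ...
    action: str           # "Created", "Edited", "Approved", "Deleted", "Voided", ...
    details: str = ""     # Xero's description of the change
    note: str = ""        # any note the user left on the record
    amount: float = 0.0   # bill amount after the change, where relevant


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: HistoryEvent
    reason: str


# Assumed role map: the record types each role is expected to change.
ROLE_PERMISSIONS = {
    "ap-clerk": {"Bill", "Contact"},
    "approver": {"Bill"},
    "payroll": {"Employee", "PayRun"},
    "advisor": {"Bill", "Contact", "BankTransaction", "ManualJournal"},
}
BANK_KEYWORDS = ("bank account", "bsb", "account number")
VERIFIED_KEYWORDS = ("called supplier", "verified by phone", "callback")


def review(events, user_roles, payment_runs, high_value=5000.0, window_days=3):
    """Apply the four checks from the article and return Findings in time order."""
    findings = []
    approved_at = {}  # record_id -> time of the most recent approval
    for e in sorted(events, key=lambda ev: ev.when):
        # 1. Supplier bank details changed shortly before a payment run, no verification note.
        if (e.record_type == "Contact" and e.action == "Edited"
                and any(k in e.details.lower() for k in BANK_KEYWORDS)):
            verified = any(k in e.note.lower() for k in VERIFIED_KEYWORDS)
            imminent = [r for r in payment_runs
                        if timedelta(0) <= r - e.when <= timedelta(days=window_days)]
            if imminent and not verified:
                findings.append(Finding(
                    "bank_change_before_payment_run", "HIGH", e,
                    f"bank details changed {(imminent[0] - e.when).days} day(s) before the "
                    f"{imminent[0]:%Y-%m-%d} payment run, no verification note"))
        # 2. Bill edited after it was approved; high-value edits are graded HIGH.
        if e.record_type == "Bill":
            if e.action == "Approved":
                approved_at[e.record_id] = e.when
            elif e.action == "Edited" and e.record_id in approved_at:
                severity = "HIGH" if e.amount >= high_value else "MEDIUM"
                findings.append(Finding(
                    "edit_after_approval", severity, e,
                    f"edited after approval on {approved_at[e.record_id]:%Y-%m-%d}"))
        # 3. Deleted or voided with no documented reason.
        if e.action in ("Deleted", "Voided") and not e.note.strip():
            findings.append(Finding("deletion_without_note", "MEDIUM", e,
                                    "deleted or voided without a note explaining why"))
        # 4. Change to a record type the user's role is not expected to touch.
        role = user_roles.get(e.user)
        if e.record_type not in ROLE_PERMISSIONS.get(role, set()):
            findings.append(Finding(
                "role_mismatch", "HIGH", e,
                f"role '{role}' is not expected to change {e.record_type} records"))
    return findings


# Constructed sample data for the illustration (not real Xero records).
T = datetime
SAMPLE_EVENTS = [
    HistoryEvent(T(2026, 5, 4, 9, 0), "Priya", "Contact", "Acme Supplies", "Edited",
                 "Bank account number changed from ...123 to ...987"),
    HistoryEvent(T(2026, 5, 4, 9, 30), "Priya", "Bill", "BILL-1042", "Created", "Bill created", "", 7800.0),
    HistoryEvent(T(2026, 5, 4, 10, 0), "Tom", "Bill", "BILL-1042", "Approved", "Approved", "", 7800.0),
    HistoryEvent(T(2026, 5, 5, 16, 45), "Priya", "Bill", "BILL-1042", "Edited",
                 "Amount changed from 7800.00 to 9800.00", "", 9800.0),
    HistoryEvent(T(2026, 5, 6, 8, 15), "Sam", "Contact", "Northwind Pty Ltd", "Edited",
                 "Bank account number changed", "Called supplier on known number, confirmed"),
    HistoryEvent(T(2026, 5, 7, 11, 0), "Priya", "Bill", "BILL-1031", "Deleted", "Bill deleted"),
    HistoryEvent(T(2026, 5, 8, 14, 0), "Lee", "Contact", "Acme Supplies", "Edited", "Phone number changed"),
]
USER_ROLES = {"Priya": "ap-clerk", "Tom": "approver", "Sam": "ap-clerk", "Lee": "payroll"}
PAYMENT_RUNS = [T(2026, 5, 6, 12, 0), T(2026, 5, 13, 12, 0)]

if __name__ == "__main__":
    for f in review(SAMPLE_EVENTS, USER_ROLES, PAYMENT_RUNS):
        print(f"{f.severity:6} {f.rule:32} {f.event.record_id:18} {f.event.user:6} {f.reason}")
```

On the sample data the Northwind change is suppressed because its note records a call-back on a known number, while the Acme change two days before the payment run, the post-approval edit that raised BILL-1042 above the high-value threshold, the undocumented deletion and the payroll user editing a contact all surface. The keyword matching is deliberately simple; the point is that each finding names the rule, the user and the reason, which is what the weekly reviewer needs to verify it outside Xero.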


What the Xero audit trail does not solve

Xero audit log information is valuable, but it is not a full fraud prevention programme. It records activity. It does not automatically decide whether the activity is legitimate, risky or fraudulent.

That distinction matters. A supplier bank account change may be logged correctly and still be fraudulent. A bill edit may have a legitimate user name attached and still be based on a compromised email. A payment may be approved in Xero and still be going to the wrong account.

There are four common limitations finance teams should plan around:

  • The information is distributed. You may need to check History and Notes, reports, the Assurance Dashboard, permissions and supporting documents to understand one incident.

  • Reviews are manual unless someone owns them. Xero can hold useful data, but a busy finance team still needs a cadence, a checklist and an accountable reviewer.

  • The audit trail does not verify supplier identity. It can show that a contact changed, but it cannot confirm that the real supplier requested the change.

  • Problems are easier to find after the event than before payment. If audit review happens monthly but payment runs happen twice a week, a loss may already be out the door.

That is why the best control design uses both detective and preventive controls. Detective controls review what happened. Preventive controls pause high-risk changes before money leaves.

Xero also exposes History and Notes through its API, which is what makes automation possible for teams that need more than manual review. Most SMBs do not need to build their own API monitoring, but they should understand that audit history can feed alerts and exception workflows rather than only a monthly report.
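As an added example of what that API-driven monitoring can look like (illustrative code written for this article, not Xero's SDK and not a description of any product): one poll cycle that asks for contacts changed since a watermark, reads each contact's History, and raises an alert for bank-detail changes it has not already reported. The endpoint paths, the OAuth2 and tenant headers, the If-Modified-Since header and the HistoryRecords field names follow Xero's public Accounting API documentation as I understand it and are assumptions to check against the current docs; the HTTP layer is an injected fetch function with constructed responses, so nothing is sent to Xero when you run it.

```python
"""Incremental polling of Xero contact history for bank-detail changes (added example).

Not Xero's SDK: the endpoint paths, headers and HistoryRecords field names are
assumptions drawn from Xero's public Accounting API docs. The fetch callable is
injected so the example runs offline against constructed responses.
"""
from datetime import datetime, timezone
from email.utils import format_datetime

BASE = "https://api.xero.com/api.xro/2.0"
BANK_KEYWORDS = ("bank account", "bank details", "bsb")


def xero_headers(access_token, tenant_id, since=None):
    """Headers for an Accounting API call: OAuth2 bearer token, tenant id, and
    optionally If-Modified-Since so a collection call returns only records
    changed after the watermark (since must be an aware UTC datetime)."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Xero-tenant-id": tenant_id,
        "Accept": "application/json",
    }
    if since is not None:
        headers["If-Modified-Since"] = format_datetime(since, usegmt=True)
    return headers


def parse_utc(date_utc_string):
    """DateUTCString values such as '2026-05-04T09:02:11' are UTC with no zone marker."""
    return datetime.fromisoformat(date_utc_string).replace(tzinfo=timezone.utc)


def poll_bank_changes(fetch, access_token, tenant_id, since, seen):
    """One poll cycle. fetch(url, headers) -> parsed JSON dict.
    Returns (alerts, new_watermark). `seen` is a set the caller keeps between
    cycles so overlapping polls do not re-alert on the same history record."""
    alerts = []
    newest = since
    contacts = fetch(f"{BASE}/Contacts",
                     xero_headers(access_token, tenant_id, since)).get("Contacts", [])
    for contact in contacts:
        cid = contact["ContactID"]
        history = fetch(f"{BASE}/Contacts/{cid}/History",
                        xero_headers(access_token, tenant_id)).get("HistoryRecords", [])
        for rec in history:
            when = parse_utc(rec["DateUTCString"])
            if when <= since:
                continue                      # already covered by an earlier poll
            newest = max(newest, when)
            details = rec.get("Details", "")
            if not any(k in details.lower() for k in BANK_KEYWORDS):
                continue                      # not a bank-detail change
            key = (cid, rec["DateUTCString"], details)
            if key in seen:
                continue                      # reported in a previous cycle
            seen.add(key)
            alerts.append({
                "contact": contact.get("Name", cid), "contact_id": cid,
                "when": when, "user": rec.get("User", ""), "details": details,
                "bank_details_now": contact.get("BankAccountDetails", ""),
            })
    return alerts, newest


# Constructed responses standing in for the live API (shapes as I understand the docs).
CONSTRUCTED = {
    f"{BASE}/Contacts": {"Contacts": [
        {"ContactID": "c1", "Name": "Acme Supplies", "BankAccountDetails": "062-000 12345987"},
        {"ContactID": "c2", "Name": "Northwind Pty Ltd", "BankAccountDetails": "033-123 555000"},
    ]},
    f"{BASE}/Contacts/c1/History": {"HistoryRecords": [
        {"Changes": "Edited", "DateUTCString": "2026-05-04T09:02:11",
         "User": "Priya", "Details": "Bank account number changed"},
        {"Changes": "Edited", "DateUTCString": "2026-04-20T02:00:00",
         "User": "Priya", "Details": "Phone number changed"},
    ]},
    f"{BASE}/Contacts/c2/History": {"HistoryRecords": [
        {"Changes": "Edited", "DateUTCString": "2026-05-03T23:10:00",
         "User": "Sam", "Details": "Email address changed"},
    ]},
}


def fake_fetch(url, headers):
    """Offline stand-in for an HTTP GET; a real fetch would use requests or httpx."""
    return CONSTRUCTED[url]


if __name__ == "__main__":
    seen = set()
    watermark = datetime(2026, 5, 1, tzinfo=timezone.utc)
    alerts, watermark = poll_bank_changes(fake_fetch, "<token>", "<tenant-id>", watermark, seen)
    for a in alerts:
        print(f"{a['when']:%Y-%m-%d %H:%M} {a['user']} changed {a['contact']}: {a['details']}")
```

Two design points matter more than the keyword filter. First, the watermark is applied to the Contacts call through If-Modified-Since but the History call is not filtered, so records older than the watermark are dropped client side; second, the `seen` set and the returned watermark must be persisted between runs, or a restart would re-alert on every change in the window. Pagination of the Contacts collection and Xero's rate limits are left out of the example and need handling in anything that runs on a schedule.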

Monthly Xero audit log checklist

Use this checklist as a starting point for a finance manager, CFO or senior bookkeeper. Adjust thresholds for your payment volume, team size and risk profile.

Weekly high-risk checks

  1. Review supplier bank account changes since the last payment run.

  2. Check new suppliers created during the week.

  3. Review edited bills above your approval threshold.

  4. Check payments to suppliers with recently changed contact details.

  5. Confirm any urgent payment requests were verified outside email.

Weekly checks should focus on changes that could redirect money quickly. If you only have time for one review, make it supplier and payment change activity.

Monthly control checks

  1. Review the History and Notes report for deleted, voided and edited transactions.

  2. Check manual reconciliations for high-value or unusual payments.

  3. Review user permissions against current job roles.

  4. Look for users with access they no longer need.

  5. Sample invoices changed after approval and confirm supporting documents.

  6. Review duplicate bank accounts or contacts that may indicate supplier data issues.

  7. Document findings, even when no fraud is found.

A clean review is useful evidence. It shows directors, auditors and external accountants that someone is monitoring the control environment rather than relying on trust.

Before BAS, EOFY or audit handover

Reporting periods add pressure, and pressure increases mistakes. Before BAS lodgement, EOFY close or accountant handover, review changes to GST coding, journals, voided invoices, payroll records and bank reconciliations.

This review is not only about fraud. It also improves reporting quality. A finance team that understands its Xero audit trail can answer questions faster and resolve exceptions with less back-and-forth.

For small teams, combine this checklist with separation of duties. Our guide to segregation of duties in small finance teams explains how to create practical compensating controls when you do not have enough people for perfect separation.


Conclusion

The Xero audit log is not one magic screen that catches every fraud attempt. It is a set of records, reports and controls that help finance teams understand what changed, who changed it, and whether the change deserves review.

For Australian SMBs, the highest-value habit is simple: review supplier changes before payment, review unusual activity monthly, and connect audit history to user permissions and approval workflows.

OutflowGuard helps Xero-based teams move from after-the-event review to continuous monitoring. It watches for high-risk supplier and bank detail changes, supports dual approval, and gives finance teams the evidence they need without turning every payment run into a manual investigation.
