Australians lost $2.74 billion to scams in 2023, according to the ACCC's Targeting Scams report, and false billing and payment redirection consistently rank among the top three business loss categories. When a suspicious transaction surfaces in your Xero account, the clock starts ticking.
Most finance managers know something is wrong before they know what is wrong. An unfamiliar payee name. A payment amount that doesn't match an invoice. A vendor claiming they never received funds. These are the moments when Xero's built-in audit trail becomes your most important investigative tool.
This guide walks through exactly how to use Xero's History & Notes — the audit trail most businesses don't know they have — to investigate suspicious transactions, document findings, and take the right next steps under Australian law.
In this article:
- What Is Xero's Audit Trail?
- Red Flags That Should Trigger an Investigation
- Step-by-Step: Investigating a Suspicious Transaction in Xero
- What Xero's Audit Trail Cannot Show You
- Australian Legal Context: What to Do When You Find Evidence
- Strengthening Your Xero Setup After an Incident
- Related Reading
What Is Xero's Audit Trail?
Xero does not call it an "audit trail." It calls it History & Notes — and that understated label is probably why so many finance managers don't know it exists.
Every time someone creates, edits, voids, deletes, approves, or pays a transaction in Xero, the system records a timestamped log entry showing:
- Who made the change (the Xero user's name and email)
- What changed (status updates, payment amounts, contact details)
- When the change was made (date and time, in your local timezone)
You'll find History & Notes at the bottom of every invoice, bill, purchase order, expense claim, and contact record. It's a vertical timeline that reads newest-at-top.
For fraud investigation purposes, this is gold. It can confirm whether a supplier's bank details were changed inside Xero, who approved a payment, when an invoice was voided, and whether a contact record was edited before a payment was made.

It is not, however, a comprehensive forensic tool on its own. Understanding both its capabilities and its limits is what separates an effective internal investigation from one that misses key evidence.
Red Flags That Should Trigger an Investigation
Not every unusual transaction warrants a formal investigation — but certain patterns should immediately prompt you to open the History & Notes panel and start asking questions.
Payments to unfamiliar payees. A vendor name you don't recognise, or a variation on a known supplier's name (e.g. "ABC Supplies Pty Ltd" vs "ABC Supply Pty Ltd"). This is a common indicator of a ghost supplier or vendor impersonation.
Bank account details that recently changed. If a long-standing supplier suddenly updates their BSB and account number, particularly via email request, treat it as high-risk until verified directly by phone.
Round-number invoices from new suppliers. Fraudulent invoices frequently use round numbers ($5,000, $10,000) and come from recently added contacts with minimal transaction history. Learn more in our guide to 7 suspicious payment patterns every CFO should monitor.
Deleted or voided invoices you didn't authorise. Xero logs voids and deletions — if someone on your team (or with access to your account) voided a legitimate invoice to reissue a fraudulent one, History & Notes will show it.
Payments made outside business hours. Transactions approved at 11 pm or on a weekend warrant scrutiny, particularly if the approving user doesn't normally work those hours.
Bank reconciliation discrepancies. If your bank statement shows a payment that doesn't match any bill in Xero — or a bill exists in Xero with no corresponding bank transaction — something has gone wrong.
Payroll anomalies. Changes to employee bank accounts in Xero Payroll, or pay runs processed by someone other than the usual payroll manager, are serious red flags for payroll fraud.
Step-by-Step: Investigating a Suspicious Transaction in Xero
When a red flag surfaces, work through this process methodically. Document each step as you go — your notes may be needed by an insurer, auditor, or law enforcement.
Step 1 — Identify the Transaction in Question
Start with the specific payment or invoice that triggered your concern. In Xero, navigate to Business → Bills to pay (for bills) or Business → Invoices (for sales invoices), or go directly to the bank transaction under Accounting → Bank accounts and open the reconciliation for the relevant account.
Note the:
- Transaction reference number
- Amount and date
- Payee name
- Payment method (bank transfer, BPAY, credit card)
Step 2 — Access History & Notes
Open the transaction. Scroll to the bottom of the detail page and look for the History & Notes panel. This will show you the full lifecycle of that transaction — from creation through to payment.
Read the timeline carefully. Look for:
- Any edits made after the original entry (especially to amounts or contact details)
- The name of the user who created, approved, or paid the transaction
- Whether the transaction was ever voided and re-entered
Step 3 — Cross-Reference the Contact Record
Navigate to the supplier's Contact record (Contacts → Suppliers, search by name). Open their History & Notes. This is where you'll find evidence of bank detail changes on the supplier record itself.
A fraudulent bank detail change will typically show:
- A change to bank account number or BSB
- Often made by someone other than the usual contact manager
- Frequently made shortly before a payment was due
If you see a bank detail change in the supplier record that preceded a payment, treat this as a serious fraud indicator.
Step 4 — Check User Activity and Timestamps
In Settings → Users, review which users have access to your Xero organisation and what their permission levels are. Note whether any users have been added or reactivated recently.
Then return to the History & Notes entries you've found. Do the usernames match the people who should have made those changes? Was the change made by a user who left the company? Was it made at an unusual time?
Step 5 — Run the Account Transactions Report
Go to Accounting → Reports → Account Transactions and filter to the date range and account in question. This gives you a summary view of all transactions hitting a specific account, which is useful for spotting patterns you might miss when looking at individual bills.
Export this report as CSV. You'll need it if you escalate to your accountant, insurer, or police.
Step 6 — Export and Document Your Findings
Xero does not provide a single-click audit log export. You will need to:
- Screenshot each History & Notes panel you've reviewed
- Run and export the Account Transactions report
- Download the bank reconciliation report for the period in question
- Note all usernames, timestamps, and amounts in a separate document
Organise this documentation chronologically. If the matter escalates, this is the evidence trail that authorities and insurers will ask for.
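As an added example (not code from this article or from Xero), the script below runs the red flags from the earlier section over the material Steps 5 and 6 have you collect: rows transcribed from the Account Transactions export and from the History & Notes panels you screenshotted. The CSV column names, the sample rows, the 07:00 to 19:00 business-hours window and the 14-day bank-change window are all assumptions made for the example; adjust them to match your own export and policy.

```python
"""Triage helper for the investigation steps above.

Added example, not code from the article or from Xero. It assumes two
hand-built CSV extracts: one transcribed from the Account Transactions
report (Step 5) and one transcribed from History & Notes panels (Step 6).
Column names and thresholds are assumptions; adjust to your own export.
"""
import csv
import io
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample: rows transcribed from the Account Transactions export.
PAYMENTS_CSV = """date,time,contact,reference,amount,user
2024-03-04,10:15,ABC Supplies Pty Ltd,BILL-1041,4380.50,jane.finance
2024-03-08,23:10,ABC Supply Pty Ltd,BILL-1052,10000.00,tom.ap
2024-03-12,14:02,Northside Electrical,BILL-1060,2215.00,jane.finance
2024-03-16,09:30,Harbour Logistics,BILL-1071,5000.00,tom.ap
"""

# Constructed sample: rows transcribed from contact History & Notes panels.
HISTORY_CSV = """datetime,item,user,action,details
2024-03-07 22:55,Contact: ABC Supply Pty Ltd,tom.ap,Created,New contact
2024-03-08 22:58,Contact: ABC Supply Pty Ltd,tom.ap,Edited,Bank account details changed
2024-03-15 11:20,Contact: Harbour Logistics,jane.finance,Created,New contact
2023-11-01 09:00,Contact: Northside Electrical,jane.finance,Created,New contact
"""

BUSINESS_HOURS = (7, 19)              # assumed: 07:00-19:00 local is normal
NEW_SUPPLIER_WINDOW = timedelta(days=30)
BANK_CHANGE_WINDOW = timedelta(days=14)
NAME_SIMILARITY = 0.85                # assumed threshold for look-alike names


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def contact_of(item):
    # History rows for contacts are transcribed as "Contact: <name>".
    return item.split(": ", 1)[1] if item.startswith("Contact: ") else None


def triage(payments_csv, history_csv):
    """Return (reference, rule) pairs for every red flag that fires."""
    payments = load(payments_csv)
    findings = []

    # Index the contact history: creation time and any bank-detail edits.
    created, bank_changes = {}, {}
    for h in load(history_csv):
        name = contact_of(h["item"])
        if not name:
            continue
        when = datetime.strptime(h["datetime"], "%Y-%m-%d %H:%M")
        if h["action"] == "Created":
            created[name] = when
        if "bank account" in h["details"].lower():
            bank_changes.setdefault(name, []).append(when)

    names = sorted({p["contact"] for p in payments})
    for p in payments:
        when = datetime.strptime(p["date"] + " " + p["time"], "%Y-%m-%d %H:%M")
        amount, name, ref = float(p["amount"]), p["contact"], p["reference"]

        # Round-number payment to a supplier created within the last 30 days.
        is_new = name in created and when - created[name] <= NEW_SUPPLIER_WINDOW
        if amount % 1000 == 0 and is_new:
            findings.append((ref, "round amount to new supplier"))

        # Approved outside business hours or on a weekend.
        if not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]) or when.weekday() >= 5:
            findings.append((ref, "outside business hours / weekend"))

        # Bank details edited on the contact shortly before this payment.
        if any(timedelta(0) <= when - c <= BANK_CHANGE_WINDOW for c in bank_changes.get(name, [])):
            findings.append((ref, "bank details changed before payment"))

        # Contact name is a near-duplicate of another payee (ghost supplier).
        for other in names:
            if other != name and SequenceMatcher(None, name.lower(), other.lower()).ratio() >= NAME_SIMILARITY:
                findings.append((ref, f"near-duplicate of {other}"))
                break

    return findings


if __name__ == "__main__":
    for ref, rule in triage(PAYMENTS_CSV, HISTORY_CSV):
        print(f"{ref}: {rule}")
```

On the sample data the script flags BILL-1052 on all four rules (round amount, 23:10 approval, bank details changed minutes before payment, name one letter away from an established supplier), flags BILL-1071 for a round weekend payment to a day-old contact, and flags the legitimate BILL-1041 only as the look-alike of the suspect contact; treat the output as a prioritised list of History & Notes panels to open, not as a verdict.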

What Xero's Audit Trail Cannot Show You
Being clear about Xero's limitations is as important as knowing its strengths. A common mistake in internal investigations is assuming Xero's History & Notes is the complete picture. It isn't.
It doesn't capture login activity. History & Notes records actions on records, not sessions: it shows nothing about when a user signed in, or from what IP address or device. An edit made with a compromised credential is logged exactly as if the legitimate user had made it, so the trail tells you which account acted, not which person.
It doesn't record what users viewed. History & Notes only logs actions — creates, edits, payments. A user who browsed your supplier list and bank details without making changes will leave no trace.
It doesn't show where a change came from. If a fraudster emailed your team new bank details and a staff member keyed them in, History & Notes shows only a routine edit by that staff member; the instruction behind it lives in your email records, which then become the key evidence. If the payment was made directly through the bank portal to the new account, Xero will not show the change at all.
Data is lost if you cancel your subscription. Xero retains History & Notes for the life of your subscription. If you downgrade or cancel, that forensic data disappears — potentially at exactly the moment you need it for an insurance claim or legal proceeding.
There is no bulk export. You cannot download a complete audit log for your entire Xero organisation. Evidence collection is manual, transaction-by-transaction. For ongoing monitoring, this is a significant gap — one that purpose-built tools are designed to fill.
Understanding these limitations matters particularly for businesses in high-risk industries like construction and professional services, where transaction volumes are high and forensic review needs to be comprehensive. Our guide on vendor fraud in Australian small businesses covers additional detection methods that complement the Xero audit trail.
Australian Legal Context: What to Do When You Find Evidence
If your investigation uncovers evidence of fraud — whether internal or external — there is a correct sequence of steps to follow in Australia. Acting out of order can compromise evidence or breach your own legal obligations.

1. Preserve the evidence. Before you confront anyone or make account changes, capture everything you've found. Screenshots, exported reports, and written notes with timestamps. Do not delete or modify anything in Xero.
2. Engage your accountant or forensic specialist. An experienced accountant can review your findings independently, identify anything you may have missed, and advise on whether forensic accounting support is warranted. If losses are significant, a forensic accountant can produce a report suitable for legal proceedings.
3. Notify your bank immediately. If funds have left your account fraudulently, contact your bank the same day. While recovery is not guaranteed — particularly with NPP real-time payments — fast notification gives you the best chance of a recall. Some banks can freeze the recipient account if notified quickly.
4. Report to ACCC Scamwatch. All business payment fraud should be reported at scamwatch.gov.au. This contributes to national data that informs ACCC enforcement and industry warnings.
5. Report to ReportCyber for BEC incidents. If the fraud involved email compromise or impersonation, report it through the ReportCyber portal at cyber.gov.au/report-and-recover/report. ReportCyber is run by the Australian Cyber Security Centre and refers reports to the relevant police; BEC fraud is a criminal matter.
6. Notify your insurer. Contact your cyber insurance or crime insurance provider as early as possible. Most policies have strict notification timeframes — missing these can void your claim. Be prepared to provide your documented Xero evidence.
7. Consider ATO notification. If fraudulent invoices have already been included in a BAS lodgement, you may need to amend that return. Your accountant can advise on the ATO's amendment process.
Strengthening Your Xero Setup After an Incident
Once the immediate matter is resolved, use the experience to close the gaps that allowed it to happen.
Review and restrict user permissions. Apply least-privilege access — users should only have access to the Xero functions their role requires. A bookkeeper processing bills doesn't need payroll access. Go to Settings → Users and audit every account.
Enforce multi-factor authentication everywhere. Xero prompts every user for MFA at login; make sure the same is true of the email accounts and bank portals that feed it, because a BEC attacker who controls an accounts-payable inbox never needs a Xero password. This is one of the simplest controls that stops credential-compromise attacks from succeeding.
Implement dual approval for high-value payments. A two-person approval requirement for payments above a certain threshold is the most effective control against both internal fraud and BEC. Xero doesn't enforce this natively, but approval workflow tools and monitoring platforms designed for Xero can fill the gap.
Schedule regular audit trail reviews. Monthly review of History & Notes for your highest-risk transaction types — supplier bank detail changes, voided invoices, payroll changes — takes less than an hour and catches anomalies before they become losses.
Implement a supplier bank detail change policy. Require that all bank detail change requests be verified via a direct phone call to a number on file — not a number provided in the change request email. Document every verification.
For a complete monthly review process, see our finance manager's fraud detection checklist.
Xero's audit trail is a genuinely powerful tool — but it works best when finance teams know it exists and know how to use it. The businesses that investigate suspicious transactions methodically, document their findings thoroughly, and escalate through the right channels are the ones that limit their losses and improve their controls.
If you want continuous monitoring rather than reactive investigation — catching bank detail changes and payment anomalies the moment they occur rather than after the fact — OutflowGuard integrates directly with Xero to alert your team in real time. It's free to start, and the first scan often finds issues businesses didn't know were there.