How Do I Read the Audit Trail?
Every action in Zenoo Case Management is logged immutably. The audit trail provides a complete record of who did what, when, and why — essential for regulatory examinations, internal compliance reviews, and dispute resolution.What you’ll learn
- Where to find the audit trail
- What events are logged
- How to filter and search audit entries
- How to export data for regulatory reporting
- What the maker-checker audit pattern looks like
Where is the audit trail?
The audit trail is accessible in two places:- On a specific case or alert — scroll to the Audit Trail section in the detail view to see all events for that record
- Global audit trail — available from the main navigation for compliance officers and administrators who need to search across all records
What events are logged?
The audit trail captures 32 event types across seven categories:Case events
Case events
| Event | When it fires |
|---|---|
| Case Created | A new case is created (manually or from a verification flow) |
| Case Status Change | Case status transitions (New to In Progress, In Progress to Closed, etc.) |
| Case Assignment | Case is assigned or reassigned to an analyst |
| Case Escalation | Case is escalated to a manager or senior reviewer |
| Case Closure | Case is closed with resolution notes |
Alert events
Alert events
| Event | When it fires |
|---|---|
| Alert Created | A new alert is generated from a check result |
| Alert Acknowledged | An analyst acknowledges an open alert |
| Alert Resolved | An alert is resolved with an action and notes |
| Alert False Positive | An alert is marked as a false positive |
| Alert Escalated | An alert is escalated to a senior reviewer |
| Alert Assignment | An alert is assigned to a specific analyst |
| Alert Auto-Disposition | An alert is auto-resolved by the AI system |
Risk events
Risk events
| Event | When it fires |
|---|---|
| Risk Assessment Created | A new risk assessment is generated |
| Risk Score Calculated | Dimension scores are calculated |
| Risk Tier Override | An analyst overrides the calculated risk tier |
| Risk Assessment Approved | A risk assessment is formally approved |
Check and document events
Check and document events
| Event | When it fires |
|---|---|
| Check Status Change | A check transitions between statuses |
| Check Waived | A check is waived with a documented reason |
| Check Rejected | A check result is rejected |
| Check Completed | A check finishes with a result |
| Document Uploaded | A document is uploaded for a requirement |
| Document Reviewed | A document is reviewed and accepted or declined |
Collaboration events
Collaboration events
| Event | When it fires |
|---|---|
| Reviewer Added | A reviewer is added to a case or alert |
| Reviewer Removed | A reviewer is removed |
| Reviewer Response | A reviewer approves or rejects |
| Comment Added | A comment is posted on a case, alert, or check |
Entity and system events
Entity and system events
| Event | When it fires |
|---|---|
| Entity Added | An entity is added to a case |
| Entity Removed | An entity is removed from a case |
| Auto Escalation | A case is auto-escalated due to SLA breach |
| SLA Breach | A case breaches its SLA deadline |
| Bulk Operation | A bulk action is performed (e.g., bulk alert assignment) |
| AI Analysis | AI research is run on an alert |
How do I filter audit entries?
The audit trail panel provides filters to narrow your search:Filter by event type
Select one or more event types from the dropdown (e.g., show only “Case Escalation” and “Risk Tier Override” events).
Filter by date range
Set a start and end date to view events within a specific period. Useful for regulatory examinations that cover a defined timeframe.
Filter by actor
Search for events performed by a specific user. The audit trail stores both the user ID and their name at the time of the event — so even if a user is deactivated, their name is preserved.
What does an audit entry show?
Each audit entry contains:| Field | Description |
|---|---|
| Timestamp | When the event occurred (date and time to the second) |
| Event type | The category and specific event (e.g., “Alert Resolved”) |
| Actor | Who performed the action (name and user ID) |
| Record | Which case, alert, or check the event relates to |
| Description | Human-readable description of what happened |
| Old value | The previous state (e.g., “Open”) |
| New value | The new state (e.g., “Resolved”) |
| Reason | The justification provided (e.g., resolution notes, override reason) |
| Severity | Info, Warning, or Critical |
Audit entries are immutable. Once created, they cannot be edited or deleted — not even by administrators. This is enforced by a validation rule at the database level.
How do I export for regulatory reporting?
Click the Export CSV button at the top of the audit trail panel. The export includes:- All visible entries (respecting your current filters)
- All fields in a flat CSV format
- Timestamps in ISO 8601 format for easy processing
- UTF-8 encoding
What is the maker-checker pattern?
The audit trail supports the four-eyes principle (maker-checker) used in regulated environments:- Maker — the analyst who performs an action (e.g., resolves an alert, overrides a risk tier)
- Checker — the approver who validates the action (e.g., a senior reviewer who approves the case)