The structure of a bundle looks like this:
- The 0th transaction is the spend transaction, where you transfer IOTAs to the recipient's address.
- The remaining transactions are inputs, where you transfer IOTAs from your addresses to fund the spend. Each input transaction contains a signature fragment that proves that you own the private key for that address.
- By default, signatures are so big that each one requires 2 transactions to store it. This is configurable depending on the "security level" of the corresponding address — it can be between 1 and 3. I don't think the wallet lets you set the security level, but it can be done in the API libraries.
- If the sum of the inputs is greater than the spend, then an additional transaction is added to the end of the bundle that sends the change to an address that you own.
For security, if an address is used as an input, its entire balance is transferred, to avoid reusing the address later.