Regulatory updates

On 24 March 2021, the Ministry of Corporate Affairs (MCA) issued the Companies (Audit and Auditors) Amendment Rules, 2021, notifying certain changes to Rule 111 of the Companies (Audit and Auditors) Rules, 2014 (the Audit and Auditors Rules). Rule 11(g) was introduced, which specified that auditors should report on the use of accounting software by companies having audit trail (edit log) feature. Consequently, in March 2023, ICAI issued the Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 (the implementation guide). Based on the feedback and queries received from different stakeholders, in February 2024, ICAI has issued a revised Implementation Guide on Reporting under Rule 11(g) (the revised implementation guide). The revised implementation guide comprises of detailed guidance on various aspects of the reporting requirement as well as includes a new section on Frequently Asked Questions (FAQs). Some of the important FAQs include

• Definition of books of account: The FAQs have clarified that the following would be considered as ‘books of account’ maintained in an accounting software and accordingly, an audit trail for the same should be maintained.

• Master data: Vendor/customer master data complements the transaction record and provides further information pertaining to books of account
• Purchase order/sales order: Purchase order/sales order or contracts are used by companies as control/governance mechanism to establish the contractual obligations of the parties. Where the terms of such purchases or sales are agreed at the time of receipt or at the time of booking the invoice and thus depending upon the likely interface/input to the ‘books of account’, one may conclude it to be part of accounting software requiring existence of an audit trail feature
• Records of Property, Plant and Equipment/intangible assets: Property, plant and equipment /intangible assets register may be classified as accounting software, if the same provides direct and auto feed to the accounting software2.
• Use of spreadsheets: End-user computing tools, like spreadsheets, may be classified as accounting software if the same provides direct and auto feed to the accounting software.

• No exemptions from audit trail requirements: In case a company maintains its books of account in electronic mode, then it is required to comply with the requirements of Rule 3 of the Companies (Accounts) Rules, 20143 (Accounts Rules). This requirement is applicable to all companies and no exemption is available for the small and medium companies or for banks and Non-Banking Finance Companies (NBFCs)
• No requirement to report on audit trail in the limited review report: The revised implementation guide has clarified that currently, there is no requirement prescribed under the Companies Act, 2013 or any of the SEBI Regulations for the auditors to report on the audit trail feature of accounting software while issuing their limited review report
• Use of specialist/expert or reliance on information system audit report by the auditor: It has been specified that the auditor may consider involvement of a specialist or expert in the field of information technology to assist in evaluation of management controls and configurations in the accounting software regarding audit trail. However, while doing so, the auditor must comply with the requirements of SA 620, Using the Work of an Auditor’s Expert. Similarly, where accounting software is provided by a service provider, the auditor may consider using independent auditor’s report on service organisation (for example, SOC 1/SOC 2/ SAE 3402) for compliance with audit trail requirements4. While doing so, statutory auditor of the company is required to comply with the requirements of SA 402, Audit Considerations Relating to an Entity Using a Service Organisation. However, the ultimate responsibility for reporting on audit trail would remain with the statutory auditor only.
• Implication of audit trail feature not operational throughout the year: The revised implementation guide has clarified that in case there are no transactions during any part of the year, it would not be considered as a reason for not enabling the audit trail feature. Similarly, technical glitches in the accounting software during any part of the financial year due to which audit trail feature remains non-functional does not give any exemption to the management regarding their responsibility. Consequently, if the audit trail feature remains non-functional during any part of the year, the auditor would need to appropriately modify reporting under Rule 11(g) of the Audit and Auditors Rules5. It would also have an impact on reporting under Section 143(3)(b)6 and Section 143(3)(h)7 of the 2013 Act.
• Applicability of materiality concept for reporting on audit trail: Rule 11(g) of the Audit and Auditors Rules states that audit trail is required for each and every transaction, creating an edit log of each change made in the books of account. Thus, reporting would apply for all the transactions, irrespective of the amount involved. Reporting on audit trail is a factual reporting. Auditor’s reporting is based on test checks which would require application of the concept of materiality for the purpose of sample selection
• Requirement to comment on details of audit trail logs: As per Rule 11(g) of the Audit and Auditors Rules, the auditor needs to comment only on the below aspects:

• Whether the company has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility
• Whether the audit trail has operated throughout the year for all transactions recorded in the software
• Whether audit trail feature has not been tampered with, and

• Tenure and rotation: The guidelines specify that:

• The statutory auditors would be appointed at a time for a period of one year only and should be reappointed annually for the succeeding two years . During such period, premature removal of the statutory auditors would require prior approval of the RBI
• An auditor/audit firm would not be eligible for appointment/re-appointment in the same bank for six years (two tenures) immediately after the completion of a full or part tenure⁴ In case an auditor/audit firm has conducted audit of the bank for part-tenure (one or two years) and then is not re-appointed for the remainder tenure, it would not be eligible for re-appointment in the same bank for six years after the completion of part-tenure. However, audit firms can continue to undertake statutory audit of other banks. .

• Maximum number of audits: An audit firm can concurrently take up the statutory audit of a maximum of five banks⁵ The limit of five banks would be in addition to the limit of 20 Regulated Entities (REs), as prescribed in the Guidelines for Appointment of Statutory Central Auditors (SCAs)/Statutory Auditors (SAs) of Commercial Banks (excluding RRBs), UCBs and NBFCs (including HFCs) dated 27 April 2021. (including not more than one StCB) in a year. Further, in a year, an audit firm cannot simultaneously take up the statutory audit of both StCB and CCBs operating in the same state. An audit firm can concurrently take up the statutory audit of a maximum of four commercial banks [including not more than one Public Sector Bank (PSB) or one All India Financial Institution⁶ NABARD, SIDBI, NaBFID, NHB, EXIM Bank or RBI, eight Urban Co-operative Banks (UCBs), eight Non-Banking Financial Companies (NBFCs), and five StCBs/CCBs in a year.
• Review of performance of auditors: Banks must review the performance of statutory auditors on an annual basis and any serious lapse/negligence should be reported to NABARD within two months from the completion of audit.

• Other requirements: The guidelines mention that:

• Banks should frame a Board-approved policy on appointment of statutory auditor and host the same on its website/public domain
• Banks should also formulate the necessary procedures for selection/appointment/ re-appointment/removal of auditor.

• Appendices: In addition to the requirements discussed above, the guidelines also incorporate:

• Eligibility criteria for appointment as a statutory auditor (Appendix I to the guidelines)
• Procedure for appointment (Appendix II to the guidelines), and
• Guidelines for selection of branches for audit by the statutory auditors (Appendix III to the guidelines).

---

To access the text of the guidelines, please click here