Regulatory updates

On 24 March 2021, the Ministry of Corporate Affairs (MCA) issued the Companies (Audit and Auditors) Amendment Rules, 2021, notifying certain changes to Rule 11¹ Other matters to be included in auditors report of the Companies (Audit and Auditors) Rules, 2014 (the Audit and Auditors Rules). Rule 11(g) was introduced, which specified that auditors should report on the use of accounting software by companies having audit trail (edit log) feature. Consequently, in March 2023, ICAI issued the Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 (the implementation guide). Based on the feedback and queries received from different stakeholders, in February 2024, ICAI has issued a revised Implementation Guide on Reporting under Rule 11(g) (the revised implementation guide). The revised implementation guide comprises of detailed guidance on various aspects of the reporting requirement as well as includes a new section on Frequently Asked Questions (FAQs). Some of the important FAQs include:

• Definition of books of account: The FAQs have clarified that the following would be considered as ‘books of account’ maintained in an accounting software and accordingly, an audit trail for the same should be maintained.

• Master data: Vendor/customer master data complements the transaction record and provides further information pertaining to books of account
• Purchase order/sales order: Purchase order/sales order or contracts are used by companies as control/governance mechanism to establish the contractual obligations of the parties. Where the terms of such purchases or sales are agreed at the time of receipt or at the time of booking the invoice and thus depending upon the likely interface/input to the ‘books of account’, one may conclude it to be part of accounting software requiring existence of an audit trail feature
• Records of Property, Plant and Equipment/intangible assets: Property, plant and equipment /intangible assets register may be classified as accounting software, if the same provides direct and auto feed to the accounting software² Auto feed to books of account by a PPE register would be in terms of depreciation, profit or loss on sale of property, plant and equipment/intangible assets, etc..
• Use of spreadsheets: End-user computing tools, like spreadsheets, may be classified as accounting software if the same provides direct and auto feed to the accounting software.

• No exemptions from audit trail requirements: In case a company maintains its books of account in electronic mode, then it is required to comply with the requirements of Rule 3 of the Companies (Accounts) Rules, 2014³ Rule 3 of the Companies (Accounts) Rules, 2014 inter alia requires every company which uses accounting software for maintaining its books of account to include a feature of recording audit trail of each and every transaction. It also requires the software to create an edit log of each change made in the books of account, whether or not the underlying journal entry can be edited or not. This is applicable from 1 April 2023 (Accounts Rules). This requirement is applicable to all companies and no exemption is available for the small and medium companies or for banks and Non-Banking Finance Companies (NBFCs)
• No requirement to report on audit trail in the limited review report: The revised implementation guide has clarified that currently, there is no requirement prescribed under the Companies Act, 2013 or any of the SEBI Regulations for the auditors to report on the audit trail feature of accounting software while issuing their limited review report
• Use of specialist/expert or reliance on information system audit report by the auditor: It has been specified that the auditor may consider involvement of a specialist or expert in the field of information technology to assist in evaluation of management controls and configurations in the accounting software regarding audit trail. However, while doing so, the auditor must comply with the requirements of SA 620, Using the Work of an Auditor’s Expert. Similarly, where accounting software is provided by a service provider, the auditor may consider using independent auditor’s report on service organisation (for example, SOC 1/SOC 2/ SAE 3402) for compliance with audit trail requirements⁴ It has been further clarified that if the SOC or SAE report of the service organisation does not cover the full reporting year, then the auditor would need to modify the reporting under clause 11(g) of the Audit and Auditors Rules. While doing so, statutory auditor of the company is required to comply with the requirements of SA 402, Audit Considerations Relating to an Entity Using a Service Organisation. However, the ultimate responsibility for reporting on audit trail would remain with the statutory auditor only.
• Implication of audit trail feature not operational throughout the year: The revised implementation guide has clarified that in case there are no transactions during any part of the year, it would not be considered as a reason for not enabling the audit trail feature. Similarly, technical glitches in the accounting software during any part of the financial year due to which audit trail feature remains non-functional does not give any exemption to the management regarding their responsibility. Consequently, if the audit trail feature remains non-functional during any part of the year, the auditor would need to appropriately modify reporting under Rule 11(g) of the Audit and Auditors Rules⁵ It has also been clarified that reporting on the audit trail feature is independent of any adverse findings by the auditor . It would also have an impact on reporting under Section 143(3)(b)⁶ The auditor’s report should state whether proper books of account as required by law have been kept by the company, so far as appears from the examination of those books and proper returns and Section 143(3)(h)⁷ The auditor’s report should state any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith of the 2013 Act.
• Applicability of materiality concept for reporting on audit trail: Rule 11(g) of the Audit and Auditors Rules states that audit trail is required for each and every transaction, creating an edit log of each change made in the books of account. Thus, reporting would apply for all the transactions, irrespective of the amount involved. Reporting on audit trail is a factual reporting. Auditor’s reporting is based on test checks which would require application of the concept of materiality for the purpose of sample selection
• Requirement to comment on details of audit trail logs: As per Rule 11(g) of the Audit and Auditors Rules, the auditor needs to comment only on the below aspects:

• Whether the company has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility
• Whether the audit trail has operated throughout the year for all transactions recorded in the software
• Whether audit trail feature has not been tampered with, and
• Whether audit trail has been preserved by the company as per the statutory requirements for record retention.

Thus, there is no requirement for auditors to comment on the details of audit trail logs.

• Log of all changes: In case of multiple changes made in the books of account, the log of entire chain of changes should be maintained. Retaining only the last/latest changes will not serve the purpose of compliance with audit trail requirements. In a situation where only the last/latest changes are maintained, the auditor would need to appropriately modify the reporting under Rule 11(g) of the Audit and Auditors Rules
• Reporting on accounting software outside India: Audit trail requirements are applicable even for accounting software maintained outside India if the company is incorporated in India. In case the auditor is relying on the work of another auditor, then audit trail feature requirement should form part of SOC/SAE report

• Requirement of audit trail to remain accessible in India at all times: There may be a situation wherein the audit trail is recorded at back-end on a server/cloud maintained outside India.

Rule 3 of the Accounts Rules requires companies to maintain a daily back-up of books of account⁸ This includes other books and papers of the company maintained in electronic mode (including at a place outside India), to be kept in servers physically located in India. Since audit trail would fall under the definition of books of account, a daily backup of the audit trail would also be required to be maintained in a server physically located in India.

---

To access the text of the revised implementation guide, please click here

On 7 February 2024, ICAI issued the following revised Standards on Auditing (SAs):

• SA 800 (Revised), Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks
• SA 805 (Revised), Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement
• SA 810 (Revised), Engagements to Report on Summary Financial Statements

(Together referred to as the ‘revised standards’)

The key changes in the revised standards is:

• Auditors should consider the requirements of SA 700 (Revised), Forming an Opinion and Reporting on Financial Statements, while forming their opinion
• Auditors should also address specific considerations relating to issues such as going concern, key audit matters, other information, etc. while forming their opinion.

Effective Date: The revised SAs would be applicable to audits/engagements for financial years beginning on or after 1 April 2024. The extant SA 800, SA 805 and SA 810 would continue to apply to audits/engagements for the financial year 2023-24.

---

To access the text of the revised SAs, please click here