Regulatory updates

Auditing updates

Updates from ICAI

On 24 March 2021, the Ministry of Corporate Affairs (MCA) issued certain amendments to the Companies (Accounts) Rules, 2014 (the Accounts Rules) and the Companies (Audit and Auditors) Rules, 2014 (the Audit Rules) with regard to the audit trail of transactions recorded in accounting software (audit trail).

As per Rule 3(1) of the Accounts Rules, every company which uses an accounting software for maintaining its books of account, should use only such an accounting software which has the following features:

  • Records an audit trail of each and every transaction
  • Creates an edit log of each change made in the books of account along with the date when such changes were made, and
  • Additionally, companies must ensure that the audit trail is not disabled.

Companies are required to comply with the audit trail requirements from 1 April 2023. Further, Rule 11(g) of the Audit Rules read with Section 143(3) of the Companies Act, 2013 prescribes the reporting responsibility of the auditors with regard to audit trail. In this regard, an auditor is required to provide his/her comments in the auditor’s report stating that the company has used such an accounting software for maintaining its books of account which has a feature of recording audit trail facility. Auditors should also comment on whether:

  • The audit trail feature has been in operation throughout the year, for all the transactions recorded in the software
  • The audit trail feature has not been tampered with, and
  • The audit trail has been preserved by the company as per the statutory requirements for record retention.

Auditors are required to report on the audit trail requirement with effect from 1 April 2022. With a view to provide guidance on the reporting requirements and procedures that auditors should adopt while discharging their reporting responsibilities on the audit trail features, on 28 March 2023, ICAI issued an Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 (IG). The key guidance provided by the IG is given hereunder:

  • Scope of applicability: The requirement to implement and maintain an audit trail is applicable to all companies which prepare their financial statements as per the provisions of the Companies Act, 2013 (this implies that the audit trail feature would also apply to Section 8 companies and a foreign company as defined in the 2013 Act). Further, this feature would apply for both standalone as well as consolidated financial statements. Auditors of the companies which are within the scope of applicability would be required to report on whether the auditee companies have complied with the stated requirements. For the purpose of reporting on this clause in the consolidated financial statements, auditors would need to assess the matters reported by the auditors of subsidiaries, associates and joint ventures that are Indian companies. While making such assessments, auditors of the holding company should apply the principles of Standard on Auditing (SA) 600, Using the Work of Another Auditor.
  • Absence of compliance due to different applicability dates: Companies are required to comply with the audit trail feature from 1 April 2023; however, auditors are required to report on the audit trail feature of the management from 1 April 2022. Therefore, there is likely to be a scenario for the financial year 2022-23 where, in the absence of a compliance requirement for the companies, auditors would not be able to report under the Audit Rules.
  • Preservation of audit trail: The management should retain the records pertaining to audit trail as per the statutory requirements for record retention i.e., a period of eight years from the date of applicability of the audit trail requirement in the Accounts Rules i.e., from 1 April 2023.
  • What is an ‘audit trail feature in an accounting software’: The IG defines and provides key considerations pertaining to an accounting software and the audit trail requirement. This is given as below:
    1. Accounting software: The definition and other features of an accounting software are given as below:
      1. Accounting software is a computer program or system that enables recording, maintenance and reporting of books of account and relevant ecosystem applicable to business requirements. The functionality of such accounting software differs from product to product. As every organisation employs multiple software for accounting, operations and other requirements like consolidation, collection of data, etc. the guide emphasises that only the accounting software which is relevant for maintaining books of account should be considered for enabling of audit trail.
      2. Accounting software may be hosted and maintained in India or outside India
      3. Accounting software may be on the premise or on a cloud or subscribed to as Software as a Service (SaaS) software or maintained at a service organisation.
      4. In scenarios wherein the accounting software is supported by service providers, the independent auditor’s report of the service organisation should be considered to ensure compliance with audit trail requirements.
      For ease of reference for the practitioners and the companies, the IG has provided the illustrative list of accounting software used by the companies.
    2. Audit trail: Audit trail is a visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source. Audit trails are a chronological record of the changes that have been made to the data. Any change to data, including creating new data, updating or deleting data, must be recorded. Records maintained as audit trail may include the following information:
      1. When changes were made i.e., date and time (timestamp)
      2. Who made the change i.e., user ID
      3. What data was changed i.e., data/transaction reference; success/failure
    Audit trails may be enabled at the accounting software level depending on the features available in such software or the same may be captured directly in the database underlying such accounting software.
  • Management’s responsibility: It is the primary responsibility of the management of the company using an accounting software to ensure that an audit trail is effectively implemented as per the requirements stipulated in the Accounts Rules. The key points for implementation and maintenance of an audit trail feature include the following:
    1. Identify what constitutes books of account
    2. Identify the software
    3. Ensure the software has audit trail feature
    4. The audit trail should capture changes to each and every transaction
    5. There should be controls to ensure that changes to the configurations of the audit trail feature are authorised and logs of such changes should be maintained.
    6. The audit trail feature should always be enabled at database level, and controls should be implemented for the same.
    7. The audit trail should be protected from any modification.
    8. There should be controls to ensure that periodic backups of the audit trails are taken and archived
    9. There should be controls over maintenance and monitoring of audit trail and its feature, to ensure they are designed and operating effectively throughout the period of reporting.
    10. There should be controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.
    11. There should be controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs should be maintained, whenever the audit trails have been accessed.
  • Responsibility of the auditor: Auditors are required to comment on whether the company is using an accounting software which has a feature of recording audit trail. Additionally, the auditor should report on whether the audit trail feature is configurable, whether it operated throughout the year, whether all transactions in the software are covered in the audit trail feature, and whether the audit trail feature has been preserved for record retention. Some of the key responsibilities of the auditor include the following:
    1. The auditor’s responsibility under the Audit Rules is restricted to transactions which have been recorded in the accounting software and subsequent changes made thereto
    2. With regard to the auditor’s procedures to verify a company’s compliance with the requirements of maintaining an audit trail, the auditor needs to perform the following key procedures:
      1. Assess on a test basis, whether the audit trail has been configured and enabled for the identified
      2. The software configuration that controls enabling or disabling of the audit and access to such configuration.
      3. Changes to the audit trail configuration during the period of audit and management’s review mechanism for such changes
      4. Completeness and accuracy of audit trail or edit logs
      5. Testing that management has performed to assess the completeness and accuracy of the audit trail
      6. Evaluate the management’s approach regarding identification of accounting software considered for the purposes of maintenance of audit trail
      7. Inquire with the management on how they evaluated changes that are required for the maintenance of audit trail as part of changes or upgrades to the accounting software
      8. Consider involvement of specialists or experts to assist in evaluation of management controls and configurations in the accounting software with regard to audit trail
      9. Reviewing the independent auditor’s report of the service organisation in scenarios where the company’s accounting software is supported by service providers
      10. Inquire and understand from the management regarding the procedures implemented to preserve the records as per the statutory record retention period.
    3. Reporting considerations: The auditor is expected to evaluate the reporting implications by giving due consideration to SA 250, Consideration of Laws and Regulations in an Audit of Financial Statements.
    4. Special considerations in case of fraud: In scenarios wherein the occurrence of an error or fraud cannot be established due to lack of maintenance, availability or retrievability of audit trails, the auditor should consider performing an assessment of risk of material misstatements due to fraud. Professional judgement should be applied while determining reporting implications under the audit report, including under CARO.
    5. Reporting on internal financial controls: An auditor should state in his/her audit report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls. Where the feature of audit trail has not operated throughout the year, the auditor may need to appropriately modify his/her comment while reporting under Rule 11(g) depending upon further testing/examination. However, it should be noted that mere non-availability of audit trail does not necessarily imply failure or material weakness in the operating effectiveness of internal financial controls over financial reporting.
    6. Written representations: Auditors should obtain a written management representation; the IG has provided an illustrative management representation letter.
    7. Audit documentation: The auditor should comply with the requirements of SA 230, Audit Documentation to document the work performed on the audit trail.


Action Points for Auditors

Maintaining an audit trail is a significant requirement for companies in terms of the resources and infrastructure needed to implement it. It also casts an important responsibility on the auditors to report on the same in accordance with Rule 11(g) of the Audit Rules read with Section 143(3) of the Companies Act, 2013. Thus, the auditors should evaluate the necessary audit procedures required and audit evidence needed to report on the same. Further, they should also engage with the companies and discuss the key organisational-level changes that may be required for implementing this. Some of the important considerations in this regard include:

  • Has the company identified all accounting software that would get covered under the provisions of the audit trail rules?
  • Has the company made the necessary arrangements and additional investment for maintenance of daily backups and generating and maintaining audit trails?
  • Whether necessary processes and controls are in place regarding the access of audit trail, avoidance of data tampering and ensuring that the audit trail feature is not disabled at any point in time?
  • Whether a periodic review of the user access (i.e., the users who can access, review, make changes etc. to the accounting software) is performed?
  • In case of a third party or outsourced software, has the company obtained a Service and Organisation Control (SOC) report for evaluating the compliance with the regulatory requirements of daily backup and audit trail?
  • Whether the logs are being maintained as per the retention requirements and retrieval of the same is possible?
