Introduction: Under the Companies Act, 2013, auditors are obligated to report on various matters, including the audit trail. This article delves into the reporting requirements, implications, and responsibilities of both management and auditors.
A) What is the reporting requirement for audit trail?
- The Companies Act, 2013 mandates auditors to report on various matters in their auditor’s report, and Section 143(3)(j) requires them to state any other prescribed matters. Rule 11 of the Companies (Audit and Auditors) Rules, 2014 specifies these additional matters.
- The Ministry of Corporate Affairs had made changes to Rule 11 in 2021 with the Companies (Audit and Auditors) Amendment Rules, 2021, including a new reporting requirement (Rule 11(g)) that compels auditors to report on the use of accounting software by companies for bookkeeping with a feature that records an audit trail. This rule casts an onerous responsibility on auditors as the scope of reporting under this rule is very wide.
- The requirement was initially made applicable for financial years commencing on or after 01 April 2021; however, it was deferred by 1 year to financial years commencing on or after 01 April 2022. Later, vide notification dated 31 March 2022, the MCA again extended the implementation of audit trail software to financial years commencing on or after 01 April 2023.
B) What is the notification?
Extract of the Proviso to Rule 3(1) of Companies (Accounts) Rules, 2014
“every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled”
What is Audit Trail?
An audit trail is defined as a step-by-step sequential record which provides evidence of the documented history of financial transactions to its source.
What is the Management's responsibility for this reporting?
The management has the responsibility of selecting an accounting software for maintaining its books of account which has the following features:
- Records an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made; and
- Ensures that the audit trail is not disabled
It should be noted that the accounting software may be hosted and maintained in India or outside India, may be on-premise or on cloud, or may be subscribed to as Software as a Service (SaaS). Further, a Company may be using software which is maintained at a service organization.
What is the Auditor’s responsibility?
In addition to requiring an auditor to comment whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:
- Whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
- Whether the audit trail feature was enabled/operated throughout the year?
- Whether all transactions recorded in the software are covered in the audit trail feature?
- Whether the audit trail has been preserved as per statutory requirements for record retention?
Other key notes –
- Reporting is applicable to all classes of Companies, including Foreign Companies and Section 8 Companies
- Where the books of account are maintained entirely manually, the reporting responsibility would not be applicable
- Auditor is required to comment on the audit trail for both standalone and consolidated financial statements.
- In order to ensure that the audit trail feature was functional, operated and was not disabled, a Company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors.
What is the preservation requirement of Audit Trails?
Considering the requirement of Section 128(5) of the Act, which requires books of account to be preserved by Companies for a minimum period of eight years, the Company would need to retain audit trail for a minimum period of eight years.
Audit approach
A. The Auditor shall ensure that the management takes primary responsibility for:
- Identifying the records and transactions that constitute books of accounts
- Identifying the software
- Ensuring existence of Audit Trail feature
- Ensuring that the audit trail captures the when, who and what of all changes; is always enabled; is protected from any modifications; and is retained as per statutory requirements
- Ensuring that controls over audit trail are designed and operating effectively
B. The Auditor shall primarily check the following controls to verify the validity of the Audit Trail:
- Controls to ensure that audit trail feature is not disabled or deactivated
- Controls to ensure that User IDs are assigned to each user and are not shared
- Controls to ensure that no unauthorised changes are made and logs are maintained
- Controls to ensure that access to the logs is restricted
- Controls to ensure that periodic backups are taken and archived
C. The Auditor shall also:
- Assess management’s identification of records and transactions where audit trail needs to be verified
- Evaluate management’s approach regarding identification of accounting software
- Inquire with the management how they evaluated changes required for maintenance of audit trail
- Involve specialists or IT experts, wherever required.
D. Other points:
- In case of accounting software supported by service providers, the Company’s management and the auditor may consider using the independent auditor’s report of the service organisation (i.e., SOC 2).
- Inquire with management to understand the procedures implemented to preserve the records as per the statutory record retention period.
Conclusion: The reporting requirement for audit trail necessitates meticulous attention from both management and auditors. Compliance ensures transparency, integrity, and accountability in financial reporting.
*****
The contributors to the Article are Sumit Mahajan, AccuWiz Consulting LLP along with inputs from CA Jinesh Sethia and CA Atul Bharadwaj.
Disclaimer: The content/information is only for general information of the user and shall not be construed as legal advice. The facts stated are based on information available in public domain. Views expressed above are personal.