“Understand the nuances of the Audit Trail as per the Companies Act, 2013 effective April 1, 2023. Explore provisions, applicability, responsibilities of companies and auditors, and key considerations for compliance. Stay informed about the latest changes in audit and reporting requirements.”
In this Article Author discusses everything about the Audit Trail. The Ministry of Corporate Affairs vide notification dated March 24, 2021, issued the Companies (Audit and Auditors) Amendment Rules, 2021 which made various changes in Rule 11 of the Companies (Audit and Auditors) Rules, 2014.
Provisions for Company:
Section 128
Rule 3(1) of Companies (Accounts) Rules, 2014
Provisions for Statutory Auditor:
Sections 143(3)(j)
Rule 11(g) of Companies (Audit and Auditors) Rules, 2014
Applicability
The requirement was initially made applicable for the financial year commencing on or after the 1st day of April 2021 vide notification G.S.R. 206(E) dated March 24, 2021. However, the applicability was deferred to financial year commencing on or after April 1, 2022, vide MCA notification G.S.R. 248(E) dated April 1, 2021.
However, its applicability has been deferred two times and this requirement is finally applicable from April 1, 2023.
INTRODUCTION
The concept of Audit Trail first time introduced in India. Globally, no similar reporting obligation exists for the auditors.
An audit trail is a step-by-step sequential record of all the events that occur in a computer system or application. This includes any actions taken by users, such as creating, modifying, or deleting files or data, as well as any system events, such as backups or updates. The purpose of an audit trail is to provide a complete and accurate record of all activity in the sy0stem, which can be used to trace the source of any errors or problems that may arise.
Audit Trail: Audit trails are a chronological record of the changes that have been made to the data. Any change to data including creating new data, updating or deleting data that must be recorded.
Basically, Audit trail based on Triple ‘W’ Approach i.e. When, Who What!
1. => when changes were made i.e, Date and Time (Time Stamp)
2. => who made those changes i.e., User ID
3. => what data was changed i.e., transaction reference; success/failur
Responsibility– It is responsibility of the management to implement Audit trail and it is responsibility of auditor to check and verify the effective implementation.
A. APPLICABILITY OF AUDIT TRAIL:
The Provisions of Audit Trail applicable on all the Companies including Small Company, Section 8 Company, One Person Company, Listed Company, Nidhi Company, Producer Company etc. All the Companies registered under Companies Act required to comply with the provision of the Audit Trail.
Que 1: Whether Audit Trail applicable on the LLP?
Ans: The provisions of Audit Trail applicable only on the Companies. It is not applicable to other entities like LLP, Partnership Firm, Sole prop etc.
Que 2: Whether Audit Trail applicable on the Foreign Company (Branch Office, Liaison Office)?
Ans: As per the Companies (Registration of Foreign Companies) Rules, 2014, the provisions of “Chapter X of the Act: Audit and Auditors” and Rules made there under apply, mutatis mutandis, to a foreign company as defined in the Act. Accordingly, the above reporting requirements would be applicable to the auditors of foreign companies as well.
Que 3: Whether Audit Trail applicable on the Consolidated Financial Statement?
Ans: Audit Trail applicable on both in case of standalone financial statements and consolidated financial statements.
Note: However, while reporting on consolidated financial statements, the auditor may observe that certain components included in the consolidated financial statements are (a) either not companies under the Act, or (b) some components are incorporated outside India. The auditors of such components are not required to report on these matters since the provisions of the Act do not apply to them.
B. TIME PERIOD TO KEPT RECORD OF AUDIT TRAIL:
Section 128(5) of the Act, which requires books of account to be preserved by companies for a minimum period of eight years, the company would need to retain audit trail for a minimum period of eight years i.e., effective from the date of applicability of the Account Rules (i.e., currently April 1, 2023, onwards).
Que 4: Whether any authority asks the Company to produce audit trail with them?
Ans: Authorities are allowed to ask for the Books of Accounts and Books or papers from the Company time to time. Audit trail as part of Books of Account can be ask by the authorities.
C. PLACE TO MAINTAIN SOFTWARE OF AUDIT TRAIL:
The accounting software may be hosted and maintained in India or outside India or may be on premise or on cloud or subscribed to as Software as a Service (SaaS) software.
Further, a company may be using software which is maintained at a service organization.
For example, the company may have outsourced its payroll processing with a shared service center and the shared service center may use its own software to process payroll for the company.
D.BACK UP:
As per provisions of Rule 3 of the Companies (Accounts) Rules the back-up of the books of account and other books and papers of the company maintained in electronic mode, including at a place outside India, if any, shall be kept in servers physically located in India on a daily basis.
One can opine that, according to this amendment Companies are required to take backup of the Books of Accounts and Book & papers on DAILY BASIS if records are maintained in Electronic mode.
E. APPLICABILITY ON SOFTWARES:
It may be noted that any software used to maintain books of account will be covered within the ambit of this Rule. any software that maintains records or transactions that fall under the definition of Books of Account as per the section 2(13) of the Act will be considered as accounting software for this purpose
For e.g., if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act.
F. EACH AND EVERY TRANSACTION:
It may be noted that companies are required to maintain audit trail (edit log) for each change made in the books of account. Accordingly, the term ‘all transactions recorded in the software’ would refer to all transactions that result in change to the books of account.
For example, creation of a user in the accounting software may be construed as a transaction in the software. However, creating a user account in the accounting software would not change the records of books of account as defined in Section 2(13) of the Act whereas adding a new journal entry or changing an existing journal entry will be construed as a change made in books of account.
G. MANAGEMENT RESPONSIBILITY:
As per Rule 3(1) of the Companies (Accounts) Rules, 2014 every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.
Following are the prime responsibility of the Management:
a) use only such accounting software which has the following features:
-
- Records an audit trail of each and every transaction,
- Creating an edit log of each change made in the books of account
- along with the date when such changes were made; and
b) Ensuring that audit trail is not disabled and there is no option to disabled.
c) Effective Implementation
H. AUDITORS RESPONSIBILITY (Reporting in Audit Report):
Rule 11(g) casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report.
in addition to requiring auditor to comment on whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:
i. whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
ii. whether the audit trail feature was enabled/operated throughout the year?
iii. whether all transactions2 recorded in the software are covered in the audit trail feature?
iv. whether the audit trail has been preserved as per statutory requirements for record retention?
I. CHECKING PROCESS BY AUDITOR?
i. The auditor may review entries in software, on a sample basis,
ii. The audit trail records maintained by management for each applicable year and
iii. Evaluate Management controls for maintenance of such records without any alteration and retrievability of logs maintained for the required period.
J. AUDIT DOCUMENTATION
The auditor may document the work performed on audit trail such that it provides:
i. a sufficient and appropriate record of the basis for the auditor’s reporting under Rule 11(g); and
ii. evidence that the audit was planned and performed in accordance with this Implementation Guide, applicable Standards on Auditing and applicable legal and regulatory requirements.
******
Author – CS Divesh Goyal, GOYAL DIVESH & ASSOCIATES Company Secretary in Practice from Delhi and can be contacted at csdiveshgoyal@gmail.com).
Author Bio
Hi Divesh,
Is there any threshold limit for this Audit Trail applicability?
Hello Divesh, During the stat Audit, the auditor is demanding the back up ( or the proof of back up) done during FY 22-23. He is demanding the data trail of Dec 22 which was 7 months ago. Our data is backed up daily basis and the service provider only keeps a weeks report ( that is at any point of time, we will have data from inception till the week) In short we will have 7 full back ups. The auditor insists for 7 motnhs old record. Is this a legitimate query ?