Audit Trail – Mandatory requirement of Companies Act, 2013

The Ministry of Corporate Affairs (MCA) vide its notification No. GSR 206(E) dated March 24, 2021 has issued the ‘Companies (Audit and Auditors) Amendment Rules, 2021’ (hereinafter referred as ‘Audit Rules’) read with sub-section 3 of Section 143 of the Companies Act, 2013 (hereinafter referred as “the Act”) introducing new Rule 11(e), new Rule 11(f) and new Rule 11(g) and deleting Rule 11(d) Rule 11(g) says that-

“Whether the company, in respect of financial years commencing on or after the 1st April, 2023,

• has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility
• and the same has been operated throughout the year for all transactions recorded in the software and
• audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.

Responsibilities regarding the implementation of Audit Trail requirement.

1. Management is primarily responsible for the implementation and maintenance of audit trail feature in the accounting software.

2. Records an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made; and

3. Ensuring that audit trail is not disabled.

Auditor’s responsibility-

Rule 11(g) casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulator requirements’.

This has been explained in the paragraph below.

to elaborate, in addition to requiring auditor to comment on whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:

1. whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?

2. whether the audit trail feature was enabled/operated throughout the year?

3. whether all transactions2 recorded in the software are covered in the audit trail feature?

4. whether the audit trail has been preserved as per statutory requirements for record retention?

Audit approach-

1. Audit procedure to be performed-

• identify the records and transactions that constitute books of account under section 2(13) of the Act;
• identify the software i.e., IT environment including applications, web-portals, databases, Interfaces, Data Warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account;
• ensure such software have the audit trail feature
• ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:

1- when changes were made,

2-who made those changes,

3-what data was changed?

• ensure that the audit trail feature is always enabled (not disabled);
• ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;
• ensure that the audit trail is appropriately protected from any modification;
• ensure that the audit trail is retained as per statutory requirements for record retention
• ensure that controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout the period of reporting.

2. Auditor is required to obtain the written representation from the management.

Note-

• Mere non-availability of audit train feature in the accounting system does not indicate the material weakness in the internal control of the entity.
• Entity may use various accounting software and auditor has to verify all these software and report in accordance with the rule 11(g) for example- Entity uses following different software- 1) Sales 2) Payroll Processing 3) others.

Audit documentation-

The auditor may document the work performed on audit trail such that it provides:

(a) a sufficient and appropriate record of the basis for the auditor’s reporting under Rule 11(g); and

(b) evidence that the audit was planned and performed in accordance with this Implementation Guide, applicable Standards on Auditing and applicable legal and regulatory requirements in this regard, the auditor may comply with the requirements of SA 230, “Audit Documentation” to the extent applicable.