Requirement of the accounting software* having a feature of audit trail has been incorporated as a proviso to Rule 3(1) of the Account Rules and have been prescribed only in the context of books of account**. This is evidenced by the fact that as per the proviso to the Rule, the accounting software should be capable of creating an edit log of “each change made in books of account.”. Applicability of Account Rules will commence on or after April 1, 2023.
*Accounting Software is a computer program or system that enables recording, maintenance and reporting of books of account and relevant ecosystem applicable to business requirements. The functionality of such accounting software differs from product to product. Every organization today employs multiple software for accounting, its operations and other requirements like consolidation, collection of data.
**Books of Account as per Section 2(13) of the Companies Act, 2013 includes records maintained in respect of—
(i) all sums of money received and expended by a company and matters in relation to which the receipts and expenditure take place;
(ii) all sales and purchases of goods and services by the company;
(iii) the assets and liabilities of the company; and
(iv) the items of cost as may be prescribed under section 148 in the case of a company which belongs to any class of companies specified under that section;
Any software that maintains records or transactions that fall under the definition of Books of Account as per the section 2(13) of the Act will be considered as accounting software for purpose of Rule 11(g). For e.g., if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act.
What if books of account are entirely maintained manually
The assessment and reporting responsibility under Rule 11(g) will not be applicable and accordingly, same would need to be reported as statement of fact by the auditor against this clause.
In case of CFS (consolidated financial statements),
the principal auditor should apply professional judgment and comply with applicable Standards on Auditing, in particular, SA 600, “Using the Work of Another Auditor” while assessing the matters reported by the auditors of components that are Indian companies. Statutory requirement for Auditor
Section 143(3) of Companies Act, 2013 (“the Act”) provides various matters on which auditors are required to report. Clause (j) of Section 143(3) states that auditor’s report shall also state such other matters as may be prescribed. These matters are prescribed under Rule 11 of the Companies (Audit and Auditors) Rules, 2014.
Rule 11(g) casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’. In addition to requiring auditor to comment on whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:
It’s also possible that we may have outsources some part to service provider entity(ies) for e.g., Payroll work, in such case, the company’s management and the auditor may consider using independent auditor’s report of service organisation (e.g., Service Organisation Control Type 2 (SOC 2)/SAE 3402, “Assurance Reports on Controls at a Service Organization”) for compliance with audit trail requirements. The independent auditor’s report should specifically cover the maintenance of audit trail in line with the requirements of the Act.
As part of the audit approach, the auditor would need to ensure that the management assumes the primary responsibility to
(a) when changes were made,
(b) who made those changes,
(c) what data was changed,
In respect of preservation of audit trails: Section 128(5) of the Act requires books of account to be preserved by companies for a minimum period of eight years. Accordingly, company would need to retain audit trail for a minimum period of eight years i.e., effective from the date of applicability of the Account Rules (i.e., currently April 1, 2023, onwards). Inquire with management to understand the procedures implemented by the company to preserve the records as per the statutory record retention period. The auditor may review, on a sample basis, the audit trail records maintained by management for each applicable year and evaluate management controls for maintenance of such records without any alteration and retrievability of logs maintained for the required period of retention.
The auditor is expected to evaluate the reporting implications specifically giving due consideration to SA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”.
In respect of audit trail, following are likely to be expected scenarios:
i. Management may maintain adequate audit trail as required by the Account Rules.
ii. Management may not have identified all records/transactions for which audit trail should be maintained.
iii. The accounting software does not have the feature to maintain audit trail, or it was not enabled throughout the audit period.
Scenarios (ii) and (iii) mentioned above would result in a modified /adverse reporting against this clause.
Obtaining Written Representation
Auditor shall obtain written representations from management on the following aspects:
Auditor may document the work performed on audit trail such that it provides:
In this regard, auditor may comply with requirements of SA 230, “Audit Documentation” to the extent applicable.
The views contained in this article are personal and the contents of this document are solely for informational purpose and it does not constitute professional advice that may be required before acting on any matter.
The Learner can be reached at firstname.lastname@example.org.