File No.NF-20011/3/2020-O/o CGM(AK)
Government of India
National Financial Reporting Authority
7th Floor, Hindustan Times House,
Kasturba Gandhi Marg, New Delhi
Subject: Draft Procedure for Submission of Audit Files to NFRA.
In pursuance of the duties cast upon it under the Companies Act, 2013, and NFRA Rules, 2018, NFRA proposes to prescribe the procedures to be followed by all entities regulated by NFRA for submission of Audit Files to NFRA. NFRA invites comments from regulated entities on the procedure described in this draft document in Annexure A. Your comments should be mailed to [email protected] before 31st of May 2020. The email shall contain full contact details of the sender including name, mobile number, professional address and membership number. Comments without these minimum identification requirements will not be considered.
Draft Procedure for Submission of Audit Files to NFRA.
These procedures are applicable to all audit firms/ chartered accountants (referred to as entities in these procedures) covered under the jurisdiction of the National Financial Reporting Authority (NFRA) as laid down vide Section 132 of the Companies Act, 2013, read with NFRA Rules 2018. These procedures govern the submission of Audit Files to NFRA and are issued under the mandate given to NFRA by the Companies Act 2013, and to discharge the functional responsibilities defined under NFRA Rules 2018, particularly under Rule 8 (1).
2. Audit Files are defined by para 6(b) of SA 230 Audit Documentation. It may be noted that the SAs are prescribed/deemed to have been prescribed by the Central Government in exercise of its powers under sec 143(10) of the Companies Act, 2013. The SAs are, therefore, subordinate legislation. Failure to comply with the SAs will amount to violation of the provisions of law.
3. It may also be noted that one of the purposes of audit documentation is “Enabling the conduct of external inspections in accordance with applicable legal, regulatory or other requirements.”
4. The generic procedural requirements described in this document are not a full specification for the Audit Files. They form a baseline which sets out the minimum requirements necessary to be complied with by entities while submitting Audit Files to NFRA for any purposes.
5. As required by law, all entities must establish policies and procedures to ensure that Audit Files are organised, and maintained, in a manner completely consistent with the law, and are retained and accessible as long as prescribed. Similarly, Audit File management requirements should be incorporated into the entity’s IT policies, wherever applicable.
6. The Audit File has to be submitted in an electronic format to NFRA. Though entities are free to follow electronic, manual or hybrid methods of maintaining audit files, the final Audit File submitted to NFRA has to be compiled in an electronic format conforming to the minimum requirements mentioned in this document. Care should be taken to maintain the integrity, authenticity, readability and completeness of the records while converting to/preserving in an electronic format. The original formats should not be changed except as provided in this document. Wherever hard copies/physical files/records are maintained; the entity shall take measures to ensure the integrity of such records. The hard copies shall be serially numbered, dated and signed and sealed, wherever applicable. A log register shall be maintained in such cases and the copies of the log register shall form part of the submission to NFRA. All such hardcopies or physical files maintained shall be scanned to a PDF format with a scanning density of a minimum of 300 dots per inch (dpi).
7. NFRA will only accept files in the formats of Portable Document Format (PDF), MS Word, MS Excel or MS PowerPoint, or any equivalent file formats, or any combination of the same. Other file formats (e.g.: MOV, AVI, MP4 etc.) will be accepted in the original/native format if the conversion of such files into PDF is either not possible or such conversion will compromise the integrity/ authenticity/ readability/ completeness of such files/information in the files.
8. The Audit File submitted to NFRA in the formats specified in para 7 should contain an Index page in PDF format at the beginning. The index should list out the contents of the Audit File, grouped and sorted in a logical order. The submission must then maintain the referential integrity of all index data in subsequent sections.
9. Many entities use some documents/records management systems, or proprietary IT applications, for creation/collation/ management/preservation of Audit Files. Such applications must be able to export whole electronic folders of records of an Audit File along with the meta data, into a single PDF file such that the content and appearance of the electronic records are not degraded. All components of an electronic Audit File should be exported as an integral unit; for example, including emails with associated file attachments. All metadata associated with an electronic record should be linked to the record to which it belongs. Optionally, the metadata and other application related data can be presented in a PDF format with proper reference to the subsequent sections/folders/records that contain other records forming part of the Audit File. All pages of the PDF shall be serially numbered. Care should be taken to ensure that all the data related to the Audit File is exported to the output folders and is transferred to NFRA in its entirety. No additional documents or data will be allowed to be added to the Audit File after it is submitted to NFRA.
10. Such IT applications must have an audit trail (logs) built into the system, which tracks actions taken on electronic records, access, management, archiving, disposal, application related events, coding changes, version changes etc. to demonstrate authenticity and integrity of the Audit Files throughout the file lifecycle. The exported report as mentioned in para 9 shall contain the log reports of record addition, modification, deletion, archiving, retrieval, re-archiving, user logins, reviews, sign offs, and any modifications to the sign offs at appropriate sections of the output folder, linked to the record to which it belongs. The audit trail shall be unalterable and capable of recording all the actions that are taken upon an electronic record/IT application/meta data or software structure. The trail shall contain, inter alia, the details of the user initiating the action, the action taken and the date and time of the event.
11. In case an audit trail/log is not maintained in the existing application used by the entities or there is no log register, the fact shall be mentioned in the submitted Audit File. This will be viewed as an inherent weakness of the quality control policies of the entity.
12. All the records i.e., the reports/records exported from the IT application, electronic files directly obtained and kept at various electronic/digital storage locations, scanned PDFs of hard copies, copies of the log register, audit trail etc. shall be arranged in sequential order after the index page referred to in para 8.
13. Once the files are so indexed, sorted and arranged in sequential order, the files shall be placed in a single folder in the same order. The folder shall be compressed to reduce the size using WinZip or WinRAR or similar commonly used applications. When using compression to reduce file size, entities should use lossless compression to maintain the integrity of source data. Lossless compression produces smaller file sizes without removing any information. By use of lossless compression, the file size can be reduced to 85% to 90% of actual file size. The compressed file(s) should be uploaded to the specified File Transfer Protocol (FTP) location provided by NFRA. The auditor may install any commonly used FTP client for this purpose.
14. The covering letter/email accompanying the Audit File shall include the total number of pages in the attached Audit File, the total number of records/files/folders attached and the total size in MB of the attached audit file. The covering letter shall also contain a brief description about the entity’s policies, practices and tools used for maintaining Audit Files.
15. These procedures will be applicable till such time as they are not expressly revoked/amended/modified by NFRA.
16. The above procedures are applicable only with respect to the manner and form in which Audit Files need to be submitted to NFRA. They do not cover anything related to the Integrity of Audit Files, records/document management aspects, and the minimum functional and security requirements of the IT platforms used for Audit Documentation. Separate procedures/guidelines will be issued in this regard.