Explore the mandatory audit trail requirement for all companies from April 1, 2023. Learn about the amendments, implications, and responsibilities for companies and auditors.
This short article is on the subject of mandatory requirement for all companies (big or small) to record transactions in a software which has audit trail feature. The requirement also extends to auditors of such companies who are required to give details of existence of such audit trail in their report to the shareholders of companies.
The Companies (Accounts) Rules, 2014 & Companies (Audit and Auditors) Rules, 2014 have been amended to facilitate audit trail related matters. The actual amendment and its implication are discussed in brief hereunder.
Companies (Accounts) Rules, 2014 (“Accounts rules”) has been amended to enable the above. This rule (Accounts rules) requires that with effect from 1st April 2023 every company which uses accounting software for maintaining books of accounts shall use such accounting software which has
a) the feature of recording audit trail of each and every transaction,
b) creating an edit log of each change made in books of accounts along with
c) date when such change was made and
d) ensure that the audit trail cannot be disabled.
It also provides the following:
a) the books of accounts shall remain accessible in India at all times.
b) that the back-up of the books of account and other books and papers of the company maintained in electronic mode, including at a place outside India, if any, shall be kept in servers physically located in India on a daily basis.
Companies (Audit and Auditors) Rules, 2014 (Audit rules) has been amended on 24-03-2021 whereby an additional reporting point has been incorporated in Auditors report which is as under (this point has been split into various components for clear understanding of the requirement:
“Whether the company has used such accounting software for maintaining its books of accounts which has a feature of
- recording audit trail (edit log) facility and
- the same has been operated throughout the year
- for all transactions recorded in the software and
- the audit trail feature has not been tampered with and
- the audit trail has been preserved by the company as per statutory record for record retention.
This additional clause was initially made applicable from 1st April 2021, then postponed to 1st April 2022 and now is applicable from 1st April 2023.
This clause casts an onerous responsibility on auditors of the company to report in specific on the above points. For this purpose, companies must record entries in their “books of accounts” from 1st April 2023 in such a way that details of transactions along with who recorded and when (date and time) of recording the transaction has to be preserved. Apart from this, if the transactions undergo a modification or deletion, such details along with date and time of such action also needs to be preserved chronologically.
The rules are however silent on the following aspects:
a) The Rules don’t specify the fields or data sets for which audit trails are required to be maintained – whether transactional data and/or data pertaining to the transaction.
b) The word accounting software has not been defined anywhere in the act/rules. Will it include fixed asset registers, HR related documents and data/software, time sheets of employees, purchase orders, changes to vendor master data, or any other software with which the basic accounting software has an interface. If it so includes then an audit trail for all those associated software will also have to be verified.
c) Accounts rules requires back up to be maintained on a daily basis, does it mean that audit trail back up also needs to be taken on daily basis? Doing so would require huge IT space for which companies need to plan in advance.
d) The accounts rules mandate that companies should use accounting software which has a feature of recording audit trail….. In case a company is not able to procure such a software or has procured midway will it be construed as non-compliance with the Companies Act, 2013 for which the company, its Directors and its KMP may be penalized.
Some thoughts on audit trail and audit requirements
1) No other country in the world has such a mandatory requirement for maintaining books of accounts and for auditors of companies to comment on audit trail. A spate of failures of financial institutions and large corporations has led the government to bring about these measures whereby the government hopes to get details of transactions which have been deleted/modified. One is not sure how such audit trail data would even be helpful as companies will only give justification as to why the deletion or modification was done, if at all the audit trail data is available to government authorities when it is required.
2) Work of finance professionals is going to increase as they have to pass entries with 100% accuracy first time around. Any modification/deletion will leave an audit trail scar for them to answer.
3) This requirement casts a huge responsibility for small companies who cannot afford such a software and even if they can afford the cost of maintaining books of accounts in such a software is going to be a challenge in terms of cost and finding right man-power.
4) Already this audit trail requirement has been postponed twice, so one needs to watch the space for notification/guidance from MCA or ICAI and typically this is going to come (if at all) only on 31st March 2023 (Friday). If it does not come, then ALL companies will be caught in the wrong foot from the first day of the new financial year if they are not adequately prepared.
5) IT systems of companies was subject to audit by auditors only in large companies, now with the introduction of audit trail and reporting thereon, auditors will have to do an audit of IT environment of all companies. This is going to consume more audit time and will result in higher audit cost for companies.
6) Auditors should be equipped (in terms of IT knowledge and related resources) for performing this kind of audit and of course that is going to come only from 1st April 2024, so auditors might have some time to catch up.
7) ALL companies will have to immediately take a look at their accounting software and check if it has all these features. They will have to get in touch with their auditors and understand their requirements as lack of such co-ordination will lead to missed communication during audit time.
8) Considering huge compliance requirements for companies, small companies can seriously consider converting to LLP as almost none of the provisions of Companies Act, 2013 would be applicable to LLP (barring few which do not have major implications) and LLP seems to be a more tax efficient vehicle as well.
9) All companies should get in touch with their auditors before 31st March 2023, present to the auditors the plan of action to comply with the Rules and discuss with the auditors on what their approach is going to be while reporting on this specific clause in the audit report. This will ensure that auditor and auditee are on the same page from day one.
Dear Narasimhan,
Many large accounting systems (ERP systems) consist of multiple smaller modules such as HR, accounts payable, treasury, expense systems etc. The core module for an accounting system would normally be considered the general ledger. Is the act intended to focus on the general ledger or all modules that feed into an accounting system or the general ledger? Would a change to master data such as customer information or supplier information be considered a transactional change requiring an audit log? Would a change to a voucher, that is still pending entry into the general Ledger be considered a transactional change requiring an audit log?
Your expert option would be much appreciated.
There is a confusion in the applicability of this reporting. MCA amended the Accounts rule to extend the applicability of requirement of audit trail w.e.f 1 April 2023. However no extension has been brought to the Audit and Auditors Rule, wherein the reporting requirement is still w.e.f 1 April 2022. Please clarify
Hi, the Audit rules were amended by MCA vide notification G.S.R. 248(E) dated 1
st April, 2021 wherein the following words have been substituted…Whether
the company, in respect of financial years commencing on or after the 1st April, 2022″. This amendment would cover a situation where if the Accounts rules gets amended in this regard, it would have an automatic effect on the Audit rules.
It is not cleat wheather compnanies have to perform ‘day end’ of the accounts each and every day like banks do.
what about the vouchers which are pending with other department for verifivation and confirmations.
Hi, I understand this predicament. To the extent bills/invoices and vouchers are approved and received by the accounts team, it is better that the accounts team does the accounting immediately. Preferably, the accounting date would be the date of the transaction and not day of accounting. If the delay is going to be a day or two and if there is a valid explanation for the delay it should not be a problem. Matching dates with gstr 2a and payment of tds etc would be practical difficulties to be taken care of. Further statutory auditors are not going to look into reasons for delay. If you see their report all that is required of them to report is whether the accounting s/w has audit trail feature, whether the feature was there throughout the year for all the transactions and has not been tampered with. Hope this helps!
J. Narasimhan, author of the post