I am writing to bring to your attention the recent updates regarding the Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, for the year 2024. It is crucial that we adhere to these updates in our audit reports to ensure compliance and maintain the highest standards of our profession.
Reporting Paras in Audit Report SA 700/705
1. Instances of Unmodified opinion para:
i. Based on our examination, which included test checks, the Company has used accounting software for maintaining its books of account for the financial year ended March 31, 2024, which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of the audit trail feature being tampered with.
As proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable from April 1, 2023, reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 on preservation of audit trail as per the statutory requirements for record retention is not applicable for the financial year ended March 31, 2024.
ii. Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 for maintaining books of account using accounting software which has a feature of recording audit trail (edit log) facility is applicable to the Company with effect from April 1, 2023. Based on our examination which included test checks, the company has used accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered.
As proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable from April 1, 2023, reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 on preservation of audit trail as per the statutory requirements for record retention is not applicable for the financial year ended March 31, 2024.
2. Instance of Modified opinion
i. Based on our examination which included test checks, except for the instances mentioned below, the Company has used accounting software for maintaining its books of account, which have a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the respective software:
The feature of recording audit trail (edit log) facility was not enabled at the application layer of the accounting software relating to revenue, trade receivables and general ledger for the period 1 April 2023 to 13 November 2023 and relating to property, plant and equipment for the period 1 April 2023 to 14 December 2023.
The feature of recording audit trail (edit log) facility was not enabled at the database level to log any direct data changes for the accounting software used for maintaining the books of account.
Further, for the periods where audit trail (edit log) facility was enabled and operated throughout the year for the respective accounting software, we did not come across any instance of the audit trail feature being tampered with.
As proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable from April 1, 2023, reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 on preservation of audit trail as per the statutory requirements for record retention is not applicable for the financial year ended March 31, 2024.
ii. Based on our examination which included test checks and in accordance with requirements of the Implementation Guide on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, except for the instances mentioned below, the Company has used accounting software for maintaining its books of account, which have a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the respective software:
The feature of recording audit trail (edit log) facility was not enabled at the database layer to log any direct data changes for the accounting software used for trade scheme masters.
We are unable to comment if the audit trail (edit log) facility was enabled at the database layer to log any direct data changes for accounting software operated by a third-party service provider and used for maintaining purchase orders in absence of independent auditor’s report in relation to controls at the third-party service provider.
Further, where audit trail (edit log) facility was enabled and operated throughout the year, we did not come across any instance of audit trail feature being tampered with during the course of our audit.
As proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable from April 1, 2023, reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 on preservation of audit trail as per the statutory requirements for record retention is not applicable for the financial year ended March 31, 2024.
3. Reporting Paras in Audit Report SA 700 where the books of accounts are maintained manually
Where the books of account are entirely maintained manually – the assessment and reporting responsibility under Rule 11(g) is not applicable.
Important Frequently Asked Questions (FAQs)
Q.1 Whether banks and NBFCs are covered under audit trail requirement?
Ans: All companies (including banks and NBFCs) incorporated under the Companies Act, 2013 are required to comply with audit trail requirement, so there is no exemption for such banks and NBFCs from audit trail requirement.
Q.2 Are auditors required to comment on details of audit trail logs?
Ans: As per Rule 11(g), the auditor needs to comment only on the below cited aspects:
Whether the company has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility.
Whether the audit trail operated throughout the year for all transactions recorded in the software.
Whether audit trail feature has not been tampered with.
Whether audit trail has been preserved by the company as per statutory requirements for record retention.
Accordingly, there is no requirement for auditors to comment on the details of audit trail logs.
Q.3 Is audit trail required to be enabled at database level even if access to database in an ERP is restricted to only one user and the log of such user making any such change is enabled?
Ans: The access to the database to one or more users should be decided by the company depending on its operating and business needs after appropriately designing the internal controls and ensuring the operating effectiveness of such controls. Changes made directly at the database level will impact the books of account and hence audit trail is required to be enabled at the database level also.
Q.4 Does the auditor need to do testing in the ERP of the company or the auditor can simply rely on representation from the management?
Ans: The auditor is required to carry out necessary audit procedures and obtain sufficient and appropriate audit evidence for their reporting under Rule 11(g). The auditor cannot simply rely on Representation from the management. The nature, timing and the extent of the auditor’s procedures will depend on various factors e.g. the company’s accounting software, auditor’s understanding of the audit trail configurations, design and operating effectiveness of internal controls over audit trail. Detailed guidance for statutory auditors of companies is given in the Implementation Guide.
Q.5 In case log of entire chain of changes are not maintained, however, software maintains only log of last/latest changes, will this be adequate? Or absence of log of entire chain of changes will result into modified comment while reporting under Rule 11(g)?
Ans: As per requirement of Rule 3(1) of the Companies (Accounts) Rules, 2014, each and every change should be logged and should be available in the logs. Retaining only the last/ latest changes will not serve the purpose of compliance with audit trail requirements. Accordingly, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).
Q.6 Where the independent auditor’s report of service organization that includes the maintenance of audit trail, is not co-terminus with the company’s financial year (e.g. such SOC 2/SAE 3402 report is for the period till December 31, 2023 whereas the company’s financial year Ends on March 31, 2024) – how should the auditor of the company consider such SOC 2/SAE 3402 report for their reporting under Rule 11(g)?
Ans: Rule 11(g) requires the auditor to report explicitly that the audit trail operated throughout the year and hence the auditor would require sufficient and appropriate audit evidence that the audit trail operated throughout the year. Where the accounting software is maintained by third party service organization and the auditor of the company is unable to obtain sufficient and appropriate audit evidence for the full reporting period with regard to maintenance of audit trail, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).
Q.7 Will maintaining a backup of ERP in a server situated in India is sufficient to be compliant with the requirement of audit trail?
Ans: No, backup requirements are different from the audit trail requirements. Companies that use accounting software to maintain their books of account are required to comply with audit trail requirements irrespective of whether backup of such data exists in India. If ERP software does not have audit trail feature, then maintaining its backup would not be sufficient to ensure compliance with audit trail requirements. As per requirement of the Companies (Accounts) Rules, 2014, accounting software having audit trail feature is required to be implemented from 1st April 2023 and in case of any non-compliance, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).
Q.8 Whether a single report showing all edits done during the year containing all details as required is sufficient for the audit trail purpose?
Ans: A single report produced by a company’s accounting software showing all edits done during the year containing all details as required may not be practically possible considering the volume of transactions and changes made thereto during the year in a company. However, if the company’s accounting software produces a single report detailing all changes to books of account and the auditor is able to obtain sufficient and appropriate audit evidence to support their reporting on audit trail then that may be sufficient for the purpose.
Q.9 If an accounting software provides error log and this error log is editable, will this satisfy the requirement of audit trail?
Ans: No, an error log would not satisfy the requirements of audit trail. Usually, an error log may not record changes to books of account and may not capture when the record was created/changed.
Q.10 The auditor is required to report as to “whether, in his opinion, proper books of account as required by law have been kept by the company so far as appears from his examination of those books and proper returns adequate for the purposes of his audit have been received from branches not visited by him” under the section “Report on Other Legal and Regulatory Requirements” in the auditor’s report [Section 143(3) (b) of Companies Act, 2013]. The auditor is Also required to state any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith [Section 143(3) (h) of Companies Act, 2013]. Under Rule 11(g), specific reporting on audit trail is required under the section “Report on Other Legal and Regulatory Requirements” in the auditor’s report. If the auditor has modified the comment while reporting under Rule 11(g) on audit trail, whether this will also impact the reporting pursuant to Section 143(3) (b) and Section 143(3) (h)?
Ans: Yes, the requirement of accounting software having audit trail feature has been added in the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 which deals with ‘Manner of Books of Account to be Kept in Electronic Mode’. Hence, any modified comment while reporting under Rule 11(g) will have to be considered while reporting under Section 143(3) (b) and Section 143(3) (h) in accordance with the provisions of the Companies Act, 2013. For example, if the audit trail was not operating for part of the year or throughout the year, the auditor will also be required to consider this while reporting under Section 143(3) (b) and Section 143(3) (h) in addition to reporting under Rule 11(g).