Audit trail – Implementation challenges and learnings from first year

Audit trail – Implementation challenges and learnings from first year

The Amendment in Rule 3(1) of the Companies (Accounts) Rules, 2014 (Accounts Rules) requires that all companies which uses accounting software for maintaining their books of account should use only such accounting software which has a feature of recording audit trail. This amendment is applicable from the financial year beginning on or after 01 April 2023. An audit trail has not been defined in the Companies Act, 2013 or in the Rules but the Implementation Guide on Reporting on Audit Trail issued by the Institute of Chartered Accountants of India (ICAI) defines it as a visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source. Audit trails are a chronological record of the changes that have been made to the data. Any change to data including creating new data, updating or deleting data that must be recorded. This feature should remain enabled throughout the financial year and should record the audit trail of every transaction by creating an edit log of each change made in the books of account along with the date when such changes were made and who made such change. It should also be ensured that the trail cannot be disabled. Further, the audit trail is required to be preserved by the companies for a minimum period of eight years i.e. all the companies will be required to preserve the audit trail for the year ended March 2024 for a period of eight years and so on.

Primary responsibility for compliance with the Companies Accounts Rules - Management

Rule 3(1) of Companies (Accounts) Rules, 2014 puts onus on the management to comply with the provisions of the audit trail. It is their primary responsibility to ensure selection of the appropriate accounting software for maintaining its books of account, which has a feature of recording audit Assurance EYe January 2025 28 Content trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such were made and ensuring that the audit trail cannot be disabled. To demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate. Further, management may decide to use a software which is maintained at a service organization.

Auditor’s responsibility

Section 143(3) of the Companies Act, 2013 provides various matters on which auditors are required to report in their auditor’s report. Clause (j) of Section 143(3) states that auditor’s report shall also state such other matters as may be prescribed. Rule 11 of the Companies (Audit and Auditors) Rules, 2014 (‘Audit Rules’) specifies such other matters that are to be reported by the auditor. Rule 11(g) of the said Rules mandates the auditor to report on the following:

First year of implementation of rule 3(1) of Companies (Accounts) Rules, 2014 and rule 11(g) of Companies (Audit and Auditors) Rules, 2014

First year of reporting has already been completed since the above amendment came into effect. The first year was a challenging year for some of the companies in terms of implementing the requirements of the Accounts Rules. Some of the challenges which led to reporting implications in the first year are summarized below :

Identification of software

Companies use multiple software within the entire business chain which have interface with the main accounting system and the robustness of these software varies depending on business needs, costs, etc. For processing salary, a company may use a software different from accounting of the same. The challenge comes in whether the software for processing salary also requires audit trail or not. Another example is POS system at the retail outlets, petrol pumps etc.

There would be many companies which operate as part of international chains. For e.g., a company in the business of hotels run by an international chain generally uses robust software created for room revenues, food, and beverage etc., which are tested centrally. Local companies which own the hotels may not be permitted to make any changes to this software and the extent of data visibility at the backend in terms of trails etc., may be visible only centrally at the Parent level of these operating international chains. It may be extremely difficult for local companies to get access to such data.

However, the ICAI guide provides that any software used to maintain books of account will be covered within the ambit of this rule. If sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoice would be covered under books of account under section 2(13) of the Act. Therefore, reference was made to the definition of the books of account for identification of the software which should be covered within the ambit of audit trail provisions.

Use of end user computing files like spreadsheets

These tools generally don’t have any audit trail feature. ICAI in its FAQs have clarified that “If a company uses end-user computing tools, like spreadsheets, then those tools may be classified as accounting software if the same provides direct and auto feed to the accounting software (accounting software as identified by management). In such case, the spreadsheet should be treated as part of books of account and the spreadsheet will attract the audit trail requirement”.

ICAI guide included clarification on use of spreadsheets for maintenance of books of account which was referred to by the companies and auditors while reporting for the first year of audit trail provisions. However, the intent of the rules is to ensure that the companies use accounting software for maintenance of books of account which has a feature of audit trail in accordance with the requirement of the rules.

Maintenance of audit trail for database level change.

The Companies Act Rules do not define scope of the audit trail feature. Further, while it is expected that each accounting software has its own way of capturing audit trails, no uniform manner of recording audit trail has been mandated under law. Also, the requirement of maintaining audit trails is applicable to all transactions recorded in the software. The ICAI Guide includes database level changes under the ambit of such audit trail requirements, which caused challenge for companies to comply with the requirement to have audit trail for all transactions recorded in the software due to limitation in some of the software. It has been clarified in the guide that audit trail is required to be enabled at ‘database’ level even if access to database January 2025 29 Content in an ERP is restricted to only one user and log of such user making any such changes is enabled. The Guide envisages that changes made directly at the database level will impact the books of account and hence audit trail is required to be enabled at the database level also.

Some of the companies have represented that a complete audit trail is maintained in such ERPs for all changes carried out to the books of account (as well as other data) through the application interface. However, an enabling audit trail for all the tables at the database level often results in sub optimal performance of the system, resulting in potential business disruption. Hence, audit trail is enabled for only for critical tables (which form part of the books of account) in the database while other tables are not enabled. While the management of the company may have put in place certain controls such as restricting access to the administrators and monitoring changes to configurations that may impact the audit trail, the auditor will be required to consider the requirement specified in the implementation guide for enablement of audit trail at ‘database’ level.

The absence of edit logs at the database level led to modifications in the report under the section ‘Report on Other Legal and Regulatory Requirements’. Considering this will be the second year of implementation, companies are expected to better prepare for complying with these requirements. The auditors will consider the impact of the previous year’s modification in the audit report for the current year.

Increasing costs of upgrades and storag.

Considering the requirement of Section 128(5) of the Act, which requires books of account to be preserved by companies for a minimum period of eight years, the company would need to retain audit trail for a minimum period of eight years i.e., effective from the date of applicability of the Account Rules (i.e., April 1, 2023, onwards). Further FAQ 18 of the ICAI guide also states that “The amended Rule 3 of the Companies (Accounts) Rules, 2014 requires that the back-up of books of account and other books and papers of the company maintained in electronic mode including at a place outside India, if any, shall be kept in servers physically located in India on a daily basis. These would include audit trail records as well since audit trail is required for books of account and the audit trail records would fall under the definition of books of account and other books and papers. Accordingly, audit trail records would require daily backup to be maintained in a server physically located in India.” This will be quite challenging for small or medium-sized companies to maintain hundreds to thousands of logs on a daily basis, which could be lengthy to store as they increase in size.

The additional feature of the audit trail and retaining the audit logs for a period of eight years will lead to additional costs for the companies.

Many companies have chosen to provide a note relating to their responsibility on the compliance with the audit trail provisions in the notes to the financial statements for the financial year ending 31 March 2024. The notes also explain how they have implemented the requirements pertaining to Rule (3) of Accounts Rules. Such disclosures were referred to by the auditor while reporting (clean/modified) in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’. Few examples of note included in the financial statements are given below:

Example 1

Pursuant to amendment by the Ministry of Corporate Affairs (MCA) in the Companies (Accounts) Rules 2014, the associate companies (XX Private Limited & YY Private Limited) are using accounting ERP systems for maintaining its books of account and other relevant books in electronic form in a server physically located in India for it to remain accessible in India at all times. Pursuant to amendment by the Ministry of Corporate Affairs (MCA) in the Companies Amendment Rules 2021, the company is using an accounting software for maintaining its books of accountant which has a feature of recording audit trail edit log facility and that has been operative throughout the financial year for all relevant transactions recorded in the software impacting books of account at application level.

Example 2

The Company has used accounting software for maintaining its books of account, which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, there are no instance of audit trail feature being tampered.

Example 3

As per Section 128 of the Companies Act, 2013 read with proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 with reference to use of accounting software by the Group for maintaining its books of account, has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such change were made and ensuring that the audit trail cannot be disabled is applicable with effect from the financial year beginning on 1 April 2023. The Group uses an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the accounting software. However, the audit trail (edit logs) feature for any direct changes made at the database level was not Assurance EYe enabled for accounting software used for maintenance of books of account and other software used for processing financial information for XXX claims. The management has implemented recording of edit logs at database level for all accounting software w.e.f. April 2024, except for the software used for XXX information, for which management is attempting to migrate to a new accounting software in the financial year 2024-25.

Non-compliance with provisions of audit trail

Penal provisions

Non-compliance with the audit trail provision will attract penalty under section 128(6) of the Act. It is provided that if the managing director, the whole-time director, Chief Financial Officer or any other person of a company charged by the Board with the duty of complying with the provisions of this section, contravenes such provisions, such managing director, whole-time director in charge of finance, Chief Financial officer or such other person of the company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to INR5 lakh.

Implications on auditor’s reporting

The Institute of Chartered Accountants of India (ICAI) has issued an Implementation Guide on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 which provides guidance for auditors to comply with the reporting requirements of Rule 11(g). In case the books of account are not maintained in accounting software having audit trail feature, or the audit trail feature remains non-functional during any part of the year, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).

The same will also have an impact on reporting under Section 143(3)(b) of the Companies Act, 2013, wherein the auditor has to state whether the company has maintained proper books of account.

Also, the auditor needs to report any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith under section 143(3)(h) of the Act.

The ICAI Guide also provides for illustrative wordings of the audit report – unmodified and modified reporting.

What is next?

Since this is the second year of reporting, all companies should evaluate the challenges faced in the first year of reporting, ensuring that all new accounting software deployed during the year have the requisite functional parameters and attributes which would be considered as being compliant with the requirements and where it is necessary to engage with service providers to implement changes to ensure compliance. Management also needs to focus its attention on remediating the audit modifications relating to the audit trail during the first year of reporting and the impact of such modifications in the second year.

The intent of the regulator is clear — the integration of the audit trail in accounting software will not only help verify and track transactions but also make the whole system smooth and transparent.