Implementation Guide on

Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 (Revised 2024 Edition)

  

The Institute of Chartered Accountants of India

(Set up by an Act of Parliament) New Delhi

 

 

 

 

© The Institute of Chartered Accountants of India.

 

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission, in writing, from the publisher.

 

 

 

First Edition Revised Edition

 

: March 2023

: January 2024

 

 

Committee : Auditing and Assurance Standards Board

 

 

Email : aasb@icai.in

 

 

Website : www.icai.org

 

 

Price : Rs. 200/-

 

 

Published by       :   The Publication and CDS Directorate on

behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi – 110 002.

 

 

 

 

 Foreword 

 

 

The Ministry of Corporate Affairs introduced Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 that requires the auditor to report on the use of accounting software by a company, for maintaining its books of account which has audit trail (edit log) recording facility and the same has been operated throughout the year for all the transections recorded in the software. Additionally, the auditor has to report that audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for retention of records. In March 2023, the Auditing and Assurance Standard Board (AASB) of the Institute of Chartered Accountants of India (ICAI) issued an “Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” to provide guidance to the members on the above said reporting requirement. Subsequently, the AASB received various practical queries from the members that requires further clarification/guidance on the above said reporting requirement.

 

I am happy to note that the Auditing and Assurance Standards Board has brought out this revised edition of publication, “Implementation Guide on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014”. This revised edition has a separate section of Frequently Asked Questions (FAQs) that covers various practical situations which may be faced by the members while reporting under Rule 11(g). This revised Implementation Guide will enable the members to comply with the reporting requirement of Rule 11(g) more effectively.

 

I compliment CA. (Dr.) Sanjeev Kumar Singhal, Chairman, CA. Vishal Doshi, Vice-Chairman and all other members of the Auditing and Assurance Standards Board of ICAI for their efforts in bringing out this revised Implementation Guide for the benefit of the members at large.

 

 

 

 

I am confident that the members and other interested readers would find this revised Implementation Guide immensely useful.

 

 

 

February 1, 2024 New Delhi

CA. Aniket Sunil Talati

President, ICAI

 

 

 

 

Preface

 

 

The Companies (Audit and Auditors) Amendment Rules, 2021 dated 24^th March 2021 made various changes in Rule 11 of the Companies (Audit and Auditors) Rules, 2014. These changes include new Rule 11(g) which requires reporting on use of accounting software by companies which has audit trail feature. In March 2023, the Auditing and Assurance Standards Board (AASB) of ICAI issued the “Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” (“The Implementation Guide”) to provide guidance to the members on this new reporting requirement.

After issuance of the Implementation Guide, AASB received various practical queries from the members on this reporting requirement. AASB examined these queries. AASB decided to develop FAQs on these queries and include these FAQs in the Implementation Guide to provide necessary guidance to the members.

It gives us immense pleasure to place in hands of the members, this revised edition of publication, “Implementation Guide on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” brought out by the Auditing and Assurance Standards Board. The revised Implementation Guide includes a new section on FAQs. These FAQs were initially developed by a study group constituted by the Board for this purpose and thereafter these FAQs were finalised with the contribution of the Board members. The revised Implementation Guide contains detailed guidance on various aspects of this reporting requirement. The revised Implementation Guide will enable auditors of companies to comply with this reporting requirement effectively.

We would like to thank CA. Aniket Sunil Talati, President, ICAI and CA. Ranjeet Kumar Agarwal, Vice-President, ICAI for their guidance and support in various endeavours of the Board.

 

 

 

 

We are extremely grateful to all members of the study group viz. CA. Chandrashekhar Vasant Chitale (Convenor), CA. Kusai Goawala, CA. Jayesh Doshi, CA. Ashish Khandelwal, CA. Hemant Joshi, CA. Bageshri Milind Kshirsagar, CA. Umesh Abhyankar, CA. Deepa Agarwal, CA. Ridhima Dubey and Shri K T Saravanabhava for their contribution in developing and finalising the FAQs.

We wish to place on record high appreciation of all members of the Board for their active contribution in finalising the revised Implementation Guide. We appreciate the contribution made by CA. Megha Saxena, Secretary, AASB and other staff of AASB in finalising the revised Implementation Guide.

We are confident that the revised Implementation Guide would be well received by the members and other interested readers.

 

 

 

 

 

CA. Vishal Doshi Vice Chairman, AASB

CA. (Dr.) Sanjeev Kumar Singhal

Chairman, AASB

Contents

 

Foreword Preface

Page No.

 

Section 1: Implementation Guide						1-26
Introduction of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014						1
Introduction Guide	and	Scope	of	the	Implementation	2
Management’s Responsibility						3
Auditor’s Responsibility						4
Applicability						6
Preservation of Audit Trails						7
Audit Approach						8
Illustrative Wordings for Reporting						12
Special Consideration in case of Fraud Scenarios						16
Reporting under Rule 11(g) vis-à-vis Reporting under Section 143(3)(i)						17
Obtaining Written Representations						18
Audit Documentation						19
Glossary of Terms						20
Appendix I: Illustrative table showing the accounting software used by the Company						22
Appendix II: Illustrative Management Representation Letter						23
Section 2: Frequently Asked Questions (FAQs)						27-56

 

Introduction of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014

1. Section 143(3) of the Companies Act, 2013 provides various matters on which auditors are required to report in their auditor’s report. Clause (j) of Section 143(3) states that auditor’s report shall also state such other matters as may be prescribed. Rule 11 of the Companies (Audit and Auditors) Rules, 2014 specifies such other matters that are to be reported by the auditor.
2. The Ministry of Corporate Affairs (MCA) vide its notification No. GSR 206(E) dated March 24, 2021 has issued the “Companies (Audit and Auditors) Amendment Rules, 2021” read with sub-section 3 of Section 143 of the Companies Act, 2013 (hereinafter referred as “the Act”) introducing new Rule 11(e), new Rule 11(f) and new Rule 11(g) and deleting Rule 11(d).

Rule 11(g) is reproduced below:

“Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.”

1. The requirement was initially made applicable for the financial year commencing on or after the 1^st day of April 2021 vide notification G.S.R. 206(E) dated March 24, 2021. However the applicability was deferred to financial year commencing on or after April 1, 2022, vide MCA notification G.S.R. 248(E) dated April 1, 2021. It may be noted that a new requirement for companies has been prescribed under the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 requiring companies, which use accounting software for maintaining their books of account, to use only such accounting software which has audit trail feature. This requirement for companies was initially made

 

applicable for financial year commencing on or after April 1, 2021. However, its applicability has been deferred two times and this requirement is finally applicable from April 1, 2023.

 

Text of Proviso to Rule 3(1) of Companies (Accounts) Rules, 2014	Text of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014
Provided that for the financial	Whether the company, in
year commencing on or after	respect of financial years
the 1st day of April 2023, every	commencing on or after the 1st
company which uses	April, 2022,   has   used   such
accounting software for	accounting software for
maintaining its books of	maintaining its books of account
account, shall use only such	which has a feature of recording
accounting software which has	audit trail (edit log) facility and
a feature of recording audit trail	the same has been operated
of each and every transaction,	throughout the year for all
creating an edit log of each	transactions   recorded in the
change made in the books of	software and   the audit trail
account along with the date	feature has not been tampered
when such changes were made	with and the audit trail has been
and ensuring that the audit trail	preserved by the company as
cannot be disabled.	per the statutory requirements
	for record retention.

 

Introduction and Scope of the Implementation Guide

1. The purpose of this Implementation Guide is to enable the auditors to comply with the reporting requirements of Rule 11(g). It should be noted that this Implementation Guide provides the principle based guidance for reporting under Rule 11(g) and auditors are expected to exercise their professional judgement while reporting under Rule 11(g).

 

1. Globally, no similar reporting obligation exists for the auditors and accordingly there is no international guidance available on the subject to prescribe specific guidance to enable the auditor to obtain reasonable assurance and report accordingly under this clause. The auditor is expected to perform procedures in accordance with Standards on Auditing (which includes inquiry, observation, and examination, as applicable).
2. In the above backdrop, this Implementation Guide has been developed to provide detailed guidance for the auditors to enable compliance with reporting requirement under Rule 11(g).
3. Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014¹ (hereinafter referred as “the Account Rules”) states that for the financial year commencing on or after the 1st day of April 2023, every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.
4. The amendments require every company that uses an accounting software to use such software that has a feature of audit trail which cannot be disabled. The management has a responsibility for effective implementation of the requirements prescribed by the account rules i.e., every company which uses an accounting software for maintaining its books of account, should use only such accounting software which has the following features:

A. Management’s Responsibility

• Records an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made; and
• Ensuring that audit trail is not disabled.

 

¹ Inserted by the Companies (Accounts) Amendment Rules 2021 vide notification G.S.R. 205(E) dated 24^th March 2021 w.e.f.1^st April 2021. Substituted for 1^st day of April 2022 by the Companies (Accounts) Second Amendment Rules 2021 vide notification G.S.R. 247(E) dated 1^st April 2021 and again substituted for “1^st day of April 2023” by the Companies (Accounts) Second Amendment Rules, 2022 vide notification G.S.R. 235(E) dated 31^st March 2022.

 

Thus, it is the management, who is primarily responsible for ensuring selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to retention of audit logs).

1. It should be noted that the accounting software may be hosted and maintained in India or outside India or may be on- premise or on cloud or subscribed to as Software as a Service (SaaS) software. Further, a company may be using a software which is maintained at a service organisation. For example, the company may have outsourced its payroll processing with a shared service centre and the shared service centre may use its own software to process payroll for the company.
2. Rule 11(g) casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’. This has been explained in the paragraph below.
3. To elaborate, in addition to requiring auditor to comment on whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:

B. Auditor’s Responsibility

• whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
• whether the audit trail feature was enabled/operated throughout the year?
• whether all transactions² recorded in the software are covered in the audit trail feature?
• whether the audit trail has been preserved as per statutory requirements for record retention?

 

² Proviso to Rule 3(1) of Companies (Accounts) Rules 2014 prescribes requirement of audit trail only in the context of books of account by stating that accounting software should be capable of creating an edit log of “each change made in books of account.” The auditor’s responsibilities have been prescribed for “all transactions recorded in the software.” Accordingly, the auditor’s responsibility under Rule 11(g) is restricted to transactions which have been recorded in the accounting software and subsequent changes made to those transactions (which is demonstrated through rectification/ additional entities).

 

It may be noted that any software used to maintain books of account will be covered within the ambit of this Rule. For e.g., if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act. Auditors would need to evaluate whether management has also considered such software in their compliance to the Account Rules. Accordingly, any software that maintains records or transactions that fall under the definition of Books of Account as per the section 2(13) of the Act will be considered as accounting software for this purpose.

1. It may be noted that the requirement of the accounting software having a feature of audit trail has been incorporated as a proviso to Rule 3(1) of the Account Rules and has been prescribed only in the context of books of account. This is evidenced by the fact that as per the proviso to the Rule, the accounting software should be capable of creating an edit log of “each change made in books of account.”

However, Rule 11(g) requires the auditor to comment as to whether the company has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.

By reading of the Account Rules, it may be noted that companies are required to maintain audit trail (edit log) for each change made in the books of account. Accordingly, the term ‘all transactions recorded in the software’ used in Rule 11(g) would refer to all transactions that result in change to the books of account.

For example, creation of a user in the accounting software may be construed as a transaction in the software. However, creating a user account in the accounting software would not change the records of books of account as defined in Section 2(13) of the Act

 

whereas adding a new journal entry or changing an existing journal entry will be construed as a change made in books of account.

1. Giving due cognizance to the definition of “books of account” as envisaged under Section 2(13) of the Act and Rule 3 of the Account Rules which provides for the management responsibilities for maintenance of books of account and other relevant books and papers maintained in electronic mode, the auditor would be expected to check whether the audit trail is enabled for such transactions which result in a change to the books of account.
2. Considering the applicability date of Rule 11(g), it implies that the auditor is not required to assess appropriateness of audit trail of previous years and the assessment will be only for prospective financial years. As per the requirements as mentioned in paragraph 3 above, audit reporting will be triggered for financial years commencing on or after April 1, 2022, however, the applicability of the Account Rules will commence on or after April 1, 2023. Thus, there is likely to be a scenario for the financial year 2022-23 where in absence of compliance requirement for the companies, auditors would not be able to report under Rule 11(g).
3. The reporting requirements have been prescribed for audit of financial statements prepared under the Act. Accordingly, auditors of all class of companies including section 8 companies would be required to report on these matters. As per the Companies (Registration of Foreign Companies) Rules, 2014, the provisions of “Chapter X of the Act: Audit and Auditors” and Rules made there under apply, mutatis mutandis, to a foreign company as defined in the Act. Accordingly, the above reporting requirements would be applicable to the auditors of foreign companies as well.
4. The requirements of audit trail are applicable to the extent a company maintains its records in the electronic mode by using an accounting software. Thus, where the books of account are

C. Applicability

 

entirely maintained manually – the assessment and reporting responsibility under Rule 11(g) will not be applicable and accordingly, same would need to be reported as statement of fact by the auditor against this clause.

1. The auditor is required to comment on the above matters both in case of reporting on standalone financial statements and consolidated financial statements. However, while reporting on consolidated financial statements, the auditor may observe that certain components included in the consolidated financial statements are (a) either not companies under the Act, or (b) some components are incorporated outside India. The auditors of such components are not required to report on these matters since the provisions of the Act do not apply to them.
2. It may be noted that section 129(4) of the Act which prescribes the requirements for consolidated financial statements including their audits has specifically stated that the provisions of the Act shall, mutatis mutandis, apply to the consolidated financial statements implying that necessary changes are required to be made to interpret the requirements in respect of consolidated financial statements and their audit. Accordingly, in line with the approach adopted in case of reporting on the consolidated financial statements on the clauses of section 143(3) of the Act, the reporting on compliance with Rule 11(g) would also be on the basis of the reports of the statutory auditors of subsidiaries, associates and joint ventures that are companies defined under the Act. The auditors of the parent company should apply professional judgment and comply with applicable Standards on Auditing, in particular, SA 600, “Using the Work of Another Auditor” while assessing the matters reported by the auditors of subsidiaries, associates and joint ventures that are Indian companies.
3. The auditor is required to comment whether ‘the audit trail has been preserved by the company as per the statutory

D. Preservation of Audit Trails

 

requirements for record retention’. Considering the requirement of Section 128(5) of the Act, which requires books of account to be preserved by companies for a minimum period of eight years, the company would need to retain audit trail for a minimum period of eight years³ i.e., effective from the date of applicability of the Account Rules (i.e., April 1, 2023, onwards).

E. Audit Approach

1. As part of the audit approach, the auditor would need to ensure that the management assumes the primary responsibility to:

• identify the records and transactions that constitute books of account under section 2(13) of the Act;
• identify the software i.e., IT environment including applications, web-portals, databases, interfaces, data warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account;
• ensure such software have the audit trail feature;
• ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:
  • when changes were made,
  • who made those changes,
  • what data was changed,
  • ensure that the audit trail feature is always enabled (not disabled);
  • ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;
  • ensure that the audit trail is appropriately protected from any modification;

 

 

 

³ Year would imply ‘Financial Year’.

 

• ensure that the audit trail is retained as per statutory requirements for record retention;
• ensure that controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout the period of reporting.

In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate. An illustrative list of internal controls which may be required to be implemented and operated are given below:

• Controls to ensure that the audit trail feature has not been disabled or deactivated.
• Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.
• Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.
• Controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs, whenever the audit trails have been accessed, are maintained.
• Controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.

1. In respect of identification of relevant transactions in context of maintenance of books of account, the auditor may consider performing the following procedures:

• Assess management’s identification of records and transactions where audit trail needs to be captured and verify, on a test basis, whether the audit trail has been configured and enabled for the identified accounting software.
• Evaluate the management’s approach regarding identification of accounting software which have been considered for the

 

purposes of maintenance of audit trail. Refer Appendix I for an illustrative table.

• Inquire with the management on how they evaluated changes that are required for the maintenance of audit trail as part of changes or upgrades to the accounting software.
• Where applicable, consider involvement of specialists or experts in the field of Information Technology to assist in evaluation of management controls and configurations in the accounting software with regard to audit trail.

1. In case of accounting software supported by service providers, the company’s management and the auditor may consider using independent auditor’s report of service organisation (e.g., Service Organisation Control Type 2 (SOC 2)/SAE 3402, “Assurance Reports on Controls At a Service Organization”) for compliance with audit trail requirements. The independent auditor’s report should specifically cover the maintenance of audit trail in line with the requirements of the Act.
2. Most of the commonly used accounting software, including Enterprise Resource Planning (ERP) software, have an audit trail feature that can be enabled or disabled at the discretion of the company. The management of the company may have put in place certain controls such as restricting access to the administrators and monitoring changes to configurations that may impact the audit trail. Auditors are accordingly expected to evaluate management’s policies in this regard and test such controls to determine whether the feature of audit trails have been implemented and operating effectively throughout the reporting period.
3. It is expected that management ensures that the administrative access to the audit trail is restricted to authorized representatives.
4. In this regard, the auditor may take into consideration the following aspects for every accounting software which is used in maintaining the “books of account” for the purpose of reporting:

 

1. the software configuration that controls enabling or disabling of the audit trail and whether audit trail was enabled throughout the period.
2. the access to such configurations.
3. any changes to the audit trail configuration during the period of audit (during the financial year and also from the date of financial statements but before the date of auditor’s report).
4. the periodic review mechanism implemented and operated by management for any changes to the audit trail configuration.
5. the completeness and accuracy of audit trail or edit logs that are generated through the software functionalities or directly recorded in the underlying database i.e., whether it captures the user ID that made the change, the date and time of change and what fields were changed by reviewing the reports or trails generated, on a test basis, to capture the required information or when the audit trail feature was disabled, etc.
6. any testing management has performed to assess the completeness and accuracy of the audit trail.
7. In respect of preservation of audit trails, inquire with management to understand the procedures implemented by the company to preserve the records as per the statutory record retention period. The auditor may review, on a sample basis, the audit trail records maintained by management for each applicable year and evaluate management controls for maintenance of such records without any alteration and retrievability of logs maintained for the required period of retention.
8. Unlike reporting on internal financial controls over financial reporting, Rule 11(g) requires the auditor to report that the feature of recording audit trail (edit log) facility has “operated throughout the year for all transactions recorded in the accounting software”.

Based on procedures performed, the auditor is expected to evaluate the reporting implications specifically giving due consideration to SA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”.

 

In respect of audit trail, following are likely to be expected scenarios:

1. Management may maintain adequate audit trail as required by the Account Rules.
2. Management may not have identified all records/transactions for which audit trail should be maintained.
3. The accounting software does not have the feature to maintain audit trail, or it was not enabled throughout the audit period.

Scenarios (ii) and (iii) mentioned above would result in a modified/ adverse reporting against this clause.

Illustrative Wordings for Reporting

Illustrative reporting in case of Standalone Financial Statements

1. Based on our examination which included test checks, the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention.]⁴
2. Based on our examination which included test checks and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are

Illustrative reporting in case of Consolidated Financial Statements

Unmodified reporting

 

⁴ This reporting would be relevant from the second year. In the first year of applicability, this sentence would not be reported upon.

 

companies incorporated in India whose financial statements have been audited under the Act, the company, subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and respective auditors of the above referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention.]⁵

Modified reporting

1. Based on our examination, which included test checks, and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, except for the instances mentioned below, the company, subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and respective auditors of the above referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the Company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention]⁶

 

 

⁵ This reporting would be relevant from the second year. In the first year of applicability, this sentence would not be reported upon.

⁶ This reporting would be relevant from the second year. In the first year of applicability, this sentence would not be reported upon.

 

Instances of accounting software for	No of   instances   without
maintaining its books of account	mentioning name   of   the
which did not had a feature of	components. Example “In
recording audit trail (edit log) facility	respectof[…]of
and the same was not operated	subsidiaries”
throughout the year for all relevant
transactions recorded in the
software
Instances of audit trail feature being
tampered with
Instances of non-preservation of the
audit trail

 

In respect of financial year 2022-23, where management has not been mandated to use the accounting software with requisite audit trail facility, the reporting against this clause can be as illustrated below:

As proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable for the company only w.e.f. April 1, 2023, reporting under this clause is not applicable.

Illustrative wordings for modified reporting

1. It may be noted that the reporting under this Rule requires factual reporting. In case a company has exceptions in complying to the Account Rules, the auditor may use the language as given in examples below.

Examples of such circumstances where exceptions would need to be reported.

 

Nature of exception	Illustrative wordings
1. Audit trail feature was	“Based on   our   examination,   the
disabled for one of the	company, has used accounting
books of account/	software for maintaining its books of
records or for an	account which has a feature of
accounting software -	recording audit trail (edit log) facility
(e.g., property, plant	except in respect of maintenance of

 

and equipment	property, plant and equipment
software did not have	records wherein the accounting
audit trail feature)	software did not have the audit trail
	feature enabled throughout the year.
	Further, the audit trail facility has
	been operating throughout the year
	for all relevant transactions recorded
	in the software except for the
	instances reported below…...
	Further, during the course of our
	audit we did not come across any
	instance of audit trail feature being
	tampered with.”
2. Audit Trail feature is not operating effectively during the reporting period	“………except that the audit trail feature of YYY software used by the company to maintain payroll records did not operate throughout the year…..”
	“…..except that no audit trail enabled at the database level for accounting software AAA (database SQL) and BBB (database db2) to log any direct data changes………”
3. Accounting software is	“Based on   our   examination,   the
maintained by third	company, has used an accounting
party and auditor is	software ABC which is operated by
unable to assess	a third party software service
whether audit trail	provider, for maintaining its books of
feature can be disabled	account and in absence of [state the
during the reporting	type of control report] we are unable
period	to comment whether audit trail
	feature of the said software was
	enabled and operated throughout
	the year for all relevant transactions
	recorded in the software or whether
	there were any instances of the

 

	audit trail feature been tampered with.”
4. The audit trail has not been preserved by the company as per the statutory requirements for record retention.	“……….the audit trail has not been preserved by the company as per the statutory requirements for record retention” Note: This illustration is relevant from second year of reporting and onwards.
5. Migration from one software to the other happened during the year or higher version of software installed and auditor is unable to obtain sufficient and appropriate evidence	The Company has migrated to [name of the software] from [old software/manual] during the year and is in the process of establishing necessary controls and documentations regarding audit trail. Consequently, we are unable to comment on audit trail feature of the said software.

 

Where the feature of audit trail has not operated throughout the year, the auditor would need to appropriately modify the comment while reporting under this clause and evaluate implication on the Other Legal and Regulatory reporting requirements, and the main audit opinion issued under SA 700(Revised), “Forming an Opinion and Reporting on Financial Statements”.

Special Consideration in case of Fraud Scenarios

1. An auditor may come across a scenario where occurrence of an error or fraud could not be established due to lack of maintenance, availability or retrievability of audit trails.

In evaluating the severity of a deficiency for such instances specifically in cases of fraud, the auditor should primarily consider two factors (a) the likelihood that the deficiency will result in a material misstatement, and (b) the magnitude of such an outcome.

 

In a nutshell, this scenario would, in essence, call for performing an assessment of risk of material misstatements due to fraud and would consider both qualitative and quantitative factors in assessing a deficiency or combination of deficiencies as a significant deficiency or material weakness and would accordingly require application of professional judgement while linking the reporting against Rule 11(g) and section 143(12) of the Act/clause

(x) of the Companies (Auditor’s Report) Order 2020 (as the case may be).

Reporting under Rule 11(g) vis-à-vis Reporting under Section 143(3)(i)

1. Section 143(3)(i) of the Act, where applicable under the provisions of the Act, requires the auditor to state in his audit report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls. Guidance in this regard has been prescribed vide “Guidance Note on Audit of Internal Financial Controls Over Financial Reporting (the Guidance Note) issued by ICAI.

Paragraph 52 of the Guidance Note uses expression ‘audit trail’ to describe the control activities in relation to policies and procedures related to information processing system that may be relevant to an audit. However, the Guidance Note does not entail any detailed audit procedures in respect of reporting against Rule 11(g).

Accordingly, where the feature of audit trail has not operated throughout the year, the auditor may need to appropriately modify his comment while reporting under Rule 11(g) depending upon the further testing/examination as may be required to conclude the wider impact on the reporting implication.

Given below is an example of a scenario wherein management is unable to rely on the automated controls in an accounting software:

[This scenario presupposes a modified IFCoFR report due to inability of management to rely on the automated controls, where reporting under Section 143(3)(i) is applicable for the company]

 

“The company has used an accounting software for maintaining its books of account however for the reasons stated in [refer the reporting of IFCoFR] management is unable to rely on automated controls related to financial reporting in the accounting software and consequently we are unable to comment on audit trail requirements of the said software as envisaged under Rule 11(g).”

However, it should be noted that mere non-availability of audit trail does not necessarily imply failure or material weakness in the operating effectiveness of internal financial controls over financial reporting.

Obtaining Written Representations

1. The auditor shall obtain written representations from management on the following aspects:

• Acknowledging management's responsibility for establishing and maintaining adequate controls for identifying, maintaining, controlling, and monitoring of audit trails as per the requirements on a consistent basis.
• Stating that management has performed an evaluation and assessed the adequacy and effectiveness of the company's procedures for complying to the requirements prescribed for audit trails.
• Stating management's conclusion, as set forth in its assessment, about the adequacy and effectiveness of the company's procedures in relation to audit trails.
• Stating that management has disclosed to the auditor all deficiencies in the design or operation of controls maintained for audit trails identified as part of management's evaluation.
• Describing instances where identification of fraud, if any, resulting in a material misstatement to the company's financial statements is identified while reviewing and testing the samples related to the disablement of audit trail facility of the accounting software.
• Stating whether control deficiencies identified and communicated to the audit committee in relation to audit trail

 

during previous engagements have been resolved, and specifically identifying any deficiency that have not been resolved.

SA 580, “Written Representations” explains matters such as who may sign the representation letter, the period to be covered by the representation letter, and when to obtain an updated representation letter. Inability to obtain written representations from management including management's refusal to furnish them, constitutes a limitation on the scope of the audit. When the scope of the audit is limited, the auditor may either disclaim the audit opinion or resign from the engagement in accordance with Standards on Auditing.

Since the primary responsibility for establishing and maintaining audit trails is that of the management and the board of directors of the company, the management should ensure that the board of directors approving the financial statements of the company also takes on record the policies and procedures as laid down by the management in respect of assertion and conclusion on the adequacy and operating effectiveness of audit trails. Additionally, the board should also take on record the deficiencies, significant deficiencies and material weaknesses identified by the management, internal auditors, and the auditor.

Refer Appendix II for an illustrative Management Representation Letter.

Audit Documentation

1. The auditor may document the work performed on audit trail such that it provides:

(a) a sufficient and appropriate record of the basis for the auditor’s reporting under Rule 11(g); and

(b) evidence that the audit was planned and performed in accordance with this Implementation Guide, applicable Standards on Auditing and applicable legal and regulatory requirements.

In this regard, the auditor may comply with the requirements of SA 230, “Audit Documentation” to the extent applicable.

 

 

 

 

 Glossary of Terms

 

 

Audit Trail⁷ (or Edit Log) is a visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source.

Audit trails are a chronological record of the changes that have been made to the data. Any change to data including creating new data, updating or deleting data that must be recorded.

Records maintained as audit trail may include the following information:

• when changes were made i.e., date and time (timestamp)
• who made the change i.e., User Id
• what data was changed i.e., data/transaction reference; success/failure

Audit trails may be enabled at the accounting software level depending on the features available in such software or same may be captured directly in the database underlying such accounting software.

Accounting Software is a computer program or system that enables recording, maintenance and reporting of books of account and relevant ecosystem applicable to business requirements. The functionality of such accounting software differs from product to product. Every organization today employs multiple software for accounting, its operations and other requirements like consolidation, collection of data. For the purposes of this Implementation Guide, only the accounting software which is relevant for maintaining books of account should be considered for enabling of audit trail.

"Books of Account" as per Section 2(13) of the Act includes records maintained in respect of—

 

⁷ Terms Audit Trail, Edit Log or Audit Log are used interchangeably and to carry the same meaning for the purposes of this Implementation Guide.

 

(i) all sums of money received and expended by a company and matters in relation to which the receipts and expenditure take place;

(ii) all sales and purchases of goods and services by the company;

(iii) the assets and liabilities of the company; and

(iv) the items of cost as may be prescribed under section 148 in the case of a company which belongs to any class of companies specified under that section;

Service Provider – An organization supplying services to one or more (internal or external) Customers.

Software as a Service a method of software delivery using licensing arrangements in which software is accessed online via a subscription, rather than bought and installed on individual computers.

 

 

 

 

 Appendix I

 

 

Illustrativetableshowingtheaccounting software used by the Company

 

Name	Records	Hosting	Maintain-	Data-	Operat-	Audit
of the	maintain-	Location	ed In-	base	ing	Trail
Accou-	ed		house or		System	enab-
nting	(Books		Outsour-			led
Soft-	of		ced
ware	account)
e.g.,	Journal	Company	In-house	XYZ	Windows	Yes
XYZ	entries,	Data			10
	sub-	Center,
	ledgers	Bangalore
	and
	general
	ledger
e.g.,	Sales	SaaS / On	Outsourc-	PQR	Windows	Yes
PQR	Invoices,	Cloud	ed		10
	Inventory,		Maintained
	Customer		by ABC
	Ledger		Corp
e.g.,	Manufact-	Company	In-house	ABC	Windows	Yes
ABC	uring Cost	Data			10
	Records	Center,
		Bangalore

 

 

 

 Appendix II

 

 

Illustrative Management Representation Letter

The following illustrative letter includes written representations that are required by this Implementation Guide, SA 580, “Written Representations” and other Standards on Auditing as applicable. It is assumed in this illustration that the relevant accounting software meets the essential characteristics as specified by the Account Rules; and that there are no exceptions to the requested written representations. If there are exceptions, the representations would need to be modified to reflect the exceptions.

(Entity Letterhead)

(To Auditor) (Date)

This representation letter is provided in conjunction with your audit of the standalone/ consolidated financial statements of the Company for the year ended March 31, 20XX, for the purpose of reporting as to whether the accounting software used by the Company for maintaining its books of account, has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.

We confirm that to the best of our knowledge and belief, having made such inquiries as we considered necessary for the purpose of appropriately informing ourselves:

1. We are responsible for establishing and maintaining adequate and effective controls based on [mention control criteria] in respect of use of accounting software that entails the requisite features as specified by the Account Rules.

 

 

 

 

1. We have performed an evaluation and made an assessment of the adequacy and effectiveness of the company's accounting software in term of recording audit trail of each and every transaction.
2. We have not used the procedures performed by you during the audit as part of the basis for our assessment of the effectiveness of audit trails of accounting software.
3. Based on the assessment carried out by us and the evaluation of the results of the assessment, we conclude that the Company uses accounting software for maintaining its books of account which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled and the audit trail been preserved by the company as per the statutory requirements for record retention except for the below mentioned exceptions noted during our assessment and evaluation.
   1. (brief of deficiencies)
   2. (brief of the impact)
4. We have disclosed to you all deficiencies identified as part of management's evaluation, including separately disclosing to you all such deficiencies that we believe to be significant deficiencies or would lead to material weaknesses in internal financial controls.
5. There were no instances of fraud resulting in a material misstatement to the company's financial statements and any other fraud that does not result in a material misstatement to the company's financial statements but involves senior management or management or other employees who have a significant role in the company's internal financial controls. (or) The following instances of fraud that resulted in material misstatement of financial statements in earlier years and frauds involving senior

 

 

Implementation Guide on Reporting on Audit Trail

 

management or management or other employees who have a significant role in the company's internal financial controls were noted: (list instances and amounts involved).

1. The deficiencies identified in the previous engagement and communicated to the Company and those charged with governance have been remediated, except for the following: ( ) (This issue is not applicable in the first year)
2. There have been no communications from regulatory agencies concerning non-compliance with or deficiencies in accounting software.
   1. We have provided you with:

• All information, such as records (including SOC report) and documentation, and other matters that are relevant to your assessment of accounting software;
• Additional information that you have requested from us;
• Unrestricted access to those within the entity.
• Audit reports of the component auditors, including their report under Section 143(3)(i) of the Act for the following subsidiary companies, jointly controlled companies and associate companies to whom reporting under Section 143(3)(i) is applicable.
• There are no other subsidiary companies, jointly controlled companies and associate companies of the company to whom reporting under Section 143(3)(i) is applicable and whose auditors have not issued their report under Section 143(3)(i) of the Act.
• In the case of the following subsidiary companies, jointly controlled companies and associate companies of the company to whom reporting under Section 143(3)(i) is applicable, the respective component’s year end is other than that of the Company:

 

25

 

With respect to these components, we have provided to you the audit reports of the component auditors, including their report under Section 143(3)(i) of the Act for their respective financial year under the Act that has been considered in the preparation of the consolidated financial statements of the Company.

1. There are no changes in the accounting software from March 31, 20XX [balance sheet date] till the date of this representation letter. (or) The following changes have been made to the accounting software since March 31, 20XX [balance sheet date] and the date of this representation letter: (list changes and reason for the change).
2. These changes include corrective actions taken by us with regard to significant deficiencies with respect to the following: (list significant deficiencies).
3. The following changes to accounting software have been proposed as on date of this representation letter but have not yet been implemented: (list proposed changes and reason for the proposed change).
4. The changes to the accounting software since March 31, 20XX [balance sheet date] and the proposed changes that are under consideration by the Company do not impact our assessment, evaluation and conclusion of the accounting software as at March 31, 20XX [balance sheet date].
5. [Any other matters that the auditor may consider appropriate.]

For and on behalf of ABC Company Limited

………………………………………………………………………… (Signature) (Signature)

Name and Designation Name and Designation

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Frequently Asked Questions (FAQs)

 

 

Question 1: Exemption to small and medium companies from maintaining books of account in accounting software with audit trail feature

Is there any exemption to small and medium companies from complying with the requirement to maintain books of account in accounting software with audit trail feature?

Response:

Technical Guidance

Section 128 (1) of the Companies Act, 2013

Every company shall prepare and keep at its registered office books of account and other relevant books and papers and financial statement for every financial year which give a true and fair view of the state of the affairs of the company, including that of its branch office or offices, if any, and explain the transactions effected both at the registered office and its branches and such books shall be kept on accrual basis and according to the double entry system of accounting:

Provided that all or any of the books of account aforesaid and other relevant papers may be kept at such other place in India as the Board of Directors may decide and where such a decision is taken, the company shall, within seven days thereof, file with the Registrar a notice in writing giving the full address of that other place:

Provided further that the company may keep such books of account or other relevant papers in electronic mode in such manner as may be prescribed.

Rule 3(1) of Companies (Accounts) Rules, 2014

The books of account and other relevant books and papers maintained in electronic mode shall remain accessible in India, at all times so as to be usable for subsequent reference.

 

Provided that for the financial year commencing on or after the 1st day of April, 2023, every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.

Text of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014

Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.

Analysis and Conclusion

As per Section 128(1) of the Companies Act, 2013, every company is required to prepare and keep the books of account and other relevant books and papers and financial statements for every financial year which give a true and fair view of the state of the affairs of the company. Further, this Section gives an option to companies to maintain such books of account in electronic mode.

In case company maintains its books of account in electronic mode, then it is required to comply with the requirements of Rule 3 of the Companies (Accounts) Rules, 2014. In case of non- compliance with Rule 3(1), auditor of the company would need to appropriately modify the comment while reporting under Rule 11(g).

This requirement is applicable to all companies and there is no exemption given to small and medium companies.

If a company (irrespective of its size and nature i.e. small company, medium company, private company, public company) is

 

maintaining its books of account in the electronic mode, then it is required to use an accounting software with audit trail feature.

Question 2: Requirement to report on the audit trail feature in the limited review report

Is there any requirement for the auditor to report in his/ her limited review report of a listed company whether the company has used such accounting software for maintaining its books of account which has a feature of recording audit trail facility and the same has been operated throughout the year for all the transactions recorded in the software and the audit trail has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention?

Response:

Presently, there is no requirement prescribed under the Companies Act, 2013 and the Rules made thereunder or any of the SEBI Regulations for the auditors to report on the audit trail feature of accounting software while issuing their limited review report on the limited review of financial results of a listed company.

Question 3: Accounting software which does not allow modification

What is the reporting implication for the auditor in case of absence of audit trail in the accounting software which does not allow subsequent modification to the transactions/ journal entries posted initially?

Response:

Technical Guidance

Text of Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014

Provided that for the financial year commencing on or after the 1st day of April 2023, every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of

 

each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.

Paragraph 8 of the Implementation Guide

The amendments require every company that uses an accounting software to use such software that has a feature of audit trail which cannot be disabled. The management has a responsibility for effective implementation of the requirements prescribed by the account rules i.e., every company which uses an accounting software for maintaining its books of account, should use only such accounting software which has the following features:

- Records an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made; and

- Ensuring that audit trail is not disabled.

Thus, it is the management, who is primarily responsible for ensuring selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to retention of audit logs).

Extracts from Paragraph 12 of the Implementation Guide

By reading of the Account Rules, it may be noted that companies are required to maintain audit trail (edit log) for each change made in the books of account. Accordingly, the term ‘all transactions recorded in the software’ used in Rule 11(g) would refer to all transactions that result in change to the books of account. For example, creation of a user in the accounting software may be construed as a transaction in the software. However, creating a user account in the accounting software would not change the records of books of account as defined in Section 2(13) of the Act whereas adding a new journal entry or changing an existing

 

journal entry will be construed as a change made in books of account.

Text of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014

Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.

Analysis and Conclusion

On the basis of above guidance, if the company is using accounting software for maintaining its books of account, then such software must have an audit trail feature in it which is required to record audit trail of each and every transaction that results in a change to the books of account along with the date when such changes were made.

Irrespective of the fact whether the already posted journal entry could be edited or not, accounting software used by the company is required to have an audit trail feature. In case, the audit trail feature is not present, then Rule 3(1) of the Companies (Accounts) Rules, 2014 is not complied with.

Question 4: Technical glitches in accounting software

If during any part of the financial year, company encounters any technical glitch due to which audit trail feature remains non- functional or is not able to function properly, how will this be reported by the auditor under Rule 11(g)?

Response:

It is the primary responsibility of the management to maintain books of account in the accounting software which has an audit trail feature enabled throughout the financial year.

 

If a company encounters technical glitches/ limitations in the accounting software during any part of the financial year due to which audit trail feature remains non-functional or is not able to function properly, this does not give any exemption to the management regarding the aforesaid responsibility.

In case audit trail feature remains non-functional during any part of the year or is not able to function properly, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).

Question 5: Use of specialist or expert by the auditor

Can auditor use an IT expert or specialist while auditing and reporting on the audit trail feature of an accounting software?

Response:

Technical Guidance

Paragraph 21 of the Implementation Guide

In respect of identification of relevant transactions in context of maintenance of books of account, the auditor may consider performing the following procedures:

- Assess management’s identification of records and transactions where audit trail needs to be captured and verify, on a test basis, whether the audit trail has been configured and enabled for the identified accounting software.

- Evaluate the management’s approach regarding identification of accounting software which have been considered for the purposes of maintenance of audit trail. Refer Appendix I for an illustrative table.

- Inquire with the management on how they evaluated changes that are required for the maintenance of audit trail as part of changes or upgrades to the accounting software.

- Where applicable, consider involvement of specialists or experts in the field of Information Technology to assist in evaluation of management controls and configurations in the accounting software with regard to audit trail.

 

Analysis and Conclusion

On the basis of above guidance, the auditor can consider the involvement of specialist or expert in the field of information technology to assist in evaluation of management controls and configurations in the accounting software regarding audit trail.

While doing so, statutory auditor of the company is required to comply with the requirements of SA 620, “Using the Work of an Auditor’s Expert”.

It is pertinent to note that the ultimate responsibility for reporting on the audit trail feature lies with the auditor only.

Question 6: Implication of audit trail feature not operational throughout the year

In case there are no transactions in a company from 01 April 20XX to 30 June 20XX, is it necessary to have audit trail feature enabled in the accounting software used for maintaining books of account?

Or

In case audit trail feature has not been enabled since commencement of relevant financial year and only enabled at any time before the year end, will it be considered as non-compliance?

Or

How can an auditor ensure that audit trail feature was enabled throughout the financial year without any interruption?

Response:

Technical Guidance

Rule 3(1) of Companies (Accounts) Rules, 2014

The books of account and other relevant books and papers maintained in electronic mode shall remain accessible in India, at all times so as to be usable for subsequent reference.

Provided that for the financial year commencing on or after the 1^st day of April, 2023, every company which uses accounting software for maintaining its books of account, shall use only such

 

accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.

Text of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014

Whether the company, in respect of financial years commencing on or after the 1^st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.

Paragraph 20 of the Implementation Guide

As part of the audit approach, the auditor would need to ensure that the management assumes the primary responsibility to:

- identify the records and transactions that constitute books of account under section 2(13) of the Act;

- identify the software i.e., IT environment including applications, web-portals, databases, Interfaces, Data Warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account;

- ensure such software have the audit trail feature;

- ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:

• when changes were made,
• who made those changes,
• what data was changed,

 

- ensure that the audit trail feature is always enabled (not disabled);

- ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;

- ensure that the audit trail is appropriately protected from any modification;

- ensure that the audit trail is retained as per statutory requirements for record retention;

- ensure that controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout the period of reporting.

In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate. An illustrative list of internal controls which may be required to be implemented and operated are given below:

- Controls to ensure that the audit trail feature has not been disabled or deactivated.

- Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.

- Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.

- Controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs, whenever the audit trails have been accessed, are maintained.

- Controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.

Paragraph 27 of the Implementation Guide

Unlike reporting on internal financial controls over financial reporting, Rule 11(g) requires the auditor to report that the feature

 

of recording audit trail (edit log) facility has “operated throughout the year for all transactions recorded in the accounting software”.

Based on procedures performed, the auditor is expected to evaluate the reporting implications specifically giving due consideration to SA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”.

In respect of audit trail, following are likely to be expected scenarios:

1. Management may maintain adequate audit trail as required by the Account Rules.
2. Management may not have identified all records/transactions for which audit trail should be maintained.
3. The accounting software does not have the feature to maintain audit trail, or it was not enabled throughout the audit period.

Scenarios (ii) and (iii) mentioned above would result in a modified

/adverse reporting against this clause. Analysis and Conclusion

On the basis of above guidance, it can be said that it is primary responsibility of the management to maintain books of account in the accounting software which has an audit trail feature enabled throughout the financial year. In order to demonstrate that the audit trail feature was functional, operated and was not disabled, management needs to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate. The illustrative list of the controls which an auditor needs to assess is mentioned in the abovementioned guidance.

Further, the absence of transactions during any part of the year will not be considered as a reason for not enabling audit trail feature. In case the books of account are not maintained in accounting software having audit trail feature, or the audit trail feature remains non-functional during any part of the year, the

 

auditor would need to appropriately modify the comment while reporting under Rule 11(g).The same also has an impact on reporting under Section 143(3)(b) and Section 143(3)(h) of the Companies Act, 2013 (Please refer FAQ no. 24).

Question 7: Failure of General IT Controls

If during audit, auditor assesses that the General IT controls are not present or these controls are observed to be not effective, should the auditor rely on the audit trail feature of the accounting software?

Response:

Technical Guidance

Paragraph IG 4.7 of Guidance Note on Audit of Internal Financial Controls Over Financial Reporting

General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls. They apply to mainframe, miniframe, and end-user environments. General IT controls that maintain the integrity of information and security of data commonly include controls over the following:

- Data centre and network operations.

- System software acquisition, change, and maintenance.

- Program change.

- Access security.

- Applicationsystemacquisition,development,and maintenance.

Paragraph IG 19.34 of Guidance Note on Audit of Internal Financial Controls Over Financial Reporting

IT general controls support operation of the application controls by ensuring the proper access to, and functioning of, the company’s IT systems. Deficiencies in the IT general controls may result in

 

deficiencies in the operation of the automated or IT dependent controls. One of the factors in the auditor’s evaluation of the identified deficiencies in the IT general controls is the interaction of an IT general control and the related automated or IT- dependent controls.

In some situations, an automated or IT-dependent control might be effective even if deficiencies exist in IT general controls. For example, despite the presence of deficient program change controls, the auditor might directly test the related automated or IT-dependent manual control, giving consideration to the risk associated with the deficient change controls in his or her risk assessment and audit strategy. If the testing results were satisfactory, the auditor could conclude that the automated or IT- dependent manual controls operated effectively at that point in time e.g., as of the issuer’s fiscal year end. On the other hand, deficient program change controls might result in unauthorised changes to application controls, in which case the auditor could conclude that the application controls are ineffective.

Analysis and Conclusion

On the basis of above guidance, General IT controls are those controls which relate to many applications/ software and help in proper functioning of IT-dependent controls relevant for the audit including reporting on internal financial controls over financial reporting. In case the auditor assesses that General IT controls are not present or not effective, then the auditor needs to assess the risk this may pose on audit trail configurations and preservation of audit trail records. In case the auditor evaluates that the failure of General IT controls poses a risk over the effective operation of audit trail configurations and the auditor is unable to obtain sufficient and appropriate audit evidence for continued operation of audit trail feature during the year, then the auditor would need to appropriately modify the comment while reporting under Rule 11(g).

 

Question 8: Reliance on information system audit report like SOC 2, etc. (where applicable)

Can auditor rely on independent information system audit report of service organization (example SOC 2)?

Response:

Technical Guidance

Text of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014

Whether the company, in respect of financial years commencing on or after the 1^st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.

Paragraph 20 of the Implementation Guide

As part of the audit approach, the auditor would need to ensure that the management assumes the primary responsibility to:

- identify the records and transactions that constitute books of account under section 2(13) of the Act;

- identify the software i.e., IT environment including applications, web-portals, databases, Interfaces, Data Warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account;

- ensure such software have the audit trail feature;

- ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:

 

• when changes were made,
• who made those changes,
• what data was changed,

- ensure that the audit trail feature is always enabled (not disabled);

- ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;

- ensure that the audit trail is appropriately protected from any modification;

- ensure that the audit trail is retained as per statutory requirements for record retention;

- ensure that controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout the period of reporting.

In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate. An illustrative list of internal controls which may be required to be implemented and operated are given below:

- Controls to ensure that the audit trail feature has not been disabled or deactivated.

- Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.

- Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.

- Controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs, whenever the audit trails have been accessed, are maintained.

 

- Controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.

Paragraph 21 of the Implementation Guide

In respect of identification of relevant transactions in context of maintenance of books of account, the auditor may consider performing the following procedures:

- Assess management’s identification of records and transactions where audit trail needs to be captured and verify, on a test basis, whether the audit trail has been configured and enabled for the identified accounting software.

- Evaluate the management’s approach regarding identification of accounting software which have been considered for the purposes of maintenance of audit trail. Refer Appendix I for an illustrative table.

- Inquire with the management on how they evaluated changes that are required for the maintenance of audit trail as part of changes or upgrades to the accounting software.

- Where applicable, consider involvement of specialists or experts in the field of Information Technology to assist in evaluation of management controls and configurations in the accounting software with regard to audit trail.

Paragraph 22 of the Implementation Guide

In case of accounting software supported by service providers, the company’s management and the auditor may consider using independent auditor’s report of service organisation (e.g., Service Organisation Control Type 2 (SOC 2)/SAE 3402, “Assurance Reports on Controls At a Service Organization”) for compliance with audit trail requirements. The independent auditor’s report should specifically cover the maintenance of audit trail in line with the requirements of the Act.

 

Analysis and Conclusion

It is the primary responsibility of the management to ensure that audit trail feature is operating throughout the year. In order to demonstrate that the audit trail feature was functional, operated and was not disabled during any part of the financial year, a company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate.

In case where accounting software is provided by a service provider, the auditor may consider using independent auditor’s report on service organisation (for example, SOC 1/SOC 2/ SAE 3402) for compliance with audit trail requirements. The independent auditor’s report should specifically cover the maintenance of audit trail in line with the requirements of the Companies Act, 2013 and should cover the period of the company’s reporting. While doing so, statutory auditor of the company is required to comply with the requirements of SA 402, “Audit Considerations Relating to an Entity Using a Service Organisation”.

It is pertinent to note that the ultimate responsibility to report on the audit trail feature of the accounting software lies with the company’s auditor.

Question 9: Is reporting on audit trail should be done based on each and every change made by the company or reporting should be done on materiality concept?

Response Technical Guidance

Text of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014

Whether the company, in respect of financial years commencing on or after the 1^st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been

 

operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.

Analysis and Conclusion

Rule 11(g) states that the audit trail is required for each and every transaction, creating an edit log of each change made in books of account. So, the reporting will apply for all transactions irrespective of the amount involved.

Reporting on audit trail is a factual reporting. The auditor’s reporting is based on test checks which would require application of concept of materiality for purpose of sample selection. Please refer paragraph 28 of the Implementation Guide for illustrative reporting.

Question 10: There is a scenario where after completion of 100% checking of records, nothing adverse is found by the auditor regarding financial statements, however, accounting software of company is not audit trail enabled. In such scenario, whether the auditor should modify the comment while reporting under Rule 11(g)?

Response:

Reporting on audit trail is independent of any adverse findings regarding financial statements. If audit trail as required by Rule 3(1) of the Companies (Accounts) Rules, 2014 is not maintained, the auditor would need to appropriately modify the comment while reporting under Rule 11(g) even if nothing adverse regarding financial statements is found.

Question 11: If software is not able to retain the edit log because of software limitation, what will be reporting on audit trail?

Response:

 

As per requirement of Rule 3(1) of the Companies (Accounts) Rules, 2014, accounting software should have the feature to retain

 

edit log. If software is not able to retain the edit log because of software limitation, it means that the software does not have proper audit trail feature. In such situation, the auditor would need to appropriately modify the comment while reporting under Rule 11(g). Please refer paragraphs 30-31 of the Implementation Guide “Illustrative wordings for modified reporting” for detailed guidance.

Question 12: Is there requirement for the auditor to report about effective date of audit trail implementation in the company?

Response:

 

There is no requirement of reporting about effective date of audit trail implementation in the company as per Rule 11 (g). However, if audit trail does not operate throughout the relevant reporting period, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).

Question 13: Whether banks and NBFCs are covered under audit trail requirement?

Response:

 

All companies (including banks and NBFCs) incorporated under the Companies Act, 2013 are required to comply with audit trail requirement, so there is no exemption for such banks and NBFCs from audit trail requirement.

Question 14: Are auditors required to comment on details of audit trail logs?

Response:

 

As per Rule 11(g), the auditor needs to comment only on the below cited aspects:

 

• Whether the company has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility.
• Whether the audit trail operated throughout the year for all transactions recorded in the software.
• Whether audit trail feature has not been tampered with.
• Whether audit trail has been preserved by the company as per statutory requirements for record retention.

Accordingly, there is no requirement for auditors to comment on the details of audit trail logs.

Question 15: Is audit trail required to be enabled at database level even if access to database in an ERP is restricted to only one user and the log of such user making any such change is enabled?

Response:

 

The access to the database to one or more users should be decided by the company depending on its operating and business needs after appropriately designing the internal controls and ensuring the operating effectiveness of such controls. Changes made directly at the database level will impact the books of account and hence audit trail is required to be enabled at the database level also.

Question 16: Does the auditor need to do testing in the ERP of the company or the auditor can simply rely on representation from the management?

Response:

The auditor is required to carry out necessary audit procedures and obtain sufficient and appropriate audit evidence for their reporting under Rule 11(g). The auditor cannot simply rely on representation from the management.

 

The nature, timing and the extent of the auditor's procedures will depend on various factors e.g. the company's accounting software, auditor’s understanding of the audit trail configurations, design and operating effectiveness of internal controls over audit trail.

Detailed guidance for statutory auditors of companies is given in the Implementation Guide.

Question 17: In case log of entire chain of changes are not maintained, however, software maintains only log of last/latest changes, will this be adequate? Or absence of log of entire chain of changes will result into modified comment while reporting under Rule 11(g)?

Response:

As per requirement of Rule 3(1) of the Companies (Accounts) Rules, 2014, each and every change should be logged and should be available in the logs. Retaining only the last/ latest changes will not serve the purpose of compliance with audit trail requirements. Accordingly, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).

Question 18: If the audit trail is recorded at back-end on a server/ cloud maintained outside India, then whether audit trail is also required to remain accessible in India at all times as per Rule 3 of the Companies (Accounts) Rules, 2014?

or

Would audit trail be subject to the amended requirements of the Companies (Accounts) Rules, 2014 on backup of books of account and other books and papers of the company maintained in electronic mode?

Response:

Audit trail requirements are applicable even for accounting software maintained outside India if the company is incorporated in India. Further, in case the auditor is relying on the work of

 

another auditor, then audit trail feature requirement should form part of SOC/SAE report. In case the other auditor does not report on this requirement, then the auditor needs to consider the impact on their reporting under Rule 11(g).

The amended Rule 3 of the Companies (Accounts) Rules, 2014 requires that “the back-up of books of account and other books and papers of the company maintained in electronic mode including at a place outside India, if any, shall be kept in servers physically located in India on a daily basis.” These would include audit trail records as well since audit trail is required for books of account and the audit trail records would fall under the definition of books of account and other books and papers. Accordingly, audit trail records would require daily backup to be maintained in a server physically located in India.

The audit trail records should remain accessible in India at all times in same manner and form to ensure compliance with requirements of Rule 3 of the Companies (Accounts) Rules, 2014.

Question 19: Where the independent auditor’s report of service organisation that includes the maintenance of audit trail, is not co-terminus with the company’s financial year (e.g. such SOC 2/SAE 3402 report is for the period till December 31, 2023 whereas the company’s financial year ends on March 31, 2024) - how should the auditor of the company consider such SOC 2/SAE 3402 report for their reporting under Rule 11(g)?

Response:

Rule 11(g) requires the auditor to report explicitly that the audit trail operated throughout the year and hence the auditor would require sufficient and appropriate audit evidence that the audit trail operated throughout the year. Where the accounting software is maintained by third party service organisation and the auditor of the company is unable to obtain sufficient and appropriate audit evidence for the full reporting period with regard to maintenance of

 

audit trail, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).

Question 20: Will maintaining a backup of ERP in a server situated in India is sufficient to be compliant with the requirement of audit trail?

Response:

No, backup requirements are different from the audit trail requirements. Companies that use accounting software to maintain their books of account are required to comply with audit trail requirements irrespective of whether backup of such data exists in India.

If ERP software does not have audit trail feature, then maintaining its backup would not be sufficient to ensure compliance with audit trail requirements. As per requirement of the Companies (Accounts) Rules, 2014, accounting software having audit trail feature is required to be implemented from 1^st April 2023 and in case of any non-compliance, the auditor would need to appropriately modify the comment while reporting under Rule 11(g).

Question 21: Whether a single report showing all edits done during the year containing all details as required is sufficient for the audit trail purpose?

Response:

A single report produced by a company’s accounting software showing all edits done during the year containing all details as required may not be practically possible considering the volume of transactions and changes made thereto during the year in a company. However, if the company’s accounting software produces a single report detailing all changes to books of account and the auditor is able to obtain sufficient and appropriate audit evidence to support their reporting on audit trail then that may be sufficient for the purpose.

 

Question 22: If a company having ERP accounting software is not generating edit log except for generating the date wise voucher listing. Whether voucher listing can be considered as audit trail considering substance over form?

Response:

 

As per paragraph 8 of the Implementtion Guide, it is the primary responsibility of the management to ensure that the accounting software used by the company records an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made.

As per paragraph 20 of the Implementation Guide, the auditor would need to ensure that the management assumes the primary responsibility to ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:

• when changes were made,

 

• who made those changes,

 

• what data was changed,

 

Further, as laid out in the “Glossary of Terms” of the Implementation Guide, audit trail should capture when an entry was added or modified, what fields were modified and who made the entry or modified it. The format of the audit trail will vary between applications since they capture and retain edit logs based on the application/ database design.

A voucher listing may not usually provide information on whether a voucher was changed, how many times it was changed and what changes were made. Hence, a mere voucher listing will not be considered as an audit trail.

 

Question 23: If an accounting software provides error log and this error log is editable, will this satisfy the requirement of audit trail?

Response:

No, an error log would not satisfy the requirements of audit trail. Usually, an error log may not record changes to books of account and may not capture when the record was created/changed.

Question 24: The auditor is required to report as to “whether, in his opinion, proper books of account as required by law have been kept by the company so far as appears from his examination of those books and proper returns adequate for the purposes of his audit have been received from branches not visited by him” under the section “Report on Other Legal and Regulatory Requirements” in the auditor’s report [Section 143(3)(b) of Companies Act, 2013]. The auditor is also required to state any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith [Section 143(3)(h) of Companies Act, 2013].

Under Rule 11(g), specific reporting on audit trail is required under the section “Report on Other Legal and Regulatory Requirements” in the auditor’s report.

If the auditor has modified the comment while reporting under Rule 11(g) on audit trail, whether this will also impact the reporting pursuant to Section 143(3)(b) and Section 143(3)(h)?

Response:

Yes, the requirement of accounting software having audit trail feature has been added in the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 which deals with ‘Manner of Books of Account to be Kept in Electronic Mode’. Hence, any modified comment while reporting under Rule 11(g) will have to be considered while reporting under Section 143(3)(b) and Section 143(3)(h) in accordance with the provisions of the Companies Act, 2013.

 

For example, if the audit trail was not operating for part of the year or throughout the year, the auditor will also be required to consider this while reporting under Section 143(3)(b) and Section 143(3)(h) in addition to reporting under Rule 11(g).

Given below is an example for illustrative reporting.

Example - Audit Trail feature is not operating effectively during the reporting period.

Illustrative reporting in the “Section - Report on Other Legal and Regulatory Requirements” in auditor’s report

Rule 11 (g)

Based on our examination which included test checks, the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software except that the audit trail feature of YYY software used by the company to maintain payroll records did not operate throughout the year. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention]⁸.

Section 143(3)(b) – Company has maintained proper books of account except for audit trail

In our opinion, proper books of account as required by law have been kept by the company so far as it appears from our examination of those books [and proper returns adequate for the purposes of our audit have been received from the branches not visited by us] except for the matters stated in the paragraph (…) below on reporting under Rule 11(g).

 

 

⁸ Reporting on Rule 11(g) is applicable from the financial year 2023-24. Accordingly, this reporting w.r.t. preservation of audit trail would be relevant from the second year i.e. financial year 2024-25.

 

Section 143(3)(h)

The [qualification/ adverse remark/ reservation]⁹ relating to the maintenance of accounts and other matters connected therewith are as stated in the paragraph (…) above on reporting under Section 143(3)(b) and paragraph (…) below on reporting under Rule 11(g).

Question 25: Whether ‘books of account’ maintained in accounting software would include following:

(a) Master data (e.g., vendor records)

(b) Purchase Order/ Sales Order

(c) Records of Property, Plant and Equipment/Intangible Assets

(d) Use of Spreadsheets Response:

(a) Master Data

The definition of books of account under Section 2(13) of the Companies Act, 2013 does not distinguish between master data and transaction data. Usually, in accounting software, a payment made to a vendor will not have the complete details in the transaction record and a reference to the related master record will be necessary. Hence, vendor master data will be required to be considered as part of books of account.

As the changes to the master data are linked to the transactions recorded in the books of account, the changes to such master data for vendors/ customers should also have an audit trail.

(b) Purchase Order/ Sales Order

In case of a purchase order, a goods receipt entry or a vendor invoice recording entry will capture the liability to be recorded in the books of account.

 

⁹ Select whichever is applicable.

 

Purchase orders/ contracts are used by companies as control/ governance mechanism to establish the contractual obligations of the parties.

Where the terms of such purchases are agreed at the time of receipt or at the time of booking the invoice and thus depending upon the likely interface/ input to the ‘books of account’, one may conclude it to be part of accounting software requiring existence of an audit trail feature.

The above assessment would also hold good for sales order and price master. Thus, depending upon circumstances as may apply to an engagement, the auditor would need to exercise their judgement in this regard.

(c) Records ofProperty, Plant and Equipment /Intangible assets

Property, plant and equipment /intangible assets register may be classified as accounting software, if the same provides direct and auto feed to the accounting software (accounting software as identified by management) in terms of depreciation, profit or loss on sale of property, plant and equipment/intangible assets, etc. In such case, the register should be treated as part of books of account and it will attract the audit trail requirement.

(d) Use of Spreadsheets

Any software used to maintain the books of account is termed as accounting software (also refer to definition of the term ‘Accounting Software’ in the ‘Glossary of Terms’ in the Implementation Guide). If a company uses end-user computing tools, like spreadsheets, then those tools may be classified as accounting software if the same provides direct and auto feed to the accounting software (accounting software as identified by management). In such case, the spreadsheet should be treated as part of books of account and the spreadsheet will attract the audit trail requirement.