[FAQs] Statutory Auditor’s Duty to Report Audit Trails
- Blog|Advisory|Account & Audit|
- 57 Min Read
- By Taxmann
- |
- Last Updated on 25 April, 2024
The duty of the statutory auditor to report on an audit trail involves assessing and reporting whether the accounting software used by the company to maintain its books of account has an audit trail feature that meets specific criteria. Under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, this duty includes verifying: – Audit Trail Feature: The auditor must report whether the company's accounting software has a feature for recording an audit trail (edit log) that is non-configurable and has been operational throughout the year for all transactions recorded in the software – Operation Throughout the Year: The auditor needs to confirm that the audit trail feature was enabled and operated throughout the financial year for all transactions recorded in the accounting software – Tamper-proof: It must be reported whether the audit trail feature has been tampered with or not. The feature should be designed in such a way that it cannot be disabled or altered – Preservation of Audit Trail: The auditor must assess and report whether the audit trail has been preserved by the company as per the statutory requirements for record retention. This duty emphasizes the importance of transparency and accountability in financial reporting by ensuring that all transactions are recorded accurately and any changes are logged and traceable. The audit trail helps in detecting and preventing errors and fraud, thereby enhancing the reliability of the financial statements.
Table of Contents
- Applicability of Rule 11(g)
- Audit trail
- Audit Trail vs Internal Financial Controls
- Accounting Software
- Books of account
- Management Responsibilities when books of account maintained in electronic mode
- Audit Procedures
- Audit Trails & Frauds
- Audit Documentation
- Reporting in Independent Auditor’s Report
- Conclusion: Key Takeaways
1. Applicability of Rule 11(g)
FAQ 1. When is the statutory auditor of a company required by Rule 11(g) to report on an audit trial in his audit report?
Clause (j) of Section 143(3) of the Companies Act, 2013 (‘the Act’) states that the auditor’s report shall also state such other matters as may be prescribed. Rule 11 of the Companies (Audit and Auditors) Rules, 2014 prescribes other matters that are required to be reported upon by the auditor of a Company under Section 143(3)(j). Clause (g) of Rule 11 [Rule 11(g)] requires the auditor of a Company to report whether the accounting software used by the Company to maintain books of account has an audit trail feature. Rule 11(g) is reproduced below:
“Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.”
The following points emerge from Rule 11(g)
- If the Company maintains books of the account entirely in manual mode without using any accounting software, reporting under Rule 11(g) is not applicable.
- Where the company has used any accounting software to maintain its books of account in respect of financial years commencing on or after 01.04.2022, Rule 11(g) requires the company’s auditor to report on the accounting software’s audit trail feature in his audit report by making a specific assertion in this regard.
FAQ 2. What if books of account are maintained and written up manually by the Company, and then entries are made from these books at the year-end in the software, and the books of account and balance sheet and P&L account are then printed out from the software? Will the auditor have to report under Rule 11(g) in such a case?
No. Here, the software is used not for maintaining books of account but only for printing them out and for finalising balance sheets and P&Ls from the manually maintained books of account. Therefore, Rule 11(g) and Proviso to Rule 3(1) [FAQ 5 below] are not applicable to such a case
FAQ 3. What are the duties of an auditor of a company to report as regards audit trail?
Where the company has used any accounting software to maintain its books of account in respect of financial years commencing on or after 01.04.22, the auditor is required by Rule 11(g) to report whether the accounting software used by the company is one that satisfies the following conditions:
(a) It has a feature of recording audit trail (edit log facility);
(b) the audit trail (edit log) facility has been operated throughout the year for all transactions recorded in the software;
(c) the audit trail feature has not been tampered with; and
(d) the audit trail has been preserved by the company as per the statutory requirements for record retention.
In terms of Rule 11(g), the auditor is expected to verify the following:
- Non-Configurable: The audit trail feature must be non-configurable. That is to say, the audit trail should not be capable of being disabled and should not be capable of being tampered with.
- Enabled throughout the year: Verify whether the audit trail feature was enabled/ operated throughout the year.
- Auditor’s responsibility is limited to transactions that have been recorded in the accounting software and subsequent changes made to those transactions: whether all transactions recorded in the software are covered in the audit trail feature? Proviso to Rule 3(1) of Companies (Accounts) Rules 2014 prescribes the requirement of an audit trail only in the context of books of account by stating that accounting software should be capable of creating an edit log of “each change made in books of account.” The auditor’s responsibilities have been prescribed for “all transactions recorded in the software.” Accordingly, the auditor’s responsibility under Rule 11(g) is restricted to transactions that have been recorded in the accounting software and subsequent changes made to those transactions (which is demonstrated through rectification/ additional entities).
- Compliance with statutory record retention requirements: Has the audit trail been preserved as per statutory requirements for record retention under Section 128(5) of the Companies Act, 2013?
FAQ 4. Is the auditor required to comment on the operating effectiveness of the audit trail?
Unlike Section 143(3)(i) which requires the auditor to comment on the operating effectiveness of internal controls, there is no requirement to report on operative effectiveness of the audit trail.
FAQ 5. Is there any statutory obligation on the Company to implement safeguards, controls, and audit trails where the Company uses accounting software to maintain its books of account? Or is the obligation only on the auditor to report on whether or not the accounting software used by the Company has an audit trail feature?
Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 states that for the financial year commencing on or after the 1st day of April 2023, every company that uses accounting software for maintaining its books of account shall use only such accounting software which satisfies the following conditions:
- It records an audit trail of each and every transaction,
- An edit log is created of each change made in the books of account along with the date when such changes were made and
- Ensuring that the audit trail cannot be disabled.
In short, every company that uses accounting software to maintain books of account should ensure that the accounting software used has an audit trail feature that cannot be disabled.
The following points emerge from the proviso:
- The accounting software that a Company uses should create an edit log of each transaction with changes made in the books of accounts.
- The accounting software should capture the details of the date such changes (edits) are made and ensure the edit trail cannot be disabled.
- The accounting software should maintain the edit log of every transition, from recording to tracking any changes that may take place.
FAQ 6. If accounting software used for maintaining books of account does not have a built-in audit trail feature but maintains an audit trail manually by management, will it satisfy the requirements regarding audit trails of Rule 11(g) and Proviso to Rule 3(1)?
No. These Rules envisage an audit trail, which is a built-in feature of the accounting software used by the Company. If the audit trail feature is not built into the software and is maintained manually, the requirements of these Rules are not satisfied.
FAQ 7. Companies are required to implement the audit trail feature in the accounting software used by the Company only with effect from Financial Year 2023-24. However, the auditor is required to report whether the accounting software has an audit trail with effect from FY 2022-23. What is the auditor to do for the audit report of a Company for FY 2022-23?
As the Compliance requirement with regard to audit trail is applicable to Companies with effect from 01.04.2023 (FY 2023-24) only, the auditor of a Company will not be able to report on the audit trail feature of accounting software in his audit report for the financial year 2022-23. In his audit report for the financial year 2022-23, the auditor of a Company may state that the requirement to report on the audit trail is not applicable as the requirement for companies to implement the audit trail feature in the accounting software pursuant to the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable only with effect from 01.04.2023.
In the audit report for FY 2022-23, the auditor may report as under:
“As proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable for the company only w.e.f. April 1, 2023, reporting under this clause is not applicable.”
FAQ 8. Whether a company is legally obliged to use an accounting software for maintaining the books of account?
No. The Company is well within its rights to maintain its books of accounts entirely manually. If it uses an accounting software, it is required to comply with the proviso to Rule 3(1).
Section 128(1) of the Act requires every company to prepare and keep the books of account and other relevant books and papers and financial statements for every financial year which give a true and fair view of the state of the affairs of the company. Further, this Section gives an option to companies to maintain such books of account in electronic mode. If the Company opts to maintain its books of account in electronic mode, then it is required to comply with the requirements of Rule 3 of the Companies (Accounts) Rules, 2014. If a company (irrespective of its size and nature, i.e. small company, medium company, private company, public company) is maintaining its books of account in the electronic mode, then it is required to use accounting software with an audit trail feature.
If a Company does not comply with the Proviso to Rule 3(1), the Company’s auditor must appropriately modify his comment while reporting under Rule 11(g).
FAQ 9. Is the auditor required to report on the audit trail feature in his/ her limited review report of a listed company?
The Companies Act, 2013, and the Rules made thereunder specify requirements with regard to the contents of the audit reports. The Act and the Rules are silent on the contents of a limited review report. The SEBI Regulations do not require the auditors to report on the audit trail feature of accounting software while issuing their limited review report on the financial results of a listed company. Thus, at present, there is no requirement for an auditor to report on an audit trail in a limited review report of a listed company.
FAQ 10. Does the reporting requirement under Rule 11(g) apply to audit reports of all companies, or is there an exemption for certain categories of companies?
Rule 11(g) applies to the audit report of every company that uses accounting software to maintain its books of account. If a company uses accounting software to maintain its books of account, the auditor is required by Rule 11(g) to report on the audit trail irrespective of the company’s size and class.
Rule 11(g) does not exempt audit reports of any class of companies. The reporting requirement under Rule 11(g) is triggered for companies of any class or size, including if accounting software is used by the Company to maintain its books of account.
FAQ 11. Whether there is any exemption from Rule 11(g) in respect of Section 8 company?
The reporting requirement in Rule 11(g) is triggered when any Company uses an accounting software for maintaining its books of account. Accordingly, auditors of all classes of companies, including Section 8 companies, are required to report on the audit trail as required by Rule 11(g).
FAQ 12. Is there any exemption from Rule 11(g) regarding audit reports of One-Person Companies (OPCs)?
No. Rule 11(g) applies to the audit report of every company that uses accounting software to maintain its books of account. If a company uses accounting software to maintain its books of account, the auditor is required by Rule 11(g) to report on the audit trail irrespective of the company’s size and class.
Rule 11(g) does not exempt audit reports of any class of companies. The reporting requirement under Rule 11(g) is triggered for companies of any class or size, including if accounting software is used by the Company to maintain its books of account.
FAQ 13. Is there any exemption from Rule 11(g) for the audit report of a small company as defined in Section 2(85) of the Act?
No. Rule 11(g) applies to the audit report of every company that uses accounting software to maintain its books of account. If a company uses accounting software to maintain its books of account, the auditor is required by Rule 11(g) to report on the audit trail irrespective of the company’s size and class.
Rule 11(g) does not exempt audit reports of any class of companies. The reporting requirement under Rule 11(g) is triggered for companies of any class or size, including if accounting software is used by the Company to maintain its books of account.
FAQ 14. Whether reporting requirement under Rule 11(g) applies to audit reports of foreign companies?
In terms of Rule 5(2) of the Companies (Registration of Foreign Companies) Rules, 2014, the provisions of “Chapter X of the Act: Audit and Auditors” and the Rules made thereunder apply mutatis mutandis to a foreign company as defined in the Act. Therefore, reporting requirements under Rule 11(g) shall apply to a foreign company as defined in Section 2(42) of the Act.
FAQ 15. Whether banks and NBFCs are covered under the audit trail requirement?
The audit trail requirement applies to all companies (including banks and NBFCs) incorporated under the Companies Act, 2013 if they maintain books of account in electronic mode. So, there is no exemption for the auditors of such banks and NBFCs from reporting on audit trail requirements. However, the audit trail requirement is not applicable to banks/ NBFCs not incorporated under the Companies Act (e.g. nationalised banks, SBI, etc) unless the Central Government exercises its powers under Section 1(4) of the Act and extends the audit trail requirement to them which the Central Government has not yet done.
FAQ 16. What if the company has outsourced the maintenance of its books of account, and the service organization to whom it is outsourced uses accounting software to maintain the company’s books of account?
Rule 11(g) applies if accounting software is used for the maintenance of the company’s books of account. It does not matter whether the software is used in-house by the Company or by a service organization to whom the company has outsourced the maintenance of books of account.
Where accounting software is provided by a service provider(service organization), the statutory auditor of the Company may, for the purposes of reporting on audit trail, rely on an independent auditor’s report on the service organisation provided it satisfies the following three criteria:
- The independent auditor’s report is issued in terms of Standards such as SOC 1/SOC 2/ SAE 3402
- The report specifically covers the maintenance of the audit trail in line with the requirements of the Companies Act, 2013 and
- The report covers the period of the company’s reporting.
The following points are noteworthy:
- The statutory auditor of the company shall comply with the requirements of SA 402, “Audit Considerations Relating to an Entity Using a Service Organisation”, while relying on an independent auditor’s report on the service organisation.
- The ultimate responsibility to report on the audit trail feature of the accounting software lies with the statutory auditor of the company.
FAQ 17. Does it affect the auditor’s obligation to report under Rule 11(g) if accounting software is hosted and maintained in India or outside India?
No, not at all. The auditor’s obligation under Rule 11(g) applies regardless of whether the accounting software may be hosted and maintained in India or outside India. Further, it makes no difference whether the accounting software may be on-premise, in the cloud, or subscribed to as Software as a Service (SaaS) software.
FAQ 18. Does the auditor’s reporting obligation under Rule 11(g) apply to audit reports on standalone financial statements only, or does it also apply to audit reports on consolidated financial statements?
Rule 11(g) applies to reporting on both standalone financial statements and consolidated financial statements.
Section 129(4) of the Act specifically provides that the provisions of the Act shall, mutatis mutandis, apply to the consolidated financial statements. It means that the requirements of the Act will apply to CFS with necessary changes. Accordingly, in line with the approach adopted in the case of reporting on the consolidated financial statements on the other clauses of section 143(3) of the Act, the reporting under Rule 11(g) would also be on the basis of the reports of the statutory auditors of subsidiaries, associates and joint ventures that are companies defined under the Act (Indian companies). The auditors of the parent company should apply professional judgment and comply with applicable Standards on Auditing, in particular, SA 600, “Using the Work of Another Auditor” while assessing the matters reported by the auditors of subsidiaries, associates and joint ventures that are Indian companies.
FAQ 19. What if consolidated financial statements include some components whose auditors are not statutorily required to report on the audit trail?
Reporting under Rule 11(g) is not required by the auditor in respect of the following components included in the consolidated financial statements:
- Components that are not companies under the Act [e.g. Limited Liability Partnerships (LLPs]; and
- Components incorporated outside India.
While reporting on the consolidated financial statements, the auditor is not required to report in respect of such components. While reporting on the audit trail in his report on consolidated financial statements, the auditor may state clearly that his remarks on the audit trail cover only
“the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act”
An illustrative wording of remarks under Rule 11(g) to be used in audit reports on CFS is as under:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, we report that the company and the above referred subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and respective auditors of the above referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of audit trail feature being tampered with.”
FAQ 20. Is the auditor required to make any adverse remarks pursuant to Rule 11(g) if the company does not use accounting software to maintain its books of accounts?
No. The Company is well within its rights to maintain its books of accounts entirely manually. If it uses an accounting software, it is required to comply with the proviso to Rule 3(1).
Section 128(1) of the Act requires every company to prepare and keep the books of account and other relevant books and papers and financial statements for every financial year which give a true and fair view of the state of the affairs of the company. Further, this Section gives an option to companies to maintain such books of account in electronic mode. If the Company opts to maintain its books of account in electronic mode, then it is required to comply with the requirements of Rule 3 of the Companies (Accounts) Rules, 2014. If a company (irrespective of its size and nature, i.e. small company, medium company, private company, public company) is maintaining its books of account in the electronic mode, then it is required to use accounting software with an audit trail feature.
If a Company does not comply with the Proviso to Rule 3(1), the Company’s auditor must appropriately modify his comment while reporting under Rule 11(g).
2. Audit trail
FAQ 21. Is there any statutory definition of “audit trail” in the Companies Act, 2013 or the Rules thereunder?
Neither the Act nor Rule 11 (g) defines the term “audit trail.” However, one can discern the nature and features of an audit trail from a conjoint reading of Proviso to Rule 3(1) and Rule 11(g).
FAQ 22. What is an “Audit Trail”?
The following definitions of the term “audit trail” are noteworthy:
- An audit trail is a sequential record detailing the history and events related to a specific transaction or ledger entry.
- An audit trail is a detailed, chronological record whereby accounting records, project details, transactions, user activity, or other financial data are tracked and traced. An audit trail is a date and time-stamped record of the history and details around a transaction, work event, product development step, control execution, or financial ledger entry. Almost any type of work activity or process can be captured in an audit trail, whether automated or manual.
- An audit trail is a comprehensive record encompassing all events or transactions within a system, network or application. It is a chronological record that tracks who, what, when, and where of all the activities within a system.
From the above definitions and a conjoint reading of Proviso to Rule 3(1) and Rule 11(g), it is clear that
(a) An audit trail is a chronological, date, and time-stamped record of a specific transaction from the time its entry is made in the accounting software through various changes to it until its deletion which is a built-in feature of the accounting software used.
(b) If an audit trail is not a built-in feature of the accounting software, and the audit trail is maintained separately manually, the requirements of Rule 11(g) and Proviso to Rule 3(1) are not satisfied
(c) When you enter a transaction in the accounting software, it will maintain a record by creating an edit log/audit log.
(d) The software will also record any further edits made to the details, such as a change in the amount or change in the name against which the entry is made, along with the user who made the changes and the time it was changed, by creating an edit log.
(e) If a transaction is deleted, the software will also track that by creating an edit log. Accounting software’s built-in audit trail feature keeps a record of everything since the original entry was made. That is to say, a record of all edit logs created right from the entry of a transaction in the accounting software until its deletion will be maintained in chronological sequence with date-stamp and time-stamp. This chronological series of edit log/audit log records maintained by the accounting software is the “audit trail”.
The FAQs given in Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) (hereinafter referred to as ‘the Implementation Guide on Audit Trail’ for brevity sake) clarify that the following do not qualify as “audit trail”:
- Back-ups
- Voucher listings – A mere voucher listing is not an audit trail.
- Error Logs
- Feature in accounting software that does not allow subsequent modification to the transactions/ journal entries posted initially
- The log of the last/latest changes is only maintained and the log of the entire chain of changes is not maintained.
The Glossary in the Implementation Guidance on Audit Trail gives a positive definition of an audit trail which sets out the following features of an audit trail as under:
- Visible trail of evidence providing traceability of information contained in reports to the original input source
- Chronological record of all changes to data-creating new data or updating data or deleting data
- Information to be contained in records maintained as an audit trail
- Enabled at accounting software level or directly captured in the underlying database
The above features of the audit trail are explained as follows:
Visible trail of evidence providing traceability- An Audit Trail (or Edit Log) is a visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source.
A chronological record of changes to data- Audit trails are a chronological record of the changes that have been made to the data. Any change to data, including creating new data, updating data, or deleting data, must be recorded.
Contents of records maintained as audit trail- Records maintained as an audit trail should include the following information:
- Timestamp i.e., date and time of changes
- User ID of the person who made the change
- What data was changed i.e., data/transaction reference;
- Success/failure
Enabled at what level- Depending on the features available in accounting software, Audit trails may be enabled at the accounting software level or captured directly in the database underlying such accounting software.
FAQ 23. What is an “Edit log” or “Audit log”?
As per the Glossary of IG, these terms are synonyms of “Audit Trail. However, there is a distinction. The audit log/edit log is a record of transaction entry, of each change made to data since entry and of deletion of data. A chronological series of all edit logs/audit logs of changes to data right from the entry of the transaction to its deletion constitutes an audit trail.
FAQ 24. What are the various types of audit trails and which type of audit trail is envisaged by Rule 11(g) and Proviso to Rule 3(1)?
As per the website there are 4 types of audit trails as under:
- System audit trail
- Transaction audit trail
- Access audit trail
- Change audit trail
System audit trail
- A System audit trail records all system-level events, such as System startups and shutdowns, User logins and logouts, system configurations, and security-related events.
- System audit trails are essential to detect system-level attacks, such as unauthorised access, malware infections, and Configuration changes.
Transaction audit trail
- A transaction audit trail records all transaction-level events, such as data entry, updations, deletions and transfers.
- Transaction audit trails are essential for detecting and investigating data manipulation, fraud and theft.
Access audit trail
- An access audit trail records all access level events such as File and folder access network connections and remote access.
Change audit trail
- A change audit trail records all changes made to the system or application, Change audit Trails are essential for detecting and investigating system vulnerabilities, misconfigurations and errors.
Rule 11(g) and Proviso to Rule 3(1) only cover “Transaction audit trail”.
FAQ 25. What Audit trail (edit log) features should one look for in an accounting software to be compliant with Proviso to Rule 3(1) and Rule 11(g)?
According to Tally Solutions, an accounting software should have the following key features in order for it to be compliant with Proviso to Rule 3(1) and Rule 11(g):
- Date-stamp
The audit trail (edit log) feature of the accounting software used by a Company should have the time and date log within the accounting software. The audit trail (edit log) should record all the details of actions performed in the software in a date-wise manner. The accounting software should keep records of all the edits made in the books of accounts and shouldn’t be disabled.
- Track all transactional changes
The accounting software should monitor and track all the changes made to the transaction and capture such details in the audit log. Essentially, the software should track and log changes from creation to alteration to deletion of transactions.
- The Edit log feature shouldn’t be disabled
The audit trail feature should always be enabled to remain compliant with Rule 11(g) and Proviso to Rule 3(1).
- Technical Log vs. audit log
Don’t confuse audit logs with software logging. While opting for accounting software, businesses must ensure that the system has respective logs for software issues and a dedicated audit trail to remain compliant with Rule 11(g) and Proviso to Rule 3(1).
- Capture User details
The accounting software should capture username details from creation to alteration to deletion.
- Software should provide version differences
The accounting software should provide you with version differences that help you understand various elements, such as modifications or any changes that were made.
- Sequential order
The accounting software should provide a detailed insight into chronological history by date and time is crucial.
3. Audit Trail vs Internal Financial Controls
FAQ 26. Is there any distinction between “audit trail” and “internal control”?
The “audit trail” may be likened to a CCTV camera in a house. “Internal control may be likened to the overall security measures taken to prevent housebreaks, including strong doors, collapsible gates, burglar alarms, and durable locks. While CCTV cameras cannot prevent housebreaks, they can certainly record and capture what happens when all other security measures fail to prevent them provided the CCTV cameras are functioning all the time and don’t get disabled.
Case Study on the respective roles of Internal Financial controls and Audit Trail: Vendor master data may be updated with Udyam Registration Numbers of MSE Suppliers so that Micro or Small Enterprise (MSE) suppliers’ payments can be processed on a priority basis to avoid disallowance under Section 43B(h) of the Income-Tax Act,1961 and to avoid interest liability under Section 16 of MSMED Act and disallowance of such interest under Section 23 of MSMED Act .
Internal control is laying down the norms that the Vendor master data in the accounting software be updated with the Udyam Registration Number(URN) of a supplier who is a MSE only after the same is verified and validated on the Udyam Portal. Validation may be by using an Application Programming Interface (API). Or validation should be done by an authorised official on the Udyam Portal and a screenshot of the validation be maintained. It may so happen that this internal control is absent or breached. The Vendor master data may get updated with the fake URN of a non-MSE supplier with the connivance of that supplier so that his payments get processed on priority and the employee/official of the company who updated the vendor master gets bribes for this favour. Later on, the auditors / internal auditors, while test-checking URNs on the Udyam Portal, may uncover these fake URNs updated in vendor masters without validating them on the Udyam Portal.
Audit Trail in the accounting software will help to know who updated the Vendor Masters with fake URNs and when it was updated. Internal controls over the validation of URNs before updating them on Vendor Masters will help prevent fraud in the first place. Internal control has a preventive role while the audit trail records what changes have been made to data, when and by whom.
IFCoFR Reporting vs Audit Trail Reporting: While the audit trail is required to be reported upon under Section 143(3)(h) read with Rule 11(g), internal control is required to be reported upon under Section 143(3)(i). While Rule 11(g) is applicable to a company using accounting software to maintain books of account regardless of the class of company to which it belongs, Section 143(3)(i) applies to every company, regardless of whether the company uses accounting software or not, unless exempted by the Notification No GSR 464(E), dated 5-6-2015, as amended by Notification No. GSR 583(E), dated 13-6-2017. The following private companies are exempt from the applicability of Section 143(3)(i):
- One Person Company(OPC)
- Small Company
- Private Company which has a turnover less than ₹50 crores as per the latest audited financial statement and which has aggregate borrowings from banks or financial institutions or any body-corporate at any point of time during the financial year less than ₹25 crores
Section 143(3)(i) of the Act, with respect to the Companies to which it applies, requires the auditor to state in his audit report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls. Section 143(3)(i) does not require the auditor to state whether the internal financial controls have operated throughout the year under audit. Mere non-availability of an audit trail does not necessarily imply failure or material weakness in the operating effectiveness of internal financial controls over financial reporting. However, where the auditor has to issue a modified report on IFCoFR under Section 143(3)(i)due to the inability of management to rely on the automated controls, the auditor will have to disclaim an opinion on audit trails. Illustrative wordings for modified remarks under Rule 11(g) is as under:
“The company has used an accounting software for maintaining its books of account however for the reasons stated in [refer the reporting of IFCoFR] management is unable to rely on automated controls related to financial reporting in the accounting software and consequently we are unable to comment on audit trail requirements of the said software as envisaged under Rule 11(g).”
4. Accounting Software
FAQ 27. What is “accounting software”?
Accounting Software is a computer program or system that enables the recording, maintenance and reporting of books of account and relevant ecosystems applicable to business requirements. From a Rule 11(g) perspective, only the accounting software that is used for maintaining books of account should be considered for enabling an audit trail. Any software used to maintain books of account will be covered within the ambit of this Rule. For example, if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act.
Accordingly, any software that maintains records or transactions that fall under the definition of Books of Account as per section 2(13) of the Act will be considered as accounting software for this purpose. The requirement of the accounting software to have a feature of audit trail has been incorporated as a proviso to Rule 3(1) of the Account Rules and has been prescribed only in the context of books of account. This is evidenced by the fact that as per the proviso to the Rule, the accounting software should be capable of creating an edit log of “each change made in books of account.”
FAQ 28. Whether end-user computing tools, like spreadsheets, should be regarded as “accounting software” for the purposes of Proviso to Rule 3(1) and Rule 11(g)?
Any software used to maintain the books of account is to be treated as accounting software for the purposes of Proviso to Rule 3(1) and Rule 11(g). Therefore, as regards treating spreadsheets used as accounting software for audit trail requirement purposes, the following points may be noted:
- If a company uses end-user computing tools, like spreadsheets, then those tools are to be treated as accounting software if there is direct auto-feed posting of entries from the spreadsheets to the accounting software ( the accounting software as identified by management). In such a case, the spreadsheet should be treated as part of the books of account, and the spreadsheet will attract the audit trail requirement.
- If End-user computing tools like spreadsheets are merely used to record transactions or for preparing workings/ calculations of amounts to be recorded without any auto-posting of accounting entries directly from the spreadsheets to the accounting software, the spreadsheets used should not be treated as “accounting software” and would not attract the audit trail. For instance, it may be used for preparing workings of foreign exchange gain/loss or amortization or tax liability to be recorded in another accounting software (accounting software as identified by management) using the amounts computed in a spreadsheet. However, there is no auto-posting directly to the accounting software from such a spreadsheet. In such case, the spreadsheet should not be treated as part of books of account and the spreadsheet will not attract the audit trail requirement.
The auditor should evaluate the facts regarding the usage of end-user computing tools in the light of the above points and accordingly report.
5. Books of account
FAQ 29. What is “Books of Account”?
As per Section 2(13) of the Act, the term “books of account” includes records maintained in respect of—
(i) Receipts and Payments: all sums of money received and expended by a company and matters in relation to which the receipts and expenditure take place;
(ii) Sales and Purchases: all sales and purchases of goods and services by the company;
(iii) Assets and Liabilities: the assets and liabilities of the company; and
(iv) Mandatory cost records under Section 148: the items of cost as may be prescribed under section 148 in the case of a company that belongs to any class of companies specified under that section.
FAQ 30. Whether ‘books of account’ maintained in accounting software would include the following:
(a) Master data (e.g., vendor records)
(b) Purchase Order/ Sales Order
(c) Records of Property, Plant and Equipment/Intangible Assets
(a) Master Data: No distinction between master data and transaction data is made in the definition of “books of account” given in Section 2(13) of the Act. A reference to the master record is necessary as, usually, in an accounting software, a transaction record will not have the complete details of a payment made to a vendor. Further, changes to the master data are linked to the transactions recorded in the books of account. Hence, the vendor master data is to be treated as part of the books of account. Therefore, the changes to such master data for vendors should also have an audit trail.
(b) Purchase Order/ Sales Order: Depending upon circumstances that may apply to an engagement, the auditor would need to exercise his professional judgement as to whether these constitute books of account.
(c) Records of Property, Plant and Equipment /Intangible assets: If Property, plant and equipment /intangible assets register provides direct and auto feed to the accounting software (accounting software as identified by management) in terms of depreciation, profit or loss on sale of property, plant and equipment/intangible assets, etc., the register is part of books of account and the audit trail requirement will apply to the PPE Register/ Intangible Assets Register. The statutory auditor of a Company will have to factor in compliance with audit trail requirement by PPE Register/Intangible Assets Register while reporting under CARO 2020 as to whether “proper records” have been maintained in respect of PPE/Intangible Assets.
FAQ 31. Under the Act, what is the period for which a company is required to preserve an audit trail?
Rule 11(g) requires the auditor to state whether ‘the audit trail has been preserved by the company as per the statutory requirements for record retention’. Section 128(5) of the Act contains the statutory requirements for the period of record retention. Section 128(5) requires the companies to preserve books of account for a minimum period of eight years. Therefore, the company would need to retain the audit trail for a minimum period of eight years (financial years).
FAQ 32. Does the requirement that a company shall retain an audit trail for 8 years apply to the audit trail of financial years prior to 01.04.2023?
The requirement to retain an audit trail for a minimum period of eight years (financial years) applies to begin with the financial year 2023-24 since proviso to Rule 3(1) applies “for the financial year commencing on or after the 1st day of April 2023”.
6. Management Responsibilities when books of account maintained in electronic mode
FAQ 33. If a Company uses accounting software for maintaining its books of account, what are the responsibilities of the Management in this regard?
If the Company uses accounting software for maintaining its books of account, Management has a responsibility to effectively comply with the requirements of Rule 3(1) in this regard. The requirements of the proviso to Rule 3(1) are to be complied with regardless of whether the accounting software may be hosted and maintained in India or outside India or may be on-premise or on the cloud or subscribed to as Software as a Service (SaaS) software
In other words, the Management of every company which uses an accounting software is required to ensure only such accounting software is used which has the following features:
- It records an audit trail of each and every transaction,
- It creates an edit log of each change made in the books of account along with the date when such changes were made; and
- It ensures that the audit trail is not disabled.
Thus, it is the Management that is primarily responsible for the selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to the retention of edit logs). The scope of Management’s primary responsibility covers the following:
- Identify “books of account” under Section 2(13): identify the records and transactions that constitute books of account under section 2(13) of the Act
- Identify the accounting software: identify the software i.e., IT environment including applications, web portals, databases, interfaces, data warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account.
- Audit trail in accounting software: ensure such software have the audit trail feature;
- Audit trail captures each and every change and contains information related to change: ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include (a) date stamp and timestamp of every change, (b) the UserId of the person making the changes and (c) what data was changed
- Not disabled: ensure that the audit trail feature is always enabled (not disabled);
- Audit trail at database level: ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;
- Protection from modification: ensure that the audit trail is appropriately protected from any modification;
- Compliance with statutory record retention norms: ensure that the audit trail is retained as per statutory requirements for record retention under Section 128(5) of a minimum of 8 financial years;
- Controls: ensure that controls over maintenance and monitoring of audit trail
In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate. An illustrative list of internal controls which may be required to be implemented and operated are given below:
- Controls to ensure that the audit trail feature has not been disabled or deactivated.
- Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.
- Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.
- Controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs, whenever the audit trails have been accessed, are maintained.
- Controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.
- Audit trail operating effectively throughout the period of reporting: ensure its features are designed and operating effectively throughout the period of reporting.
The auditor would need to ensure that the management assumes the primary responsibility regarding the above.
FAQ 34. How auditor can ensure that management assumes the primary responsibility for matters covered in FAQ 33 above?
The auditor can make the Management of the Company aware of their responsibilities listed in FAQ 33 above by incorporating them in an Audit Engagement Letter (AEL) or in an Update/Revision to the AEL. Issued by him to Company and getting the same acknowledged by the Management of Company or Those Charged with Governance of the Company. [See Standard on Auditing SA 210 Agreeing the Terms of Audit Engagement
FAQ 35. How the auditor of a company can ensure that the Responsibilities of Management as regards the audit trail can be made known to users of financial statements?
The auditor can state the respective responsibilities of Management and the Auditor as regards the audit trail in the Independent Auditor’s Report. If auditor deems fit to state the respective responsibilities for the audit trail in the Independent Auditor’s Report, then,
- Management’s responsibilities for the audit trail is to be stated under the paragraph with the heading “Management’s Responsibility for the Standalone Financial Statements”/ “Management’s Responsibility for the Consolidated Financial Statements”.
- Auditor’s responsibilities for the audit trail is to be stated under the paragraph with the heading “Auditor’s Responsibility for the Audit of the Standalone Financial Statements”/ “Management’s Responsibility for the Consolidated Financial Statements”.
FAQ 36. Can you illustrate how the Company’s management is to identify the accounting software used by the Company?
An Illustrative table showing identification by Management of accounting software used by the Company is given below:
Name of the Accounting Software | Particulars | Hosting Location | Maintained In-house or Outsourced | Database | Operating System | Audit Trail enabled |
e.g., ABC | Journal entries, sub-ledgers and general ledger | Company Data Center, Bangalore | In-house | ABC | Windows 10 | Yes |
e.g., XYZ
|
Sales Invoices, Inventory, Customer Ledger | SaaS / On Cloud | Outsourced Maintained by ABC Corp | XYZ | Windows 10 | Yes |
e.g., PQR | Manufacturing Cost Records | Company Data Center, Bangalore | In-house | PQR | Windows 10 | Yes |
e.g. DEF | Plant, Property and Equipment Register | Company Data Center, Bangalore | In-house | DEF | Windows 10 | Yes |
FAQ 37. Can the auditor of a Company rely on Management’s identification of accounting software and limit his verification and reporting to the accounting software identified by the Company?
No. The auditor will have to use his professional judgment in the facts of the case to assess whether Management has correctly identified the accounting software used by the Company. For example, he has to assess whether any end-user computing tools used by the Company, like spreadsheets, which may not have been covered by Management’s Identification, are also to be regarded as part of “accounting software”.
FAQ 38. Would the above responsibilities of Management under Proviso to Rule 3(1) [FAQ 33 above] apply if the Company outsources the maintenance of its books of account to a service organisation and service organisation uses an accounting software to maintain company’s books of account?
The above responsibilities of Management apply regardless of whether books of account are maintained in-house by the Company using accounting software or are outsourced to a service organisation, and accounting software is used by the service organisation to maintain the company’s books of account.
7. Audit Procedures
FAQ 39. Can the auditor simply rely on written representation from management for reporting under Rule 11(g)?
No, the auditor cannot simply rely on written representations from the management as the basis for his reporting under Rule 11(g). SA 580 Written Representations provides clearly that written representations do not provide sufficient appropriate audit evidence on their own about any of the matters with which they deal. Further, the fact of receipt of reliable written representations does not affect the nature or extent of other audit evidence that the auditor is required to obtain regarding the fulfilment of management’s responsibilities, or about specific assertions.
Lord Denning observed in Candler v. Crane, Christmas & Co.
“………. The one man (in a one man company) who gives them (auditors) wrong information will not complain if they do not verify it. He wanted their backing for the misleading information he gives them and he can only get it if they accept his word without verification. It is just what he wants so as to gain his own ends…….”.
Therefore, auditor should not blindly rely on management representations. If he blindly relies on written representations from Management without carrying out audit procedures for verification, his report or certificate becomes a “snare” to the users as observed by Lord Denning in the above case. Auditors should take reasonable care and skill before relying on management representations. The auditor is not absolved of his duties by obtaining written representations. In Kingston Cotton Mill Co. (No. 2) [1896] 2 Ch. 279 (CA), it was held as under:
- The auditor is justified in believing tried servants of the company in whom confidence is placed by the company.
- The auditor is entitled to assume that they are honest and to rely upon their representations, provided he takes reasonable care. – Kingston Cotton Mill Co. (No. 2) [1896] 2 Ch. 279 (CA).
Thus, the auditor is required to carry out necessary audit procedures and obtain sufficient and appropriate audit evidence for their reporting under Rule 11(g).
FAQ 40. What audit procedures must the auditor perform to obtain sufficient appropriate audit evidence for reporting under Rule 11(g)?
The auditor needs to perform the following procedures for obtaining sufficient appropriate evidence for reporting under Rule 11(g):
- Management’s identification of records and transactions: Assess management’s identification of records and transactions where an audit trail needs to be captured.
- Configured and enabled: Verify, on a test basis, whether the audit trail has been configured and enabled for the identified accounting software.
- Evaluate Management’s identification of ‘accounting software’: Evaluate management’s approach to identifying the accounting software that has been considered for the purposes of maintaining the audit trail.
- Inquiries of Management: Inquire with management about how they evaluated changes required for maintaining the audit trail as part of changes or upgrades to the accounting software.
- Use of IT Specialists/experts: Consider involving specialists or experts in the field of Information Technology to assist in evaluating management controls and configurations in the accounting software regarding the audit trail.
- Type 2 report from an independent auditor: In the case of accounting software supported by service providers, consider using an independent auditor’s report of the service organisation (e.g., Service Organisation Control Type 2 (SOC 2)/SAE 3402, :“Assurance Reports on Controls At a Service Organization”) for compliance with audit trail requirements. Verify that the independent auditor’s report specifically covers the maintenance of the audit trail in line with the requirements of the Act and covers the period of the company’s reporting. The statutory auditor of the company shall comply with the requirements of SA 402, “Audit Considerations Relating to an Entity Using a Service Organisation”, while relying on an independent auditor’s report on the service organisation. However, the ultimate responsibility to report on the audit trail feature of the accounting software lies with the statutory auditor of the company.
- Test the controls put in place by Management: Most of the commonly used accounting software, including Enterprise Resource Planning (ERP) software, have an audit trail feature that can be enabled or disabled at the discretion of the company. Auditors should evaluate controls/policies put in place by Management in this regard such as restricting access to the administrators and monitoring changes to configurations that may impact the audit trail and test such controls to determine whether the feature of audit trails have been implemented and operating effectively throughout the reporting period.
- Controls restricting audit trail access to authorised persons: It is expected that management ensures that the administrative access to the audit trail is restricted to authorized representatives. In this regard, the auditor may take into consideration the following aspects for every accounting software which is used in maintaining the “books of account” for the purpose of reporting:
(a) the software configuration that controls enabling or disabling of the audit trail and whether audit trail was enabled throughout the period.
(b) the access to such configurations.
(c) any changes to the audit trail configuration during the period of audit (during the financial year and also from the date of financial statements but before the date of auditor’s report).
(d) the periodic review mechanism implemented and operated by management for any changes to the audit trail configuration.
(e) the completeness and accuracy of audit trail or edit logs that are generated through the software functionalities or directly recorded in the underlying database i.e., whether it captures the user ID that made the change, the date and time of change and what fields were changed by reviewing the reports or trails generated, on a test basis, to capture the required information or when the audit trail feature was disabled, etc.
(f) any testing management has performed to assess the completeness and accuracy of the audit trail.
- Procedures to preserve audit trail records for 8 financial years: Inquire with management to understand the procedures implemented by the company to preserve the records as per the statutory record retention period (8 financial years).
- Review of audit trail records on a sample basis: Review, on a sample basis, the audit trail records maintained by management for each applicable year. Evaluate management controls for maintaining such records without alteration and retrieving logs maintained for the required period of retention.
- Reporting implications under SA 250: Based on procedures performed, the auditor is expected to evaluate the reporting implications specifically giving due consideration to SA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”.
- Auditor’s duties in Fraud Scenarios: In a scenario where the occurrence of an error or fraud could not be established due to lack of maintenance, availability or retrievability of audit trails, . in evaluating the severity of a deficiency for such instances, specifically in cases of fraud, the auditor should primarily consider two factors: (a) the likelihood that the deficiency will result in a material misstatement and (b) the magnitude of such an outcome. The auditor should perform an assessment of risk of material misstatements due to fraud and consider both qualitative and quantitative factors in assessing a deficiency or combination of deficiencies as a significant deficiency or material weakness and would accordingly require application of professional judgement while linking the reporting against Rule 11(g) and section 143(12) of the Act/clause (x) of the Companies (Auditor’s Report) Order 2020 (as the case may be).
- Written Representations from Management: Obtain written representations from management confirming/stating the following :
(a) Acknowledgement of management’s responsibility for establishing and maintaining adequate controls for identifying, maintaining, controlling, and monitoring audit trails consistent with the requirements.
(b) Stating that management has performed an evaluation and assessed the adequacy and effectiveness of the company’s procedures for complying to the requirements prescribed for audit trails.
(c) Stating management’s conclusion, as set forth in its assessment, about the adequacy and effectiveness of the company’s procedures regarding audit trails.
(d) Stating that management has disclosed to the auditor all deficiencies in the design or operation of controls maintained for audit trails identified as part of management’s evaluation.
(e) Describing instances where identification of fraud, if any, resulting in a material misstatement to the company’s financial statements is identified while reviewing and testing the
(f) samples related to the disablement of audit trail facility of the accounting software.
(g) Stating whether control deficiencies identified and communicated to the audit committee in relation to audit trail during previous engagements have been resolved, and specifically identifying any deficiency that have not been resolved.
- Limitation on Scope if written representations not furnished by Management: SA 580, “Written Representations,” explains matters such as who may sign the representation letter, the period to be covered by the representation letter, and when to obtain an updated representation letter. The inability to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit. When the scope of the audit is limited, the auditor may either disclaim the audit opinion or resign from the engagement in accordance with Standards on Auditing.
- Verify Minutes of Board Meetings: Verify from the Minutes of Board Meetings that the Board of Directors approving the financial statements of the company also takes on record the policies and procedures as laid down by the management in respect of assertion and conclusion on the adequacy and operating effectiveness of audit trials. Additionally, the board should also take on record the deficiencies, significant deficiencies and material weaknesses identified by the management, internal auditors, and the auditor.
FAQ 41. Can an auditor use an IT expert or specialist while auditing and reporting on an accounting software’s audit trail feature?
The auditor can consider involving a specialist or expert in information technology to assist in evaluating management controls and configurations in the accounting software regarding the audit trail. While doing so, he must factor the following points:
- The auditor must comply with SA 620, “Using the Work of an Auditor’s Expert.”
- The auditor must ensure to insert suitable clauses in Audit Engagement Letter (AEL) regarding hiring of auditor’s expert by him and the expert’s/ specialist’s bill to be paid/borne by the client.
- The auditor must also insert suitable clauses in written agreement with the specialist/expert that the engagement is on the understanding that the client will bear the fees of the specialist/expert.
- However, notwithstanding the auditor’s reliance on the work of the expert/specialist, the ultimate responsibility for reporting on the audit trail feature lies with the auditor only.
FAQ 42. Can the auditor rely on the independent information system audit report of a service organization (example SOC 2) where the company outsources the maintenance of books of account?
Where accounting software is provided by a service provider(service organization), the statutory auditor of the Company may, for the purposes of reporting on audit trail, rely on an independent auditor’s report on the service organisation provided it satisfies the following three criteria:
- The independent auditor’s report is issued in terms of Standards such as SOC 1/SOC 2/ SAE 3402
- The report specifically covers the maintenance of the audit trail in line with the requirements of the Companies Act, 2013 and
- The report covers the period of the company’s reporting.
The following points are noteworthy:
- The statutory auditor of the company shall comply with the requirements of SA 402, “Audit Considerations Relating to an Entity Using a Service Organisation”, while relying on an independent auditor’s report on the service organisation.
- The ultimate responsibility to report on the audit trail feature of the accounting software lies with the statutory auditor of the company.
8. Audit Trails & Frauds
FAQ 43. Whether Audit Trails can prevent frauds?
Audit Trails cannot prevent frauds. However, the lack of audit trails can result in fraud remaining undetected for long periods of time. No system of internal financial control is fool-proof. Every system of internal control is prone to violation or breach. Lack of audit trails can be a huge fraud risk factor as the case study in FAQ 25 would show. The auditor will have to factor the absence of an audit trail as a fraud risk factor in his risk assessment and perform suitable response procedures. [SA 315, SA 330 and SA 240]
FAQ 44. What is the auditor of a Company to do in a scenario where the occurrence of an error or fraud could not be established due to lack of maintenance, availability or retrievability of audit trails?
In such a scenario, the auditor should primarily consider two factors: (a) the likelihood that the deficiency will result in a material misstatement and (b) the magnitude of such an outcome.
The auditor would have to:
- Perform an assessment of the risk of material misstatements due to fraud;
- Consider both qualitative and quantitative factors in assessing a deficiency or combination of deficiencies as a significant deficiency or material weakness and
- Apply professional judgement while linking the reporting against Rule 11(g) and section 143(12) of the Act/clause (x) of the Companies (Auditor’s Report) Order 2020 (as the case may be).
9. Audit Documentation
FAQ 45. What audit documentation should the auditor maintain as regards work performed by him on the audit trail?
The work performed on the audit trail must be documented by the auditor as under:
(a) Documentation should be prepared contemporaneously while doing the work.
(b) Documentation on work on the audit trail must provide a sufficient and appropriate record of the basis for the auditor’s reporting under Rule 11(g); and
(c) Documentation must provide evidence that the audit was planned and performed in accordance with the Implementation Guide on Audit Trail, applicable Standards on Auditing and applicable legal and regulatory requirements.
(d) The auditor must comply with the requirements of SA 230, “Audit Documentation” to the extent applicable.
(e) The audit documentation on the audit trail work should speak for itself.
10. Reporting in Independent Auditor’s Report
FAQ 46. In which section of the audit report is the statutory auditor of a company required to make his comments under Rule 11(g) as regards the audit trail?
The comment regarding the audit trail is to be made in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’.
FAQ 47. When is the auditor required to give a modified/adverse opinion while reporting on the audit trail under Rule 11(g)
In respect of the audit trail, the following are likely to be expected scenarios:
i. Management may maintain an adequate audit trail as required by the Account Rules.
ii. Management may not have identified all records/transactions for which audit trail should be maintained.
iii. The accounting software does not have the feature to maintain an audit trail, or it was not enabled throughout the audit period.
Scenarios (ii) and (iii) mentioned above would result in a modified/ adverse reporting against Rule 11(g).
FAQ 48. What is the auditor to do if the accounting software does not have an audit trail feature and does not allow subsequent modification to the transactions/ journal entries posted initially?
In terms of the proviso to Rule 3(1) and Rule 11(g), if the company is using accounting software for maintaining its books of account, then such software must have an audit trail feature in it. This is irrespective of whether the already posted journal entry could be edited or not. If the audit trail feature is not present, then Rule 3(1) of the Companies (Accounts) Rules, 2014 is not complied with and auditor would have to suitably modify his comment pursuant to Rule 11(g).
FAQ 49. How is the auditor to report under Rule 11(g) if the audit trail did not function during any part of the year under audit due to any technical glitch?
The auditor would need to appropriately modify his comment under Rule 11(g) if the audit trail feature remains non-functional during any part of the year or is unable to function properly due to technical glitches or otherwise.
FAQ 50. Is it necessary to enable the audit trail in accounting software for any part of the year in which there were no transactions?
The absence of transactions during any part of the year is no reason for not enabling the audit trail feature.
If the audit trail feature is not enabled/remains non-functional during any part of the year, the auditor would need to appropriately modify the comment under Rule 11(g) even if there were no transactions during that part of the year. In such a case, the auditor would also need to modify his comments pursuant to Section 143(3)(b) (as to whether proper books of account as required by law have been maintained) and Section 143(3)(h) (any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith).
FAQ 51. What is the auditor to do in case the audit trail feature has not been enabled since the commencement of the relevant financial year and is only enabled at any time before the year-end?
If the audit trail feature remains non-functional during any part of the year, the auditor will need to appropriately modify his comment under Rule 11(g). The auditor would also need to modify his comments pursuant to Sections 143(3)(b) and 143(3)(h).
FAQ 52. If, during an audit, the auditor assesses that the General IT controls are not present or are observed to be ineffective, should the auditor rely on the accounting software’s audit trail feature?
If the auditor’s evaluation is that there is a failure or absence of General IT controls and the same poses a risk over the effective operation of audit trail configurations, and the auditor is unable to obtain sufficient and appropriate audit evidence for the continued operation of the audit trail feature during the year, then the auditor would need to appropriately modify the comment while reporting under Rule 11(g). The auditor would also need to modify his comments pursuant to Sections 143(3)(b) and 143(3)(h).
FAQ 53. Whether reporting on the audit trail under Rule 11(g) should be based on the materiality concept?
Rule 11(g) states that an audit trail is required for every transaction and that an edit log is to be created by the accounting software for each change made in the books of account. So, the audit trail requirements for the reporting under Rule 3(1) and Rule 11(g) will apply to all transactions irrespective of the amount involved are applicable to all transactions irrespective of the amount involved. There is no concept of materiality involved here. However, the auditor’s reporting is based on test checks. The concept of materiality would apply for the purpose of sample selection for the test checks.
FAQ 54. Should the auditor make adverse remarks regarding the audit trail in accounting software not being enabled even when 100% checking has been done, and nothing adverse has been found by the auditor regarding financial statements?
The reporting requirement under Rule 11(g) on the audit trial is applicable regardless of whether there are any adverse findings of the auditor regarding the financial statements. Even if nothing adverse regarding financial statements is found, the auditor would need to appropriately modify the comment under Rule 11(g) and also modify his comments under Sections 143(3)(b) and 143(3)(h) if an audit trail as required by Rule 3(1) of the Companies (Accounts) Rules, 2014 is not maintained.
FAQ 55. Is the auditor required to make adverse comments in a case where accounting software is unable to retain the edit log because of a software limitation?
As per the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, accounting software should be able to retain an edit log. If the accounting software is not able to retain the edit log because of software limitations or otherwise, it means that the software does not have a proper audit trail feature and the auditor would need to appropriately modify his comment under Rule 11(g).
FAQ 56. If the auditor has modified the comment while reporting under Rule 11(g) on the audit trail, what other reporting requirements under Section 143 of the Act are impacted?
The requirement that accounting software have an audit trail feature is contained in the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, which deals with the ‘Manner of Books of Account to be Kept in Electronic Mode’. Hence, any modified comment made while reporting under Rule 11(g) will have to be considered while reporting under Section 143(3)(b) of the Act (as to whether proper books of account as required by law have been maintained) and under Section 143(3)(h) of the Act (any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith).
FAQ 57. Is the auditor required to report the effective date of implementation of the audit trail in his comments made pursuant to Rule 11(g)?
Rule 11(g) does not require the auditor to report the effective date of implementation of the audit trial. However, the auditor would need to modify his comment appropriately while reporting under Rule 11(g), section 143(3)(b)and section 143(3)(h) if the audit trail does not operate throughout the relevant reporting period.
FAQ 58. Are auditors required to comment on details of audit trail logs?
Rule 11(g) requires the auditor to report only on the following aspects:
- Whether the company has used accounting software for maintaining its books of account that has a facility for recording an audit trail (edit log).
- Whether the audit trail operated throughout the year for all transactions recorded in the software.
- Whether the audit trail feature has not been tampered with.
- Whether the audit trail has been preserved by the company as per statutory requirements for record retention.
Thus, Rule 11 does not require the auditor to comment on the details of audit trail logs.
FAQ 59. Is an audit trail required to be enabled at the database level even if access to the database in an ERP is restricted to only one user and the log of such user making any such change is enabled?
Changes made directly at the database level will impact the books of account. Therefore, the audit trail is required to be enabled at the database level also.
FAQ 60. What if the log of the entire chain of changes is not maintained, and the software maintains only the log of the last/latest changes? Is this adequate? Or is the auditor required to modify his comment under Rule 11(g)?
As per the requirement of proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, each and every change should be logged and should be available in the logs. Retaining only the last/ latest changes is not sufficient compliance with audit trail requirements of Rule 3(1) and Rule 11(g). Accordingly, the auditor would need to appropriately modify the comment while reporting under Rule 11(g) and would also need to modify his comments under Sections 143(3)(b) and 143(3)(h).
FAQ 61. If the audit trail is recorded at the back end on a server/ cloud maintained outside India, then is it also required to remain accessible in India at all times as per Rule 3 of the Companies (Accounts) Rules, 2014?
If the company is incorporated in India, the audit trail requirements would apply even to accounting software maintained outside India. The proviso to Rule 3(5) of the Companies (Accounts) Rules, 2014 requires that “the back-up of books of account and other books and papers of the company maintained in electronic mode including at a place outside India, if any, shall be kept in servers physically located in India on a daily basis.” These above requirements of Rule 3 apply to audit trail records as well since the audit trail records fall under the definition of books of account and other books and papers. Accordingly, the audit trail records would require daily backup to be maintained in a server physically located in India. Thus, the audit trail records should remain accessible in India at all times as per Rule 3 of the Companies (Accounts) Rules, 2014.
Further, if the auditor is relying on another auditor’s work, the audit trail feature requirement should be part of the SOC/SAE 3402 report. If the other auditor does not report on this requirement, the auditor needs to consider the impact on their reporting under Rule 11(g).
FAQ 62. Suppose the independent auditor’s report of a service organisation that includes the maintenance of an audit trail is not co-terminus with the company’s financial year (e.g., such SOC 2/SAE 3402 report is for the period until December 31, 2023), whereas the company’s financial year ends on March 31, 2024). How should the company’s auditor consider such SOC 2/SAE 3402 reports for their reporting under Rule 11(g)?
Rule 11(g) requires the auditor to report explicitly that the audit trail operated throughout the year, and hence, the auditor would require sufficient and appropriate audit evidence that the audit trail operated throughout the year. Where the accounting software is maintained by a third-party service organisation and the auditor of the company is unable to obtain sufficient and appropriate audit evidence for the full reporting period with regard to maintenance of the audit trail, the auditor would need to appropriately modify the comment while reporting under Rule 11(g). The auditor would also need to modify his comments under Sections 143(3)(b) and 143(3)(h).
FAQ 63. Will maintaining an ERP backup on a server situated in India be sufficient to comply with the requirement of an audit trail?
No, “audit trail” is not the same as “back-up”. A back-up does not qualify as an audit trail. Companies that use accounting software to maintain their books of account are required to comply with audit trail requirements irrespective of whether a backup of such data exists in India. If ERP software does not have an audit trail feature, then maintaining its backup would not amount to sufficient compliance with audit trail requirements. As per the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, the audit trail feature in accounting software used by a company is required to be implemented from 1st April 2023 and in case of any non-compliance, the auditor would need to appropriately modify the comment while reporting under Rule 11(g) and would also need to modify his comments pursuant to Sections 143(3)(b) and 143(3)(h).
FAQ 64. Whether a single report showing all edits done during the year containing all details as required is sufficient for the audit trail purpose?
If the company’s accounting software produces a single report detailing all changes to books of account and the auditor is able to obtain sufficient and appropriate audit evidence to support his reporting under Rule 11(g) on the audit trail, then such a single report may be sufficient for Rule 11(g) and Rule 3(1) purposes. The auditor needs to exercise his professional judgement in this regard. However, it does not appear practically possible for such a single report to be generated considering the volume of transactions and the changes made thereto during the year.
FAQ 65. If a company using ERP accounting software does not generate an edit log except for generating the date-wise voucher listing, can the voucher listing be considered an audit trail, considering substance over form?
An audit trail, by definition, should capture the following information:
- when an entry was added or modified (date-stamp and time-stamp),
- what fields were modified and
- who made the entry or modified it(User ID of the person making the entry/the change).
As a voucher listing may not usually provide information on whether a voucher was changed, how many times it was changed and what changes were made, a mere voucher listing will not be considered as an audit trail.
FAQ 66. If accounting software provides an error log and this error log is editable, will this satisfy the requirement of an audit trail?
No, an error log would not satisfy the requirements of the audit trail. Usually, an error log may not record changes to books of account and may not capture when the record was created/changed.
FAQ 67. What is the first year of applicability of the reporting requirement under Rule 11(g) for existing companies using accounting software for maintaining books of account?
The first year of applicability for such existing companies is FY 2023-24
FAQ 68. What is the first year of applicability of the reporting requirement under Rule 11(g) for new companies?
The first year of applicability for a new company is the first year in which it starts maintaining books of account by using an accounting software.
FAQ 69. Can you give Illustrative wording for unmodified remarks under Rule 11(g) regarding the audit trail in an Independent Auditor’s Report on Standalone Financial Statements for an existing Company in the first year of applicability, i.e. FY 2023-24?
The following is an example of unmodified remarks regarding the audit trail in the Independent Auditor’s Report on Standalone Financial Statements for FY 2023-24:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, we report that the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules,2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail.”
FAQ 70. Can you give an Illustrative wording for unmodified remarks under Rule 11(g) regarding the audit trail in Independent Auditor’s Report on Standalone Financial Statements to be used in audit reports to be followed from the 2nd year onwards (i.e. after the first year of applicability)?
An illustrative wording of remarks under Rule 11(g) to be used from 2nd year onwards is as under
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, we report that the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention. Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules,2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail”
FAQ 71. Can you give Illustrative wording for unmodified remarks under Rule 11(g) regarding the audit trail in Independent Auditor’s Report on Consolidated Financial Statements in the first year of applicability?
An illustrative wording of remarks under Rule 11(g) to be used in audit reports on CFS is as under:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, we report that the company and the above referred subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and respective auditors of the above referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of audit trail feature being tampered with.”
FAQ 72. Can you give an Illustrative wording for unmodified remarks under Rule 11(g) regarding audit trail in Independent Auditor’s Report on Consolidated Financial Statements to be followed from the 2nd year onwards (ie after the first year of applicability)?
An illustrative wording of remarks under Rule 11(g) to be used in audit reports on CFS from 2nd Year onwards, is as under:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, we report that the company and the above-referred subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and the respective auditors of the above-referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of the audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention”
FAQ 73. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where audit trail feature was disabled for one of the books of account/ records or for an accounting software – (e.g., property, plant and equipment software)
Illustrative reporting in the “Section – Report on Other Legal and Regulatory Requirements” in the auditor’s report pursuant to Rule 11(g), Section 143(3)(b) and Section 143(3)(h) is given hereunder-
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, the company has used accounting software for maintaining its books of account, which has a feature of recording audit trail (edit log) facility except in respect of maintenance of property, plant and equipment records wherein the accounting software did not have the audit trail feature enabled throughout the year. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except for the instances reported below…… Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention]”
An illustrative wording of remarks to be made pursuant to Section 143(3)(b) as to whether the Company has maintained proper books of account as required by law, is as under
“In our opinion, proper books of account as required by law have been kept by the company so far as it appears from our examination of those books [and proper returns adequate for the purposes of our audit have been received from the branches not visited by us] except for the matters stated in the paragraph (…) below on reporting under Rule 11(g).”
An illustrative wording of remarks to be made pursuant to Section 143(3)(h), is as under:
“The qualification relating to the maintenance of accounts and other matters connected therewith are as stated in paragraph (…) above on reporting under Section 143(3)(b) and paragraph (…) below on reporting under Rule 11(g).”
Since the matter pertains to records of property, plant and equipment maintained in accounting software, in the case of a company to which CARO 2020 applies, the auditor of the Company would also need to make necessary remarks pursuant to Para 3(i)(a)(A) of the Annexure to the Independent Auditor’s Report on Standalone Financial Statements. The CARO remarks in the Annexure to the audit report may be given as under:
“3(i)(a)(A)Except for the matter stated by us in Paras …., …. and ….. in the “Section – Report on Other Legal and Regulatory Requirements” of our Independent Auditor’s Report, we report that the Company has maintained proper records showing full particulars, including quantitative details and situation of Property, Plant and Equipment Assets”
FAQ 74. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where the audit trail feature was not enabled for an accounting software
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, the company has used accounting software for maintaining its books of account, which has a feature of recording audit trail (edit log) facility except that no audit trail enabled at the database level for accounting software AAA (database SQL) and BBB (database db2) to log any direct data changes. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except for the instance reported above. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention] . Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail”
Reporting under Section 143(3)(b) to be done as illustrated in FAQ 73 above
FAQ 75. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where Accounting software is maintained by a third party and the auditor is unable to assess whether the audit trail feature can be disabled during the reporting period
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, the company has used an accounting software ABC which is operated by a third party software service provider, for maintaining its books of account and in absence of a Type 2 Control Report from a practising Chartered Accountant complying with SAE 3402/SOC1/SOC2, we are unable to comment whether audit trail feature of the said software was enabled and operated throughout the year for all relevant transactions recorded in the software or whether there were any instances of the audit trail feature been tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention] Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail”
Reporting under Section 143(3)(b) to be done as illustrated in FAQ 73 above.
An illustrative wording of remarks to be made pursuant to Section 143(3)(h), is as under:
The reservations relating to the maintenance of accounts and other matters connected therewith are as stated in paragraph (…) above on reporting under Section 143(3)(b) and paragraph (…) below on reporting under Rule 11(g).
FAQ 76. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where Migration from one software to the other happened during the year or higher version of software installed and the auditor is unable to obtain sufficient and appropriate evidence
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, we report that the Company has migrated to [name of the software] from [old software/manual] during the year and is in the process of establishing necessary controls and documentation regarding the audit trail. Consequently, we are unable to comment on the audit trail feature of the said software.”
An illustrative wording of remarks to be made pursuant to Section 143(3)(b) as to whether the Company has maintained proper books of account as required by law, is as under
“In our opinion, proper books of account as required by law have been kept by the company so far as it appears from our examination of those books [and proper returns adequate for the purposes of our audit have been received from the branches not visited by us] except for the matters stated in the paragraph (…) below on reporting under Rule 11(g).”
Reporting under Section 143(3)(b) to be done as illustrated in FAQ 73 above.
An illustrative wording of remarks to be made pursuant to Section 143(3)(h), is as under:
The reservations relating to the maintenance of accounts and other matters connected therewith are as stated in paragraph (…) above on reporting under Section 143(3)(b) and paragraph (…) below on reporting under Rule 11(g).
FAQ 77. Give illustrative wordings of modification when the audit trail has not been preserved by the company as per the statutory requirements for record retention.
Modification in this regard will not apply in the first year of Rule 11(g) ‘s applicability. It will apply from the second year onwards.
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, we report that the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. However, the audit trail for FYs….to …. have not been preserved by the company as per the statutory requirements for record retention.”
FAQ 78. Give illustrative wordings of modified opinion under Rule 11(g) in audit report of consolidated financial statements
An illustrative wording of modified remarks under Rule 11(g) to be used in audit reports of consolidated financial statements is given hereunder:
“Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, except for the instances mentioned below, we report that the company and the above-referred subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and the respective auditors of the above-referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of the audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the Company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention]”
Instances of accounting software for maintaining its books of account did not have a feature of recording audit trail (edit log) facility and the same was not operated throughout the year for all relevant transactions recorded in the software | No of instances without mentioning name of the components. Example “In respect of […] of subsidiaries” |
Instances of audit trail feature being tampered with | |
Instances of non-preservation of the audit trail |
11. Conclusion: Key Takeaways
The following are the conclusions/key takeaways emerging from provisions relating to audit trail and recommendations of Implementation Guidance issued by ICAI:
- If the Company maintains books of the account entirely in manual mode without using any accounting software, reporting under Rule 11(g) is not applicable.
- Where the company has used any accounting software to maintain its books of account, Rule 11(g) requires the company’s auditor to report on the accounting software’s audit trail feature in his audit report by making a specific assertion in this regard. Reporting requirement applicable with effect from FY 2023-24.
- Audit trail requirement not applicable if software is used not for maintaining books of account but only for printing them out and for finalising balance sheets and P&Ls from the manually maintained books of account.
- Rules 3(1) and 11(g) envisage an audit trail, which is a built-in feature of the accounting software used by the Company. If the audit trail feature is not built into the software and is maintained manually, the requirements of these Rules are not satisfied.
- A company is not legally obliged to use an accounting software for maintaining the books of account. The Company is well within its rights to maintain its books of accounts entirely manually. If it uses an accounting software, it is required to comply with the proviso to Rule 3(1).
- At present, there is no requirement for an auditor to report on an audit trail in a limited review report of a listed company.
- Rule 11(g) applies to the audit report of every company that uses accounting software to maintain its books of account. If a company uses accounting software to maintain its books of account, the auditor is required by Rule 11(g) to report on the audit trail irrespective of the company’s size and class.
- Rule 11(g) does not exempt audit reports of any class of companies. The reporting requirement under Rule 11(g) is triggered for companies of any class or size, including if accounting software is used by the Company to maintain its books of account.
- All companies (including banks and NBFCs) incorporated under the Companies Act, 2013 are required to comply with the audit trail requirement if they maintain books of account in electronic mode
- Back-ups, Voucher listings, Error Logs, Feature in accounting software that does not allow subsequent modification to the transactions/ journal entries posted initially and log of the last/latest changes do not qualify as “audit trail”.
- Reporting requirement under Rule 11(g) applies if any accounting software is used for maintenance of books of account of the Company. It does not matter whether the accounting software is so used by the Company in-house or the use of accounting software is by a service organization to whom the company has outsourced maintenance of books of account.
- The auditor’s obligation under Rule 11(g) applies regardless of whether the accounting software may be hosted and maintained in India or outside India. Further, it makes no difference whether the accounting software may be on-premise, in the cloud, or subscribed to as Software as a Service (SaaS) software.
- An audit trail is a chronological, date, and time-stamped record of a specific transaction from the time its entry is made in the accounting software through various changes to it until its deletion which is a built-in feature of the accounting software used.
- The auditor’s responsibility is limited to transactions that have been recorded in the accounting software and subsequent changes made to those transactions- The auditor has to verify whether all transactions recorded in the software are covered in the audit trail feature. Proviso to Rule 3(1) of Companies (Accounts) Rules 2014 prescribes the requirement of an audit trail only in the context of books of account by stating that accounting software should be capable of creating an edit log of “each change made in books of account.” The auditor’s responsibilities have been prescribed for “all transactions recorded in the software.” Accordingly, the auditor’s responsibility under Rule 11(g) is restricted to transactions that have been recorded in the accounting software and subsequent changes made to those transactions (which is demonstrated through rectification/ additional entities).
- The auditor cannot simply rely on written representations from the management as the basis for his reporting under Rule 11(g).
- Modified opinions on audit trail under Rule 11(g) will also result in modified opinions under Section 143(3)(b) and under Section 143(3)(h)
- Audit Trail and Internal Financial Controls are distinct concepts. Neither is a replacement for the other. IFCs have a preventive role. Audit trails record what happened.
- Audit Trails cannot prevent fraud. However, a lack of audit trails can result in fraud remaining undetected for long periods of time. No system of internal financial control is fool-proof and every system of internal control is prone to violation or breach. Lack of audit trails can be a huge fraud risk factor
Disclaimer: The content/information published on the website is only for general information of the user and shall not be construed as legal advice. While the Taxmann has exercised reasonable efforts to ensure the veracity of information/content published, Taxmann shall be under no liability in any manner whatsoever for incorrect information, if any.
Taxmann Publications has a dedicated in-house Research & Editorial Team. This team consists of a team of Chartered Accountants, Company Secretaries, and Lawyers. This team works under the guidance and supervision of editor-in-chief Mr Rakesh Bhargava.
The Research and Editorial Team is responsible for developing reliable and accurate content for the readers. The team follows the six-sigma approach to achieve the benchmark of zero error in its publications and research platforms. The team ensures that the following publication guidelines are thoroughly followed while developing the content:
- The statutory material is obtained only from the authorized and reliable sources
- All the latest developments in the judicial and legislative fields are covered
- Prepare the analytical write-ups on current, controversial, and important issues to help the readers to understand the concept and its implications
- Every content published by Taxmann is complete, accurate and lucid
- All evidence-based statements are supported with proper reference to Section, Circular No., Notification No. or citations
- The golden rules of grammar, style and consistency are thoroughly followed
- Font and size that’s easy to read and remain consistent across all imprint and digital publications are applied