Understanding of Audit Trail
An audit trail (also called an audit log) is a step-by-step, sequential record that provides evidence of the documented history of financial transactions, traceable back to their source.
It includes details such as who initiated the transactions, when they occurred, and any subsequent changes made to them.
Introduction of Rule 11(g) of Companies (Audit and Auditors) Rules, 2014
In the intricate framework of corporate governance, rules and regulations serve as the guiding principles that ensure transparency, accountability, and integrity within organizations. Among these, Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 holds significant importance.
The Ministry of Corporate Affairs (MCA) vide its notification No. GSR 206(E) dated March 24, 2021, has issued the “Companies (Audit and Auditors) Amendment Rules, 2021” read with sub-section 3 of Section 143 of the Companies Act, 2013 (hereinafter referred to as “the Act”), introducing new Rule 11(e), new Rule 11(f) and new Rule 11(g) and deleting Rule 11(d).
Rule 11(g) mandates that companies, beginning from April 1, 2022, must utilize accounting software with audit trail capabilities for maintaining their books of account. This software should consistently record audit trails for all transactions throughout the year, without any tampering. The company is also required to preserve these audit trails as per statutory record retention requirements.
Originally, this requirement was set to be enforced for financial years starting on or after April 1, 2021, as per notification G.S.R. 206(E) dated March 24, 2021. However, a new stipulation under the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, mandated that companies using accounting software for bookkeeping must opt for software equipped with audit trail features. Initially applicable from April 1, 2021, the implementation of this requirement was deferred twice, and it is now in effect from April 1, 2023.
Importance of Audit Trail
The Companies Act, 2013 mandates that every company maintain proper books of accounts and other relevant documents to ensure transparency and accountability in its financial affairs.
An audit trail plays a crucial role in fulfilling this requirement by providing a detailed record of all financial transactions undertaken by the company.
Below are several critical rationales for the necessity of upholding an audit trail according to the Companies Act, 2013.
- Ensuring Compliance
Companies are required to comply with various statutory and regulatory requirements prescribed under the Companies Act, 2013. An audit trail helps in demonstrating compliance with these requirements by providing an accurate record of financial transactions.
- Detecting and Preventing Fraud
Detecting fraud promptly allows for quick intervention and the implementation of mitigation strategies, thereby reducing financial losses and preserving the company’s reputation. Maintaining an audit trail is therefore essential for protecting company assets and upholding stakeholder trust.
- Legal Requirements
In the event of legal disputes or regulatory investigations, an audit trail serves as crucial evidence to support the company’s financial transactions and decisions. It provides a reliable source of information to defend the company’s actions and decisions in a court of law.
The Triple ‘W’ Approach
The audit trail is based on the Triple ‘W’ approach, i.e. When, Who, What:
- When changes were made, i.e., date and time (time stamp)
- Who made those changes, i.e., user ID
- What data was changed, i.e., transaction reference; success/failure
Responsibility: It is the responsibility of the management to implement the audit trail, and it is the responsibility of the auditor to check and verify its effective implementation.
Management responsibility
The Company’s IT systems and controls should enable the audit trail to be functional and operational with respect to the various records under the Books of Accounts, and the audit trail shall be preserved. The Auditor’s responsibility is to evaluate and report whether this is appropriate. Further, the Company will leverage its existing internal control systems to comply with the audit trail requirement. Thus, the Company has to design and implement specific internal controls, which will also be evaluated by the Auditor while reporting on the audit trail. Specifically, the Management will be responsible for compliance with the following:
- Identifying the software, including IT systems, databases, and portals, to ensure that they are used for processing and storing data in accordance with audit trail requirements as per maintained Books of Accounts.
- Identifying the various records, books, data, and transactions constituting the Books of Accounts under Section 2(13) of the Companies Act.
- To ensure that the audit trail feature remains continuously active and enabled.
- To ensure that the audit trail captures changes to every recorded transaction in the books of account.
- If the accounting software is supported by service providers, the Management may ask for the service provider’s Independent Auditor’s report on controls etc. with reference to compliance requirements.
- Management should periodically review the audit trail requirements in discussion with the Auditors, so as to help the Auditors properly evaluate the requirements under audit trail.
Auditor’s Responsibility- Reporting Obligations
Rule 11(g) places the responsibility on the auditor to report on the audit trail by requiring a specific assertion in the audit report within the section titled ‘Report on Other Legal and Regulatory Requirements’. This has been explained in the paragraph below.
In addition to requiring an auditor to comment whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:
- Whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
- Whether the audit trail feature was enabled/operated throughout the year?
- Whether all transactions recorded in the software are covered by the audit trail feature?
- Whether the audit trail has been preserved as per statutory requirements for record retention?
The Auditor has to report whether the management has maintained an adequate audit trail as required by the law. Further, the Auditor has to evaluate the reporting implications in case of non-compliance by the Company or management as per Audit Procedures. The Auditor has to report whether the accounting software has been enabled throughout the audit period to record the audit trail. The Auditor has to report on these matters and, if there is any non-compliance, report it with modifications as per the guidance and guidelines issued by the Institute of Chartered Accountants of India (ICAI).
Further, the Auditor will also require the Company to submit written representation acknowledging management’s responsibility for establishing and maintaining adequate controls including internal controls for identifying, maintaining, controlling and monitoring of audit trails as per the requirements of law and whether the company has done it on a consistent basis.
Audit approach
- The Auditor shall ensure that the management takes primary responsibility for:
  - Identifying the records and transactions that constitute books of accounts.
  - Identifying the software.
  - Ensuring existence of Audit Trail feature.
  - Ensuring audit trail captures all changes of when, who, what; is always enabled; protected from any modifications; retained as per statutory requirements.
  - Ensuring that controls over audit trail are designed and operating effectively.
- The Auditor shall primarily check the following controls for checking the validity of the Audit Trail:
  - Controls to ensure that audit trail feature is not disabled or deactivated.
  - Controls to ensure that User IDs are assigned to each user and are not shared.
  - Controls to ensure that no unauthorised changes are made, and logs are maintained.
  - Controls to ensure that access to the logs is restricted.
  - Controls to ensure that periodic back-ups are taken and archived.
- The Auditor shall also:
  - Assess management’s identification of records and transactions where the audit trail needs to be verified.
  - Evaluate management’s approach regarding identification of accounting software.
  - Inquire with the management how they evaluated changes required for maintenance of audit trail.
  - Involve specialists or IT experts, wherever required.
- Other points:
  - In case of accounting software supported by service providers, the Company’s management and the auditor may consider using the independent auditor’s report of the service organisation (i.e., SOC 2).
  - Inquire with management to understand the procedures implemented to preserve the records as per the statutory record retention period.
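As an added illustration (not part of the original article, and not a method prescribed by Rule 11(g) or ICAI), the example below records each entry with the when/who/what fields and links entries with a SHA-256 hash chain, one possible way to make edits or deletions detectable, then runs three of the checks listed above. The field names, the `AUDIT_TRAIL_DISABLED` action value, the user IDs and the voucher numbers are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry

def entry_hash(prev_hash, when, who, what):
    """Hash one entry's when/who/what together with the previous entry's hash."""
    body = json.dumps({"prev": prev_hash, "when": when, "who": who, "what": what},
                      sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(trail, when, who, what):
    """Append a chained entry; 'what' holds the transaction reference and outcome."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"when": when, "who": who, "what": what,
                  "hash": entry_hash(prev, when, who, what)})

def review(trail):
    """Return findings: broken chain links, missing user IDs, trail-disable events."""
    findings = []
    prev = GENESIS
    for i, e in enumerate(trail):
        if entry_hash(prev, e["when"], e["who"], e["what"]) != e["hash"]:
            findings.append((i, "entry altered or chain broken"))
        if not e["who"]:
            findings.append((i, "no user ID recorded"))
        if e["what"].get("action") == "AUDIT_TRAIL_DISABLED":
            findings.append((i, "audit trail feature was disabled"))
        prev = e["hash"]  # continue from the stored hash so one edit is flagged once
    return findings

def sample_trail():
    """Constructed sample data; voucher numbers and user IDs are invented."""
    trail = []
    append(trail, "2023-04-03T10:15:00+05:30", "u.sharma",
           {"ref": "JV-0001", "action": "CREATE", "amount": 50000, "result": "success"})
    append(trail, "2023-04-03T11:02:00+05:30", "a.verma",
           {"ref": "JV-0001", "action": "EDIT", "amount": 45000, "result": "success"})
    append(trail, "2023-04-05T18:40:00+05:30", "admin",
           {"ref": "CONFIG", "action": "AUDIT_TRAIL_DISABLED", "result": "success"})
    return trail

if __name__ == "__main__":
    trail = sample_trail()
    print(review(trail))               # untouched trail: only the disable event
    trail[1]["what"]["amount"] = 5000  # simulate an edit made outside the software
    print(review(trail))               # the altered entry is now reported as well
```

The chain only makes changes detectable; restricted access to the logs and archived back-ups, as listed above, are still needed so that the whole trail cannot simply be rewritten.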
Preservation of Audit Trail
The mandate for an audit trail came into effect on April 1, 2023. In accordance with Section 128(5) of the Companies Act, a company must retain its books of accounts for a minimum period of eight years. Consequently, the retention period for the audit trail should commence from April 1, 2023, and extend for eight years thereafter. The auditor will scrutinize the procedures and processes to verify that the logs have been maintained for the stipulated period. Additionally, the auditor is obligated to report whether the company has preserved the audit trail in compliance with statutory requirements.
Challenges that may arise
Potential challenges that could emerge within an audit trail framework include:
- Increased demands for storage capacity and the requisite infrastructure to support it.
- Necessity for renegotiating intricate contracts pertaining to third-party vendor assistance.
- Effective management of log tables without resorting to alterations or disabling functionality.
- Ensuring adequate control and oversight of administrative privilege utilization.
- Conducting thorough analysis or routine monitoring procedures based on generated logs.
Conclusion
In conclusion, both the auditor and management bear shared responsibility for the establishment, maintenance, and scrutiny of an effective audit trail. While management is accountable for implementing robust internal controls, ensuring the integrity and continuity of the audit trail, and complying with legal requirements, the auditor is tasked with evaluating the adequacy of these measures and reporting any deviations or deficiencies. Collaboration between the auditor and management is essential to ensure the integrity of financial records, adherence to regulatory standards, and the overall effectiveness of the audit process.