Auditor's Responsibility in respect of Audit Trail effective from 1st April 2023

Requirement of the accounting software* having a feature of audit trail has been incorporated as a proviso to Rule 3(1) of the Account Rules and have been prescribed only in the context of books of account**. This is evidenced by the fact that as per the proviso to the Rule, the accounting software should be capable of creating an edit log of "each change made in books of account.".Applicability of Account Rules will commence on or after April 1, 2023.

Important definitions

*Accounting Software is a computer program or system that enables recording, maintenance and reporting of books of account and relevant ecosystems applicable to business requirements. The functionality of such accounting software differs from product to product. Every organization today employs multiple software for accounting, its operations and other requirements like consolidation, collection of data. 

**Books of Account as per Section 2(13) of the Companies Act, 2013 includes records maintained in respect of -

(i) all sums of money received and expended by a company and matters in relation to which the receipts and expenditure take place;

(ii) all sales and purchases of goods and services by the company;

(iii)  the assets and liabilities of the company; and

(iv) the items of cost as may be prescribed under section 148 in the case of a company that belongs to any class of companies specified under that section;

Any software that maintains records or transactions that fall under the definition of Books of Account as per section 2(13) of the Act will be considered as accounting software for purpose of Rule 11(g). For e.g., if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act.

What if books of account are entirely maintained manually?

The assessment and reporting responsibility under Rule 11(g) will not be applicable and accordingly, same would need to be reported as statement of fact by the auditor against this clause.

In case of CFS (consolidated financial statements)

the principal auditor should apply professional judgment and comply with applicable Standards on Auditing, in particular, SA 600, "Using the Work of Another Auditor" while assessing the matters reported by the auditors of components that are Indian companies.

Statutory Requirement for Auditor

Section 143(3) of Companies Act, 2013 ("the Act") provides various matters on which auditors are required to report. Clause (j) of Section 143(3) states that auditor’s report shall also state such other matters as may be prescribed. These matters are prescribed under Rule 11 of the Companies (Audit and Auditors) Rules, 2014. 

Rule 11(g) casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’.In addition to requiring auditor to comment on whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:

• whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
• whether the audit trail feature was enabled/operated throughout the year?
• whether all transactions recorded in the software are covered in the audit trail feature?
• whether the audit trail has been preserved as per statutory requirements for record retention?

It's also possible that we may have outsources some part to service provider entity(ies) for e.g., Payroll work, in such case, the company’s management and the auditor may consider using independent auditor’s report of service organisation (e.g., Service Organisation Control Type 2 (SOC 2)/SAE 3402, "Assurance Reports on Controls at a Service Organization") for compliance with audit trail requirements. The independent auditor’s report should specifically cover the maintenance of audit trail in line with the requirements of the Act.

Audit Approach

As part of the audit approach, the auditor would need to ensure that the management assumes the primary responsibility to

• identify the records and transactions that constitute books of account under section 2(13) of the Act;
• identify the software i.e., IT environment including applications, web-portals, databases, Interfaces, Data Warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account;
• ensure such software have the audit trail feature;
• ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:

(a) when changes were made,

(b) who made those changes,

(c) what data was changed,

• ensure that the audit trail feature is always enabled (not disabled);
• ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;
• ensure that the audit trail is appropriately protected from any modification;
• ensure that the audit trail is retained as per statutory requirements for record retention;
• ensure that controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout the period of reporting.

In respect of the preservation of audit trails

Section 128(5) of the Act requires books of account to be preserved by companies for a minimum period of eight years. Accordingly, the company would need to retain audit trail for a minimum period of eight years i.e., effective from the date of applicability of the Account Rules (i.e., currently April 1, 2023, onwards). Inquire with management to understand the procedures implemented by the company to preserve the records as per the statutory record retention period. The auditor may review, on a sample basis, the audit trail records maintained by management for each applicable year and evaluate management controls for the maintenance of such records without any alteration and retrievability of logs maintained for the required period of retention.

The auditor is expected to evaluate the reporting implications specifically giving due consideration to SA 250, "Consideration of Laws and Regulations in an Audit of Financial Statements".

Some Possibilities In respect of audit trail, the following are likely to be expected scenarios

1. Management may maintain adequate audit trail as required by the Account Rules.
2. Management may not have identified all records/transactions for which audit trail should be maintained.
3. The accounting software does not have the feature to maintain audit trail, or it was not enabled throughout the audit period.

Scenarios (ii) and (iii) mentioned above would result in a modified /adverse reporting against this clause.

Obtaining Written Representation

Auditor shall obtain written representations from management on the following aspects:

• for establishing and maintaining adequate controls for identifying, maintaining, controlling, and monitoring of audit trails on a consistent basis.
• Stating that management has performed an evaluation and assessed the adequacy and effectiveness of the company's procedures for complying to the requirements prescribed for audit trails. 
• Stating management's conclusion, as set forth in its assessment, about the adequacy and effectiveness of the company's procedures w.r.t. audit trails.
• Stating that management has disclosed to the auditor all deficiencies in the design or operation of controls maintained for audit trails identified as part of management's evaluation.
• whether control deficiencies identified and communicated to the audit committee in relation to audit trail during previous engagements have been resolved, and specifically identifying any deficiency that have not been resolved.
• Describing instances where identification of fraud, if any, resulting in a material misstatement to the company's financial statements is identified while reviewing and testing the samples related to the disablement of audit trail facility of the accounting software.

Audit Documentation

Auditor may document the work performed on audit trail such that it provides:

• A sufficient and appropriate record of basis for auditor’s reporting under Rule 11(g); and 
• evidence that audit was planned and performed in accordance with this Implementation Guide, applicable Standards on Auditing and applicable legal and regulatory requirements.

In this regard, auditor may comply with requirements of SA 230, "Audit Documentation" to the extent applicable.

The views contained in this article are personal and the contents of this document are solely for informational purpose and it does not constitute professional advice that may be required before acting on any matter.

The author can also be reached at capraveenbisht@yahoo.in.