Mandatory Audit Trail in Accounting Software: A Game-Changer for Corporate Governance

The Companies Act, 2013 requires auditors to report on certain matters in their audit report, including any other matters prescribed by the Ministry of Corporate Affairs. In 2021, new rules were introduced requiring companies to use accounting software with an audit trail feature and to preserve the audit trail as per statutory requirements. This requirement was initially applicable from April 1, 2021, but its implementation was deferred twice and is now applicable from April 1, 2023. Ie Starting from April 1, 2023, all companies, regardless of their size or purpose, must use software that has a feature to record an audit trail for every transaction made. This means that every change made to the digital records of financial transactions must be recorded, along with the date when the changes were made. Additionally, the audit trail feature cannot be turned off or disabled. This rule applies to non-profit companies registered under Section 8 of the Indian Companies Act 2023 as well.

What is an audit trail?

An audit trail is a documented record of the sequence of activities and events that are associated with a specific transaction, process or system. In the context of accounting, an audit trail provides a clear and complete record of all transactions, from their origin to their final disposition, so that the accuracy and completeness of the financial information can be verified. The audit trail typically includes information such as the date and time of the transaction, the person or system that initiated the transaction, the nature and amount of the transaction, any approvals or authorizations that were required, and any subsequent modifications or updates to the transaction. The trail can also include other relevant information, such as the source documents, supporting evidence, and any correspondence related to the transaction. An audit trail is an important control mechanism in accounting and finance, as it provides a basis for verifying the accuracy and completeness of financial information. It also helps to prevent fraud, errors, and other irregularities by providing a clear record of all transactions. Audit trails are typically maintained using electronic systems, such as accounting software, which record and store transaction data in a secure and accessible format.

Why Audit Trail?

1. Verification of transactions: The primary purpose of an audit trail is to provide evidence to verify the accuracy and completeness of transactions. By tracing a transaction through the various stages of processing, an auditor can ensure that it was authorized, recorded, and processed correctly.
2. Detecting errors and fraud: An audit trail helps to detect errors and fraudulent activities by providing a complete record of all transactions. Any inconsistencies or irregularities can be identified and investigated promptly, reducing the risk of losses or reputational damage.
3. Monitoring compliance: An audit trail helps to monitor compliance with laws, regulations, and internal policies by providing evidence of adherence to these standards. This helps to identify areas where compliance may be lacking, enabling corrective action to be taken.
4. Supporting legal and regulatory requirements: Audit trails are often required by laws and regulations, as well as by auditors, to ensure that financial information is accurate and complete. An audit trail provides the necessary evidence to support legal and regulatory compliance.
5. Providing a historical record: An audit trail provides a historical record of transactions that can be used for analysis and decision-making. By reviewing past transactions, organizations can identify trends and patterns, make informed decisions, and improve their operations.

Benefits of Audit Trail

1. Improved accountability: An audit trail provides a clear and complete record of all transactions, making it easier to identify who initiated a transaction, who approved it, and who was responsible for its processing. This improves accountability and transparency, reducing the risk of fraud and errors.
2. Enhanced transparency: An audit trail provides a detailed record of all transactions, making it easier to identify any discrepancies or irregularities. This enhances transparency, providing stakeholders with confidence in the integrity of the financial reporting process.
3. Increased efficiency: An audit trail provides a complete record of all transactions, making it easier to identify and resolve any issues or errors that may occur. This can increase efficiency and reduce the time and resources required for reconciliation and investigation.
4. Improved compliance: An audit trail helps organizations to comply with laws and regulations by providing evidence of adherence to established policies and procedures. This reduces the risk of legal or regulatory sanctions and helps to protect the organization's reputation.
5. Better decision-making: An audit trail provides a historical record of transactions, making it easier to identify trends and patterns, and to analyze the effectiveness of internal controls. This helps management to make better decisions and to improve the overall performance of the organization.

Disadvantages of audit trail

1. Increased data storage requirements: Maintaining an audit trail requires storing a large amount of data, which can be costly in terms of storage space and maintenance.
2. Increased complexity: Managing an audit trail can be complex, particularly in large organizations with multiple systems and processes. This can result in increased complexity and administrative overhead.
3. Reduced system performance: Depending on the size and complexity of the audit trail, it can affect the performance of the system. This can be particularly true for systems that are processing large volumes of transactions.
4. Potential for manipulation: Audit trails can be vulnerable to manipulation if the system is not designed or implemented correctly. It is important to ensure that appropriate controls are in place to prevent unauthorized changes to the audit trail.
5. False sense of security: While an audit trail can provide valuable information, it is not a guarantee against fraud or errors. It is important to remember that an audit trail is only as good as the controls in place to ensure its integrity.

Management Responsibility

For the financial year starting on or after April 1, 2023, companies using accounting software must use software that has an audit trail feature that cannot be disabled. It is the responsibility of the management to select appropriate software and ensure compliance with applicable laws and regulations related to retaining audit logs. The accounting software can be hosted and maintained in India or outside, on-premise or on cloud, or subscribed to as Software as a Service (SaaS). If a company outsources its payroll processing to a shared service center, the center may use its own software to process payroll for the company. Management also issue representation letter in this regard to auditors. The representation letter is a document provided by a company's management to an auditor in connection with the audit of the company's financial statements. The letter confirms certain information related to the company's accounting software and internal controls, and the management's responsibility for establishing and maintaining such controls. The letter also discloses any deficiencies in the company's internal controls and provides information about fraud or regulatory non-compliance. The letter also confirms that the accounting software has the required features as specified by the Accounting Rules, and that the company has evaluated the adequacy and effectiveness of the software in terms of recording an audit trail of each and every transaction. Finally, the letter discloses any changes that have been made or are proposed to be made to the accounting software, and confirms that these changes do not impact the auditor's evaluation of the software as at the balance sheet date.

Auditors responsibility

It is responsibility of auditors to report on the audit trail of a company's accounting software, as required by Rule 11(g). The audit trail feature should be capable of recording all transactions, should not be tampered with, and should be preserved as per statutory requirements. This requirement only applies to software used to maintain books of account, which includes all transactions that result in a change to the books of account as defined by the Companies Act. Auditors are expected to check if the audit trail is enabled for such transactions. Auditors only need to assess the appropriateness of the audit trail for financial years starting on or after April 1, 2023. The reporting requirements apply to all companies, including foreign ones, that maintain their records electronically. Auditors must report on these matters for both standalone and consolidated financial statements, but they don't have to report on components that are not companies under the Act or incorporated outside India. When reporting on consolidated financial statements, auditors can rely on the reports of the statutory auditors of subsidiaries, associates, and joint ventures that are companies defined under the Act, but they must use professional judgment and comply with applicable auditing standards.

ICAI issued recently a guidance note on this which explains the auditor's responsibilities in evaluating the adequacy of the company's internal controls and processes for maintaining audit trails of transactions for a minimum period of eight years, in accordance with statutory requirements. The auditor is expected to ensure that the management has assumed primary responsibility for identifying the software, including applications, web portals, databases, interfaces, data warehouses, cloud infrastructure, or any other IT component used for processing and/or storing data for creation and maintenance of books of account. The auditor should evaluate management's approach regarding the identification of relevant transactions in the context of maintenance of books of account and verify whether the audit trail has been configured and enabled for the identified accounting software. The auditor may also consider using an independent auditor's report of a service organization for compliance with audit trail requirements. The guidance also provides an illustrative list of internal controls, such as controls to ensure that the audit trail feature has not been disabled or deactivated, that User IDs are assigned to each individual and that User IDs are not shared, and that changes to the configurations of the audit trail are authorized and logs of such changes are maintained, to assist the company in designing and implementing specific internal controls for maintaining audit trails of transactions.

Challenges of Implementing an Audit Trail System

1. Desktop application

If you use desktop accounting software, you may need to reinstall newer versions of the software that have an Audit Trail feature. However, with cloud accounting software, you won't need to change your hardware requirements, and the software gets updated automatically.

2. Limitations of Implementing Audit Trail in Existing Software

If the old accounting software doesn't have an Audit Trail, it can be difficult to reconstruct transaction history in the correct order. This can make it harder to follow regulations and meet audit requirements. Foreign companies must follow local financial authority rules, and if they're registered under the MCA, their accounting software should have an Audit Trail feature.

3. Database Storage Architecture

Storing a record of every transaction and version history requires careful database and storage architecture. For desktop applications, keeping long-term audit logs can be difficult because of limited storage space.

4. Location and Backup problems

To maintain the security of audit trail information, it should be stored in a safe place and backed up regularly. The audit trail should provide enough details to identify the events and their causes, and it should be tamper-proof to ensure only authorized users can access it. It also requires a method to track transactions and user access for official purposes, which can be useful for reporting and problem-solving in the future.

5. Interlinkages of transactions

The audit trail should include records of all transactions, both manual and automatic, such as invoices, billing, inventory management, exchange gains or losses, and adjustments.

What are the essential components of a reliable accounting audit trail feature?

A good accounting audit trail feature should contain sufficient information to establish what events occurred and who or what caused them. This includes details such as the date and time of the transaction, the user who made the transaction, the source of the transaction, and any related documents. It should also track any changes made to the transaction, including the before and after values. The audit trail should be tamper-proof and accessible only by authorized users for official purposes. Additionally, the audit trail should be stored in a secure location and backed up regularly to ensure its availability for historical reporting and problem-solving in the future.

Conclusion

In conclusion, the introduction of new rules by the Ministry of Corporate Affairs requiring companies to use accounting software with an audit trail feature highlights the importance of maintaining an accurate and secure record of financial transactions. While the implementation of these rules has been deferred twice, companies should still prioritize implementing an audit trail feature in their accounting software to comply with regulatory requirements and ensure the integrity of their financial reporting.

The author is a Chartered Accountant with 2 decades of experience into Accounting, Taxation, Auditing, Risk & Compliance, Credit Controls, Due diligence. Currently, the author is the founder and managing partner at RRL Global services.