Who is responsible for the maintenance & preservation of audit trail?

In continuation of my previous article on Auditor's Responsibility in respect of Audit Trail effective from April 1, 2023, in which I made an attempt to discuss the auditors part. With this article, I intend to discuss the responsibility casted upon the Management for effective maintenance and safe custody or preservation of records including Audit Trail.

1. WHO IS RESPONSIBLE FOR THE MAINTENANCE OF AUDIT TRAIL?

It is the management, who is primarily responsible for ensuring selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations including –

• operation of Audit Trail* throughout the year for all transactions recorded in the software,  
• audit trail feature has not been tampered with,
• those related to the retention of audit logs.

Giving due cognizance to the definition of "books of account" as envisaged under Section 2(13) of the Act and Rule 3 of the Account Rules which provides for the management responsibilities for maintenance of books of account and other relevant books and papers maintained in electronic mode.

*Audit Trail (Applicable from April 1, 2023)

Every company which uses an accounting software* for maintaining its books of account**, should use only such accounting software which has the following features:

• Records an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made; and
• Ensuring that audit trail is not disabled.    

The management assumes primary responsibility

• To identify records and transactions that constitute books of account under section 2(13) of the Act
• To identify accounting software(s) used for creation and maintenance of books of account
• To ensure such software have audit trail feature
• To ensure that audit trail captures changes to each and every transaction
• To ensure that audit trail feature is always enabled 
• To Ensure that audit trail is enabled at database level for logging any direct data changes
• To ensure that audit trail is appropriately protected from any modification
• To ensure that audit trail is retained as per statutory requirements for record retention
• To ensure that adequate and effective controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout period of reporting
• That audit trail has not tampered or damaged in any manner.
• To perform an evaluation and assessment of the adequacy and effectiveness of the company's procedures for complying to the requirements prescribed for audit trails. 
• whether control deficiencies identified and communicated to the audit committee in relation to audit trail during previous engagements and how they have been resolved, and specifically identifying any deficiency that have not been resolved.
• To describe instances where identification of fraud, if any, resulting in a material misstatement to the company's financial statements is identified while reviewing and testing the samples related to the disablement of audit trail facility of the accounting software.

The amendments require every company (Be it Private, Public or OPC, Section 8 or Foreign Co) that uses an accounting software to use such software that has a feature of audit trail which cannot be disabled. The management has a responsibility for the effective implementation of the requirements prescribed by account rules. Companies are required to maintain audit trail (edit log) for each change made in the books of account.

In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which in turn, would be evaluated by the auditors, as appropriate.

2. Location of Software

As we know that accounting software may be hosted and maintained in India or outside India or may be on-premise or on cloud or subscribed to as Software as a Service (SaaS) software. It may be noted that any software used to maintain books of account anywhere will be covered within the ambit of this Rule.

3. Preservation of Audit Trails

When it comes to the preservation of records, it is the management, who is primarily responsible for the safe custody or preservation of book of accounts or Audit trails for a minimum period of 8 years, effective from April 1, 2023.

However, where an investigation has been ordered in respect of the company under Chapter XIV, the Central Government may direct that the books of account may be kept for such longer period as it may deem fit.

4. Penalties for Non-Compliance

If the managing director, the whole-time director in charge of finance, the Chief Financial Officer or any other person of a company charged by the Board with the duty of complying with the provisions of this section, contravenes such provisions, such managing director, whole-time director in charge of finance, Chief Financial officer or such other person of the company shall be punishable with fine which shall not be less than Rs. 50000(fifty thousand rupees but which may extend to Rs. 500000(five lakh rupees) The views contained in this article are personal and the contents of this document are solely for informational purpose and it does not constitute professional advice that may be required before acting upon any matter.

The author can also be reached at capraveenbisht@yahoo.in. Special thanks to CA Ambuj Shkula for helping me writing this article. He can be reached at ca.ambujshukla@gmail.com.