Implementation & Guidance on Audit Trail
A. Management’s Responsibility
Proviso to Rule 3(1) of the Companies (Accounts) Rules, 20141 (hereinafter referred as “the Account Rules”) states that for the financial year commencing on or after the 1st day of April 2023, every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.
Every company which uses an accounting software for maintaining its books of account, should use only such accounting software which has the following features:
· Records an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made; and
· Ensuring that audit trail is not disabled. Thus, it is the management, who is primarily responsible for ensuring selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to retention of audit logs).
B. Auditor’s Responsibility
The auditor is expected to verify the following aspects:
- Whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
- Whether the audit trail feature was enabled/operated throughout the year? whether all transactions2 recorded in the software are covered in the audit trail feature?
- Whether the audit trail has been preserved as per statutory requirements for record retention?
It may be noted that any software used to maintain books of account will be covered within the ambit of this Rule.
For e.g., if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act. Auditors would need to evaluate whether management has also considered such software in their compliance to the Account Rules. Accordingly, any software that maintains records or transactions that fall under the definition of Books of Account as per the section 2(13) of the Act will be considered as accounting software for this purpose.
For example, creation of a user in the accounting software may be construed as a transaction in the software. However, creating a user account in the accounting software would not change the records of books of account as defined in Section 2(13) of the Act whereas adding a new journal entry or changing an existing journal entry will be construed as a change made in books of account.
Giving due cognizance to the definition of “books of account” as envisaged under Section 2(13) of the Act and Rule 3 of the Account Rules which provides for the management responsibilities for maintenance of books of account and other relevant books and papers maintained in electronic mode, the auditor would be expected to check whether the audit trail is enabled for such transactions which result in a change to the books of account