- May 4, 2024
- Posted by: info
- Category: Blog
The Institute of Chartered Accountants of India (ICAI) has introduced an exhaustive Implementation Guide, outlining the intricate reporting procedures regarding Audit Trail, as mandated by Rule 11(g) of the Companies (Audit & Auditors) Rules 2014, Revised Edition 2024.
In a significant development, the Ministry of Corporate Affairs issued the Companies (Audit and Auditors) Amendment Rules, 2021, via a notification dated March 24, 2021, effecting various modifications to Rule 11 of the Companies (Audit and Auditors) Rules, 2014.
Rule 11(g) compels auditors to meticulously document the utilization of accounting software by corporate entities for ledger maintenance, with a particular focus on functionalities facilitating audit trail preservation. Though initially deferred, the urgency of this mandate was further postponed through a subsequent notification from the MCA dated March 31, 2022, rescheduling the required implementation of audit trail mechanisms within corporate accounting software to the fiscal year commencing on or after April 1, 2023.
In a conscientious response to these nuanced regulatory imperatives, ICAI provided an erudite Implementation Guide in March 2023. This guide aims to furnish insightful guidance to its esteemed cadre of chartered accountants, enabling them to navigate through these obligations.
Navigating Audit Trail Compliance: Management and Auditor Responsibilities
In the realm of financial governance, meticulous record-keeping is paramount. The Companies (Accounts) Rules, 2014 underwent significant amendments, notably through the insertion of Rule 3(1) proviso, mandating companies to employ accounting software equipped with an immutable audit trail feature, effective April 1, 2023. The said proviso provides for ‘only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled’ This directive underscores the vital role of both management and auditors in ensuring adherence to regulatory standards.
Management’s Responsibility:
The onus of compliance primarily rests on management, necessitating the selection of suitable accounting software aligning with the statutory prerequisites. Specifically, management must ensure that the chosen software encompasses the following features:
- Records an audit trail for each transaction and maintains an edit log for changes made in the books of account, inclusive of date and time stamps.
- Ensures the audit trail cannot be disabled, safeguarding data integrity.
Furthermore, it’s imperative to recognize that the software may be hosted domestically or internationally, on-premise, cloud-based, or subscribed to as a service. Regardless of the setup, compliance remains non-negotiable.
Auditor’s Responsibility:
Rule 11(g) assigns auditors a critical role in verifying audit trail integrity and reporting compliance. In addition to confirming the presence of an audit trail feature, auditors must scrutinize its configurability, operational continuity, transaction coverage, and adherence to statutory retention requirements.
A noteworthy feature mentioned in the guide highlights that ‘any software used to maintain books of account will be covered within the ambit of this Rule’.
For instance: A company employs separate software for inventory management distinct from its primary software. While the primary accounting software is responsible for recording financial transactions, the inventory management software tracks stock movements and levels.
In this scenario, it’s crucial for the inventory management software to also incorporate an audit trail feature. Even though it doesn’t directly handle financial transactions, it falls within the ambit of section 2(13) of the Companies Act, 2013. Any discrepancies or alterations in inventory records could have significant implications for financial reporting accuracy.
It is important to note that the accounting software should be capable of creating an edit log of “each change made in books of account.”
Further, it is imperative to note that the term ‘all transactions recorded in the software’ used in Rule 11(g) would refer to all transactions that result in change to the books of account.
For instance: when the firm’s administrator updates employee profiles within the software, such as contact information or department assignments. While these changes are significant for internal management purposes, they do not alter the financial position or performance of the firm and therefore do not constitute transactions impacting the books of account.
Thus, auditors are required to check that Audit trail is enabled for such transactions which result in changes to the books of accounts.
Applicability and Assessment:
Applicability of Rule 11(g) commences with financial years starting April 1, 2023, onwards. Auditors are tasked with assessing prospective compliance, excluding retrospective evaluations. All company classifications, including section 8 and foreign companies, fall under the purview of these reporting requirements.
Further, if a company maintains its books of account manually, Rule 11(g) does not apply, and the auditor must report this as a factual statement against this clause.
Auditors must comment on these matters for both standalone and consolidated financial statements. However, for consolidated statements, auditors may note that certain components may not fall under the Act or may be incorporated outside India, exempting them from reporting requirements.
Section 129(4) of the Act stipulates that provisions apply to consolidated financial statements, necessitating adjustments for interpretation. Compliance with Rule 11(g) for consolidated statements relies on reports from statutory auditors of subsidiaries, associates, and joint ventures under the Act. Auditors of the parent company must exercise professional judgment and adhere to auditing standards when evaluating reports from these entities.
Preservation and Audit Approach:
Preservation of audit trails for a minimum of eight years, as mandated by statutory retention requirements, necessitates meticulous management oversight. Auditors, in evaluating compliance, scrutinize management’s procedural adherence, assess internal controls, and verify the completeness and accuracy of audit logs.
Auditors play a pivotal role in ensuring that management identifies, maintains, and safeguards audit trails for all financial transactions. This involves management’s primary responsibility to:
- Ensure comprehensive identification of records and transactions, select appropriate IT software with audit trail features, maintain continuous enablement and protection, retain trails per statutory rules, and monitor maintenance controls continuously.
- Auditors assess these measures, verify compliance, and report any discrepancies, ensuring the accuracy and reliability of financial reporting including involving IT specialists to evaluate management controls and configurations related to audit trail within the accounting software.
The auditor may further consider requirements of SOC 2/SAE 3402, “Assurance Reports on Controls at a Service Organization” in case of involvement of service organization.
Reporting under Rule 11(g) vis-à-vis Reporting under Section 143(3)(i)
Illustrative considerations in reporting under section 143(3)(i)
- Section 143(3)(i) requires auditors to assess internal financial controls for financial reporting adequacy and effectiveness. While the ICAI’s Guidance Note mentions “audit trail” in system controls, it lacks specific protocols for Rule 11(g) reporting. Auditors may need to adjust Rule 11(g) remarks if the audit trail feature was inactive, considering additional testing implications. An example highlights modified internal control reporting due to reliance issues on automated software controls, affecting Rule 11(g) reporting. However, lacking an audit trail doesn’t necessarily imply deficient financial controls.
Audit Documentation:
The auditor should meticulously document the audit trail procedures to ensure: (a) A comprehensive and fitting record supporting the auditor’s report as per Rule 11(g). (b) Substantiate that the audit was methodically planned and executed adhering to this Implementation Guide, relevant Standards on Auditing, and pertinent legal and regulatory obligations. To achieve this, auditors may adhere to the stipulations outlined in SA 230, “Audit Documentation,” to the extent deemed applicable.
Conclusion:
In conclusion, navigating the complexities of audit trail compliance demands a collaborative effort between management and auditors. Through meticulous adherence to regulatory directives, robust internal controls, and diligent oversight, companies can ensure the integrity of their financial records, fostering transparency and trust in the corporate landscape.