Wednesday, 19 April 2023

Audit Trail under the Companies Act, 2013

 

1.  Introduction

 

The Ministry of Corporate Affairs ("MCA") has made changes to the Companies (Accounts) Rules, 2014 ("Accounts Rules") to improve the accuracy of financial reporting. Companies are now required to use accounting software that has certain features, including recording every transaction, keeping a log of any changes made to the books of accounts and when they were made, and making sure that the audit trail cannot be turned off.  For this purpose, the following proviso had been inserted in Rule 3(1) of the Accounts Rules vide the Companies (Accounts) Amendment Rules, 2021, w.e.f. 1-4-2021:

 

"Provided that for the financial year commencing on or after the 1[1st day of April, 2023], every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled."

 

The Companies (Audit and Auditors) Rules, 2014 ("Audit Rules") have also been changed to match the changes made to the Companies (Accounts) Rules. A new clause (g) was added to Rule 11 of the Audit Rules. This means that auditors now have to report in their audit report if the company being audited used accounting software that recorded audit trails (edit logs) and whether this feature was used throughout the financial year without any tampering. The audit trails also need to be kept for the required period as set out in the law. This new Rule 11(g) was added by the Companies (Audit and Auditors) Amendment Rules, 2021 and came into effect on April 1, 2021. The exact wording of the new rule is shown below:

 

“Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.”

 

Applicability

 

Responsibility of

Relevant Provision

Applicability Date and Remarks

Management of the Company

Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014

Applicability Date: 1st day of April 2023

 

Remarks: This requirement was inserted by the Companies (Accounts) Amendment Rules 2021 vide notification G.S.R. 205(E) dated 24th March 2021 w.e.f.1st April 2021. Then this was substituted for 1st day of April 2022 by the Companies (Account)

Second   Amendment   Rules   2021   vide

 


 

 

notification G.S.R. 247(E) dated 1st April 2021 and again substituted for “1st day of April 2023” by the Companies (Account) Second Amendment Rules, 2022 vide notification G.S.R. 235(E) dated 31st March 2022.

 

It may be noted that this new requirement for companies has been prescribed under the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 requiring companies, which use accounting software for maintaining their books of account, to use only such accounting software which has audit trail feature. This requirement for companies was initially made applicable for financial year commencing on or after April 1, 2021. However, its applicability has been deferred two times and this requirement

is finally applicable from April 1, 2023.

 

Statutory Auditor of the Company

Rule 11(g) of Companies (Audit and Auditors) Rules, 2014

Applicability Date: 1st day of April 2022

 

Remarks: This requirement was initially made applicable for the financial year commencing on or after the 1st day of April 2021 vide notification G.S.R. 206(E) dated March 24, 2021. However, the applicability was deferred to financial year commencing on or after April 1, 2022, vide MCA notification G.S.R. 248(E) dated April 1,

2021.

 

 

1.  On which entities audit trail requirements is applicable

 

The reporting requirements have been prescribed for audit of financial statements prepared under the Act. Accordingly, auditors of all class of companies including section 8 companies would be required to report on these matters. As per the Companies (Registration of Foreign Companies) Rules, 2014, the provisions of “Chapter X of the Act: Audit and Auditors” and Rules made there under apply, mutatis mutandis, to a foreign company as defined in the Act. Accordingly, the above reporting requirements would be applicable to the auditors of foreign companies as well. In simple words, as per the Companies Act 2013, these requirements shall be applicable to the following companies, including the companies that are managed by State and Central Government, NGOs who are receiving funds from various stakeholders:

 

·       All Public and Private Limited Companies

·       One Person Companies (OPCs)

·       Companies owned by Government of India

·       State Government Companies

·       Not-for-Profit Companies/Organization [Section 8 companies]

·       Nidhi Companies


The following entities hence don’t fall under the purview of the audit trail rule:

 

·       Individuals

·       Proprietorship concerns

·       Partnership firms

·       Limited Liability Partnership

·       HUFs/ AOPs/ BOI

·       Cooperative Societies

·       Societies registered under Societies Act, 1860

·       Trusts

 

2.  Manual book keeping and audit trail

 

The requirements of audit trail are applicable to the extent a company maintains its records in the electronic form by using an accounting software. Thus, where the books of account are entirely maintained manually – the assessment and reporting responsibility under Rule 11(g) will not be applicable and accordingly, same would need to be reported as statement of fact by the auditor against this clause.

 

3.  Standards on Auditing w.r.t. audit-trail consideration

 

Various Standards on Auditing (SAs) may have to be contemplated by the auditors while reporting for the usage of audit-trail compliant software by the companies. Such as:

 

Relevant SAs

Audit Trail connection

SA 200

Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing

Rule 11(g) of casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’.

SA 210

Agreeing the Terms of Audit Engagements

While formularising letter of engagement, the reporting about audit trail and access to various underlying electronic records thereto should be clearly specified

SA 220

Quality Control for an Audit of Financial Statements

Evaluating the integrity of the principal owners, key management and those charged with governance of the entity. This will assist in n deciding whether to continue an existing engagement, and when considering acceptance of a new engagement with an existing client.

SA 230

Audit Documentation

Recording the identifying characteristics of the audit trail compliant software

SA 240

The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

Audit Procedures Responsive to Assessed Risks of Material Misstatement Due to Fraud at the Assertion Level such as auditor may choose to use computer-assisted audit techniques to gather more evidence


 

 

about data contained in significant accounts or electronic transaction files.

SA 250

Consideration of Laws and Regulations in an Audit of Financial Statements

Statutory requirements for record retention vis-à-vis audit trail

SA 260

Communication with Those Charged with Governance

The auditor may confirm that those charged with governance have the same understanding of the facts and circumstances relevant to specific transactions or events

SA 265

Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

In determining whether the auditor has identified one or more deficiencies in internal control, the auditor may discuss the relevant facts and circumstances of the auditor’s findings with the appropriate level of management. This discussion provides an opportunity for the auditor to alert management on a timely basis to the existence of deficiencies of which management may not have been previously aware. Certain identified significant deficiencies in internal control may call into question the integrity or competence of management. For example, there may be evidence of fraud or intentional non- compliance with laws and regulations by management, or management may exhibit an inability to oversee the preparation of adequate financial statements that may raise doubt about management’s competence.

Accordingly, it may not be appropriate to communicate such deficiencies directly to management.

Revised SA 299

Joint Audit of Financial Statements

Identify division of audit areas and common audit areas amongst the joint auditors that define the scope of the work of each joint auditor

SA 300

Planning an Audit of Financial Statements

Ascertain the nature, timing and extent of resources necessary to perform the engagement.

SA 315

Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment

Evaluating the risks arising say due to inadequate access controls over automated records, including controls over and review of computer systems event logs

SA 320

Materiality in Planning and Performing an Audit

Materiality and audit risk are considered throughout the audit. The auditor obtains reasonable assurance by obtaining sufficient appropriate audit evidence to reduce audit risk to an

acceptably low level. The risk of


 

 

tampering audit trail or non operation of software throughout the year may impact assessment of materiality

SA 330

The Auditor’s Responses to Assessed Risks

Dealing with the risks arising say due to inadequate access controls over automated records, including controls over and review of computer systems event logs

SA 402

Audit Considerations Relating to an Entity Using a Service Organisation

Many entities outsource aspects of their business to organisations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions. This Standard on Auditing (SA) deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organisations

SA 450

Evaluation of Misstatements Identified During the Audit

Misstatements may result from an inaccuracy in gathering or processing data from which the financial statements are prepared.

SA 500

Audit Evidence

Audit evidence includes both information contained in the accounting records underlying the financial statements and information obtained from other sources.

SA 505

External Confirmations

Audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper form, or by electronic or other medium could be helpful in corroborating audit trail.

SA 510

Initial Audit Engagements – Opening Balances

This Standard on Auditing (SA) deals with the auditor’s responsibilities relating to opening balances when conducting an initial audit engagement. In addition to financial statement amounts, opening balances include matters requiring disclosure that existed at the beginning of the period, such as contingencies and commitments.

SA 520

Analytical Procedures

Analytical procedures also encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected

values by a significant amount. This


 

 

could be helpful in corroborating audit trail.

SA 530

Audit Sampling

The application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population.

SA 540

Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures

The measurement objective of accounting estimates can vary depending on the applicable financial reporting framework and the financial item being reported. The degree of estimation uncertainty affects, in turn, the risks of material misstatement of accounting estimates, including their susceptibility to unintentional or intentional management bias.

SA 550

Related Parties

The auditor has a responsibility to perform audit procedures to identify, assess and respond to the risks of material misstatement arising from the entity’s failure to appropriately account for or disclose related party relationships, transactions or balances in accordance with the requirements of the framework. The accounting records may be modified to conceal RPTs and such modification is nothing but tampering of audit trail

SA 560

Subsequent Events

Respond appropriately to facts that become known to the auditor after the date of the auditor’s report, that, had they been known to the auditor at that date, may have caused the auditor to amend the auditor’s report.

SA 570

Going Concern

When performing risk assessment procedures as required by SA 315, the auditor shall consider whether events or conditions exist that may cast significant doubt on the entity’s ability to continue as a going concern. In so doing, the auditor shall determine whether management has already performed a preliminary assessment of the entity’s ability to continue as a going concern.

The accounting records may be

modified to substantiate the management’s assessment about going


 

 

concern and such modification is nothing but tampering of audit trail

SA 580

Written Representations

Take written representations as to the management’s assertions. It is the management, who is primarily responsible for ensuring selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to retention of audit logs).

SA 600

Using the Work of Another Auditor

Relevant for the main auditor while reporting on the consolidated financial statements after considering the audit report of subsidiaries, JVs and associates.

SA 610

Using the Work of Internal Auditors

Relevant for the main auditor while evaluating the internal auditor’s findings

w.r.t. audit trail

SA 620

Using the Work of an Auditor’s Expert

Relevant for the main auditor while evaluating say the system auditor’s findings w.r.t. audit trail

4.  Meaning of expression ‘all transactions recorded in the software’

 

The Implementation Guide for Reporting under Rule 11(g) issued by the Auditing and Assurance Standards Board of the Institute of Chartered Accountants of India explains that:

·       When the software records a transaction that changes the books of accounts, it counts as "all transactions recorded in the software." For example, creating a new user in the accounting software is a transaction, but it doesn't change the books of accounts. Adding or changing a journal entry, on the other hand, does change the books of accounts.

·       The auditor should make sure that the audit trail is enabled for transactions that change the books of accounts, based on the definition of "books of account" in Section 2(13) of the Act and Rule 3 of the Account Rules, which explains the management's responsibilities for maintaining books of accounts and other relevant electronic records..

 

5.  Open Issues

 

Although the Implementation Guide (mentioned earlier) has cleared up some issues, it still hasn't given complete guidance on certain matters. These include:

a) When the accounting year (FY 2023-24) is different from the auditing year (FY 2022-23) - a confusing situation  

b) Whether the audit trail should be for the books of accounts or the accounting software

      c) Whether it's necessary to review the suitability of the audit trail retrospectively

      d) If different software is used for keeping the books of accounts and financial statements

      e) How to handle consolidated financial statements

      f) Whether it's okay to use accounting software supported by service providers

      g) The internal controls and audit approach for assessing the suitability of the audit trail in relation to    Section 143(3)(i) of the Companies Act, 2013

      h) How long to keep the audit trail

       i) Whether the audit trail covers all transactions in the software throughout the year

      j) The responsibility of management and the Directors' Report  

      k) Risk assessment in the IT environment

The upcoming audit period is going to be very challenging for both auditors and the companies being audited. The audit trail will be put to the test over a period of time.

No comments:

CBDT issues second round of frequently asked questions in relation to Direct Tax Vivad Se Vishwas Scheme, 2024

  This Tax Alert summarizes Circular No. 19/2024 dated 16 December 2024 (VSV 2- December Circular) issued by the Central Board of Direct Tax...