1. Introduction
The Ministry of Corporate Affairs ("MCA") has made changes to the Companies (Accounts) Rules, 2014 ("Accounts Rules") to improve the accuracy of financial reporting. Companies are now required to use accounting software that has certain features, including recording every transaction, keeping a log of any changes made to the books of accounts and when they were made, and making sure that the audit trail cannot be turned off. For this purpose, the following proviso had been inserted in Rule 3(1) of the Accounts Rules vide the Companies (Accounts) Amendment Rules, 2021, w.e.f. 1-4-2021:
"Provided that for the financial year
commencing on or after the 1[1st day of April, 2023], every company which uses accounting software for
maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change
made in books
of account along with the date when such changes
were made and ensuring
that the audit trail cannot
be disabled."
The Companies
(Audit and Auditors) Rules, 2014 ("Audit Rules") have also been changed
to match the changes made to the Companies (Accounts) Rules. A new clause (g)
was added to Rule 11 of the Audit Rules. This means that auditors now have to
report in their audit report if the company being audited used accounting
software that recorded audit trails (edit logs) and whether this feature was
used throughout the financial year without any tampering. The audit trails also
need to be kept for the required period as set out in the law. This new Rule
11(g) was added by the Companies (Audit and Auditors) Amendment Rules, 2021 and
came into effect on April 1, 2021. The exact wording of the new rule is shown
below:
“Whether the company, in respect of
financial years commencing on or after the 1st April, 2022, has used such accounting software for
maintaining its books of account which has a feature of recording audit trail (edit log) facility and the
same has been operated throughout the year for all transactions recorded in the software and the audit
trail feature has not been tampered with and the audit trail has been preserved by the company
as per the statutory
requirements for record retention.”
Applicability
|
Responsibility of |
Relevant Provision |
Applicability Date and Remarks |
|
Management of the
Company |
Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 |
Applicability Date: 1st
day of April
2023
Remarks:
This requirement was inserted by
the Companies (Accounts) Amendment Rules
2021 vide notification G.S.R. 205(E) dated 24th
March 2021 w.e.f.1st April 2021. Then
this was substituted for 1st day of April 2022
by the Companies (Account) Second Amendment Rules
2021
vide |
|
|
|
notification
G.S.R. 247(E) dated 1st April 2021
and again substituted for “1st day of April
2023” by the Companies (Account) Second Amendment Rules, 2022 vide notification G.S.R. 235(E) dated
31st March 2022. |
||
|
|
It may be noted
that this new requirement for companies has been prescribed under the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 requiring companies, which use accounting software for maintaining their books of account, to use only such accounting software which has audit trail
feature. This requirement for companies was initially made applicable for financial year commencing on or after
April 1, 2021.
However, its applicability has been deferred two times and this requirement is finally applicable
from April 1, 2023. |
|
||
|
Statutory Auditor
of the Company |
Rule 11(g)
of Companies (Audit and Auditors) Rules, 2014 |
Applicability Date: 1st
day of April
2022
Remarks:
This requirement was initially made applicable for the financial year commencing on or after
the 1st day of April
2021 vide notification G.S.R. 206(E) dated March 24, 2021.
However, the applicability was deferred to financial year commencing on or after
April 1, 2022,
vide MCA notification G.S.R. 248(E) dated
April 1, 2021. |
||
1. On which entities audit
trail requirements is applicable
The reporting
requirements have been prescribed for audit of financial statements prepared
under the Act. Accordingly, auditors
of all class of companies including section 8 companies would be required to report on these matters.
As per the Companies (Registration of Foreign Companies) Rules, 2014, the provisions
of “Chapter X of the Act: Audit and Auditors” and Rules made there under apply,
mutatis mutandis, to a foreign
company as defined in the Act. Accordingly, the above reporting requirements would be applicable to the auditors of foreign companies as well. In simple words,
as per the Companies Act 2013, these requirements shall be
applicable to the following companies, including the companies that are managed by State and Central
Government, NGOs who are receiving funds from various stakeholders:
·
All Public and Private
Limited Companies
·
One Person Companies (OPCs)
·
Companies owned by Government of India
·
State Government Companies
·
Not-for-Profit
Companies/Organization [Section 8 companies]
·
Nidhi Companies
The following entities
hence don’t fall under the purview of the audit trail rule:
· Individuals
·
Proprietorship
concerns
·
Partnership firms
·
Limited Liability Partnership
·
HUFs/ AOPs/ BOI
·
Cooperative Societies
·
Societies registered
under Societies Act, 1860
·
Trusts
2. Manual book keeping and audit trail
The
requirements of audit trail are applicable to the extent a company maintains
its records in the electronic form by
using an accounting software. Thus, where the books of account are entirely maintained manually – the assessment and
reporting responsibility under Rule 11(g) will not be applicable and accordingly, same would need to be reported as
statement of fact by the auditor against this clause.
3. Standards on Auditing w.r.t.
audit-trail consideration
Various Standards on Auditing (SAs) may have to be contemplated by the
auditors while reporting for the usage of audit-trail compliant software by the companies.
Such as:
|
Relevant SAs |
Audit Trail connection |
|
|
SA 200 |
Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing |
Rule 11(g)
of casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’. |
|
SA 210 |
Agreeing the Terms of Audit Engagements |
While formularising letter of engagement,
the reporting about audit trail
and access to various underlying electronic
records thereto should be clearly
specified |
|
SA 220 |
Quality Control for an Audit of Financial Statements |
Evaluating
the integrity of the principal owners,
key management and those charged
with governance of the entity. This
will assist in n deciding whether to continue
an existing engagement, and when
considering acceptance of a new engagement with
an existing client. |
|
SA 230 |
Audit Documentation |
Recording the identifying characteristics of the audit trail
compliant software |
|
SA 240 |
The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements |
Audit
Procedures Responsive to Assessed
Risks of Material Misstatement Due
to Fraud at the Assertion Level
such as auditor may choose to use computer-assisted audit techniques to gather more evidence |
|
|
|
about data contained in significant accounts or electronic
transaction files. |
|
SA 250 |
Consideration of Laws and Regulations in an Audit
of Financial Statements |
Statutory requirements for record retention vis-Ã -vis audit trail |
|
SA 260 |
Communication with Those Charged with Governance |
The auditor
may confirm that those charged with governance have
the same understanding of the facts and circumstances relevant to specific transactions or events |
|
SA 265 |
Communicating Deficiencies in Internal Control to Those Charged with Governance and Management |
In
determining whether the auditor has identified
one or more deficiencies in internal
control, the auditor may discuss the
relevant facts and circumstances of the
auditor’s findings with the appropriate
level of management. This discussion
provides an opportunity for the
auditor to alert management on a timely basis to the existence of deficiencies
of which management may not have
been previously aware. Certain identified
significant deficiencies in internal
control may call into question the integrity or competence of management. For example, there may be evidence of fraud or intentional non- compliance with laws and regulations by management, or management may exhibit an inability to oversee the preparation of adequate financial statements that may raise doubt about management’s competence. Accordingly, it may not be appropriate to communicate such deficiencies directly to management. |
|
Revised SA 299 |
Joint Audit of Financial Statements |
Identify
division of audit areas and common
audit areas amongst the joint auditors
that define the scope of the work of each
joint auditor |
|
SA 300 |
Planning an Audit of Financial Statements |
Ascertain the nature, timing and extent of resources necessary to perform the engagement. |
|
SA 315 |
Identifying and
Assessing the Risks
of Material Misstatement
Through Understanding the Entity
and Its Environment |
Evaluating
the risks arising say due to inadequate
access controls over automated
records, including controls over
and review of computer systems event logs |
|
SA 320 |
Materiality in Planning and Performing an Audit |
Materiality
and audit risk are considered throughout the audit. The auditor obtains
reasonable assurance by obtaining
sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. The risk of |
|
|
|
tampering
audit trail or non operation of software throughout the year may impact
assessment of materiality |
|
SA 330 |
The Auditor’s Responses to Assessed Risks |
Dealing with
the risks arising say due to inadequate
access controls over automated
records, including controls over
and review of computer systems event logs |
|
SA 402 |
Audit Considerations Relating to an Entity Using a Service Organisation |
Many entities
outsource aspects of their business
to organisations that provide services
ranging from performing a specific
task under the direction of an entity
to replacing an entity’s entire business
units or functions. This Standard
on Auditing (SA) deals with the
user auditor’s responsibility to obtain
sufficient appropriate audit evidence
when a user entity uses the services of one
or more service organisations |
|
SA 450 |
Evaluation of Misstatements Identified During
the Audit |
Misstatements
may result from an inaccuracy in
gathering or processing data from
which the financial statements are prepared. |
|
SA 500 |
Audit Evidence |
Audit
evidence includes both information
contained in the accounting records underlying the financial statements
and information obtained from other
sources. |
|
SA 505 |
External Confirmations |
Audit
evidence obtained as a direct written
response to the auditor from a third
party (the confirming party), in paper
form, or by electronic or other medium
could be helpful in corroborating audit
trail. |
|
SA 510 |
Initial Audit Engagements – Opening Balances |
This Standard
on Auditing (SA) deals with the
auditor’s responsibilities relating
to opening balances when conducting
an initial audit engagement. In
addition to financial statement amounts,
opening balances include matters
requiring disclosure that existed at
the beginning of the period, such as contingencies and commitments. |
|
SA 520 |
Analytical Procedures |
Analytical
procedures also encompass such
investigation as is necessary of identified
fluctuations or relationships that
are inconsistent with other relevant information or that differ from expected values by a
significant amount. This |
|
|
|
could be helpful in corroborating audit trail. |
|
SA 530 |
Audit Sampling |
The
application of audit procedures to less
than 100% of items within a population
of audit relevance such that all
sampling units have a chance of selection
in order to provide the auditor with
a reasonable basis on which to draw
conclusions about the entire population. |
|
SA 540 |
Auditing
Accounting Estimates, Including
Fair Value Accounting Estimates, and
Related Disclosures |
The measurement objective of accounting estimates can vary depending on the applicable financial reporting framework and the financial item being reported. The degree of estimation uncertainty affects, in turn, the risks of material misstatement of accounting estimates, including their susceptibility to unintentional or intentional management bias. |
|
SA 550 |
Related Parties |
The auditor
has a responsibility to perform
audit procedures to identify, assess
and respond to the risks of material
misstatement arising from the entity’s
failure to appropriately account for
or disclose related party relationships,
transactions or balances in accordance
with the requirements of the framework.
The accounting records may be
modified to conceal RPTs and such modification
is nothing but tampering of audit trail |
|
SA 560 |
Subsequent Events |
Respond
appropriately to facts that become
known to the auditor after the date
of the auditor’s report, that, had they
been known to the auditor at that date,
may have caused the auditor to amend the auditor’s report. |
|
SA 570 |
Going Concern |
When
performing risk assessment procedures
as required by SA 315, the auditor
shall consider whether events or conditions
exist that may cast significant doubt
on the entity’s ability to continue as
a going concern. In so doing, the auditor
shall determine whether management
has already performed a preliminary
assessment of the entity’s ability to continue as a going
concern. The
accounting records may be modified to substantiate the management’s assessment about going |
|
|
|
concern and such modification is nothing but tampering of audit trail |
|
SA 580 |
Written Representations |
Take written
representations as to the management’s
assertions. It is the management,
who is primarily responsible for
ensuring selection of the appropriate
accounting software for ensuring
compliance with applicable laws and
regulations (including those related to retention of audit logs). |
|
SA 600 |
Using the Work of Another
Auditor |
Relevant for
the main auditor while reporting on
the consolidated financial statements
after considering the audit report
of subsidiaries, JVs and associates. |
|
SA 610 |
Using the
Work of Internal Auditors |
Relevant for the main auditor while evaluating the
internal auditor’s findings w.r.t. audit
trail |
|
SA 620 |
Using the Work
of an Auditor’s Expert |
Relevant for the main auditor while
evaluating say the system auditor’s
findings w.r.t. audit trail |
4. Meaning of expression ‘all transactions recorded
in the software’
The Implementation Guide for Reporting under Rule
11(g) issued by the Auditing and Assurance Standards Board of the Institute of
Chartered Accountants of India explains that:
· When the software records a transaction that
changes the books of accounts, it counts as "all transactions recorded in
the software." For example, creating a new user in the accounting software
is a transaction, but it doesn't change the books of accounts. Adding or
changing a journal entry, on the other hand, does change the books of accounts.
· The auditor should make sure that the audit trail
is enabled for transactions that change the books of accounts, based on the
definition of "books of account" in Section 2(13) of the Act and Rule
3 of the Account Rules, which explains the management's responsibilities for
maintaining books of accounts and other relevant electronic records..
5. Open Issues
Although the
Implementation Guide (mentioned earlier) has cleared up some issues, it still
hasn't given complete guidance on certain matters. These include:
a) When the
accounting year (FY 2023-24) is different from the auditing year (FY 2022-23) -
a confusing situation
b) Whether the audit trail should be for the books of
accounts or the accounting software
c) Whether it's necessary to review the
suitability of the audit trail retrospectively
d) If different software is
used for keeping the books of accounts and financial statements
e) How to handle consolidated financial
statements
f) Whether it's okay to use
accounting software supported by service providers
g) The internal controls
and audit approach for assessing the suitability of the audit trail in relation
to Section 143(3)(i) of the Companies
Act, 2013
h) How long to keep the
audit trail
i) Whether the audit trail
covers all transactions in the software throughout the year
j) The responsibility of
management and the Directors' Report
k) Risk assessment in the
IT environment
The upcoming audit period is going to be very
challenging for both auditors and the companies being audited. The audit trail
will be put to the test over a period of time.
No comments:
Post a Comment