Audit Trail requirement as per Companies Act
In rule 3, in sub-rule (1), the proviso shall be inserted which says, “Provided that for the financial year commencing on or after the 1st day of April 2021, every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.” In rule 8, in sub-rule (5), after clause (x), the two clauses shall be inserted.
1. What does the new law say regarding Audit Trail?
The Ministry of Corporate Affairs ("MCA"), in its continuing drive to improve transparency and bolster the integrity of financial reporting, has amended the Companies (Accounts) Rules, 2014 ("Accounts Rules"), requiring companies to ensure that the accounting software used to maintain books of accounts has the following features and attributes:
recording audit trails for each & every transaction;
logging the edits made to the book of accounts along with the date when such an edit was made; and
ensuring that the audit trail cannot be disabled.
The Companies (Audit and Auditors) Rules, 2014 ("Audit Rules") have been correspondingly modified, whereby auditors are now required to report, as part of the auditor's report, whether the accounting software used by the company being audited has the feature of recording an audit trail (edit logs), whether the audit trail feature was operational throughout the financial year and had not been "tampered" with, and whether such audit trails have been retained for the statutorily prescribed period.
The MCA has notified that the aforesaid amendments will be effective from April 1, 2022, which implies that the accounting software employed by companies will need to be compliant with the Accounts Rules from FY 2022-23. The breathing space provided by the MCA ought to be used by companies to assess whether their accounting software has the functional parameters and attributes that would be considered compliant with the Accounts Rules and, where necessary, to engage with their service providers and/or auditors to implement changes to ensure compliance.
Prima facie the amendments to the Accounts Rules and Audit Rules (collectively referred to as the "Rules") are relevant, as an immutable audit trail would be critical to establish accountability and act as an impediment to falsification and manipulation of accounting records. However, the Rules are in certain respects ambiguous or lack specificity, and this may lead to divergence in interpretation and application of the Rules by auditees and auditors. This article seeks to outline the aforesaid ambiguities as well as discuss steps which companies could undertake to ensure effective compliance. It is our hope that the key stakeholders, i.e. the companies, auditors and the MCA, assess these ambiguities and arrive at a common ground before the Rules are implemented from FY 2022-23.
2. Audit Trails – To include or exclude?
The Rules don't specify the fields or data sets for which audit trails are required to be maintained. In relation to a transaction, data comprises two types, i.e. transactional data (e.g. amount, accounting date, ledger accounts, narration, i.e. information which is reflected in the financial records) and data pertaining to the transaction (e.g. the identity of the user accounting for the transaction or the time at which the transaction was posted). With reference to the latter, while it is obvious that the user identification ("User ID") and transaction timestamp are necessary fields, it may be that other fields such as approval information (User ID of the approver and timestamp at which the transaction was approved) are also required to be logged as part of the audit trail.
It can be argued that transactional data does not form part of the audit trail as the data is recorded in the books of accounts and replicating this information in the audit trail would not serve any purpose. However, since the Rules also mandate that "edit logs" are to be maintained, one could also argue that the audit trail should provide sufficient information to reconstruct or identify the original data prior to the edit being undertaken. For example, if a transaction is deleted or edited, apart from logging information about who effected the deletion/edit, the audit trail should include sufficient information to either view or trace the transaction which had been deleted.
3. Modification of Audit Trail
The Audit Rules stipulate that the auditor should state whether "the audit trail feature has not been tampered with and the audit trail has been preserved by the company". In this regard, there is significant ambiguity as to the remit of the word "tampered". Is the requirement for the auditor to assess whether the accounting software's feature to create audit trails has not been tampered with per se (which would inter alia include unauthorized modifications to the settings of the audit trail), or would tampering with the audit trail of transactions (i.e. modification of the audit trail records) also be covered? Considering that modifications to the audit trail would defeat the purpose of maintaining audit trails, it would appear that the reference to tampering applies to both of the scenarios stated above.
4. Edit Logs & Audit Trails
The Rules mandate that "edit logs" are to be maintained. The word "edit", in its ordinary grammatical sense, means a change to existing data, and therefore it may be argued that edit logs would be required only when an existing transaction has been modified. However, considering that the Accounts Rules refer to an "edit log of each change made in books of account", it can be construed that edit logs would have to be maintained for all transactions. As such, a harmonious reading could be that the terms audit trail and edit logs are synonymous.
5. Audit Trails for non-financial records.
Certain records such as purchase orders or master data, which are not transactions per se, at least from an accounting standpoint, may be relevant from an investigation standpoint. For example, in the event fraudulent payments are effected through modification of bank account details, audit trails relating to changes to those bank account details would be of significant relevance. As such, it is not clear whether the term "transactions" refers solely to financial transactions or whether the term has to be interpreted broadly to include non-financial records or events, such as purchase orders or changes to vendor master data, which are correlated to financial transactions.
6. Internal Controls.
In order to demonstrate that the audit trail feature was functional, operated and was otherwise preserved, a company would have to design and implement specific internal controls (predominantly IT controls) which, in turn, would be audited by the auditors. A company may leverage its existing internal control framework to design these controls, in consultation with its auditors. An illustrative list of internal controls which may be required to be instituted is set out below:
Controls to ensure that the audit trail feature has not been disabled or deactivated.
Controls to ensure that access to the accounting software is restricted to authorized users.
Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.
Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.
Controls to ensure that access to the audit trail (and backups) is disabled or restricted and that access logs, recording whenever the audit trails have been accessed, are maintained.
Controls to ensure that periodic backups of the audit trails are taken and archived.
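As an added illustration (not part of this article, the Rules, or any accounting product), the Python sketch below shows one way an accounting system could give effect to the attributes discussed in sections 2, 3 and 6: every change is appended with the User ID, timestamp and pre-change image, entries are hash-chained so that altering or deleting an earlier entry is detectable by the `verify()` control, and the original transaction can be reconstructed from the log. The `EditLog` class, its field names and the sample journal entries are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone


class EditLog:
    """Hypothetical append-only edit log: who changed which transaction, when,
    and the before/after images. Entries are chained by SHA-256 so that a
    later modification or deletion of any entry breaks the chain. Preventing
    the feature from being disabled is an access-control matter outside this
    sketch."""

    GENESIS = "0" * 64  # prev_hash of the first entry (constructed constant)

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON of every field except the hash itself.
        canon = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                           sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()

    def record(self, user_id, txn_id, action, before, after, ts=None):
        """Append one edit-log entry (action: create / edit / delete)."""
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "user_id": user_id,
                 "txn_id": txn_id, "action": action, "before": before,
                 "after": after, "prev_hash": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1

    def original_of(self, txn_id):
        """Reconstruct a transaction as first recorded, before any later edit or deletion."""
        for e in self.entries:
            if e["txn_id"] == txn_id:
                return e["after"] if e["action"] == "create" else e["before"]
        return None
```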