The Ministry of Corporate Affairs (MCA) has mandated all companies, regardless of size or complexity, to incorporate an audit trail feature in their accounting software, aiming to bolster accountability and transparency. Originally slated for implementation in the financial year starting April 2021, the requirement was deferred twice and is now enforced from April 1, 2023. This initiative aligns with MCA’s efforts, including Revised Schedule III and CARO 2020, towards greater transparency and accountability. While such requirements aren’t common globally, MCA’s move, positions it as a pioneer in ensuring detailed transaction records to aid stakeholders, including auditors, in identifying financial irregularities and improving financial reporting and compliance framework.
Understanding the Essence of Audit Trail:
An audit trail is defined as a step-by-step sequential record that provides evidence of the documented history of financial transactions to its source. Audit trails are a chronological record of the changes that have been made to the data. Any change to data including creating new data, updating or deleting existing data, must be recorded. Records maintained as audit trail may include the following information:
- Date and time (timestamp) when changes were made
- Login credentials of the user who made the changes
- Details of changes made (transaction reference)
Regulatory Mandate for Audit Trail:
MCA has amended Companies (Accounts) Rules, 2014 by prescribing the following under the proviso to Rule 3(1):
“Provided that for the financial year commencing on or after the 1st day of April 2023, every company which uses accounting software for maintaining its books of account shall use only such accounting software which has a feature of recording audit trail of every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.’’ The requirement of maintaining an audit trail applies to all companies, excluding LLPs and partnership firms. This requirement is applicable when a company maintains its records electronically using accounting software. It necessitates companies to document every transaction impacting their books of account. In cases where accounting tasks are outsourced, management must verify that the service provider uses software with an audit trail feature, and the auditor must comment on internal control related to edit logs. The audit trail should include the date and ID of the person making changes, along with details of the changes made. Identifying which software qualifies as the official accounting record can pose challenges and may necessitate managerial discretion.
Responsibility of Auditor in Reporting:
MCA has inserted Rule 11(g) under ‘Companies (Audit and Auditors) Amendment Rules, 2021’, requiring the auditor to report on:
“Whether the company, in respect of financial years commencing on or after the 1st April 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.”
The above reporting places a significant burden on auditors by requiring them to make a specific assertion regarding the audit trail in their audit reports. Further, it is pertinent to note that the auditor is required to report for transactions on or after 1st April 2022. However, as the amendment to maintain the audit trail was made effective on April 01, 2023, the auditor in the audit report for the financial year March 31, 2023, should mention the fact that reporting is not applicable in the current year. In addition, the auditor is required to comment on whether the company is using accounting software that has a feature of recording audit trail, by verifying the following aspects:
- whether the audit trail feature configurable (i.e., if it can be disabled or tampered with)?
- whether the audit trail feature enabled/operated throughout the year?
- whether all transactions recorded in the software covered in the audit trail feature?
- whether the audit trail been preserved as per statutory requirements for record retention?
The auditor must verify the appropriateness and completeness of management’s assessment of the software used for maintaining the books of account. In cases where multiple software are used, the auditor must ensure the completeness of the list identified by management for audit trail maintenance. For small companies using excel sheets for various records, the auditor needs to assess whether these sheets constitute part of the accounting software and if the audit trail can be established effectively. If processes are outsourced, such as payroll, the auditor should consider independent auditor’s reports of service organizations to ensure compliance with audit trail requirements. It’s essential for auditors to verify if the audit trail feature was enabled throughout the year and assess the control environment around its maintenance. In cases of complex ERPs, IT experts’ involvement may be necessary. Auditors should ensure that the “who, when, and what” changes are appropriately logged and verify them to mitigate fraud risks. If the audit trail is disabled or tampered with, auditors must assess its impact on the risk of material misstatement due to fraud and adjust audit strategies accordingly. They should also evaluate the repercussions of failing to adhere to laws and regulations, reporting any instances of audit trail manipulation or deactivation in the audit report. Though the Company Account Rules do not specifically talk about the retention of audit trail, it would be primarily the responsibility of management to ensure that the trail is retained and preserved for a statutory period i.e. 8 years, and the auditor needs to comment on whether management is preserving the trail as per statutory requirements of record retention.
Benefits and Challenges in the Implementation:
Implementing an end-to-end audit trail for transactions offers a systematic approach to bookkeeping and aids in detecting financial irregularities early on. It serves as a valuable tool for internal risk assessment, enabling management to identify and mitigate potential risks proactively. The audit trail fosters discipline in accounting practices, discouraging backdating of transactions and manipulation of financial records. It promotes transparency, accountability, and good corporate governance within organizations, enhancing trust among stakeholders. For auditors, the audit trail provides deeper insights into transactions, facilitating more effective risk assessment and ensuring a true and fair view for stakeholders. However, maintaining an audit trail presents challenges for both companies and auditors. It generates large volumes of data, leading to increased storage costs and making it difficult to sift through relevant information, particularly for companies using multiple software. Large multinational corporations with legacy systems may face significant hurdles in transitioning to compliant software due to cost and time constraints, especially if decisions are dictated by global headquarters. Compliance with audit trail requirements imposes an additional financial burden on small companies, requiring significant resources and expertise to establish and maintain effective systems. Overall, while audit trail requirements promote transparency and accountability, their implementation poses logistical and financial challenges for companies and auditors alike.
Way Forward:
The mandatory implementation of the audit trail by the Ministry of Corporate Affairs (MCA) poses challenges for companies adopting it in the financial year 2023-24. Auditors will need to modify their reporting to include assessments of the maintained audit trail throughout the year. Reviewing the nature of changes in the trail becomes crucial for auditors, impacting risk assessment, particularly concerning fraud risk. While the primary objective of audits is not fraud detection, the availability of the trail increases stakeholders’ expectations for auditors to exercise judgment and raise red flags promptly. The audit trail serves as a potent tool for regulators to identify irregularities, emphasizing the need for auditors to be diligent, especially in companies with extensive audit trail data and multiple software systems. Overall, the mandatory audit trail marks a progressive step towards a more disciplined era of accounting.
