The FAQs on Audit Trail - Part - I

The FAQs on the requirement for the auditor to report on the audit trail in the audit report of a company, under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, are arranged as under in 80 possible FAQs in two parts:

Part I - FAQs 01 to 39

| S. No. | Particulars | Reference |
|---|---|---|
| (A) | Applicability of Rule 11(g) | [FAQs 1 to 21] |
| (B) | Audit trail | [FAQs 22 to 26] |
| (C) | Audit Trail vs Internal Financial Controls | [FAQ 27] |
| (D) | Accounting Software | [FAQs 28 & 29] |
| (E) | Books of account | [FAQs 30 to 33] |
| (F) | Management Responsibilities when books of account maintained in electronic mode | [FAQs 34 to 39] |
| (G) | Audit Procedures | [FAQs 40 to 43] |
| (H) | Audit Trails & Frauds | [FAQs 44 & 45] |
| (I) | Audit Documentation | [FAQ 46] |
| (J) | Reporting in Independent Auditor's Report | [FAQs 47 to 80] |
| (K) | Conclusion: Key Takeaways | |

(A) APPLICABILITY OF RULE 11(g)

FAQ 1. When is the statutory auditor of a company required by Rule 11(g) to report on an audit trail in his audit report?

Clause (j) of Section 143(3) of the Companies Act, 2013 ('the Act') states that the auditor's report shall also state such other matters as may be prescribed. Rule 11 of the Companies (Audit and Auditors) Rules, 2014 prescribes other matters that are required to be reported upon by the auditor of a Company under Section 143(3)(j). Clause (g) of Rule 11 [Rule 11(g)] requires the auditor of a Company to report whether the accounting software used by the Company to maintain books of account has an audit trail feature. Rule 11(g) is reproduced below:

"Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention."

The following points emerge from Rule 11(g):

- If the Company maintains books of account entirely in manual mode without using any accounting software, reporting under Rule 11(g) is not applicable.
- Where the company has used any accounting software to maintain its books of account in respect of financial years commencing on or after 01.04.2022, Rule 11(g) requires the company's auditor to report on the accounting software's audit trail feature in his audit report by making a specific assertion in this regard.

FAQ 2. What if books of account are maintained and written up manually by the Company, and then entries are made from these books at the year-end in the software, and the books of account and balance sheet and P&L account are then printed out from the software? Will the auditor have to report under Rule 11(g) in such a case?

No. Here, the software is used not for maintaining books of account but only for printing them out and for finalising balance sheets and P&Ls from the manually maintained books of account. Therefore, Rule 11(g) and Proviso to Rule 3(1) [FAQ 5 below] are not applicable to such a case.

FAQ 3. What are the duties of an auditor of a company to report as regards audit trail?

Where the company has used any accounting software to maintain its books of account in respect of financial years commencing on or after 01.04.22, the auditor is required by Rule 11(g) to report whether the accounting software used by the company is one that satisfies the following conditions:

(a) It has a feature of recording audit trail (edit log facility);
(b) the audit trail (edit log) facility has been operated throughout the year for all transactions recorded in the software;
(c) the audit trail feature has not been tampered with; and
(d) the audit trail has been preserved by the company as per the statutory requirements for record retention.

In terms of Rule 11(g), the auditor is expected to verify the following:

- Non-Configurable: The audit trail feature must be non-configurable. That is to say, the audit trail should not be capable of being disabled and should not be capable of being tampered with.
- Enabled throughout the year: Verify whether the audit trail feature was enabled/operated throughout the year.
- Auditor's responsibility is limited to transactions that have been recorded in the accounting software and subsequent changes made to those transactions: Verify whether all transactions recorded in the software are covered by the audit trail feature. Proviso to Rule 3(1) of Companies (Accounts) Rules 2014 prescribes the requirement of an audit trail only in the context of books of account by stating that accounting software should be capable of creating an edit log of "each change made in books of account." The auditor's responsibilities have been prescribed for "all transactions recorded in the software." Accordingly, the auditor's responsibility under Rule 11(g) is restricted to transactions that have been recorded in the accounting software and subsequent changes made to those transactions (which is demonstrated through rectification/additional entries).
- Compliance with statutory record retention requirements: Verify whether the audit trail has been preserved as per statutory requirements for record retention under Section 128(5) of the Companies Act, 2013.

FAQ 4. Is the auditor required to comment on the operating effectiveness of the audit trail?

Unlike Section 143(3)(i), which requires the auditor to comment on the operating effectiveness of internal controls, there is no requirement to report on the operating effectiveness of the audit trail.

FAQ 5. Is there any statutory obligation on the Company to implement safeguards, controls, and audit trails where the Company uses accounting software to maintain its books of account? Or is the obligation only on the auditor to report on whether or not the accounting software used by the Company has an audit trail feature?

Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 states that for the financial year commencing on or after the 1st day of April 2023, every company that uses accounting software for maintaining its books of account shall use only such accounting software which satisfies the following conditions:

- It records an audit trail of each and every transaction;
- It creates an edit log of each change made in the books of account along with the date when such changes were made; and
- It ensures that the audit trail cannot be disabled.

In short, every company that uses accounting software to maintain books of account should ensure that the accounting software used has an audit trail feature that cannot be disabled.

The following points emerge from the proviso:

- The accounting software that a Company uses should create an edit log of each transaction with changes made in the books of account.
- The accounting software should capture the date on which such changes (edits) are made and ensure that the edit trail cannot be disabled.
- The accounting software should maintain the edit log of every transaction, from recording to tracking any changes that may take place.

FAQ 6. If accounting software used for maintaining books of account does not have a built-in audit trail feature but maintains an audit trail manually by management, will it satisfy the requirements regarding audit trails of Rule 11(g) and Proviso to Rule 3(1)?

No. These Rules envisage an audit trail, which is a built-in feature of the accounting software used by the Company. If the audit trail feature is not built into the software and is maintained manually, the requirements of these Rules are not satisfied.

FAQ 7. Companies are required to implement the audit trail feature in the accounting software used by the Company only with effect from Financial Year 2023-24. However, the auditor is required to report whether the accounting software has an audit trail with effect from FY 2022-23. What is the auditor to do for the audit report of a Company for FY 2022-23?

As the compliance requirement with regard to the audit trail is applicable to companies with effect from 01.04.2023 (FY 2023-24) only, the auditor of a Company will not be able to report on the audit trail feature of accounting software in his audit report for the financial year 2022-23. In his audit report for the financial year 2022-23, the auditor of a Company may state that the requirement to report on the audit trail is not applicable, as the requirement for companies to implement the audit trail feature in the accounting software pursuant to the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable only with effect from 01.04.2023.

In the audit report for FY 2022-23, the auditor may report as under:

"As proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable for the company only w.e.f. April 1, 2023, reporting under this clause is not applicable."

FAQ 8. What is an "audit trail"? What is "accounting software"? What are "books of account"?

See [FAQs 22 to 34]

FAQ 9. Is a company legally obliged to use accounting software for maintaining its books of account?

No. The Company is well within its rights to maintain its books of accounts entirely manually. If it uses an accounting software, it is required to comply with the proviso to Rule 3(1).

Section 128(1) of the Act requires every company to prepare and keep the books of account and other relevant books and papers and financial statements for every financial year which give a true and fair view of the state of the affairs of the company. Further, this Section gives an option to companies to maintain such books of account in electronic mode. If the Company opts to maintain its books of account in electronic mode, then it is required to comply with the requirements of Rule 3 of the Companies (Accounts) Rules, 2014. If a company (irrespective of its size and nature, i.e. small company, medium company, private company, public company) is maintaining its books of account in the electronic mode, then it is required to use accounting software with an audit trail feature.

If a Company does not comply with the Proviso to Rule 3(1), the Company's auditor must appropriately modify his comment while reporting under Rule 11(g).

FAQ 10. Is the auditor required to report on the audit trail feature in his/ her limited review report of a listed company?

The Companies Act, 2013, and the Rules made thereunder specify requirements with regard to the contents of the audit reports. The Act and the Rules are silent on the contents of a limited review report. The SEBI Regulations do not require the auditors to report on the audit trail feature of accounting software while issuing their limited review report on the financial results of a listed company. Thus, at present, there is no requirement for an auditor to report on an audit trail in a limited review report of a listed company.

FAQ 11. Does the reporting requirement under Rule 11(g) apply to audit reports of all companies, or is there an exemption for certain categories of companies?

Rule 11(g) applies to the audit report of every company that uses accounting software to maintain its books of account. If a company uses accounting software to maintain its books of account, the auditor is required by Rule 11(g) to report on the audit trail irrespective of the company's size and class.

Rule 11(g) does not exempt audit reports of any class of companies. The reporting requirement under Rule 11(g) is triggered for companies of any class or size if accounting software is used by the Company to maintain its books of account.

FAQ 12. Is there any exemption from Rule 11(g) in respect of a Section 8 company?

The reporting requirement in Rule 11(g) is triggered when any Company uses an accounting software for maintaining its books of account. Accordingly, auditors of all classes of companies, including Section 8 companies, are required to report on the audit trail as required by Rule 11(g).

FAQ 13. Is there any exemption from Rule 11(g) regarding audit reports of One-Person Companies (OPCs)?

No. See FAQ 11 above.

FAQ 14. Is there any exemption from Rule 11(g) for the audit report of a small company as defined in Section 2(85) of the Act?

No. See FAQ 11 above.

FAQ 15. Does the reporting requirement under Rule 11(g) apply to audit reports of foreign companies?

In terms of Rule 5(2) of the Companies (Registration of Foreign Companies) Rules, 2014, the provisions of "Chapter X of the Act: Audit and Auditors" and the Rules made thereunder apply mutatis mutandis to a foreign company as defined in the Act. Therefore, reporting requirements under Rule 11(g) shall apply to a foreign company as defined in Section 2(42) of the Act.

FAQ 16. Are banks and NBFCs covered under the audit trail requirement?

The audit trail requirement applies to all companies (including banks and NBFCs) incorporated under the Companies Act, 2013 if they maintain books of account in electronic mode. So, there is no exemption for the auditors of such banks and NBFCs from reporting on audit trail requirements. However, the audit trail requirement is not applicable to banks/NBFCs not incorporated under the Companies Act (e.g. nationalised banks, SBI, etc.) unless the Central Government exercises its powers under Section 1(4) of the Act and extends the audit trail requirement to them, which the Central Government has not yet done.

FAQ 17. What if the company has outsourced the maintenance of its books of account, and the service organization to whom it is outsourced uses accounting software to maintain the company's books of account?

Rule 11(g) applies if accounting software is used for the maintenance of the company's books of account. It does not matter whether the software is used in-house by the Company or by a service organization to whom the company has outsourced the maintenance of books of account.

[See also FAQ 43]

FAQ 18. Does it affect the auditor's obligation to report under Rule 11(g) if accounting software is hosted and maintained in India or outside India?

No, not at all. The auditor's obligation under Rule 11(g) applies regardless of whether the accounting software may be hosted and maintained in India or outside India. Further, it makes no difference whether the accounting software may be on-premise, in the cloud, or subscribed to as Software as a Service (SaaS) software.

FAQ 19. Does the auditor's reporting obligation under Rule 11(g) apply to audit reports on standalone financial statements only, or does it also apply to audit reports on consolidated financial statements?

Rule 11(g) applies to reporting on both standalone financial statements and consolidated financial statements.

Section 129(4) of the Act specifically provides that the provisions of the Act shall, mutatis mutandis, apply to the consolidated financial statements. It means that the requirements of the Act will apply to CFS with necessary changes. Accordingly, in line with the approach adopted in the case of reporting on the consolidated financial statements on the other clauses of section 143(3) of the Act, the reporting under Rule 11(g) would also be on the basis of the reports of the statutory auditors of subsidiaries, associates and joint ventures that are companies defined under the Act (Indian companies). The auditors of the parent company should apply professional judgment and comply with applicable Standards on Auditing, in particular, SA 600, "Using the Work of Another Auditor" while assessing the matters reported by the auditors of subsidiaries, associates and joint ventures that are Indian companies.

FAQ 20. What if consolidated financial statements include some components whose auditors are not statutorily required to report on the audit trail?

Reporting under Rule 11(g) is not required by the auditor in respect of the following components included in the consolidated financial statements:

- Components that are not companies under the Act [e.g. Limited Liability Partnerships (LLPs)]; and
- Components incorporated outside India.

While reporting on the consolidated financial statements, the auditor is not required to report in respect of such components. While reporting on the audit trail in his report on consolidated financial statements, the auditor may state clearly that his remarks on the audit trail cover only "the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act" [See FAQ 73 below].

FAQ 21. Is the auditor required to make any adverse remarks pursuant to Rule 11(g) if the company does not use accounting software to maintain its books of accounts?

No. See FAQ 9 above.

(B) AUDIT TRAIL

FAQ 22. Is there any statutory definition of "audit trail" in the Companies Act, 2013 or the Rules thereunder?

Neither the Act nor Rule 11(g) defines the term "audit trail." However, one can discern the nature and features of an audit trail from a conjoint reading of Proviso to Rule 3(1) and Rule 11(g).

FAQ 23. What is an "Audit Trail"?

The following definitions of the term "audit trail" are noteworthy:

- An audit trail is a sequential record detailing the history and events related to a specific transaction or ledger entry. [https://www.investopedia.com/terms/a/audittrail.asp]
- An audit trail is a detailed, chronological record whereby accounting records, project details, transactions, user activity, or other financial data are tracked and traced. An audit trail is a date and time-stamped record of the history and details around a transaction, work event, product development step, control execution, or financial ledger entry. Almost any type of work activity or process can be captured in an audit trail, whether automated or manual. [https://www.auditboard.com/blog/what-is-an-audit-trail/]
- An audit trail is a comprehensive record encompassing all events or transactions within a system, network or application. It is a chronological record that tracks who, what, when, and where of all the activities within a system. [https://finprov.com/what-is-an-audit-trail/]

From the above definitions and a conjoint reading of Proviso to Rule 3(1) and Rule 11(g), it is clear that:

(a) An audit trail is a chronological, date- and time-stamped record of a specific transaction from the time its entry is made in the accounting software through various changes to it until its deletion, and it is a built-in feature of the accounting software used.
(b) If an audit trail is not a built-in feature of the accounting software, and the audit trail is maintained separately manually, the requirements of Rule 11(g) and Proviso to Rule 3(1) are not satisfied.
(c) When you enter a transaction in the accounting software, it will maintain a record by creating an edit log/audit log.
(d) The software will also record any further edits made to the details, such as a change in the amount or change in the name against which the entry is made, along with the user who made the changes and the time it was changed, by creating an edit log.
(e) If a transaction is deleted, the software will also track that by creating an edit log. Accounting software's built-in audit trail feature keeps a record of everything since the original entry was made. That is to say, a record of all edit logs created right from the entry of a transaction in the accounting software until its deletion will be maintained in chronological sequence with date-stamp and time-stamp. This chronological series of edit log/audit log records maintained by the accounting software is the "audit trail".

The FAQs given in the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 (Revised 2024 Edition) (hereinafter referred to as 'the Implementation Guide on Audit Trail' for the sake of brevity) clarify that the following do not qualify as an "audit trail":

- Back-ups
- Voucher listings: A mere voucher listing is not an audit trail.
- Error logs
- A feature in accounting software that does not allow subsequent modification to the transactions/journal entries posted initially
- A log in which only the last/latest changes are maintained and the entire chain of changes is not maintained.

The Glossary in the Implementation Guidance on Audit Trail gives a positive definition of an audit trail, which sets out the following features:

- Visible trail of evidence providing traceability of information contained in reports to the original input source
- Chronological record of all changes to data: creating new data, updating data or deleting data
- Information to be contained in records maintained as an audit trail
- Enabled at accounting software level or directly captured in the underlying database

The above features of the audit trail are explained as follows:

Visible trail of evidence providing traceability: An Audit Trail (or Edit Log) is a visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source.

A chronological record of changes to data: Audit trails are a chronological record of the changes that have been made to the data. Any change to data, including creating new data, updating data, or deleting data, must be recorded.

Contents of records maintained as audit trail: Records maintained as an audit trail should include the following information:

- Timestamp, i.e., date and time of changes
- User ID of the person who made the change
- What data was changed, i.e., data/transaction reference
- Success/failure

Enabled at what level: Depending on the features available in accounting software, audit trails may be enabled at the accounting software level or captured directly in the database underlying such accounting software.
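The record contents and the "entire chain of changes" feature described above can be checked mechanically on an exported edit log. The following Python example is added here and is not taken from the Implementation Guide or from any accounting package; the field names, the `before`/`after` values and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Fields the glossary lists for every audit-trail record (key names are assumed).
REQUIRED_FIELDS = ("timestamp", "user_id", "txn_ref", "status")


def rec(ts, user, ref, action, before, after, status="success"):
    """Build one edit-log record; this layout is an assumption for the example."""
    return {"timestamp": ts, "user_id": user, "txn_ref": ref, "action": action,
            "before": before, "after": after, "status": status}


# Constructed sample export, not taken from any real accounting package.
SAMPLE_LOG = [
    # JV-001: complete chain from original entry to deletion.
    rec("2024-04-02T10:15:00", "u101", "JV-001", "create", None, "5000.00"),
    rec("2024-04-05T16:40:00", "u102", "JV-001", "update", "5000.00", "5500.00"),
    rec("2024-04-09T09:05:00", "u101", "JV-001", "delete", "5500.00", None),
    # JV-002: only the latest change was kept, the original entry is missing.
    rec("2024-05-11T12:00:00", "u103", "JV-002", "update", "900.00", "950.00"),
    # JV-003: an intermediate change (100.00 -> 120.00) and a user ID are missing.
    rec("2024-06-01T11:00:00", "u101", "JV-003", "create", None, "100.00"),
    rec("2024-06-03T11:00:00", "", "JV-003", "update", "120.00", "150.00"),
]


def check_audit_trail(records):
    """Return (txn_ref, issue) findings for an edit log given in stored order."""
    findings = []
    by_txn = defaultdict(list)
    for i, r in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            ref = r.get("txn_ref") or f"record#{i}"
            findings.append((ref, "missing fields: " + ", ".join(missing)))
        if r.get("txn_ref") and r.get("timestamp"):
            by_txn[r["txn_ref"]].append(r)

    for ref, chain in by_txn.items():
        # Failed attempts are logged but do not change the data.
        applied = [r for r in chain if r.get("status") == "success"]
        if not applied:
            continue
        times = [datetime.fromisoformat(r["timestamp"]) for r in applied]
        if times != sorted(times):
            findings.append((ref, "records not in chronological order"))
        if applied[0]["action"] != "create":
            findings.append((ref, "chain does not start at original entry"))
        state = applied[0].get("after")
        deleted = applied[0]["action"] == "delete"
        for r in applied[1:]:
            if deleted:
                findings.append((ref, "change recorded after deletion"))
                break
            # Each change must pick up exactly where the previous one ended.
            if r.get("before") != state:
                findings.append((ref, "gap in chain: prior value not logged"))
            state = r.get("after")
            deleted = r["action"] == "delete"
    return findings


def trail_for(records, txn_ref):
    """Who did what and when for one transaction, oldest first."""
    rows = [r for r in records
            if r.get("txn_ref") == txn_ref and r.get("timestamp")]
    rows.sort(key=lambda r: datetime.fromisoformat(r["timestamp"]))
    return [(r["timestamp"], r["user_id"], r["action"]) for r in rows]


if __name__ == "__main__":
    for ref, issue in check_audit_trail(SAMPLE_LOG):
        print(f"{ref}: {issue}")
```

On the constructed sample, JV-001 passes, JV-002 is flagged as a log that retains only the latest change, and JV-003 is flagged for a missing user ID and a missing intermediate change.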

FAQ 24. What is an "Edit log" or "Audit log"?

As per the Glossary of the Implementation Guide on Audit Trail, these terms are synonyms of "Audit Trail". However, there is a distinction. The audit log/edit log is a record of transaction entry, of each change made to data since entry and of deletion of data. A chronological series of all edit logs/audit logs of changes to data right from the entry of the transaction to its deletion constitutes an audit trail.

FAQ 25. What are the various types of audit trails and which type of audit trail is envisaged by Rule 11(g) and Proviso to Rule 3(1)?

As per the website https://finprov.com/what-is-an-audit-trail/ there are 4 types of audit trails as under:

- System audit trail
- Transaction audit trail
- Access audit trail
- Change audit trail

System audit trail

- A system audit trail records all system-level events, such as system startups and shutdowns, user logins and logouts, system configurations, and security-related events.
- System audit trails are essential to detect system-level attacks, such as unauthorised access, malware infections, and configuration changes.

Transaction audit trail

- A transaction audit trail records all transaction-level events, such as data entry, updates, deletions and transfers.
- Transaction audit trails are essential for detecting and investigating data manipulation, fraud and theft.

Access audit trail

- An access audit trail records all access-level events, such as file and folder access, network connections and remote access.

Change audit trail

- A change audit trail records all changes made to the system or application.
- Change audit trails are essential for detecting and investigating system vulnerabilities, misconfigurations and errors.

Rule 11(g) and Proviso to Rule 3(1) only cover "Transaction audit trail".

FAQ 26. What Audit trail (edit log) features should one look for in an accounting software to be compliant with Proviso to Rule 3(1) and Rule 11(g)?

According to www.tallysolutions.com, accounting software should have the following key features in order to be compliant with Proviso to Rule 3(1) and Rule 11(g):

- Date-stamp: The audit trail (edit log) feature of the accounting software used by a Company should have the time and date log within the accounting software. The audit trail (edit log) should record all the details of actions performed in the software in a date-wise manner. The accounting software should keep records of all the edits made in the books of account, and the edit log shouldn't be disabled.
- Track all transactional changes: The accounting software should monitor and track all the changes made to the transaction and capture such details in the audit log. Essentially, the software should track and log changes from creation to alteration to deletion of transactions.
- The edit log feature shouldn't be disabled: The audit trail feature should always be enabled to remain compliant with Rule 11(g) and Proviso to Rule 3(1).
- Technical log vs. audit log: Don't confuse audit logs with software logging. While opting for accounting software, businesses must ensure that the system has its own logs for software issues as well as a dedicated audit trail to remain compliant with Rule 11(g) and Proviso to Rule 3(1).
- Capture user details: The accounting software should capture username details from creation to alteration to deletion.
- Software should provide version differences: The accounting software should provide you with version differences that help you understand various elements, such as modifications or any changes that were made.
- Sequential order: The accounting software should provide detailed insight into the chronological history by date and time.

(C) AUDIT TRAIL vs INTERNAL CONTROL

FAQ 27. Is there any distinction between "audit trail" and "internal control"?

The "audit trail" may be likened to a CCTV camera in a house. "Internal control" may be likened to the overall security measures taken to prevent housebreaks, including strong doors, collapsible gates, burglar alarms, and durable locks. While CCTV cameras cannot prevent housebreaks, they can certainly record and capture what happens when all other security measures fail to prevent them, provided the CCTV cameras are functioning all the time and don't get disabled.

Case Study on the respective roles of Internal Financial Controls and Audit Trail: Vendor master data may be updated with Udyam Registration Numbers of MSE suppliers so that Micro or Small Enterprise (MSE) suppliers' payments can be processed on a priority basis to avoid disallowance under Section 43B(h) of the Income-Tax Act, 1961 and to avoid interest liability under Section 16 of the MSMED Act and disallowance of such interest under Section 23 of the MSMED Act.

Internal control consists of laying down the norm that the vendor master data in the accounting software be updated with the Udyam Registration Number (URN) of a supplier who is an MSE only after the same is verified and validated on the Udyam Portal. Validation may be done using an Application Programming Interface (API), or it may be done by an authorised official on the Udyam Portal, with a screenshot of the validation being maintained. It may so happen that this internal control is absent or breached. The vendor master data may get updated with the fake URN of a non-MSE supplier with the connivance of that supplier so that his payments get processed on priority and the employee/official of the company who updated the vendor master gets bribes for this favour. Later on, the auditors/internal auditors, while test-checking URNs on the Udyam Portal, may uncover these fake URNs updated in vendor masters without validating them on the Udyam Portal.

The audit trail in the accounting software will help to identify who updated the vendor masters with fake URNs and when they were updated. Internal controls over the validation of URNs before updating them in vendor masters will help prevent fraud in the first place. Internal control has a preventive role, while the audit trail records what changes have been made to data, when and by whom.

IFCoFR Reporting vs Audit Trail Reporting: While the audit trail is required to be reported upon under Section 143(3)(j) read with Rule 11(g), internal control is required to be reported upon under Section 143(3)(i). While Rule 11(g) is applicable to a company using accounting software to maintain books of account regardless of the class of company to which it belongs, Section 143(3)(i) applies to every company, regardless of whether the company uses accounting software or not, unless exempted by the Notification No. GSR 464(E), dated 5-6-2015, as amended by Notification No. GSR 583(E), dated 13-6-2017. The following private companies are exempt from the applicability of Section 143(3)(i):

- One Person Company (OPC)
- Small Company
- Private Company which has a turnover of less than ₹50 crores as per the latest audited financial statement and which has aggregate borrowings from banks or financial institutions or any body corporate at any point of time during the financial year of less than ₹25 crores

Section 143(3)(i) of the Act, with respect to the Companies to which it applies, requires the auditor to state in his audit report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls. Section 143(3)(i) does not require the auditor to state whether the internal financial controls have operated throughout the year under audit. Mere non-availability of an audit trail does not necessarily imply failure or material weakness in the operating effectiveness of internal financial controls over financial reporting. However, where the auditor has to issue a modified report on IFCoFR under Section 143(3)(i) due to the inability of management to rely on the automated controls, the auditor will have to disclaim an opinion on audit trails. Illustrative wording for modified remarks under Rule 11(g) is as under:

"The company has used an accounting software for maintaining its books of account however for the reasons stated in [refer the reporting of IFCoFR] management is unable to rely on automated controls related to financial reporting in the accounting software and consequently we are unable to comment on audit trail requirements of the said software as envisaged under Rule 11(g)."

(D) ACCOUNTING SOFTWARE

FAQ 28. What is "accounting software"?

Accounting Software is a computer program or system that enables the recording, maintenance and reporting of books of account and relevant ecosystems applicable to business requirements. From a Rule 11(g) perspective, only the accounting software that is used for maintaining books of account should be considered for enabling an audit trail. Any software used to maintain books of account will be covered within the ambit of this Rule. For example, if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act.

Accordingly, any software that maintains records or transactions that fall under the definition of Books of Account as per section 2(13) of the Act will be considered as accounting software for this purpose. The requirement of the accounting software to have a feature of audit trail has been incorporated as a proviso to Rule 3(1) of the Accounts Rules and has been prescribed only in the context of books of account. This is evidenced by the fact that as per the proviso to the Rule, the accounting software should be capable of creating an edit log of "each change made in books of account."

FAQ 29. Whether end-user computing tools, like spreadsheets, should be regarded as "accounting software" for the purposes of Proviso to Rule 3(1) and Rule 11(g)?

Any software used to maintain the books of account is to be treated as accounting software for the purposes of Proviso to Rule 3(1) and Rule 11(g). Therefore, as regards treating spreadsheets used as accounting software for audit trail requirement purposes, the following points may be noted:

If a company uses end-user computing tools, like spreadsheets, then those tools are to be treated as accounting software if there is direct auto-feed posting of entries from the spreadsheets to the accounting software (the accounting software as identified by management). In such a case, the spreadsheet should be treated as part of the books of account, and the spreadsheet will attract the audit trail requirement.

If end-user computing tools like spreadsheets are merely used to record transactions or for preparing workings/calculations of amounts to be recorded without any auto-posting of accounting entries directly from the spreadsheets to the accounting software, the spreadsheets used should not be treated as "accounting software" and would not attract the audit trail. For instance, a spreadsheet may be used for preparing workings of foreign exchange gain/loss or amortization or tax liability to be recorded in another accounting software (accounting software as identified by management) using the amounts computed in the spreadsheet. However, there is no auto-posting directly to the accounting software from such a spreadsheet. In such a case, the spreadsheet should not be treated as part of books of account and the spreadsheet will not attract the audit trail requirement.

The auditor should evaluate the facts regarding the usage of end-user computing tools in the light of the above points and accordingly report.

(E) BOOKS OF ACCOUNT

FAQ 30. What is "Books of Account"?

As per Section 2(13) of the Act, the term "books of account" includes records maintained in respect of—

(i) Receipts and Payments: all sums of money received and expended by a company and matters in relation to which the receipts and expenditure take place;

(ii) Sales and Purchases: all sales and purchases of goods and services by the company;

(iii) Assets and Liabilities: the assets and liabilities of the company; and

(iv) Mandatory cost records under Section 148: the items of cost as may be prescribed under section 148 in the case of a company that belongs to any class of companies specified under that section.

FAQ 31. Whether 'books of account' maintained in accounting software would include the following:

(a) Master data (e.g., vendor records)

(b) Purchase Order/Sales Order

(c) Records of Property, Plant and Equipment/Intangible Assets

(a) Master Data: No distinction between master data and transaction data is made in the definition of "books of account" given in Section 2(13) of the Act. A reference to the master record is necessary as, usually, in an accounting software, a transaction record will not have the complete details of a payment made to a vendor. Further, changes to the master data are linked to the transactions recorded in the books of account. Hence, the vendor master data is to be treated as part of the books of account. Therefore, the changes to such master data for vendors should also have an audit trail.

(b) Purchase Order/Sales Order: Depending upon circumstances that may apply to an engagement, the auditor would need to exercise his professional judgement as to whether these constitute books of account.

(c) Records of Property, Plant and Equipment/Intangible Assets: If Property, plant and equipment/intangible assets register provides direct and auto feed to the accounting software (accounting software as identified by management) in terms of depreciation, profit or loss on sale of property, plant and equipment/intangible assets, etc., the register is part of books of account and the audit trail requirement will apply to the PPE Register/Intangible Assets Register. The statutory auditor of a Company will have to factor in compliance with audit trail requirement by PPE Register/Intangible Assets Register while reporting under CARO 2020 as to whether "proper records" have been maintained in respect of PPE/Intangible Assets.

FAQ 32. Under the Act, what is the period for which a company is required to preserve an audit trail?

Rule 11(g) requires the auditor to state whether 'the audit trail has been preserved by the company as per the statutory requirements for record retention'. Section 128(5) of the Act contains the statutory requirements for the period of record retention. Section 128(5) requires the companies to preserve books of account for a minimum period of eight years. Therefore, the company would need to retain the audit trail for a minimum period of eight years (financial years).

FAQ 33. Does the requirement that a company shall retain an audit trail for 8 years apply to the audit trail of financial years prior to 01.04.2023?

The requirement to retain an audit trail for a minimum period of eight years (financial years) applies beginning with the financial year 2023-24, since the proviso to Rule 3(1) applies "for the financial year commencing on or after the 1st day of April 2023".

(F) MANAGEMENT RESPONSIBILITIES WHEN BOOKS OF ACCOUNT MAINTAINED IN ELECTRONIC MODE

FAQ 34. If a Company uses accounting software for maintaining its books of account, what are the responsibilities of the Management in this regard?

If the Company uses accounting software for maintaining its books of account, Management has a responsibility to effectively comply with the requirements of Rule 3(1) in this regard. The requirements of the proviso to Rule 3(1) are to be complied with regardless of whether the accounting software is hosted and maintained in India or outside India, is on-premise or on the cloud, or is subscribed to as Software as a Service (SaaS) software.

In other words, the Management of every company which uses an accounting software is required to ensure only such accounting software is used which has the following features:

It records an audit trail of each and every transaction,

It creates an edit log of each change made in the books of account along with the date when such changes were made; and

It ensures that the audit trail is not disabled.

Thus, it is the Management that is primarily responsible for the selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to the retention of edit logs). The scope of Management's primary responsibility covers the following:

Identify "books of account" under Section 2(13): identify the records and transactions that constitute books of account under section 2(13) of the Act;

Identify the accounting software: identify the software, i.e., IT environment including applications, web portals, databases, interfaces, data warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and/or storing data for creation and maintenance of books of account [See Illustrative Table of identification of accounting software given below in FAQ 37];

Audit trail in accounting software: ensure such software has the audit trail feature;

Audit trail captures each and every change and contains information related to change: ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include (a) date stamp and timestamp of every change, (b) the UserId of the person making the changes and (c) what data was changed;

Not disabled: ensure that the audit trail feature is always enabled (not disabled);

Audit trail at database level: ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;

Protection from modification: ensure that the audit trail is appropriately protected from any modification;

Compliance with statutory record retention norms: ensure that the audit trail is retained as per statutory requirements for record retention under Section 128(5) of a minimum of 8 financial years;

Controls: ensure that controls over maintenance and monitoring of audit trail

In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which, in turn, would be evaluated by the auditors, as appropriate. An illustrative list of internal controls which may be required to be implemented and operated is given below:

Controls to ensure that the audit trail feature has not been disabled or deactivated.

Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.

Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.

Controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs, whenever the audit trails have been accessed, are maintained.

Controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.

Audit trail operating effectively throughout the period of reporting: ensure its features are designed and operating effectively throughout the period of reporting.

The auditor would need to ensure that the management assumes the primary responsibility regarding the above. [See FAQ 35 below]
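As an added illustration (not part of the FAQ text and not taken from any accounting software), the following Python sketch reviews an exported edit log against three of the points in FAQ 34: each entry carries a timestamp, a user ID and what was changed; the audit trail was never switched off; and no entry was modified after it was written. The field names, the "AUDIT_CONFIG" event and the SHA-256 hash chain used as the protection against modification are all assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime

# Hypothetical field names: FAQ 34 asks for date/time stamp, user ID and what changed.
FIELDS = ("event", "timestamp", "user_id", "record", "field", "old", "new")
GENESIS = "0" * 64

def entry_hash(entry, prev_hash):
    """SHA-256 over the previous hash plus this entry's fields (assumed scheme)."""
    body = json.dumps({k: entry.get(k) for k in FIELDS}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def seal(entries):
    """Chain entries at write time so a later edit or deletion is detectable."""
    prev, sealed = GENESIS, []
    for e in entries:
        prev = entry_hash(e, prev)
        sealed.append(dict(e, hash=prev))
    return sealed

def review(log):
    """Return (index, finding) pairs for a sealed log."""
    findings, prev = [], GENESIS
    for i, e in enumerate(log):
        missing = [k for k in FIELDS if e.get(k) is None]
        if missing:
            findings.append((i, "missing " + ",".join(missing)))
        try:
            datetime.fromisoformat(e.get("timestamp") or "")
        except (TypeError, ValueError):
            findings.append((i, "bad timestamp"))
        if e.get("event") == "AUDIT_CONFIG" and e.get("new") == "disabled":
            findings.append((i, "audit trail disabled"))
        if e.get("hash") != entry_hash(e, prev):
            findings.append((i, "hash chain mismatch"))
        prev = e.get("hash") or prev
    return findings

# Constructed sample log, not real data.
SAMPLE = seal([
    {"event": "EDIT", "timestamp": "2024-04-03T10:15:00", "user_id": "u101",
     "record": "INV-001", "field": "amount", "old": "1000", "new": "1200"},
    {"event": "AUDIT_CONFIG", "timestamp": "2024-04-05T18:00:00", "user_id": "admin1",
     "record": "audit_trail", "field": "status", "old": "enabled", "new": "disabled"},
    {"event": "EDIT", "timestamp": "2024-04-06T09:00:00", "user_id": None,
     "record": "VENDOR-7", "field": "bank_account", "old": "A", "new": "B"},
])
```

Calling review(SAMPLE) flags the entry that disables the audit trail and the vendor master change with no user ID; altering any sealed entry afterwards adds a hash chain mismatch at that entry.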

FAQ 35. How can the auditor ensure that management assumes the primary responsibility for matters covered in FAQ 34 above?

The auditor can make the Management of the Company aware of their responsibilities listed in FAQ 34 above by incorporating them in an Audit Engagement Letter (AEL), or in an Update/Revision to the AEL, issued by him to the Company and getting the same acknowledged by the Management of the Company or Those Charged with Governance of the Company. [See Standard on Auditing SA 210 Agreeing the Terms of Audit Engagement]

FAQ 36. How can the auditor of a company ensure that the responsibilities of Management as regards the audit trail are made known to users of financial statements?

The auditor can state the respective responsibilities of Management and the Auditor as regards the audit trail in the Independent Auditor's Report. If the auditor deems fit to state the respective responsibilities for the audit trail in the Independent Auditor's Report, then:

Management's responsibilities for the audit trail are to be stated under the paragraph with the heading "Management's Responsibility for the Standalone Financial Statements"/ "Management's Responsibility for the Consolidated Financial Statements".

Auditor's responsibilities for the audit trail are to be stated under the paragraph with the heading "Auditor's Responsibility for the Audit of the Standalone Financial Statements"/ "Management's Responsibility for the Consolidated Financial Statements".

FAQ 37. Can you illustrate how the Company's management is to identify the accounting software used by the Company?

An illustrative table showing identification by Management of accounting software used by the Company is given below:

| Name of the Accounting Software | Particulars | Hosting Location | Maintained In-house or Outsourced | Database | Operating System | Audit Trail enabled |
|---|---|---|---|---|---|---|
| e.g., ABC | Journal entries, sub-ledgers and general ledger | Company Data Center, Bangalore | In-house | ABC | Windows 10 | Yes |
| e.g., XYZ | Sales Invoices, Inventory, Customer Ledger | SaaS / On Cloud | Outsourced; maintained by ABC Corp | XYZ | Windows 10 | Yes |
| e.g., PQR | Manufacturing Cost Records | Company Data Center, Bangalore | In-house | PQR | Windows 10 | Yes |
| e.g., DEF | Plant, Property and Equipment Register | Company Data Center, Bangalore | In-house | DEF | Windows 10 | Yes |

FAQ 38. Can the auditor of a Company rely on Management's identification of accounting software and limit his verification and reporting to the accounting software identified by the Company?

No. The auditor will have to use his professional judgment in the facts of the case to assess whether Management has correctly identified the accounting software used by the Company. For example, he has to assess whether any end-user computing tools used by the Company, like spreadsheets, which may not have been covered by Management's Identification, are also to be regarded as part of "accounting software". [See FAQ 34 above]