ARORA PREM AND ASSOCIATESThe FAQs on Audit Trial - Part - II
Our Blogs
The FAQs on Audit Trial - Part - II
Part II- FAQ's 39 to 80
FAQ 39. Would the above responsibilities of Management under Proviso to Rule 3(1) [FAQ 34 above] apply if the Company outsources the maintenance of its books of account to a service organisation and service organisation uses an accounting software to maintain company's books of account?
The above responsibilities of Management apply regardless of whether books of account are maintained in-house by the Company using accounting software or are outsourced to a service organisation, and accounting software is used by the service organisation to maintain the company's books of account.
(G) AUDIT PROCEDURES
FAQ 40. Can the auditor simply rely on written representation from management for reporting under Rule 11(g)?
No, the auditor cannot simply rely on written representations from the management as the basis for his reporting under Rule 11(g). SA 580 Written Representations provides clearly that written representations do not provide sufficient appropriate audit evidence on their own about any of the matters with which they deal. Further, the fact of receipt of reliable written representations does not affect the nature or extent of other audit evidence that the auditor is required to obtain regarding the fulfilment of management's responsibilities, or about specific assertions.
Lord Denning observed in Candler v. Crane, Christmas & Co. ".......... The one man (in a one man company) who gives them (auditors) wrong information will not complain if they do not verify it. He wanted their backing for the misleading information he gives them and he can only get it if they accept his word without verification. It is just what he wants so as to gain his own ends.......".
Therefore, auditor should not blindly rely on management representations. If he blindly relies on written representations from Management without carrying out audit procedures for verification, his report or certificate becomes a "snare" to the users as observed by Lord Denning in the above case. Auditors should take reasonable care and skill before relying on management representations. The auditor is not absolved of his duties by obtaining written representations. In Kingston Cotton Mill Co. (No. 2) [1896] 2 Ch. 279 (CA), it was held as under:
|
♦ |
|
The auditor is justified in believing tried servants of the company in whom confidence is placed by the company. |
|
♦ |
|
The auditor is entitled to assume that they are honest and to rely upon their representations, provided he takes reasonable care. - Kingston Cotton Mill Co. (No. 2) [1896] 2 Ch. 279 (CA). |
Thus, the auditor is required to carry out necessary audit procedures and obtain sufficient and appropriate audit evidence for their reporting under Rule 11(g).[See FAQ 41 below]
FAQ 41. What audit procedures must the auditor perform to obtain sufficient appropriate audit evidence for reporting under Rule 11(g)?
The auditor needs to perform the following procedures for obtaining sufficient appropriate evidence for reporting under Rule 11(g):
|
♦ |
|
Management's identification of records and transactions: Assess management's identification of records and transactions where an audit trail needs to be captured. |
|
♦ |
|
Configured and enabled: Verify, on a test basis, whether the audit trail has been configured and enabled for the identified accounting software. |
|
♦ |
|
Evaluate Management's identification of 'accounting software': Evaluate management's approach to identifying the accounting software that has been considered for the purposes of maintaining the audit trail. |
|
♦ |
|
Inquiries of Management: Inquire with management about how they evaluated changes required for maintaining the audit trail as part of changes or upgrades to the accounting software. |
|
♦ |
|
Use of IT Specialists/experts: Consider involving specialists or experts in the field of Information Technology to assist in evaluating management controls and configurations in the accounting software regarding the audit trail. |
|
♦ |
|
Type 2 report from an independent auditor: In the case of accounting software supported by service providers, consider using an independent auditor's report of the service organisation (e.g., Service Organisation Control Type 2 (SOC 2)/SAE 3402, :"Assurance Reports on Controls At a Service Organization") for compliance with audit trail requirements. Verify that the independent auditor's report specifically covers the maintenance of the audit trail in line with the requirements of the Act and covers the period of the company's reporting. The statutory auditor of the company shall comply with the requirements of SA 402, "Audit Considerations Relating to an Entity Using a Service Organisation", while relying on an independent auditor's report on the service organisation. However, the ultimate responsibility to report on the audit trail feature of the accounting software lies with the statutory auditor of the company. |
|
♦ |
|
Test the controls put in place by Management: Most of the commonly used accounting software, including Enterprise Resource Planning (ERP) software, have an audit trail feature that can be enabled or disabled at the discretion of the company. Auditors should evaluate controls/policies put in place by Management in this regard such as restricting access to the administrators and monitoring changes to configurations that may impact the audit trail and test such controls to determine whether the feature of audit trails have been implemented and operating effectively throughout the reporting period. |
|
♦ |
|
Controls restricting audit trail access to authorised persons: It is expected that management ensures that the administrative access to the audit trail is restricted to authorized representatives. In this regard, the auditor may take into consideration the following aspects for every accounting software which is used in maintaining the "books of account" for the purpose of reporting: |
|
(a) |
|
the software configuration that controls enabling or disabling of the audit trail and whether audit trail was enabled throughout the period. |
|
(b) |
|
the access to such configurations. |
|
(c) |
|
any changes to the audit trail configuration during the period of audit (during the financial year and also from the date of financial statements but before the date of auditor's report). |
|
(d) |
|
the periodic review mechanism implemented and operated by management for any changes to the audit trail configuration. |
|
(e) |
|
the completeness and accuracy of audit trail or edit logs that are generated through the software functionalities or directly recorded in the underlying database i.e., whether it captures the user ID that made the change, the date and time of change and what fields were changed by reviewing the reports or trails generated, on a test basis, to capture the required information or when the audit trail feature was disabled, etc. |
|
(f) |
|
any testing management has performed to assess the completeness and accuracy of the audit trail. |
|
♦ |
|
Procedures to preserve audit trail records for 8 financial years: Inquire with management to understand the procedures implemented by the company to preserve the records as per the statutory record retention period (8 financial years). |
|
♦ |
|
Review of audit trail records on a sample basis: Review, on a sample basis, the audit trail records maintained by management for each applicable year. Evaluate management controls for maintaining such records without alteration and retrieving logs maintained for the required period of retention. |
|
♦ |
|
Reporting implications under SA 250: Based on procedures performed, the auditor is expected to evaluate the reporting implications specifically giving due consideration to SA 250, "Consideration of Laws and Regulations in an Audit of Financial Statements". |
|
♦ |
|
Auditor's duties in Fraud Scenarios: In a scenario where the occurrence of an error or fraud could not be established due to lack of maintenance, availability or retrievability of audit trails, . in evaluating the severity of a deficiency for such instances, specifically in cases of fraud, the auditor should primarily consider two factors: (a) the likelihood that the deficiency will result in a material misstatement and (b) the magnitude of such an outcome. The auditor should perform an assessment of risk of material misstatements due to fraud and consider both qualitative and quantitative factors in assessing a deficiency or combination of deficiencies as a significant deficiency or material weakness and would accordingly require application of professional judgement while linking the reporting against Rule 11(g) and section 143(12) of the Act/clause (x) of the Companies (Auditor's Report) Order 2020 (as the case may be). |
|
♦ |
|
Written Representations from Management :Obtain written representations from management confirming/stating the following : |
|
(a) |
|
Acknowledgement of management's responsibility for establishing and maintaining adequate controls for identifying, maintaining, controlling, and monitoring audit trails consistent with the requirements. |
|
(b) |
|
Stating that management has performed an evaluation and assessed the adequacy and effectiveness of the company's procedures for complying to the requirements prescribed for audit trails. |
|
(c) |
|
Stating management's conclusion, as set forth in its assessment, about the adequacy and effectiveness of the company's procedures regarding audit trails. |
|
(d) |
|
Stating that management has disclosed to the auditor all deficiencies in the design or operation of controls maintained for audit trails identified as part of management's evaluation. |
|
(e) |
|
Describing instances where identification of fraud, if any, resulting in a material misstatement to the company's financial statements is identified while reviewing and testing the |
|
(f) |
|
samples related to the disablement of audit trail facility of the accounting software. |
|
(g) |
|
Stating whether control deficiencies identified and communicated to the audit committee in relation to audit trail during previous engagements have been resolved, and specifically identifying any deficiency that have not been resolved. |
|
♦ |
|
Limitation on Scope if written representations not furnished by Management:SA 580, "Written Representations," explains matters such as who may sign the representation letter, the period to be covered by the representation letter, and when to obtain an updated representation letter. The inability to obtain written representations from management, including management's refusal to furnish them, constitutes a limitation on the scope of the audit. When the scope of the audit is limited, the auditor may either disclaim the audit opinion or resign from the engagement in accordance with Standards on Auditing. |
|
♦ |
|
Verify Minutes of Board Meetings: Verify from the Minutes of Board Meetings that the Board of Directors approving the financial statements of the company also takes on record the policies and procedures as laid down by the management in respect of assertion and conclusion on the adequacy and operating effectiveness of audit trials. Additionally, the board should also take on record the deficiencies, significant deficiencies and material weaknesses identified by the management, internal auditors, and the auditor. |
FAQ 42. Can an auditor use an IT expert or specialist while auditing and reporting on an accounting software's audit trail feature?
The auditor can consider involving a specialist or expert in information technology to assist in evaluating management controls and configurations in the accounting software regarding the audit trail. While doing so, he must factor the following points:
|
♦ |
|
The auditor must comply with SA 620, "Using the Work of an Auditor's Expert." |
|
♦ |
|
The auditor must ensure to insert suitable clauses in Audit Engagement Letter (AEL) regarding hiring of auditor's expert by him and the expert's/ specialist's bill to be paid/borne by the client. |
|
♦ |
|
The auditor must also insert suitable clauses in written agreement with the specialist/expert that the engagement is on the understanding that the client will bear the fees of the specialist/expert. |
|
♦ |
|
However, notwithstanding the auditor's reliance on the work of the expert/specialist, the ultimate responsibility for reporting on the audit trail feature lies with the auditor only. |
FAQ 43. Can the auditor rely on the independent information system audit report of a service organization (example SOC 2) where the company outsources the maintenance of books of account?
Where accounting software is provided by a service provider(service organization), the statutory auditor of the Company may, for the purposes of reporting on audit trail, rely on an independent auditor's report on the service organisation provided it satisfies the following three criteria:
|
♦ |
|
The independent auditor's report is issued in terms of Standards such as SOC 1/SOC 2/ SAE 3402 |
|
♦ |
|
The report specifically covers the maintenance of the audit trail in line with the requirements of the Companies Act, 2013 and |
|
♦ |
|
The report covers the period of the company's reporting. |
The following points are noteworthy:
|
♦ |
|
The statutory auditor of the company shall comply with the requirements of SA 402, "Audit Considerations Relating to an Entity Using a Service Organisation", while relying on an independent auditor's report on the service organisation. |
|
♦ |
|
The ultimate responsibility to report on the audit trail feature of the accounting software lies with the statutory auditor of the company. |
(H) AUDIT TRAILS & FRAUDS
FAQ 44. Whether Audit Trails can prevent frauds?
Audit Trails cannot prevent frauds. However, the lack of audit trails can result in fraud remaining undetected for long periods of time. No system of internal financial control is fool-proof. Every system of internal control is prone to violation or breach. Lack of audit trails can be a huge fraud risk factor as the case study in FAQ 26 would show. The auditor will have to factor the absence of an audit trail as a fraud risk factor in his risk assessment and perform suitable response procedures. [SA 315, SA 330 and SA 240]
FAQ 45. What is the auditor of a Company to do in a scenario where the occurrence of an error or fraud could not be established due to lack of maintenance, availability or retrievability of audit trails?
In such a scenario, the auditor should primarily consider two factors: (a) the likelihood that the deficiency will result in a material misstatement and (b) the magnitude of such an outcome.
The auditor would have to:
|
♦ |
|
Perform an assessment of the risk of material misstatements due to fraud; |
|
♦ |
|
Consider both qualitative and quantitative factors in assessing a deficiency or combination of deficiencies as a significant deficiency or material weakness and |
|
♦ |
|
Apply professional judgement while linking the reporting against Rule 11(g) and section 143(12) of the Act/clause (x) of the Companies (Auditor's Report) Order 2020 (as the case may be). |
(I) AUDIT DOCUMENTATION
FAQ 46. What audit documentation should the auditor maintain as regards work performed by him on the audit trail?
The work performed on the audit trail must be documented by the auditor as under:
|
(a) |
|
Documentation should be prepared contemporaneously while doing the work. |
|
(b) |
|
Documentation on work on the audit trail must provide a sufficient and appropriate record of the basis for the auditor's reporting under Rule 11(g); and |
|
(c) |
|
Documentation must provide evidence that the audit was planned and performed in accordance with the Implementation Guide on Audit Trail, applicable Standards on Auditing and applicable legal and regulatory requirements. |
|
(d) |
|
The auditor must comply with the requirements of SA 230, "Audit Documentation" to the extent applicable. |
|
(e) |
|
The audit documentation on the audit trail work should speak for itself. |
(J) REPORTING IN INDEPENDENT AUDITOR'S REPORT
FAQ 47. In which section of the audit report is the statutory auditor of a company required to make his comments under Rule 11(g) as regards the audit trail?
The comment regarding the audit trail is to be made in the audit report under the section 'Report on Other Legal and Regulatory Requirements'.
FAQ 48. When is the auditor required to give a modified/adverse opinion while reporting on the audit trail under Rule 11(g)
In respect of the audit trail, the following are likely to be expected scenarios:
|
i. |
|
Management may maintain an adequate audit trail as required by the Account Rules. |
|
ii. |
|
Management may not have identified all records/transactions for which audit trail should be maintained. |
|
iii. |
|
The accounting software does not have the feature to maintain an audit trail, or it was not enabled throughout the audit period. |
Scenarios (ii) and (iii) mentioned above would result in a modified/ adverse reporting against Rule 11(g).
FAQ 49. What is the auditor to do if the accounting software does not have an audit trail feature and does not allow subsequent modification to the transactions/ journal entries posted initially?
In terms of the proviso to Rule 3(1) and Rule 11(g), if the company is using accounting software for maintaining its books of account, then such software must have an audit trail feature in it. This is irrespective of whether the already posted journal entry could be edited or not. If the audit trail feature is not present, then Rule 3(1) of the Companies (Accounts) Rules, 2014 is not complied with and auditor would have to suitably modify his comment pursuant to Rule 11(g).
FAQ 50. How is the auditor to report under Rule 11(g) if the audit trail did not function during any part of the year under audit due to any technical glitch?
The auditor would need to appropriately modify his comment under Rule 11(g) if the audit trail feature remains non-functional during any part of the year or is unable to function properly due to technical glitches or otherwise.
FAQ 51. Is it necessary to enable the audit trail in accounting software for any part of the year in which there were no transactions?
The absence of transactions during any part of the year is no reason for not enabling the audit trail feature.
If the audit trail feature is not enabled/remains non-functional during any part of the year, the auditor would need to appropriately modify the comment under Rule 11(g) even if there were no transactions during that part of the year. In such a case, the auditor would also need to modify his comments pursuant to Section 143(3)(b) (as to whether proper books of account as required by law have been maintained) and Section 143(3)(h) (any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith).
FAQ 52. What is the auditor to do in case the audit trail feature has not been enabled since the commencement of the relevant financial year and is only enabled at any time before the year-end?
If the audit trail feature remains non-functional during any part of the year, the auditor will need to appropriately modify his comment under Rule 11(g). The auditor would also need to modify his comments pursuant to Sections 143(3)(b) and 143(3)(h).
FAQ 53. If, during an audit, the auditor assesses that the General IT controls are not present or are observed to be ineffective, should the auditor rely on the accounting software's audit trail feature?
If the auditor's evaluation is that there is a failure or absence of General IT controls and the same poses a risk over the effective operation of audit trail configurations, and the auditor is unable to obtain sufficient and appropriate audit evidence for the continued operation of the audit trail feature during the year, then the auditor would need to appropriately modify the comment while reporting under Rule 11(g). The auditor would also need to modify his comments pursuant to Sections 143(3)(b) and 143(3)(h).
FAQ 54. Whether reporting on the audit trail under Rule 11(g) should be based on the materiality concept?
Rule 11(g) states that an audit trail is required for every transaction and that an edit log is to be created by the accounting software for each change made in the books of account. So, the audit trail requirements for the reporting under Rule 3(1) and Rule 11(g) will apply to all transactions irrespective of the amount involved are applicable to all transactions irrespective of the amount involved. There is no concept of materiality involved here. However, the auditor's reporting is based on test checks. The concept of materiality would apply for the purpose of sample selection for the test checks.
FAQ 55. Should the auditor make adverse remarks regarding the audit trail in accounting software not being enabled even when 100% checking has been done, and nothing adverse has been found by the auditor regarding financial statements?
The reporting requirement under Rule 11(g) on the audit trial is applicable regardless of whether there are any adverse findings of the auditor regarding the financial statements. Even if nothing adverse regarding financial statements is found, the auditor would need to appropriately modify the comment under Rule 11(g) and also modify his comments under Sections 143(3)(b) and 143(3)(h) if an audit trail as required by Rule 3(1) of the Companies (Accounts) Rules, 2014 is not maintained.
FAQ 56. Is the auditor required to make adverse comments in a case where accounting software is unable to retain the edit log because of a software limitation?
As per the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, accounting software should be able to retain an edit log. If the accounting software is not able to retain the edit log because of software limitations or otherwise, it means that the software does not have a proper audit trail feature and the auditor would need to appropriately modify his comment under Rule 11(g).
FAQ 57. If the auditor has modified the comment while reporting under Rule 11(g) on the audit trail, what other reporting requirements under Section 143 of the Act are impacted?
The requirement that accounting software have an audit trail feature is contained in the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, which deals with the 'Manner of Books of Account to be Kept in Electronic Mode'. Hence, any modified comment made while reporting under Rule 11(g) will have to be considered while reporting under Section 143(3)(b) of the Act(as to whether proper books of account as required by law have been maintained) and under Section 143(3)(h) of the Act (any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith).
FAQ 58. Is the auditor required to report the effective date of implementation of the audit trail in his comments made pursuant to Rule 11(g)?
Rule 11(g) does not require the auditor to report the effective date of implementation of the audit trial. However, the auditor would need to modify his comment appropriately while reporting under Rule 11(g), section 143(3)(b)and section 143(3)(h) if the audit trail does not operate throughout the relevant reporting period.
FAQ 59. Are auditors required to comment on details of audit trail logs?
Rule 11(g) requires the auditor to report only on the following aspects:
|
♦ |
|
Whether the company has used accounting software for maintaining its books of account that has a facility for recording an audit trail (edit log). |
|
♦ |
|
Whether the audit trail operated throughout the year for all transactions recorded in the software. |
|
♦ |
|
Whether the audit trail feature has not been tampered with. |
|
♦ |
|
Whether the audit trail has been preserved by the company as per statutory requirements for record retention. |
Thus, Rule 11 does not require the auditor to comment on the details of audit trail logs.
FAQ 60. Is an audit trail required to be enabled at the database level even if access to the database in an ERP is restricted to only one user and the log of such user making any such change is enabled?
Changes made directly at the database level will impact the books of account. Therefore, the audit trail is required to be enabled at the database level also.
FAQ 61. What if the log of the entire chain of changes is not maintained, and the software maintains only the log of the last/latest changes? Is this adequate? Or is the auditor required to modify his comment under Rule 11(g)?
As per the requirement of proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, each and every change should be logged and should be available in the logs. Retaining only the last/ latest changes is not sufficient compliance with audit trail requirements of Rule 3(1) and Rule 11(g). Accordingly, the auditor would need to appropriately modify the comment while reporting under Rule 11(g) and would also need to modify his comments under Sections 143(3)(b) and 143(3)(h).
FAQ 62. If the audit trail is recorded at the back end on a server/ cloud maintained outside India, then is it also required to remain accessible in India at all times as per Rule 3 of the Companies (Accounts) Rules, 2014?
If the company is incorporated in India, the audit trail requirements would apply even to accounting software maintained outside India. The proviso to Rule 3(5) of the Companies (Accounts) Rules, 2014 requires that "the back-up of books of account and other books and papers of the company maintained in electronic mode including at a place outside India, if any, shall be kept in servers physically located in India on a daily basis." These above requirements of Rule 3 apply to audit trail records as well since the audit trail records fall under the definition of books of account and other books and papers. Accordingly, the audit trail records would require daily backup to be maintained in a server physically located in India. Thus, the audit trail records should remain accessible in India at all times as per Rule 3 of the Companies (Accounts) Rules, 2014.
Further, if the auditor is relying on another auditor's work, the audit trail feature requirement should be part of the SOC/SAE 3402 report. If the other auditor does not report on this requirement, the auditor needs to consider the impact on their reporting under Rule 11(g).
FAQ 63. Suppose the independent auditor's report of a service organisation that includes the maintenance of an audit trail is not co-terminus with the company's financial year (e.g., such SOC 2/SAE 3402 report is for the period until December 31, 2023), whereas the company's financial year ends on March 31, 2024). How should the company's auditor consider such SOC 2/SAE 3402 reports for their reporting under Rule 11(g)?
Rule 11(g) requires the auditor to report explicitly that the audit trail operated throughout the year, and hence, the auditor would require sufficient and appropriate audit evidence that the audit trail operated throughout the year. Where the accounting software is maintained by a third-party service organisation and the auditor of the company is unable to obtain sufficient and appropriate audit evidence for the full reporting period with regard to maintenance of the audit trail, the auditor would need to appropriately modify the comment while reporting under Rule 11(g). The auditor would also need to modify his comments under Sections 143(3)(b) and 143(3)(h).
FAQ 64. Will maintaining an ERP backup on a server situated in India be sufficient to comply with the requirement of an audit trail?
No, "audit trail" is not the same as "back-up". A back-up does not qualify as an audit trail. Companies that use accounting software to maintain their books of account are required to comply with audit trail requirements irrespective of whether a backup of such data exists in India. If ERP software does not have an audit trail feature, then maintaining its backup would not amount to sufficient compliance with audit trail requirements. As per the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, the audit trail feature in accounting software used by a company is required to be implemented from 1st April 2023 and in case of any non-compliance, the auditor would need to appropriately modify the comment while reporting under Rule 11(g) and would also need to modify his comments pursuant to Sections 143(3)(b) and 143(3)(h).
FAQ 65. Whether a single report showing all edits done during the year containing all details as required is sufficient for the audit trail purpose?
If the company's accounting software produces a single report detailing all changes to books of account and the auditor is able to obtain sufficient and appropriate audit evidence to support his reporting under Rule 11(g) on the audit trail, then such a single report may be sufficient for Rule 11(g) and Rule 3(1) purposes. The auditor needs to exercise his professional judgement in this regard. However, it does not appear practically possible for such a single report to be generated considering the volume of transactions and the changes made thereto during the year.
FAQ 66. If a company using ERP accounting software does not generate an edit log except for generating the date-wise voucher listing, can the voucher listing be considered an audit trail, considering substance over form?
An audit trail, by definition, should capture the following information:
|
♦ |
|
when an entry was added or modified (date-stamp and time-stamp), |
|
♦ |
|
what fields were modified and |
|
♦ |
|
who made the entry or modified it(User ID of the person making the entry/the change). |
As a voucher listing may not usually provide information on whether a voucher was changed, how many times it was changed and what changes were made, a mere voucher listing will not be considered as an audit trail.
FAQ 67. If accounting software provides an error log and this error log is editable, will this satisfy the requirement of an audit trail?
No, an error log would not satisfy the requirements of the audit trail. Usually, an error log may not record changes to books of account and may not capture when the record was created/changed.
FAQ 68. What is the first year of applicability of the reporting requirement under Rule 11(g) for existing companies using accounting software for maintaining books of account?
The first year of applicability for such existing companies is FY 2023-24
FAQ 69. What is the first year of applicability of the reporting requirement under Rule 11(g) for new companies?
The first year of applicability for a new company is the first year in which it starts maintaining books of account by using an accounting software.
FAQ 70. Can you give Illustrative wording for unmodified remarks under Rule 11(g) regarding the audit trail in an Independent Auditor's Report on Standalone Financial Statements for an existing Company in the first year of applicability, i.e. FY 2023-24?
The following is an example of unmodified remarks regarding the audit trail in the Independent Auditor's Report on Standalone Financial Statements for FY 2023-24:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, we report that the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules,2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail. "
FAQ 71. Can you give an Illustrative wording for unmodified remarks under Rule 11(g) regarding the audit trail in an Independent Auditor's Report on Standalone Financial Statements for a new Company in the first year of its applicability?
The illustrative wording in FAQ 70 above is applicable.
FAQ 72. Can you give an Illustrative wording for unmodified remarks under Rule 11(g) regarding the audit trail in Independent Auditor's Report on Standalone Financial Statements to be used in audit reports to be followed from the 2nd year onwards (i.e. after the first year of applicability)?
An illustrative wording of remarks under Rule 11(g) to be used from 2nd year onwards is as under
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, we report that the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention. Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules,2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail"
FAQ 73. Can you give Illustrative wording for unmodified remarks under Rule 11(g) regarding the audit trail in Independent Auditor's Report on Consolidated Financial Statements in the first year of applicability?
An illustrative wording of remarks under Rule 11(g) to be used in audit reports on CFS is as under:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, we report that the company and the above referred subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and respective auditors of the above referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of audit trail feature being tampered with. "
FAQ 74. Can you give an Illustrative wording for unmodified remarks under Rule 11(g) regarding audit trail in Independent Auditor's Report on Consolidated Financial Statements to be followed from the 2nd year onwards (ie after the first year of applicability)?
An illustrative wording of remarks under Rule 11(g) to be used in audit reports on CFS from 2nd Year onwards, is as under:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, we report that the company and the above-referred subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and the respective auditors of the above-referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of the audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention"
FAQ 75. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where audit trail feature was disabled for one of the books of account/ records or for an accounting software - (e.g., property, plant and equipment software)
Illustrative reporting in the "Section - Report on Other Legal and Regulatory Requirements" in the auditor's report pursuant to Rule 11(g), Section 143(3)(b) and Section 143(3)(h) is given hereunder-
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, the company has used accounting software for maintaining its books of account, which has a feature of recording audit trail (edit log) facility except in respect of maintenance of property, plant and equipment records wherein the accounting software did not have the audit trail feature enabled throughout the year. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except for the instances reported below…... Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention]"
An illustrative wording of remarks to be made pursuant to Section 143(3)(b) as to whether the Company has maintained proper books of account as required by law, is as under"
"In our opinion, proper books of account as required by law have been kept by the company so far as it appears from our examination of those books [and proper returns adequate for the purposes of our audit have been received from the branches not visited by us] except for the matters stated in the paragraph (…) below on reporting under Rule 11(g)."
An illustrative wording of remarks to be made pursuant to Section 143(3)(h), is as under:
"The qualification relating to the maintenance of accounts and other matters connected therewith are as stated in paragraph (…) above on reporting under Section 143(3)(b) and paragraph (…) below on reporting under Rule 11(g)."
Since the matter pertains to records of property, plant and equipment maintained in accounting software, in the case of a company to which CARO 2020 applies, the auditor of the Company would also need to make necessary remarks pursuant to Para 3(i)(a)(A) of the Annexure to the Independent Auditor's Report on Standalone Financial Statements. The CARO remarks in the Annexure to the audit report may be given as under:
"3(i)(a)(A)Except for the matter stated by us in Paras …., …. and ….. in the "Section - Report on Other Legal and Regulatory Requirements" of our Independent Auditor's Report, we report that the Company has maintained proper records showing full particulars, including quantitative details and situation of Property, Plant and Equipment Assets"
FAQ 76. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where the audit trail feature was not enabled for an accounting software
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, the company has used accounting software for maintaining its books of account, which has a feature of recording audit trail (edit log) facility except that no audit trail enabled at the database level for accounting software AAA (database SQL) and BBB (database db2) to log any direct data changes. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except for the instance reported above. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention]. Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail"
Reporting under Section 143(3)(b) and Section 143(3)(h) to be done as illustrated in FAQ 75 above.
FAQ 77. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where Accounting software is maintained by a third party and the auditor is unable to assess whether the audit trail feature can be disabled during the reporting period
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, the company has used an accounting software ABC which is operated by a third party software service provider, for maintaining its books of account and in absence of a Type 2 Control Report from a practising Chartered Accountant complying with SAE 3402/SOC1/SOC2, we are unable to comment whether audit trail feature of the said software was enabled and operated throughout the year for all relevant transactions recorded in the software or whether there were any instances of the audit trail feature been tampered with. [Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention] Our examination of the audit trail was in the context of an audit of financial statements carried out in accordance with the Standard of Auditing and only to the extent required by Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014. We have not carried out any audit or examination of the audit trail beyond the matters required by the aforesaid Rule 11(g) nor have we carried out any standalone audit or examination of the audit trail"
Reporting under Section 143(3)(b) to be done as illustrated in FAQ 75 above.
An illustrative wording of remarks to be made pursuant to Section 143(3)(h), is as under:
The reservations relating to the maintenance of accounts and other matters connected therewith are as stated in paragraph (…) above on reporting under Section 143(3)(b) and paragraph (…) below on reporting under Rule 11(g).
FAQ 78. Give illustrative wordings for modified remarks under Rule 11(g) in the audit report on SFS in a situation where Migration from one software to the other happened during the year or higher version of software installed and the auditor is unable to obtain sufficient and appropriate evidence
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, we report that the Company has migrated to [name of the software] from [old software/manual] during the year and is in the process of establishing necessary controls and documentation regarding the audit trail. Consequently, we are unable to comment on the audit trail feature of the said software."
An illustrative wording of remarks to be made pursuant to Section 143(3)(b) as to whether the Company has maintained proper books of account as required by law, is as under"
"In our opinion, proper books of account as required by law have been kept by the company so far as it appears from our examination of those books [and proper returns adequate for the purposes of our audit have been received from the branches not visited by us] except for the matters stated in the paragraph (…) below on reporting under Rule 11(g)."
Reporting under Section 143(3)(b) to be done as illustrated in FAQ 75 above.
An illustrative wording of remarks to be made pursuant to Section 143(3)(h), is as under:
The reservations relating to the maintenance of accounts and other matters connected therewith are as stated in paragraph (…) above on reporting under Section 143(3)(b) and paragraph (…) below on reporting under Rule 11(g).
FAQ 79. Give illustrative wordings of modification when the audit trail has not been preserved by the company as per the statutory requirements for record retention.
Modification in this regard will not apply in the first year of Rule 11(g) 's applicability. It will apply from the second year onwards.
An illustrative wording of remarks under Rule 11(g) to be used in audit reports in such a situation is given hereunder:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, we report that the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. However, the audit trail for FYs….to …. have not been preserved by the company as per the statutory requirements for record retention."
FAQ 80. Give illustrative wordings of modified opinion under Rule 11(g) in audit report of consolidated financial statements
An illustrative wording of modified remarks under Rule 11(g) to be used in audit reports of consolidated financial statements is given hereunder:
"Based on our examination carried out in accordance with the Implementation Guidance on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules,2014 (Revised 2024 Edition) issued by the Institute of Chartered Accountants of India, which included test checks, and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, except for the instances mentioned below, we report that the company and the above-referred subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and the respective auditors of the above-referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of the audit trail feature being tampered with. [Additionally, the audit trail has been preserved by the Company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention]"
|
Instances of accounting software for maintaining its books of account did not have a feature of recording audit trail (edit log) facility and the same was not operated throughout the year for all relevant transactions recorded in the software |
No of instances without mentioning name of the components. Example "In respect of […] of subsidiaries" |
|
Instances of audit trail feature being tampered with |
|
|
Instances of non-preservation of the audit trail |
|
(K) CONCLUSION/ KEY TAKEAWAYS
The following are the conclusions/key takeaways emerging from provisions relating to audit trail and recommendations of Implementation Guidance issued by ICAI:
<