Audit trail in software requirements
Scope of the Implementation Guide
An Implementation Guide that provides guidance to auditors on how to comply with reporting requirements under a specific Rule. The purpose of the guide is to help auditors meet their reporting obligations under this Rule, and it emphasizes that auditors should exercise their professional judgment when reporting on such matters.
The audit trail notes that there is no similar reporting obligation for auditors globally, so there is no international guidance available to prescribe specific guidance for compliance. Therefore, the Implementation Guide was developed to provide detailed guidance to auditors on how to obtain reasonable assurance and report accordingly under this specific clause.
To comply with this Rule, auditors are expected to perform procedures in accordance with Standards on Auditing, which include inquiry, observation, and examination, as applicable. The Implementation Guide is meant to provide additional guidance on how to meet these requirements and comply with the reporting obligations under Rule 11(g).
The management’s responsibility for complying with the Companies (Accounts) Rules, 2014, which require every company using accounting software to maintain an audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made, and ensuring that the audit trail cannot be disabled. The amendments require every company that uses accounting software to use such software that has a feature of audit trail which cannot be disabled.
Audit trail in software is the management’s responsibility to select and implement appropriate accounting software that meets these requirements and complies with applicable laws and regulations. The accounting software may be hosted and maintained in India or outside India or may be on premise or on cloud or subscribed to as Software as a Service (SAAS) software. It is also noted that a company may be using software which is maintained at a service organization.
Overall, the management is primarily responsible for ensuring that the company is using the appropriate accounting software to maintain the required audit trail and edit logs for compliance purposes.
An audit trail is a feature that records a log of all transactions made in accounting software, including any changes or edits made to the records. The purpose of an audit trail is to provide an unalterable record of all transactions made, which can help auditors verify the accuracy of financial statements.
Rule 11(g) of the Account Rules requires auditors to report on the use of accounting software with an audit trail feature. In addition to reporting on whether the company is using accounting software with this feature, auditors are expected to verify whether the audit trail feature is configurable, enabled and operated throughout the year, covers all transactions recorded in the software, and has been preserved as per statutory requirements for record retention.
The audit trail also notes that any software used to maintain books of account will be covered under this rule. This means that any software that records transactions that fall under the definition of Books of Account as per Section 2(13) of the Act will be considered accounting software for this purpose. For example, if a company records sales in a standalone software, and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have an audit trail feature since sales invoices would be covered under Books of Account as defined under section 2(13) of the Act.
The term “all transactions recorded in the software” refers to transactions that result in changes to the books of account. Creating a user account in the accounting software, for example, may be construed as a transaction in the software, but it would not change the records of books of account as defined in Section 2(13) of the Act. On the other hand, adding a new journal entry or changing an existing journal entry will be construed as a change made in books of account.
Overall, auditors are expected to verify and report on the use of accounting software with an audit trail feature, which is essential in ensuring accurate financial reporting. They must also evaluate whether management has considered all software used to maintain books of account in their compliance with the Account Rules.
The audit trail in software highlights that auditors are not required to assess the appropriateness of the audit trail of previous years and that the assessment will only be for prospective financial years.
The audit trail in software also states that the reporting requirements prescribed for audit of financial statements prepared under the Act will be applicable to auditors of all classes of companies, including section 8 companies. The rules also apply to foreign companies as defined in the Act.
The requirements of audit trail are applicable only to companies that maintain their records in electronic form using accounting software. If the books of account are maintained entirely manually, then the assessment and reporting responsibility under Rule 11(g) will not be applicable, and the auditor would need to report the same as a statement of fact against this clause.
Auditors are required to comment on the above matters in both standalone financial statements and consolidated financial statements. However, auditors may observe that certain components included in the consolidated financial statements are not companies under the Act, or some components are incorporated outside India. In such cases, auditors of these components are not required to report on these matters since the provisions of the Act do not apply to them.
It is important to note that section 129(4) of the Act prescribes the requirements for consolidated financial statements, including their audits. The provisions of the Act shall, mutatis mutandis, apply to the consolidated financial statements, implying that necessary changes are required to interpret the requirements in respect of consolidated financial statements and their audit. The reporting on compliance with Rule 11(g) would also be based on the reports of the statutory auditors of subsidiaries, associates, and joint ventures that are companies defined under the Act. The auditors of the parent company should apply professional judgment and comply with applicable Standards on Auditing, in particular, SA 600, “Using the Work of another Auditor,” while assessing the matters reported by the auditors of subsidiaries, associates, and joint ventures that are Indian companies.
Preservation of Audit Trails
Under Rule 11(g), auditors are required to report on whether the company has preserved its audit trail as per the statutory requirements for record retention. The audit trail refers to the electronic record of various activities carried out by the company’s accounting software, such as recording transactions, generating financial statements, and making adjustments.
The Companies Act, 2013 requires companies to preserve their books of account, including vouchers, bills, invoices, and other supporting documents, for a minimum period of eight years. Therefore, the company must retain its audit trail for the same period as the books of account, effective from the date of applicability of the Account Rules, which is currently April 1, 2023, onwards.
The auditor needs to assess whether the company has preserved its audit trail as per the statutory requirements, and if not, then the auditor needs to report the same in their audit report. The audit report must provide a true and fair view of the company’s financial statements and disclose any non-compliances or discrepancies found during the audit.
An audit trail is a record of every change that is made to financial transactions in the company’s books of account, including who made the change, when it was made, and what data was changed.
The management of the company is responsible for identifying the software and IT environment used for processing and storing data for the creation and maintenance of books of account. They must ensure that the audit trail feature is always enabled, captures changes to every transaction, is protected from modification, and is retained as per statutory requirements.
The auditor should assess management’s identification of relevant transactions in the context of maintaining books of account, perform procedures to evaluate management’s approach regarding the identification of accounting software, and consider involving IT specialists or experts to assist in the evaluation of management controls and configurations in the accounting software with regard to the audit trail.
If the company’s accounting software is supported by service providers, the company’s management and the auditor may consider using an independent auditor’s report of service organization for compliance with audit trail requirements.
Audit trail also discusses the importance of restricting access to the audit trail, evaluating management’s policies and controls regarding the audit trail feature, and testing such controls to determine whether the feature of audit trails has been implemented and operating effectively throughout the reporting period.
Finally, the audit trail highlights the importance of preserving audit trails and evaluating the procedures implemented by the company to preserve the records as per the statutory record retention period. The auditor should review audit trail records maintained by management and evaluate management controls for maintenance of such records without alteration and irretrievability of logs maintained for the required period of retention.
Overall, the importance of audit trails and the need for auditors to evaluate the company’s compliance with audit trail requirements in accordance with the Companies Act.
Illustrative Wordings for Reporting
The report states that the company used accounting software for maintaining its books of account with an audit trail feature, and that the audit trail has operated throughout the year for all relevant transactions recorded in the software. The report also confirms that during the audit, no instance of the audit trail feature being tampered with was identified. Additionally, the audit trail has been preserved by the company in accordance with statutory requirements for record retention.
For consolidated financial statements, the report can be unmodified or modified. In the case of unmodified reporting, the auditor confirms that the company and its subsidiaries, associates, and joint ventures/joint operations have used accounting software with an audit trail feature, and that the audit trail has operated throughout the year for all relevant transactions recorded in the software. The auditor also confirms that during the audit, no instance of the audit trail feature being tampered with was identified. Additionally, the audit trail has been preserved by the company, subsidiaries, associates, and joint ventures/joint operations in accordance with statutory requirements for record retention.
In the case of modified reporting, the auditor identifies any instances where the audit trail feature was not used effectively throughout the year, or where it was disabled for certain books of account, records, or accounting software. The auditor then reports these exceptions and confirms that during the audit, no instance of the audit trail feature being tampered with was identified. Additionally, the audit trail has been preserved by the holding company and its subsidiaries, associates, and joint ventures/joint operations in accordance with statutory requirements for record retention.
The audit trail in software also provides examples of circumstances where exceptions would need to be reported, such as when the audit trail feature was disabled for certain books of account or records, or when the accounting software was maintained by a third-party service provider and the auditor was unable to assess whether the audit trail feature was enabled and operating effectively.
Special Consideration in case of Fraud Scenarios
An auditor encounters a situation where an error or fraud may have occurred but cannot be established due to a lack of audit trail documentation. In such cases, the auditor must evaluate the severity of the deficiency, especially in cases of fraud, by considering the likelihood that the deficiency will result in a material misstatement and the magnitude of such an outcome.
To address such situations, the auditor must assess the risk of material misstatements due to fraud and consider both qualitative and quantitative factors to determine if a deficiency or combination of deficiencies constitutes a significant deficiency or material weakness. The auditor must exercise professional judgment while linking the reporting against Rule 11(g) and section 143(12) of the Act/clause (x) of the Companies (Auditor’s Report) Order 2020 (as the case may be). In summary, the auditor must carefully assess the risks and potential impact of the deficiency on the financial statements and report accordingly.
Reporting under Rule 11(g) vis-à-vis Reporting under Section 143(3)(i)
The Companies Act requires auditors to report on the adequacy and effectiveness of the company’s internal financial controls over financial reporting (IFCOFR). This reporting requirement is outlined in Section 143(3)(i) of the Act.
To provide guidance on this reporting requirement, the Institute of Chartered Accountants of India (ICAI) has issued a “Guidance Note on Audit of Internal Financial Controls over Financial Reporting” (the Guidance Note).
The term “audit trail” to describe the control activities related to policies and procedures related to information processing systems that may be relevant to an audit. However, the Guidance Note does not provide detailed audit procedures for reporting under Rule 11(g).
Rule 11(g) requires the auditor to comment on whether the company has adequate internal financial controls and provides a framework for such reporting. The text suggests that if the audit trail is not operating effectively, the auditor may need to modify their comment while reporting under Rule 11(g) after conducting further testing/examination to determine the wider impact on the reporting implication.
The audit trail also provides an example of a scenario where management is unable to rely on automated controls in accounting software due to certain reasons. In such a case, the auditor would provide a modified report on IFCOFR, and while reporting under Rule 11(g), they may need to state that they are unable to comment on the audit trail requirements of the software.
However, the audit trail in software notes that the mere absence of an audit trail does not necessarily imply a failure or material weakness in the operating effectiveness of internal financial controls over financial reporting.
The audit trail is highlights the reporting requirements under Section 143(3)(i) and Rule 11(g) of the Companies Act, provides guidance on reporting, and provides an example of a scenario where a modified report may be required.
Obtaining Written Representations
The auditor needs to obtain written representations from the company’s management regarding their responsibilities for establishing and maintaining adequate controls for identifying, maintaining, controlling, and monitoring audit trails. These written representations should also include management’s assessment of the company’s procedures for complying with the requirements for audit trails and the adequacy and effectiveness of those procedures.
In addition, management should disclose to the auditor any deficiencies in the design or operation of controls maintained for audit trails identified as part of management’s evaluation. Management should also describe any instances of fraud, if any, resulting in a material misstatement to the company’s financial statements that are identified while reviewing and testing the samples related to the disablement of audit trail facility of the accounting software. Management should state whether control deficiencies identified and communicated to the audit committee in relation to audit trails during previous engagements have been resolved, and specifically identify any deficiency that has not been resolved.
SA 580 provides guidance on obtaining these written representations. It explains matters such as who may sign the letter, the period to be covered by the letter, and when to obtain an updated letter. If the auditor is unable to obtain written representations from management, it constitutes a limitation on the scope of the audit. When the scope of the audit is limited, the auditor may either disclaim the audit opinion or resign from the engagement.
The management and board of directors have primary responsibility for establishing and maintaining audit trails. The management should ensure that the board of directors approving the financial statements of the company also takes on record the policies and procedures laid down by the management in respect of assertion and conclusion on the adequacy and operating effectiveness of audit trails. The board should also take on record the deficiencies, significant deficiencies, and material weaknesses identified by the management, internal auditors, and the auditor to address them effectively.
The auditor must ensure that the audit documentation provides sufficient and appropriate evidence to support their reporting under Rule 11(g) and demonstrate that the audit was planned and performed in accordance with applicable standards and legal/regulatory requirements. The auditor may comply with the requirements of SA 230, “Audit Documentation,” as applicable.
The audit trail also provides definitions of relevant terms such as “audit trail,” which refers to a visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source. Audit trails are a chronological record of changes made to data, including new data creation, updates, or deletions. The section further explains that accounting software is a computer program or system that enables recording, maintenance, and reporting of books of account, and relevant ecosystem applicable to business requirements.
The term “books of account” refers to records maintained in respect of all sums of money received and expended by a company, all sales and purchases of goods and services by the company, the assets and liabilities of the company, and the items of cost as may be prescribed under section 148 in the case of a company which belongs to any class of companies specified under that section.
Finally, the audit trail in software defines “service provider” as an organization supplying services to one or more internal or external customers and “Software as a Service” (SAAS) as a method of software delivery use licensing arrangements in which software is accessed online via a subscription rather than bought and installed on individual computers.