LEAVING AUDIT TRAIL IS MANDATORY

FOR ALL COMPANIES FROM 1ST APRIL 2023

– RANDOM THOUGHTS

Mandatory requirement for all companies (big or small) to record transactions in a software which has
audit trail feature. The requirement also extends to auditors of such companies who are required to
give details of existence of such audit trail in their report to the shareholders of companies.

The Companies (Accounts) Rules, 2014 & Companies (Audit and Auditors) Rules, 2014 have
been amended to facilitate audit trail related matters. The actual amendment and its implication are
discussed in brief hereunder.

Companies (Accounts) Rules, 2014 (“Accounts rules”) has been amended to enable the above. This
rule (Accounts rules) requires that with effect from 1st April 2023 every company which uses
accounting software for maintaining books of accounts shall use such accounting software which
has

a) the feature of recording audit trail of each and every transaction,

b) creating an edit log of each change made in books of accounts along with

c) date when such change was made and

d) ensure that the audit trail cannot be disabled.

It also provides the following:

a) the books of accounts shall remain accessible in India at all times.

b) that the back-up of the books of account and other books and papers of the company
maintained in electronic mode, including at a place outside India, if any, shall be kept in servers
physically located in India on a daily basis.
Companies (Audit and Auditors) Rules, 2014 (Audit rules) has been amended on 24-03-2021 whereby
an additional reporting point has been incorporated in Auditors report which is as under (this point has
been split into various components for clear understanding of the requirement:

“Whether the company has used such accounting software for maintaining its books of accounts which
has a feature of

recording audit trail (edit log) facility and

the same has been operated throughout the year
for all transactions recorded in the software and
the audit trail feature has not been tampered with and
the audit trail has been preserved by the company as per statutory record for record retention.

This additional clause was initially made applicable from 1st April 2021, then postponed to 1st April
2022 and now is applicable from 1st April 2023.

This clause casts an onerous responsibility on auditors of the company to report in specific on the
above points. For this purpose, companies must record entries in their “books of accounts” from 1st
April 2023 in such a way that details of transactions along with who recorded and when (date and
time) of recording the transaction has to be preserved. Apart from this, if the transactions undergo a
modification or deletion, such details along with date and time of such action also needs to be
preserved chronologically.

The rules are however silent on the following aspects:

a) The Rules don’t specify the fields or data sets for which audit trails are required to be
maintained – whether transactional data and/or data pertaining to the transaction.

b) The word accounting software has not been defined anywhere in the act/rules. Will it include
fixed asset registers, HR related documents and data/software, time sheets of employees,
purchase orders, changes to vendor master data, or any other software with which the basic
accounting software has an interface. If it so includes then an audit trail for all those associated
software will also have to be verified.

c) Accounts rules requires back up to be maintained on a daily basis, does it mean that audit trail
back up also needs to be taken on daily basis? Doing so would require huge IT space for which
companies need to plan in advance.

d) The accounts rules mandate that companies should use accounting software which has a
feature of recording audit trail….. In case a company is not able to procure such a software or
has procured midway will it be construed as non-compliance with the Companies Act, 2013 for
which the company, its Directors and its KMP may be penalized.
Some thoughts on audit trail and audit requirements

1) No other country in the world has such a mandatory requirement for maintaining books of
accounts and for auditors of companies to comment on audit trail. A spate of failures of financial
institutions and large corporations has led the government to bring about these measures
whereby the government hopes to get details of transactions which have been deleted/modified.
One is not sure how such audit trail data would even be helpful as companies will only give
justification as to why the deletion or modification was done, if at all the audit trail data is
available to government authorities when it is required.

2) Work of finance professionals is going to increase as they have to pass entries with 100%
accuracy first time around. Any modification/deletion will leave an audit trail scar for them to
answer.

3) This requirement casts a huge responsibility for small companies who cannot afford such a
software and even if they can afford the cost of maintaining books of accounts in such a software
is going to be a challenge in terms of cost and finding right man-power.

4) Already this audit trail requirement has been postponed twice, so one needs to watch the
space for notification/guidance from MCA or ICAI and typically this is going to come (if at all) only
on 31st March 2023 (Friday). If it does not come, then ALL companies will be caught in the
wrong foot from the first day of the new financial year if they are not adequately prepared.

5) IT systems of companies was subject to audit by auditors only in large companies, now with
the introduction of audit trail and reporting thereon, auditors will have to do an audit of IT
environment of all companies. This is going to consume more audit time and will result in higher
audit cost for companies.

6) Auditors should be equipped (in terms of IT knowledge and related resources) for performing
this kind of audit and of course that is going to come only from 1st April 2024, so auditors might
have some time to catch up.

7) ALL companies will have to immediately take a look at their accounting software and check if
it has all these features. They will have to get in touch with their auditors and understand their
requirements as lack of such co-ordination will lead to missed communication during audit time.

8) Considering huge compliance requirements for companies, small companies can seriously
consider converting to LLP as almost none of the provisions of Companies Act, 2013 would be
applicable to LLP (barring few which do not have major implications) and LLP seems to be a
more tax efficient vehicle as well.

9) All companies should get in touch with their auditors before 31st March 2023, present to the
auditors the plan of action to comply with the Rules and discuss with the auditors on what their
approach is going to be while reporting on this specific clause in the audit report. This will ensure
that auditor and auditee are on the same page from day one.