Introduction to Amendments to Rule 11(g) of Companies (Audit and Auditors) Rules, 2014
The Ministry of Corporate Affairs (MCA) vide its notification No. GSR 206(E) dated March 24, 2021 has issued the ‘Companies (Audit and Auditors) Amendment Rules, 2021’ (hereinafter referred to as “the Audit Rules”) read with sub-section 3 of Section 143 of the Companies Act, 2013 (hereinafter referred to as “the Act”) introducing new Rule 11(e), new Rule 11(f) and new Rule 11(g) and deleting Rule 11(d).
Whether the company has used such accounting software for maintaining its books of account that has a feature of recording audit trail (edit log) facility and the same has been used throughout the year for all transactions recorded in the software commencing from 1st April 2022, the audit trail feature has not been altered, and the company has retained the audit trail in accordance with statutory obligations.
The requirement was initially made applicable for the financial year commencing from 1st day of April 2021. However, the applicability was deferred to the financial year commencing from April 1, 2022, vide MCA notification G.S.R. 248(E) dated April 1, 2021. It may be noted that a new requirement for companies has been prescribed under the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 requiring companies, which use accounting software for maintaining their books of account, to use only such accounting software which has an audit trail feature. This requirement for companies was initially made applicable for the financial year commencing from April 1, 2021. However, its applicability has been deferred two times and this requirement is finally applicable from April 1, 2023.
Introduction and Scope of the Implementation Guide
The purpose of this Implementation Guide is to enable the auditors to comply with the reporting requirements of Rule 11(g). It should be noted that while reporting on such matters, auditors are expected to use their professional judgement. This Implementation Guide provides the principle-based guidelines for reporting under the aforementioned Audit Rules.
No comparable reporting requirement for auditors exists anywhere in the world, so there is no international guidance on the subject that would specify what the auditor should do to obtain an acceptable level of assurance and report as required by this clause. The auditor is expected to perform procedures in accordance with Standards on Auditing (which include inquiry, observation, and examination, as applicable).
Management’s Responsibility
The management is responsible for effective implementation of the requirements prescribed by the Account Rules.
For the FY commencing from 1st April 2023, every company which uses accounting software for maintaining its books of account, shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.
The management of the company is primarily responsible for selecting appropriate accounting software that complies with the rules.
It should be noted that the accounting software may be hosted and maintained in India or outside India or may be on premise or on cloud or subscribed to as Software as a Service (SaaS) software.
A company may be using a software which is maintained at a service organization. For example, the company may have outsourced its payroll processing with a shared service center and the shared service center may use its own software to process payroll for the company.
Auditor’s Responsibility
Rule 11(g) casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’.
In addition to requiring the auditor to comment on whether the company is using an accounting software which has a feature of recording audit trail, the auditor is expected to verify the following aspects:
- whether the audit trail feature is configurable?
- whether the audit trail feature was enabled/operated throughout the year?
- whether all transactions recorded in the software are covered in the audit trail feature?
- whether the audit trail has been preserved as per statutory requirements for record retention?
Any software used to maintain books of account will be covered within the ambit of this Rule (for example, if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature).
Auditors would need to evaluate whether management has also considered such software in their compliance with the Account Rules.
Applicability
The auditor is not required to assess the appropriateness of the audit trail of previous years, and the assessment will be only for prospective financial years.
Audit reporting will be triggered for financial years commencing from April 1, 2022; however, the applicability of the Account Rules will commence from April 1, 2023.
There is likely to be a scenario for the financial year 2022-23 where, in the absence of a compliance requirement for the companies, auditors would not be able to report under the Audit Rules.
Auditors of all classes of companies, including section 8 companies and foreign companies, would be required to report on these matters.
Where the books of account are entirely maintained manually, the assessment and reporting responsibility under Rule 11(g) will not be applicable and, accordingly, the same would need to be reported as a statement of fact by the auditor against this clause.
The auditor is required to comment in the case of both standalone financial statements and consolidated financial statements. While reporting on consolidated financial statements, the auditor may observe that certain components included in the consolidated financial statements are (a) either not companies under the Act, or (b) some components are incorporated outside India. The auditors of such components are not required to report on these matters since the provisions of the Act do not apply to them.
The reporting on compliance with Rule 11(g) would also be on the basis of the reports of the statutory auditors of subsidiaries, associates and joint ventures that are companies defined under the Act. The auditors of the parent company should apply professional judgment and comply with applicable Standards on Auditing, in particular, SA 600, “Using the Work of Another Auditor” while assessing the matters reported by the auditors of subsidiaries, associates and joint ventures that are Indian companies.
Preservation of Audit Trails
The auditor is required to comment whether ‘the audit trail has been preserved by the company as per the statutory requirements for record retention’.
Considering the requirement of Section 128(5) of the Act, which requires books of account to be preserved by companies for a minimum period of eight years, the company would need to retain audit trail for a minimum period of eight years (effective from 1st April 2023).
Audit Approach
The auditor would need to ensure that the management assumes the primary responsibility to:
- identify the records and transactions that constitute books of account under section 2(13) of the Act;
- identify the software;
- ensure such software have the audit trail feature;
- ensure that the audit trail captures changes to each and every transaction of books of account, such as when changes were made, who made those changes, and what data was changed;
- ensure that the audit trail feature is always enabled.
- ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes.
- ensure that the audit trail is appropriately protected from any modification;
- ensure that the audit trail is retained as per statutory requirements for record retention;
- ensure that controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout the period of reporting.
In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls) which, in turn, would be evaluated by the auditors, as appropriate:
- Controls to ensure that the audit trail feature has not been disabled or deactivated.
- Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.
- Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.
- Controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.
In respect of identification of relevant transactions in context of maintenance of books of account, the auditor may consider performing the following procedures:
- Assess management’s identification of records and transactions where audit trail needs to be captured and verify, on a test basis, whether the audit trail has been configured and enabled for the identified accounting software.
- Evaluate the management’s approach regarding identification of accounting software which have been considered for the purposes of maintenance of audit trail.
- Inquire with the management on how they evaluated changes that are required for the maintenance of audit trail as part of changes or upgrades to the accounting software.
- Where applicable, consider involvement of specialists or experts in the field of Information Technology to assist in evaluation of management controls and configurations in the accounting software with regard to audit trail.
In case of accounting software supported by service providers, the company’s management and the auditor may consider using the independent auditor’s report of the service organization for compliance with audit trail requirements.
Most of the commonly used accounting software, including Enterprise Resource Planning (ERP) software, have an audit trail feature that can be enabled or disabled at the discretion of the company. The management of the company may have put in place certain controls such as restricting access to the administrators and monitoring changes to configurations that may impact the audit trail. Auditors are accordingly expected to evaluate management’s policies in this regard and test such controls to determine whether the audit trail feature has been implemented and has operated effectively throughout the reporting period.
Management ensures that the administrative access to the audit trail is restricted to authorized representatives.
The auditor may take into consideration the following aspects for every accounting software which is used in maintaining the “books of account” for the purpose of reporting:
- the software configuration that controls enabling or disabling of the audit trail and whether audit trail was enabled throughout the period.
- the access to such configurations.
- any changes to the audit trail configuration during the period of audit.
- the periodic review mechanism implemented and operated by management for any changes to the audit trail configuration.
- the completeness and accuracy of audit trail or edit logs that are generated through the software functionalities or directly recorded in the underlying database, that is, whether they capture the user ID that made the change, the date and time of change and what fields were changed, by reviewing, on a test basis, the reports or trails generated to capture the required information or when the audit trail feature was disabled, etc.
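The checks listed above can be run mechanically over exported configuration-change records and edit logs. The following Python example is added here for illustration and is not part of the ICAI guidance or of any accounting product; the record layouts, field names and sample data are constructed assumptions.

```python
from datetime import datetime as dt

# Fields the guidance expects every edit-log entry to capture.
REQUIRED_FIELDS = ("user_id", "changed_at", "fields_changed")

def disabled_windows(config_events, fy_start, fy_end, enabled_at_start=True):
    """Return (start, end) spans inside the year during which the trail was off."""
    windows, enabled = [], enabled_at_start
    off_since = None if enabled else fy_start
    in_year = [e for e in config_events if fy_start <= e["at"] < fy_end]
    for ev in sorted(in_year, key=lambda e: e["at"]):
        if enabled and not ev["enabled"]:
            off_since = ev["at"]
        elif not enabled and ev["enabled"]:
            windows.append((off_since, ev["at"]))
        enabled = ev["enabled"]
    if not enabled:
        windows.append((off_since, fy_end))
    return windows

def incomplete_entries(edit_log):
    """Return ids of edit-log entries with a missing or empty required field."""
    return [e["id"] for e in edit_log if any(not e.get(f) for f in REQUIRED_FIELDS)]

def changes_without_trail(ledger_changes, edit_log, windows):
    """Split ledger changes lacking an edit-log entry into (during gap, unexplained)."""
    logged = {(e["txn_id"], e["changed_at"]) for e in edit_log}
    missing = [c for c in ledger_changes if (c["txn_id"], c["at"]) not in logged]
    in_gap = [c["txn_id"] for c in missing if any(s <= c["at"] < e for s, e in windows)]
    return in_gap, [c["txn_id"] for c in missing if c["txn_id"] not in in_gap]

# Constructed sample data for the financial year 1 April 2023 to 31 March 2024.
FY_START, FY_END = dt(2023, 4, 1), dt(2024, 4, 1)
CONFIG_EVENTS = [  # changes to the audit-trail setting, with the acting user
    {"at": dt(2023, 8, 10, 2, 0), "enabled": False, "by": "admin01"},
    {"at": dt(2023, 8, 12, 9, 30), "enabled": True, "by": "admin01"},
]
EDIT_LOG = [
    {"id": 1, "txn_id": "JV-101", "user_id": "u17", "changed_at": dt(2023, 5, 2, 11, 0), "fields_changed": ["amount"]},
    {"id": 2, "txn_id": "JV-102", "user_id": "", "changed_at": dt(2023, 6, 9, 16, 5), "fields_changed": ["ledger"]},
]
LEDGER_CHANGES = [  # assumed source: last-modified stamps read from the ledger tables
    {"txn_id": "JV-101", "at": dt(2023, 5, 2, 11, 0)},
    {"txn_id": "JV-230", "at": dt(2023, 8, 11, 14, 0)},
    {"txn_id": "JV-377", "at": dt(2023, 11, 5, 10, 15)},
]

if __name__ == "__main__":
    gaps = disabled_windows(CONFIG_EVENTS, FY_START, FY_END)
    print(gaps, incomplete_entries(EDIT_LOG), changes_without_trail(LEDGER_CHANGES, EDIT_LOG, gaps))
```

A ledger change with no edit-log entry outside any disabled window is the more serious finding, since it suggests the trail missed or lost a record while nominally enabled.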
In respect of preservation of audit trails, inquire with management to understand the procedures implemented by the company to preserve the records as per the statutory record retention period.
The auditor may review, on a sample basis, the audit trail records maintained by management for each applicable year and evaluate management controls for maintenance of such records without any alteration and retrievability of logs maintained for the required period of retention. Rule 11(g) requires the auditor to report that the feature of recording audit trail (edit log) facility has “operated throughout the year for all transactions recorded in the accounting software”.
The auditor is expected to evaluate the reporting implications, specifically giving due consideration to SA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”.
In respect of audit trail, the following are likely to be the expected scenarios:
- Management may maintain adequate audit trail as required by the Account Rules.
- Management may not have identified all records/transactions for which audit trail should be maintained.
- The accounting software does not have the feature to maintain audit trail, or it was not enabled throughout the audit period.
Source: ICAI Guidelines.