a.) Additional Reporting for Statutory Auditors: By its notification dated March 24, 2021, the Ministry of Corporate Affairs imposed additional reporting requirements on auditors by inserting Rule 11(g) into the Companies (Audit and Auditors) Rules, 2014. On account of the deferment notifications issued, the rule is practically applicable from FY 2023–2024. It is reproduced below:
“Whether the company, in respect of financial years commencing on or after April 1, 2022, has used such accounting software for maintaining its books of account, which has a feature of recording audit trail (edit log) facilities, and the same has been operated throughout the year for all transactions recorded in the software, the audit trail feature has not been tampered with, and the audit trail has been preserved by the company as per the statutory requirements for record retention.”
For this, ICAI has issued an implementation guide on reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, dated March 2023. It is important to highlight here that globally no similar reporting obligation exists for auditors; accordingly, no international guidance is available on the subject that would enable the auditor to obtain reasonable assurance and report under this clause.
b.) Management Responsibility: Management is primarily responsible for selecting appropriate accounting software that ensures compliance with applicable laws and regulations (including those related to the retention of audit logs). The legal provision for this is given below:
Proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 (hereinafter referred to as “the Account Rules”) states that for the financial year commencing on or after the 1st day of April 2023, every company that uses accounting software for maintaining its books of account shall use only such accounting software that has the feature of recording audit trail of each and every transaction, creating an edit log of each change made in the books of account along with the date when such changes were made, and ensuring that the audit trail cannot be disabled.
Considering the additional requirement of an audit trail, the following are the checkpoints for verification and reporting as derived from the implementation guide by ICAI:
1. Whether the audit trail (edit log) feature is configurable (i.e., if it can be disabled or tampered with)?
The necessary controls must be checked for this. There should be adequate controls for access to audit trails, changes to the configuration of audit trails, and user IDs.
2. Whether the audit trail feature was enabled or operated throughout the year?
3. Are all transactions recorded in the software covered by the audit trail feature?
The term ‘all transactions recorded in the software’ would refer to all transactions that result in changes to the books of account.
4. Whether the audit trail has been preserved as per statutory requirements for record retention?
Considering the requirement of Section 128(5) of the Act, which requires books of account to be preserved by companies for a minimum period of eight years, the company would need to retain the audit trail for a minimum period of eight years, i.e., effective from the date of applicability of the Account Rules (i.e., currently April 1, 2023, onwards).
In the case of accounting software supported by service providers, the company’s management and the auditor may consider using an independent auditor’s report on the service organization (e.g., Service Organization Control Type 2 (SOC 2)/SAE 3402, “Assurance Reports on Controls at a Service Organization”) for compliance with audit trail requirements.
Also, the MRL format has been given for this process in the implementation guide issued by ICAI, attached for ready reference.
The back-up of the books of account and other books and papers of the company maintained in electronic mode, including at a place outside India, if any, shall be kept on servers physically located in India on a daily basis. (The relevant notification has been attached for ready reference.) Hence, the audit needs to cover this additional requirement as well, and appropriate reporting has to be done accordingly.