Audit & Mgt responsibilities with expectation in Audit Trail
Overview Audit responsibilities & Mgt expectations in Audit Trail
This article covers audit trail features in accounting software under the amendments to the Companies (Accounts) Rules, 2014 and the Companies (Audit and Auditors) Rules, 2014. It sets out auditors’ responsibilities and management’s obligations under the revised Rule 3(1) of the Companies (Accounts) Rules, 2014, and Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, which came into force on April 1, 2023.
Requirements for Companies (Rule 3(1) Proviso, Companies (Accounts) Rules, 2014):
The auditor must comment on the audit trail under the “Report on Other Legal and Regulatory Requirements” section of the audit report. Companies must ensure their accounting software complies with audit trail mandates. Auditors must perform procedures to verify effective implementation, consistent operation, and preservation of audit trails and report accordingly.
Effective from April 1, 2023, every company using accounting software must ensure the software:
- Records an audit trail (edit log) of each and every transaction.
- Captures the date and details of each change made in the books of accounts.
- Prevents disabling of the audit trail feature.
Auditor’s Responsibilities (under Rule 11(g)):
As per the revised reporting requirement, the auditor must comment on whether:
- The company has used accounting software with an audit trail (edit log) feature.
- The audit trail feature was enabled and operated throughout the year.
- The audit trail feature was not tampered with or disabled during the year.
- Audit trails are preserved as per statutory record retention requirements (i.e., 8 years as per Section 128(5)).
Management Responsibility on Audit Trail Compliance Requirements Under Companies Act, 2013
The management is responsible for selecting appropriate software and implementing this feature to comply with statutory requirements (including retention of audit logs).
Auditor’s Reporting Obligation (Rule 11(g), Companies (Audit and Auditors) Rules, 2014):
Applicable from the financial year commencing on or after April 1, 2022, auditors must report on whether:
- Company used accounting software with an audit trail (edit log) feature.
- Feature was operated throughout the year for all transactions.
- Audit trail was not tampered with.
- The audit trail was preserved as per statutory record retention norms.
Management must ensure proper software selection, implementation, and maintenance. Auditors must conduct adequate procedures and documentation to validate:
- Software compliance.
- End-to-end operation of audit trail.
- Retention of edit logs for regulatory reporting.
Key responsibility related to audit trail
- Legal Foundation
  - Companies (Accounts) Rules, 2014 – Rule 3(1) (Proviso): From April 1, 2023, every company using accounting software must ensure:
    - Software records an audit trail (edit log) of every transaction.
    - Each change in books of account is date-stamped.
    - The audit trail feature cannot be disabled.
  - Companies (Audit and Auditors) Rules, 2014 – Rule 11(g): From April 1, 2022, auditors must report whether:
    - The company used software with audit trail.
    - Audit trail was operated throughout the year.
    - The audit trail was not tampered with.
    - Audit trail was preserved as per statutory record retention.
- Auditor’s Verification Checklist
Auditors are expected to verify the following:
| Requirement | Auditor’s Responsibility |
| --- | --- |
| Configurability | Confirm whether the audit trail can be disabled or tampered with. |
| Continuous Operation | Check if audit trail was enabled throughout the year. |
| Transaction Coverage | Ensure all transactions affecting books of account are recorded in the audit trail. |
| Preservation | Verify that audit trails are preserved for minimum 8 years, in line with Section 128(5). |
- Clarification on Software Scope
- Any software involved in recording data that forms part of the “books of account” (as per Section 2(13)) is within the scope of audit trail requirements. Example:
- A sales system generating invoices must have audit trail, even if only monthly summaries are posted to the general ledger.
- Creating a user in accounting software is not covered, as it doesn’t impact the books of account.
- Editing journal entries, sales, purchases, etc. are covered, as they change financial records.
- Preservation of Audit Trails : Under Section 128(5) of the Companies Act:
- Books of account (and thus audit trails) must be retained for at least 8 years.
- For audit trails, the 8-year requirement starts from April 1, 2023, i.e., retention must be ensured until at least FY 2030–31.
To support the auditor’s reporting, the management must take primary responsibility to:
- Identify records and systems that constitute or impact “Books of Account” as defined in Section 2(13) — including subsidiary ledgers like billing software or CRM if they record financial transactions.
- Identify all IT systems used for maintaining such records — including ERP systems, databases, interfaces, data lakes, and cloud platforms.
- Ensure the software has audit trail features capturing:
- What was changed
- When it was changed
- Who changed it
- Ensure audit trail cannot be disabled, or if configurable, that strong controls exist to monitor and log changes to its configuration.
- Enable audit trail at the database level if any manual data alterations are possible.
- Protect audit trails from unauthorized access or modification.
- Preserve audit trails for a minimum of 8 years starting from April 1, 2023.
- Design and operate effective IT General Controls (ITGCs) and Application Controls to ensure audit trail integrity and availability throughout the reporting period.
Key Points to Remember
- Even non-GL software that records financial transactions (like POS or invoice generation tools) is considered part of the accounting ecosystem and must have audit trails enabled.
- Only changes that affect books of account need to be covered in the audit trail. For example:
- ✅ Change in journal entry → covered
- ❌ Creation of user account → not necessarily covered
- Auditors will test:
- The effectiveness of internal controls over audit trails
- Whether access and configuration controls were properly implemented
- Evidence that audit trails were functional and retained
Illustrative Internal Controls Expected by Auditor
| Control Objective | Example Control |
| --- | --- |
| Prevent deactivation of audit trail | Config lock or alert system on audit trail settings |
| Ensure individual accountability | Unique, non-shareable User IDs for all users |
| Authorize changes to audit settings | Approval workflows for config changes + logs maintained |
| Restrict access to audit trails | Role-based access; monitor who views/exports logs |
| Maintain audit trail backups | Scheduled backups; long-term archive retention policy |
| Detect unauthorized changes | Periodic reconciliation of logs with journal entries |
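
One way to run the "periodic reconciliation of logs with journal entries" control, combined with the who/what/when and continuous-operation checks described above. This is an added example, not code from the original article or from any accounting product; the record layout, field names and sample data are assumptions constructed for illustration.

```python
# Constructed sample data; amounts are integers in minor currency units.
OPENING = {"JE-1001": 500000, "JE-1002": 120000}   # values at the last reconciliation
CURRENT = {"JE-1001": 550000, "JE-1002": 90000, "JE-1003": 30000}
AUDIT_TRAIL = [  # edit log: who, when, what (old -> new)
    {"entry": "JE-1001", "user": "u.rao", "ts": "2024-05-02T10:15:00",
     "old": 500000, "new": 550000},
    {"entry": "JE-1003", "user": "", "ts": "2024-05-03T09:00:00",
     "old": None, "new": 30000},
]
CONFIG_LOG = [  # changes to the audit trail setting itself
    {"ts": "2024-05-04T18:00:00", "setting": "audit_trail", "value": "off", "user": "admin1"},
    {"ts": "2024-05-04T18:20:00", "setting": "audit_trail", "value": "on", "user": "admin1"},
]

def reconcile(opening, current, trail, config_log):
    """Return a list of (finding, subject, detail) tuples."""
    findings = []
    replayed = dict(opening)
    for rec in sorted(trail, key=lambda r: r.get("ts") or ""):
        entry = rec.get("entry")
        # Every edit-log record must say who changed what, and when.
        missing = [f for f in ("user", "ts", "entry") if not rec.get(f)]
        if missing:
            findings.append(("INCOMPLETE_RECORD", entry, ",".join(missing)))
        # The logged "old" value must match the state reached so far.
        if replayed.get(entry) != rec.get("old"):
            findings.append(("CHAIN_BREAK", entry,
                             f"log says {rec.get('old')}, replay has {replayed.get(entry)}"))
        replayed[entry] = rec.get("new")
    # Books must equal opening state plus logged changes; any gap is an unlogged edit.
    for entry in sorted(set(current) | set(replayed)):
        if current.get(entry) != replayed.get(entry):
            findings.append(("UNLOGGED_CHANGE", entry,
                             f"expected {replayed.get(entry)}, found {current.get(entry)}"))
    # Any window in which the audit trail was switched off is reportable.
    off = None
    for ev in sorted(config_log, key=lambda e: e["ts"]):
        if ev["setting"] != "audit_trail":
            continue
        if ev["value"] == "off" and off is None:
            off = ev
        elif ev["value"] == "on" and off is not None:
            findings.append(("TRAIL_DISABLED", off["user"], f"{off['ts']} to {ev['ts']}"))
            off = None
    if off is not None:
        findings.append(("TRAIL_DISABLED", off["user"], f"{off['ts']} to (still off)"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(OPENING, CURRENT, AUDIT_TRAIL, CONFIG_LOG):
        print(finding)
```

On the sample data this flags the JE-1003 record with no user, the JE-1002 edit that has no log record, and the 20-minute window in which the trail was off.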
Pros:
- It helps in keeping track of who made changes, when they were made, and what was changed. This can be crucial for regulatory compliance and for maintaining accountability within an organization.
- By tracking all changes, it can help identify unauthorized or suspicious activity, thereby enhancing the security of the system.
- If any fraudulent activity occurs, the audit trail can help identify the source and prevent further occurrences.
Cons:
- Implementing and maintaining audit trails can be expensive. Depending on the system’s complexity, it could require substantial setup, storage, and management resources.
- Audit trails can sometimes slow down business processes, especially if they are not properly optimized.
Legal Disclaimer:
The information / articles & any replies to the comments on this blog are provided purely for informational and educational purposes only & are purely based on my understanding / knowledge. They do not constitute legal advice or legal opinions. The information / articles and any replies to the comments are intended but not promised or guaranteed to be current, complete, or up-to-date and should in no way be taken as legal advice or an indication of future results. Therefore, I cannot take any responsibility for the results or consequences of any attempt to use or adopt any of the information presented on this blog. You are advised not to act or rely on any information / articles contained without first seeking the advice of a practicing professional.