India Mandates Audit Trail Compliance for All Companies: Understanding the Obligations

Posted by Written by Dezan Shira & Associates Reading Time: 6 minutes

Audit trail is a mandatory compliance requirement in India for all companies registered under the Companies Act, 2013, effective from April 1, 2023 (FY24). This software capability promises to revolutionize audits by addressing traditional limitations and enhancing efficiency across various organizational functions. Additionally, it is applicable in diverse and emerging industries. Amendments to Indian corporate law and implementing rules now mandate the activation of audit trails in business management software.


Compulsory ‘audit trail’ and ‘edit log’ for all companies (including Section 8 companies) in India

The Ministry of Corporate Affairs had introduced the concept of audit trail on March 24, 2021, via amendments to Rule 3(1) of the Companies (Accounts) Rules, 2014. After delays, it finally came into effect as a mandatory compliance requirement from FY 2023-24.

Applicability

Starting April 1, 2023, it is now mandatory for companies in India, regardless of their size, including not-for-profit companies licensed under Section 8 of the Companies Act 2023 (or Section 25 of the Indian Companies Act 1956), to incorporate a built-in mechanism in their software that records an audit trail for every transaction. Thus, all companies under the Companies Act, including one-person-companies (OPC), small, dormant, and foreign companies, are required to maintain the audit trail in India.

Additionally, an edit log must be created for each modification made in electronically maintained books of account, capturing the date of such changes. It is crucial to ensure that the audit trail always remains enabled and cannot be disabled.

Audit trails provide a reliable, time-stamped record that supports transparency, accountability, and operational integrity. – Lalitha Rao, Dezan Shira & Associates India

Auditor’s obligation to ensure compliance with audit trail requirements

Amendments to Rule 11 of the Companies (Audit and Auditors) Rules, 2014, were introduced through the Companies (Audit and Auditors) Amendment Rules, 2021, as per notification G.S.R. 206(E) dated March 24, 2021.

The key changes are as below.

Rule 11: Other matters to be included in the Auditor’s Report

Sub-clause (g) requires the auditor to report:

  • Whether the company has utilized accounting software with an audit trail (edit log) feature for maintaining its books of account.
  • Whether this audit trail feature was operational throughout the year for all recorded transactions.
  • Whether the audit trail has not been tampered with.
  • Whether the audit trail has been preserved according to statutory record retention requirements.

This reporting requirement for statutory auditors, initially intended to apply to financial years beginning on or after April 1, 2021, was deferred and became mandatory for financial years commencing on or after April 1, 2023.

Auditor’s responsibility

Under Rule 11(g), the statutory auditor is required to make specific assertions in the audit report, including:

  • Whether the company’s accounting software maintains an audit trail feature.
  • Whether the audit trail feature was enabled and operational for the entire financial year.
  • Whether all transactions are captured within the audit trail.
  • Whether the audit trail is protected from tampering or disabling.
  • Whether the audit trail is retained in compliance with statutory requirements.

Joint responsibility

The law imposes dual responsibility – the company’s management is responsible for implementing the audit trail (edit log) feature in their accounting software, while the statutory auditor is responsible for verifying its effective implementation. This requirement applies to financial records for years starting on or after April 1, 2023.

Using a third-party service provider

To ensure compliance, it is essential to check with your software service (SaaS) provider and verify whether the mentioned features are available in the software you are using. Additionally, if you rely on third-party service providers for any services offered to your company, have a discussion with them to determine the applicability of the Audit Trail functionality in their software.

Furthermore, engage in discussions with your auditors regarding these requirements or any other specific needs that will aid in achieving due compliance with this new mandate. Collaborating with all relevant stakeholders will help ensure a seamless implementation of the Audit Trail concept and adherence to the regulatory guidelines.

Penalty for non-compliance

Penalties for non-compliance under the Companies Act, 2013, apply to companies, their senior/authorized personnel, and auditors.

  • Companies:

For companies, under Section 128(5), failure to comply with audit trail requirements results in a fine ranging from INR 50,000 to INR 500,000. Continued violations may incur further penalties, especially if financial reporting inaccuracies arise due to tampering or lack of an audit trail.

  • For directors/CFO/authorized personnel:

For directors, CFOs, and other authorized personnel, such as the Managing Director, the Chief Financial Officer (CFO), and other persons charged with the responsibility of complying with the provisions – personal liability can result in fines between INR 50,000 and INR 500,000.

In severe cases of willful non-compliance, imprisonment of up to one year may be imposed alongside financial penalties. This highlights the critical need for companies to ensure compliance with audit trail requirements in their accounting software.

  • For auditors:

Auditors also face penalties under Section 147(2) for failing to report non-compliance or certifying inaccurate financial statements. Fines range from INR 25,000 to INR 500,000 or up to four times the auditor’s remuneration, whichever is lower.

 Repeated violations could lead to disciplinary action from the Institute of Chartered Accountants of India (ICAI), including the suspension of the auditor’s license to practice.

What is an audit trail?

An audit trail is a date and time-stamped record that chronicles the history and details of various events, transactions, and activities. It can apply to a wide range of processes, whether it’s a transaction, work-related task, product development step, control execution, or financial ledger entry. Audit trails can be either automated or manual, and their format may vary across different fields to capture domain-specific information. However, their primary function remains consistent: to track a sequence of events and actions in chronological order.

To summarize, audit trails ensure transparency and accountability across the performance of various organizational functions, including audits, access control, financial reporting, investigations, security, and more. They follow the “3W” approach:

  • When changes were made (date and time).
  • Who made those changes (user ID).
  • What data was changed (transaction reference, success/failure).

FAQs on applicability of audit trail provisions in India

Q1: Which entities are required to comply with the audit trail provisions in India?
A: Audit trail provisions apply to all companies registered under the Companies Act, including small companies, Section 8 companies, one person companies, listed companies, Nidhi companies, and producer companies. However, these provisions do not extend to limited liability partnerships (LLPs), partnership firms, or sole proprietorships.

Q2: Do audit trail provisions apply to foreign companies operating in India?
A: Yes, audit trail provisions apply to foreign companies as defined under the Companies (Registration of Foreign Companies) Rules, 2014. The provisions of Chapter X of the Companies Act regarding audit and auditors are applicable to auditors of foreign companies, including branch and liaison offices.

Q3: What is the duration for which records with an audit trail must be maintained?
A: Companies are required to preserve books of account and the associated audit trail for a minimum of eight years, as per Section 128(5) of the Companies Act. Consequently, the audit trail must be retained for a minimum period of eight years, effective from the date the Account Rules are applicable (currently from April 1, 2023).

Q4: Is an audit trail required for consolidated financial statements?
A: Audit trail provisions apply to both standalone and consolidated financial statements. However, when reporting on consolidated financial statements, auditors may find that certain components included are either (a) not companies under the Act or (b) incorporated outside India. Auditors of such components are not required to report on these matters since the provisions of the Act do not apply to them.

Q5: Are all transactions required to have an audit trail?
A: Companies must maintain an audit trail (edit log) for every change made to the books of account. The term “all transactions recorded in the software” refers to any transactions resulting in changes to the books of account. For example, while creating a user in the accounting software may be viewed as a transaction, it does not alter the books of account as defined in Section 2(13) of the Act. Conversely, adding a new journal entry or modifying an existing one is considered a change to the books of account.

Q6: Where can companies maintain their accounting software with an audit trail feature?
A: Companies can host their accounting software with an audit trail feature either in India or abroad, provided it is always accessible in India. This software can be maintained on premises, in the cloud, or as a subscription service (SaaS). Additionally, service organizations managing payroll or other functions may use their own software to maintain these records.

Q7: What types of software are covered under the audit trail feature?
A: Any software used for maintaining books of account falls under the scope of these provisions. Software that records transactions defined as Books of Account under Section 2(13) of the Act is considered accounting software for this purpose. For instance, if sales are recorded in a separate software system, that software must also include an Audit Trail feature, as sales invoices are categorized as Books of Account under Section 2(13) of the Act.

Q8: Is it necessary to maintain backups of accounting software with an audit trail feature?
A: According to Rule 3 of the Companies (Accounts) Rules, companies must back up their books of account and other relevant records maintained in electronic form daily, even if these records are stored outside India. Thus, companies are required to back up their Books of Accounts and other pertinent records maintained electronically daily.

Conclusion

Both companies and auditors have a significant responsibility to adhere to the MCA’s notification regarding the audit trail. Non-compliance can lead to substantial financial penalties and personal liabilities, with severe cases potentially leading to imprisonment for responsible officers or professional disqualification.

About Us

India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India. Readers may write to india@dezshira.com for support on doing business in India. For a complimentary subscription to India Briefing’s content products, please click here.

Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Dubai (UAE), Indonesia, Singapore, Vietnam, Philippines, Malaysia, Thailand, Bangladesh, Italy, Germany, the United States, and Australia.