The Companies Act of 2013 in India has made it imperative to keep accurate records as the digital accounting system becomes more widely used. Rule 11(g) of The Companies (Audit and Auditors) Rules, 2014 mandates auditors to verify that the accounting software maintains an audit trail and complies with regulations. This article explains some of the simple and best practices for managing audit trails and what auditors should test to make sure the right practices are being followed.

An audit trail is a step-by-step record of all the changes made in the accounting software. It is also known as edit logs. These records include key details as follows:

  1. When the change was made (date and time)
  2. Who made the change (user ID)?
  3. What were the changes made exactly? (transaction details)

This log ensures everything is transparent, traceable, and accountable. Audit trails are useful during financial or operational audits and are usually built into the software or database.

Legal Context: Requirements of Rule 11(g)

To comply with Rule 11(g), auditors must verify the following:

  1. Is the company using accounting software that keeps an audit trail?
  2. Was the audit trail feature enabled throughout the financial year?
  3. Is the audit trail set up for all transactions without any exceptions?
  4. Are there any security measures in place to stop someone from editing or deleting the audit trail?
  5. Is the audit trail retained for a period of 8 years?

After Rule 11(g) came into effect, companies set up these systems that meet the above-mentioned requirements to easily track the financial data.

Auditor’s Responsibilities: Key Areas to Verify

The auditor must adhere to certain aspects of audit trail compliance. These include

1. Software Setup and Functionality

  • Verify that the audit trail features have been enabled in the database or accounting software.
  • Ensure that the audit trail cannot be deactivated or altered.
  • Verify that the software creates an edit log of the key information whenever there is any change to the account records (for example, who did it, what was changed, and when).

2. Consistency of Operations

  • Confirm that the functionality has been in operation throughout the fiscal year.
  • Verify that the audit logs contain records of every transaction that has been keyed into the software.

3. Access Controls

  • Assess the user access controls to confirm that only individuals with the proper authority and responsibilities are permitted to view or modify data in the trail.
  • Ensure that each user ID is unique and that team members refrain from sharing their IDs.

4. Maintenance of Audit Trail Records

  • Implement the retention of trial records for a minimum of eight years as stipulated by Section 128(5) of the Companies Act.
  • Guarantee that these records are protected against unauthorized alterations and preserve the integrity of the records throughout the designated retention period.

5. Validation and Testing

  • Auditors must compare the entries selected for testing against the corresponding audit trails to ascertain that their correctness and completeness have been validated.
  • It must be validated whether the existence of data such as timestamps, user IDs, and modification details exists.
  • Determine if the management has also assessed completeness and accuracy.

6. Treatment of Audit Trails in Cloud-and-Outsourced Contexts

  • If the accounting software of an entity is hosted in the cloud or managed by a third party, then it is ensured that independent assurance reports like SOC 2 or SAE 3402 are obtained, affirming compliance with audit trail standards.
  • Assess how dependent the business is on external systems and ensure that adequate mitigations are put in place for any potential risks.

Illustrative Controls for Audit Trail Compliance

The auditor should verify if the organization had the following controls in place:

  • Protection against the audit trail option being turned off or disabled.
  • Backups are taken on a regular basis and stored securely, considering retention requirements.
  • Logs are kept of changes to trail settings and access records.
  • Periodic reviews are conducted to verify the adequacy of audit trail controls.

Compliance Difficulties

While audit trails are meant to promote transparency, auditors face challenges such as verifying compliance in hybrid and multi-software IT settings. Some of them include the following:

  • Verifying that the audit trails within decentralized, international operations are accurate.
  • Determining the reliability of external hosting companies.

Why Act Now?

Non-compliance with audit trail requirements has the potential of posing serious legal and punitive repercussions for companies. The priorities for auditors should be as follows:

  • Keep abreast of all developments and guidelines issued by regulatory authorities, such as implementation guides of ICAI.
  • Modify the audit procedures so that testing of audit controls can be performed.
  • Suggest clients to use an accounting system that is compliant with the regulations.

Conclusion

As the audit trail is now mandated by law, it serves a greater purpose than being merely operational. Rather than merely ticking a box, the auditor must ensure corporate responsibility and transparency by championing the enforcement of Rule 11(g). By concentrating on the above areas, auditors will be able to execute their functions optimally and elevate public confidence in financial reporting. To succeed in audit trail compliance, one must adopt a systematic procedure and exhaust all avenues.

Why Choose InCorp Global

We at InCorp provide expertise and solutions to support international companies and auditors in confidently adhering to audit trail regulations. Our experienced team undertakes comprehensive assessments to identify potential risks and opportunities. With our customized solutions, we can help you achieve your goals. For further information on our services, contact us at info@incorpadvisory.in or call us at (+91) 77380 66622.

Authored by:
Narasimhan Elangovan | Cybersecurity 

FAQs on Audit Trail Compliance and Auditor Responsibilities