Audit Trail Observations & Qualifications

Leave a Comment / Statutory Audit, Companies Act 2013 / By
Table of Contents

    Introduction

    The concept of audit trail has gained legal backing under the Companies Act, 2013, through Rule 3(1) of the Companies (Accounts) Rules, 2014, and Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014. From FY 2023–24 onwards, every company maintaining electronic books of account must ensure that its accounting software contains a recording audit trail (edit log) facility, and auditors are required to report on its compliance.

    This regulatory shift has transformed the audit trail from a good-to-have internal control into a statutory obligation. While management carries the responsibility of implementing audit trail features, auditors are entrusted with the duty of verifying, testing, and reporting on their operation and integrity. The change not only strengthens the maker–checker framework but also demands greater diligence in audit reporting and company record-keeping.

    Before hopping onto the reporting with respect to Audit Trail under the Companies Act 2013, it is recommended to know about the background of Audit Trail by Clicking Here

    What is to be checked by the auditor concerning the audit trail?

    The following is an illustrative list of minimum checks to be performed by the auditor to frame his opinion concerning the audit trail and the responsibility to report the following:

    • that accounting software that includes an audit trail (edit log) feature
    • that audit trail facility was operated throughout the year for all transactions
    • that audit trail feature was not tampered with or disabled at any point
    • that audit trail has been preserved by the company

    List

    • Obtain the list of software that is being used in the maintenance of the Books of Accounts
    • Obtain and evaluate management’s policies in this regard and test such controls to determine whether the feature of audit trails have been implemented and operating effectively throughout the reporting period.
    • Understand the software w.r.t. to its IT environment including applications, web-portals, databases, interfaces, data warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account.
    • Ensure that ensure such software have the audit trail feature
    • Ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:
      • when changes were made,
      • who made those changes,
      • what data was changed,
    • Ensure that the audit trail feature is always enabled (not disabled) for all types of transactions (no class / set of transactions should be be out of purview of audit trail)
    • Ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes
    • Ensure that the audit trail is appropriately protected from any modification
    • Ensure that the audit trail is retained as per statutory requirements for record retention (i.e., minimum for 8 years)
    • Ensure that controls over maintenance and monitoring of the audit trail and its features are designed and operating effectively throughout the period of reporting. The controls can be assessed through the following:
      • Ensure that controls are there to ensure that User IDs are assigned to each individual and that User IDs are not shared.
      • Ensure that controls are there to ensure that changes to the configurations of the feature audit trail are authorized and logs of such changes are maintained.
      • Ensure that controls are there to ensure that access to the audit trail (and backups) is disabled or restricted.
      • Ensure that controls are there to record access logs, whenever the audit trails have been accessed.
      • Ensure that controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.
    • Ensure that the assistance of IT Professional is availed in case the system of keeping, maintaining and accessing audit trail is complex.
    • In case of accounting software supported by service providers, the auditor may consider using independent auditor’s report of service organisation (e.g., Service Organisation Control Type 2 (SOC 2)/SAE 3402, “Assurance Reports on Controls At a Service Organization”) for compliance with audit trail requirements. The independent auditor’s report should specifically cover the maintenance of audit trail in line with the requirements of the Act.

    Auditor’s Responsibility to Report

    The auditor is required to comment on the matter of Audit Trail in accordance with Rule 11(g), the responsibility with auditor lies both in case of reporting on standalone as well as consolidated financial statements (CFS), as the requirements for standalone financial statements applies mutatis mutandis to the consolidated financial statements.

    In general, the auditor of CFS would report w.r.t. Rule 11(g) on the basis of the audit reports of the respective Subsidiary / Associate / Joint Vebture (SA 600 to be followed viz. “Using the Work of Another Auditor”).

    It might be possible that during the consolidation, the entities considered in preparation of CFS are (a) either not companies under the Act, or (b) are incorporated outside India, accordingly, respective auditors of such entities considered in consolidation are not required to report on these matters since the provisions of the Act do not apply to them. In such cases, the auditor can record the same in the audit report of the CFS.

    Real World Illustrations

    Illustration of Reporting (Standalone Financial Statments – Reliance Industries Limited)

    Illustration of Reporting (Consolidated Financial Statements – Reliance Industries Limited)

    Unmodified Opinion

    Standalone Financial Statements

    Based on our examination which included test checks, the company has used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention.

    Consolidated Financial Statements

    Based on our examination which included test checks and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, the company, subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and respective auditors of the above referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention.

    Modified Opinion

    Where the feature of audit trail has not operated throughout the year, the auditor would need to appropriately modify the comment while reporting under Rule 11(g) and also evaluate implication on the Other Legal and Regulatory reporting requirements, and the main audit opinion issued under SA 700(Revised), “Forming an Opinion and Reporting on Financial Statements” as to if the same is required to be qualified.

    Standalone Financial Statement (SFS)

    Reporting under Rule 11(g) for the standalone company requires factual reporting. The following are some of the exceptional circumstances where modified reporting should be done.

    SFS Instance 1 & Reporting

    Audit trail feature was disabled for one of the books of account/ records or for an accounting software – (e.g., property, plant and equipment software did not have audit trail feature)

    Based on our examination, the company, has used accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility except in respect of maintenance of property, plant and equipment records wherein the accounting software did not have the audit trail feature enabled throughout the year. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except in respect of maintenance of property, plant and equipment records. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention.

    SFS Instance 2 & Reporting

    Audit Trail feature is not operating effectively during the reporting period

    Based on our examination, the company, has used accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility enabled throughout the year. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except that the audit trail feature of YYY software used by the company to maintain payroll records did not operate throughout the year . Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention.

    Based on our examination, the company, has used accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility enabled throughout the year. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except that no audit trail enabled at the database level for accounting software AAA (database SQL) and BBB (database db2) to
    log any direct data changes. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention.

    SFS Instance 3 & Reporting

    Accounting software is maintained by third party and auditor is unable to assess whether audit trail feature can be disabled during the reporting period

    Based on our examination, the company, has used an accounting software ABC which is operated by a third party software service provider, for maintaining its books of account and in absence of any service audit report of third party service provider we are unable to comment whether audit trail feature of the said software was enabled and operated throughout the year for all relevant transactions recorded in the software or whether there were any instances of the audit trail feature been tampered with. Additionally, the audit trail has been preserved by the company as per the statutory requirements for record retention.

    SFS Instance 4 & Reporting

    The audit trail has not been preserved by the company as per the statutory requirements for record retention

    Based on our examination, the company, has used accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility enabled throughout the year. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with. However, the audit trail has not been preserved by the company as per the statutory requirements for record retention

    SFS Instance 5 & Reporting

    Migration from one software to the other happened during the year or higher version of software installed and auditor is unable to obtain sufficient and appropriate evidence

    The Company has migrated to from Busy to Tally during the year and is in the process of establishing necessary controls and documentations regarding audit trail. Consequently, we are unable to comment on audit trail feature of the said software.

    Consolidated Financial Statement (CFS)

    Based on our examination, which included test checks, and that performed by the respective auditors of the subsidiaries, associates and joint ventures/joint operations which are companies incorporated in India whose financial statements have been audited under the Act, except for the instances mentioned below, the company, subsidiaries, associates and joint ventures/joint operations have used an accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has operated throughout the year for all relevant transactions recorded in the software. Further, during the course of our audit, we and respective auditors of the above referred subsidiaries, associates and joint ventures/joint operations did not come across any instance of audit trail feature being tampered with. Additionally, the audit trail
    has been preserved by the Company and above referred subsidiaries, associates and joint ventures/joint operations as per the statutory requirements for record retention

    CFS Instance 1 & Reporting

    Instances of accounting software for maintaining its books of account which did not had a feature of recording audit trail (edit log) facility and the same was not operated throughout the year for all relevant transactions recorded in the software

    In respect of xx (no. of ) subsidiaries / associates / joint ventures, accounting software did not had a feature of recording audit trail (edit log) facility and the same was not operated throughout the year for all relevant transactions recorded in the software

    CFS Instance 2 & Reporting

    Instances of audit trail feature being tampered with

    In respect of xx (no. of ) subsidiaries / associates / joint ventures, the audit trail has been tampered with

    CFS Instance 3 & Reporting

    Instances of non-preservation of the audit trail

    In respect of xx (no. of ) subsidiaries / associates / joint ventures, the audit trail has not been preserved

    Audit Documentation (SA 230)

    Audit documentation is a crucial and mandatory component of the audit process. It provides a structured record of the audit procedures performed, the evidence obtained, and the conclusions drawn thereon. Beyond supporting the auditor’s opinion, such documentation serves as a crucial safeguard for the auditor in the event of regulatory review, professional inquiry, or litigation. Given that the auditor is often the first to be questioned in cases of non-compliance or financial irregularities, maintaining robust and comprehensive documentation is fundamental to discharging professional responsibilities effectively. The illustrative list of minimum documentation that every auditor should follow is as follows:

    A. General Documentation with respect to Audit Trail and its presence & its preservation:

    • Copy of MRL / Written Representation confirming that accounting software has an inbuilt audit trail (unalterable logs) enabled throughout the year.
    • Copy of software vendor confirmation / configuration document showing the audit trail feature is available and enabled.
    • Screenshot / extracts of system settings where the audit trail is shown as enabled.
    • Details of roles and access rights assigned in the accounting software (user creation, modification, deletion).
    • List of users with admin rights and periodical review evidence.

    B. Documentation evidencing the presence of an audit log for all transactions throughout the year, which was not disabled and not tampered with

    • Extracts of audit logs for major transactions (sales, purchases, journal entries, related party transactions).
    • Documentation of time-stamp validation (that date & time of creation/modification is captured).
    • Evidence that original entries cannot be deleted (only reversed/adjusted with traceable logs).
    • Screenshots of modification trail (before and after values for key fields).
    • Working papers on the test of controls:
      • Creation of dummy entry, modification, and review of the trail.
      • Attempt to delete/alter the audit trail and the result thereof.
    • Documentation of sample walkthroughs of audit trail for high-risk areas (related party transactions, journal vouchers, year-end adjustments).
    • Cross-verification with supporting documents (invoice, contract, bank statement).
    • Re-performance checks to ensure logs are tamper-proof.
    • Copy of the Exception / Anomalies Report.
    • Documentation of exceptions noted during testing (e.g., back-dated entries, override without authorization).
    • Record of management explanations for anomalies.

    MRL / Written Representation

    FAQs

    Comment to raise your query…….

    Hemant Sharma
    Hemant, a distinguished Advocate and Chartered Accountant, brings over 14 years of exceptional expertise in high-stakes investigative assignments. His extensive portfolio includes conducting forensic audits, representing clients in investigations led by prominent agencies such as the CBI, ED, SFIO, and others, as well as handling critical Income Tax and GST intelligence matters. Armed with a robust academic and professional foundation—B.Com, M.Com, FCA, LL.B, DISA, FAFD, and CCCBA—Hemant embodies a rare blend of legal and financial acumen, making him a trusted authority in the field. Hemant can be contacted @ hemant.sharma53@gmail.com
    Hemant Sharma

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    Scroll to Top