Auditor Reporting for Audit Trail

In this blog, we will discuss meaning of Audit Trail and its legal backing and Auditor reporting responsibility for audit trail. Let’s look at the provision and Auditor responsibility for Audit trail. Rule 11(g) of Companies (Audit and Auditors) Rules, 2014 laid down the provision of Audit trail requirement.

Applicability – The requirement, vide notification G.S.R. 206(E) dated March 24, 2021 initially applicable from April 1, 2021, was deferred twice and is now effective from April 1, 2023. This means that audit trail reporting will be required for periods after April 1, 2023. For example, if a company operates on calendar year basis i.e. Jan 23 to Dec 23, then this provision for reporting in audit report will apply.

Meaning of Audit Trail – Audit Trail has not been defined in the Companies Act 2013. Taking its dictionary meaning, Audit Trails are chronological records of changes made to data, including the creation, updating, or deletion of data, which must be documented. Audit logging involves the documentation of activity occurring within the software systems utilized throughout the organization. Audit logs record the occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted entity.

Auditor Responsibility for Audit Trail

As per Sec 143(3)(j) read with Rule 11(g) – “Whether the company, in respect of financial years commencing on or after the 1st April, 2023, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention”

As per Section 143(3)(b) – “whether, in his opinion, proper books of account as required by law have been kept by the company so far as appears from his examination of those books and proper returns adequate for the purposes of his audit have been received from branches not visited by him.”

As per Section 143(3)(h) of the Companies Act 2013 – “any qualification, reservation or adverse remark relating to the maintenance of accounts and other matters connected therewith.”

Auditor may/may not report on the preservation of audit logs as this being the first year to maintain the audit log, so preservation thereof, would apply from next year. When books of accounts are being maintained manually then there is no requirement to comply with audit trail provisions.

Auditor Reporting for Audit trail

The auditor must report in the audit report and issue either an unmodified report or one with a modified opinion.

For the purpose of Rule 11(g), Reporting will be made with respect to

• Whether having Audit trail features
• Whether audit trail facility was enabled and operated throughout the year
• Whether came across any instance of the audit trail feature being tampered with during the course of audit.

Cases where modified opinion will be given

1. If Audit trail feature is disabled/not enabled for one of the books of account/records or for an accounting software
2. If Audit trail was not enabled at all
3. If Audit trail was not enabled throughout the audit period.
4. Audit trail was not enabled for part of the audit period for certain transactions.
5. Audit trail feature is not operating effectively during the reporting period.
6. Accounting software is maintained by third party and auditor is unable to assess whether audit trail feature can be disabled during the reporting period.
7. Migration from one software to the other happened during the year or higher version of software installed and auditor is unable to obtain sufficient and appropriate evidence
8. Audit trail was tempered with.