Implementation Guide on Reporting under Rule

11(g) of Companies (Audit and Auditors) Rules, 2014

{My presentation will concentrate more on “Issues relating

to small & medium size Companies”.}
Objective of provisions relating to Audit Trail

To Compel Companies to comply with the provisions relating

to maintenance of “proper” books of accounts.
Section 128: Books of account, etc., to be kept by
company
(1) Every company shall prepare and keep at its registered
office books of account and other relevant books and
papers and financial statement for every financial year,
which give a “true and fair view” of the state of the affairs of
the company, including that of its branch office or offices, if
any, and explain the transactions effected both at the
registered office and its branches and such books shall be
kept on accrual basis and according to the double entry
system of accounting:
Proviso to Sec 128(1)

Provided that all or any of the books of account aforesaid

and other relevant papers may be kept at such other place in
India as the Board of Directors may decide and where such a
decision is taken, the company shall, within 7 days thereof,
file with the Registrar a notice in writing giving the full address
of that other place:
Provided further that the company may keep such books of
account or other relevant papers in electronic mode in “such
manner” as may be prescribed.
Regular Maintenance of Books of Accounts

➢ Companies Act is silent.

➢ My Opinion:
➢ Facts & circumstances of each case, including size of
organization

➢ However, ROC may take any other view also.

➢ Bulk entry of all transactions at year end can not be

acceptable, in my opinion.
Sec 128(6): Panelty

(6) If the managing director, the whole-time director in charge

of finance, the Chief Financial Officer or any other person of a
company charged by the Board with the duty of complying
with the provisions of this section, contravenes such
provisions, such managing director, whole-time director in
charge of finance, Chief Financial officer or such other person
of the company shall be punishable with fine which shall not
be less than Rs 50000, but which may extend to Rs 5 lakh.
Example: There are 10 directors in a small company.
Audit Trail: Some Points

5) Audit trails are a chronological record of the changes that

have been made to the data. Audit Trail contains:

➢ Who: Who had made entry/edited/deleted?

➢ When: Date, time?

➢ What: Whole content?

 Audit Approach

Specific Internal Controls

❖ In order to demonstrate that audit trail feature was functional, operated and not disabled,
a company would have to design and implement specific internal controls
(predominantly IT controls) which in turn, would be evaluated by the auditors. Examples:
• Controls to ensure that audit trail feature has not been disabled or deactivated.
• Controls to ensure that User IDs assigned to each individual and User IDs not shared.
• Controls to ensure that changes to configurations of audit trail are authorized and logs
of such changes are maintained.
• Controls to ensure that access to audit trail (and backups) is disabled or restricted and
access logs, whenever audit trails have been accessed, are maintained.
• Controls to ensure that periodic backups of audit trails are taken and archived as per
the statutory period specified under Section 128 of the Act.

8
 Audit Approach

Specific Internal Controls

❖ In order to demonstrate that audit trail feature was functional, operated and not disabled,
a company would have to design and implement specific internal controls
(predominantly IT controls) which in turn, would be evaluated by the auditors. Examples:
• Controls to ensure that audit trail feature has not been disabled or deactivated.
• Controls to ensure that User IDs assigned to each individual and User IDs not shared.
• Controls to ensure that changes to configurations of audit trail are authorized and logs
of such changes are maintained.
• Controls to ensure that access to audit trail (and backups) is disabled or restricted and
access logs, whenever audit trails have been accessed, are maintained.
• Controls to ensure that periodic backups of audit trails are taken and archived as per
the statutory period specified under Section 128 of the Act.

9
 Audit Approach

Specific Internal Controls

❖ In order to demonstrate that audit trail feature was functional, operated and not disabled,
a company would have to design and implement specific internal controls
(predominantly IT controls) which in turn, would be evaluated by the auditors. Examples:
• Controls to ensure that audit trail feature has not been disabled or deactivated.
• Controls to ensure that User IDs assigned to each individual and User IDs not shared.
• Controls to ensure that changes to configurations of audit trail are authorized and logs
of such changes are maintained.
• Controls to ensure that access to audit trail (and backups) is disabled or restricted and
access logs, whenever audit trails have been accessed, are maintained.
• Controls to ensure that periodic backups of audit trails are taken and archived as per
the statutory period specified under Section 128 of the Act.

10
Audit Trail: Some Points

1) Global Scenario
2) Cost of maintaining of Audit Trail of Small Co Vs Large Company Vs
MNC:
❑ Software cost: can be more than one software in same company
❑ Server Space
❑ Hardware cost
❑ Any other cost

3) Audit trail will ensure higher degree of comfort to stakeholders.

 Important terms and their explanation

Term Explanation

Audit Trail Audit trails are a chronological record of the changes that have
been made to the data. Any change to data including creating
new data, updating or deleting data that must be recorded.

Accounting Software Accounting Software is a computer program or system that

Is excel an accounting enables recording, maintenance and reporting of books of
software? account and relevant ecosystem applicable to business
Is excel an accounting software requirements. The functionality of such accounting software
with Audit Trail? differs from product to product. Many organization today employs
multiple software for accounting, its operations and other
requirements like consolidation, collection of data.

12
 Important terms and their explanation
Term Explanation

Books of Account Books of Account as per Section 2(13) of the Companies Act, 2013 includes
records maintained in respect of—

(i) all sums of money received and expended by a company and matters in
relation to which the receipts and expenditure take place;

(ii) all sales and purchases of goods and services by the company;

(iii) the assets and liabilities of the company; and

(iv) the items of cost as may be prescribed under section 148 in the case of a
company which belongs to any class of companies specified under that
section;
Comments:
1) Underlying software shall have features of Audit trail.
2) If PO impacts books of accounts, it should also have features of audit
trail. 13
9.1.3-Companies (Accounts) Rules,2014

3. Manner of books of account to be kept in electronic mode.-

(1) The books of account and other relevant books and papers maintained
in electronic mode shall remain accessible in India, at all times accessible in
India so as to be usable for subsequent reference.
Provided that for the financial year commencing on or after the 1st day of
April, 2023, every company which uses accounting software for maintaining
its books of account, shall use only such accounting software which has a
feature of recording audit trail of each and every transaction, creating an
edit log of each change made in “books of account” along with the date
when such changes were made and ensuring that the audit trail cannot be
disabled.
Comments : 1) Manual Records, Partly or fully : Above: Not Applicable
2) Audit trail is required for data base & transactions, both.
 Requirement for Auditors

➢ Section 143(3) of Companies Act, 2013 (“the Act”) provides various matters on which auditors
are required to report. Clause (j) of Section 143(3) states that auditor’s report shall also state
such other matters as may be prescribed. These matters are prescribed under Rule 11 of the
Companies (Audit and Auditors) Rules, 2014.

➢ MCA vide its notification dated March 24, 2021 has issued ‘Companies (Audit and Auditors)
Amendment Rules, 2021’ (“Audit Rules”)

➢ Audit rules have introduced new Rule 11(g) in Companies (Audit and Auditors) Rules, 2014

➢ Sec 450: Punishment where no specific penalty or punishment is provided: If a company or any officer
of a company or any other person contravenes any of the provisions of this Act or the rules made
thereunder, or any condition, limitation or restriction subject to which any approval, sanction,
consent, confirmation, recognition, direction or exemption in relation to any matter has been
accorded, given or granted, and for which no penalty or punishment is provided elsewhere in this Act,
the company and every officer of the company, who is in default or such other person shall be
punishable with fine which may extend to Rs 10,000, and where the contravention is continuing one,
with a further fine which may extend to Rs 1,000 for every day after the first during which the
contravention continues. (Also, DC by NFRA or ICAI )

15
Report on other Legal and Regulatory Requirements

1. As required by the Companies (Auditor’s Report) Order, 2016 (“the Order”) issued by the Central Government of India in terms of
sub-section (11) of section 143 of the Act, we give in the “Annexure A” a statement on the matters Specified in paragraphs 3 and 4
of the Order, to the extent applicable.

2. As required by section 143(3) of the Act, we report that:

a. We have sought and obtained all the information and explanations which to the best of our knowledge and belief were necessary for
the purposes of our audit.

b. In our opinion proper books of account as required by law have been kept by the Company so far as it appears from our
examination of those books.

c. The Balance Sheet, the Statement of Profit and Loss, and Cash Flow Statement dealt with by this Report are in agreement with the
books of account.

d. In our opinion, the aforesaid financial statements comply with the Accounting Standards specified under Section 133 of the Act,
read with Rule 7 of the Companies (Accounts) Rules, 2014.

e. On the basis of written representations received from the directors as on 31 March, 2023, taken on record by the Board of
Directors, none of the directors is disqualified as on 31 March, 2023, from being appointed as a director in terms of Section 164(2)
of the Act.

16
Report on other Legal and Regulatory Requirements

f. With respect to the adequacy of the internal financial controls over financial reporting of the Company and the operating effectiveness
of such controls, refer to our separate Report in “Annexure B”. Our report expresses an unmodified opinion on the adequacy and
operating effectiveness of the Company’s internal financial controls over financial reporting.

g. In our opinion and to the best of our information and according to the explanations given to us, we report as under with respect to
other matters to be included in the Auditor’s Report in accordance with Rule 11 of the Companies (Audit and Auditors) Rules, 2014:

i. The Company does not have any pending litigations which would impact its financial position.

ii. The Company did not have any long-term contracts including derivatives contracts for which there were any material foreseeable
losses

iii. There were no amounts which required to be transferred by the Company to the Investor Education and Protection Fund.

17
 Requirement of Rule 11(g)

Rule 11(g) requires auditors’ report to state whether the company, has used
such accounting software for maintaining its books of account which has:
➢ Feature of recording audit trail (edit log) facility and
➢ The same has been operated throughout the year for all transactions
recorded in the software and
➢ The audit trail feature has not been tampered with and
➢ The audit trail has been preserved by the company as per the statutory
requirements for record retention.
➢ Comments: May Take opinion from expert for operated thought out
whole year, tempering & preservation,

18
 Requirement of Rule 11(g)

The requirement was initially made applicable for financial year commencing
on or after the 1st day of April 2021 vide notification dated March 24, 2021.
However the applicability was deferred to financial year commencing on or
after April 1, 2022 vide MCA notification dated April 1, 2021.

19
 Requirement for Companies

• A new requirement for companies has been prescribed under the proviso
to Rule 3(1) of Companies (Accounts) Rules, 2014 (“Account Rules”)
requiring companies, which use accounting software for maintaining their
books of account, to use only such software which has audit trail feature.
• This requirement was initially made applicable for F.Y. commencing on or
after April 1, 2021. However, its applicability has been deferred two times
and this requirement is finally applicable from April 1, 2023.

20
 Scope of Implementation Guide

• The purpose of this Guide is to enable the auditors to comply with the
reporting requirements of Rule 11(g). This Guide provides the principle
based guidance for reporting and auditors are expected to exercise their
professional judgement while reporting on Rule 11(g).
• This Guide has been developed to provide detailed guidance to auditors
to enable compliance with reporting requirement under Rule 11(g).

21
 What constitutes Books of Account

• For purpose of reporting under Rule 11(g), definition of “books of

account” will be as per definition given in Section 2(13) of the Act.

• Books of Account as per Section 2(13) of the Act includes records

maintained in respect of—
(i) all sums of money received and expended by a company and
matters in relation to which the receipts and expenditure take place;
(ii) all sales and purchases of goods and services by the company;
(iii) the assets and liabilities of the company; and
(iv) the items of cost as may be prescribed under section 148 in the
case of a company which belongs to any class of companies specified
under that section;

22
What constitutes Books of Account & software require
audit trail
• Any software that maintains records or transactions that fall under the
definition of Books of Account as per the section 2(13) of the Act will be
considered as accounting software for purpose of Rule 11(g).
• Example: if sales are recorded in a standalone software and only
consolidated entries are recorded monthly into the software used to
maintain the general ledger, the sales software should also have the
audit trail feature since sales invoices would be covered under Books of
Account.

23
Practical Situations

1) Cane management software, must have audit trail : Raw

material consumed: monthly

2) Retail: B2C: Inventory management, must have audit trail :

3) Hospital : Operation management software: HMIS

(Hospital management Information system)
 Which records do not require Audit Trail

• The requirements of audit trail are applicable to the extent a company

maintains its records in electronic form by using an accounting software.

• Thus, where the books of account are entirely maintained manually

– the assessment and reporting responsibility under Rule 11(g) will not
be applicable and accordingly, same would need to be reported as
statement of fact by the auditor against this clause.

25
 Management’s Responsibility

Accounts Rules require that every company which uses an accounting software
for maintaining its books of account, should use only such accounting software
which has the following features:
• Records an audit trail of each and every transaction, creating an edit log of
each change made in the books of account along with the date when such
changes were made; and
• Ensuring that audit trail is not disabled.
Thus, it is the management, who is primarily responsible for ensuring
selection of the appropriate accounting software for ensuring compliance
with applicable laws and regulations.

26
 Management’s Responsibility

Accounting software may be hosted and maintained in India or outside

India or may be on-premise or on cloud or subscribed to as Software as a
Service (SaaS) software. Further, a company may be using a software
which is maintained at a service organisation. For example, the company
may have outsourced its payroll processing with a shared service centre
and the shared service centre may use its own software to process payroll
for the company.

27
 Auditor’s Responsibility

❖ Rule 11(g) requires auditor to report on audit trail by making a specific assertion in audit
report under the section ‘Report on Other Legal and Regulatory Requirements’.
❖ In addition to comment on whether company is using an accounting software which has
a feature of recording audit trail, auditor is expected to verify following aspects:
• whether audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
• whether audit trail feature was enabled/operated throughout the year?
• whether all transactions recorded in the software are covered in audit trail feature?
• whether audit trail preserved as per statutory requirements for record retention?

28
 Auditor’s Responsibility

❖ Any software used to maintain books of account will be covered within the
ambit of this Rule.
❖ Any software that maintains records or transactions that fall under the
definition of books of account as per section 2(13) of the Act will be
considered as accounting software for this purpose.

29
 Interplay of Accounts Rules with Audit Rules

The requirement of accounting software having feature of audit trail has been prescribed only
in the context of books of account. This is evidenced by the fact that as per proviso to Rule,
accounting software should be capable of creating an edit log of “each change made in
books of account.”
However, Rule 11(g) requires auditor to comment as to whether the company has used such
accounting software for maintaining its books of account which has a feature of recording
audit trail (edit log) facility and the same has been operated throughout the year for all
transactions recorded in software and audit trail feature has not been tampered with and audit
trail has been preserved by company as per statutory requirements for record retention.

Therefore, companies are required to maintain audit trail (edit log) for each change made in
the books of account. Accordingly, the term ‘all transactions recorded in the software’ would
refer to all transactions that result in change to the books of account.

30
 Interplay of Accounts Rules with Audit Rules

Giving due cognizance to definition of “books of account” as per Section 2(13)

of the Act and Rule 3 of the Account Rules which provides for the management
responsibilities for maintenance of books of account and other relevant books
and papers maintained in electronic mode, the auditor would be expected to
check whether the audit trail is enabled for such transactions which
result in a change to the books of account.

31
 Applicability

❖ Considering the applicability date of amended audit rules, it implies that the auditor is
not required to assess appropriateness of audit trail of previous years and the
assessment will be only for prospective financial years.
Applicability for FY 2022-23
❖ Applicability of Account Rules will commence on or after April 1, 2023. Thus, there is
likely to be a scenario for FY 2022-23 where in absence of compliance requirement
for companies, auditors would not be able to report under Audit Rules.

32
 Applicability

❖ Auditors of all class of companies would be required to report on these matters

including section 8 companies, foreign companies.
❖ Where the books of account are entirely maintained manually – the assessment and
reporting responsibility under Rule 11(g) will not be applicable and accordingly, same
would need to be reported as statement of fact by the auditor against this clause.
❖ Auditor is required to comment on Rule 11(g) both in case of standalone financial
statements and consolidated financial statements (CFS).
❖ In case of CFS, the principal auditor should apply professional judgment and comply
with applicable Standards on Auditing, in particular, SA 600, “Using the Work of Another
Auditor” while assessing the matters reported by the auditors of components that are
Indian companies.

33
 Preservation of Audit Trails

❖ Auditor is required to comment whether the audit trail has been preserved
by the company as per the statutory requirements for record retention.
❖ Section 128(5) of the Act requires books of account to be preserved by
companies for a minimum period of 8 years.
❖ So, company would need to retain audit trail for a minimum period of 8
years i.e., effective from the date of applicability of the Account Rules (i.e.,
currently April 1, 2023, onwards).

34
 Audit Approach

Ensuring management is assuming primary responsibility

❖ Auditor would need to ensure that management assumes primary responsibility to:
▪ identify records and transactions that constitute books of account under section 2(13)
of the Act
▪ identify accounting software(s) used for creation and maintenance of books of account
▪ ensure such software have audit trail feature
▪ ensure that audit trail captures changes to each and every transaction
▪ ensure that audit trail feature is always enabled

35
 Audit Approach

• Ensure that audit trail is enabled at database level for logging any direct data
changes;
• ensure that audit trail is appropriately protected from any modification;
• ensure that audit trail is retained as per statutory requirements for record retention;
• ensure that controls over maintenance and monitoring of audit trail and its feature
are designed and operating effectively throughout period of reporting.

36
 Audit Approach

Specific Internal Controls

❖ In order to demonstrate that audit trail feature was functional, operated and not disabled,
a company would have to design and implement specific internal controls
(predominantly IT controls) which in turn, would be evaluated by the auditors. Examples:
• Controls to ensure that audit trail feature has not been disabled or deactivated.
• Controls to ensure that User IDs assigned to each individual and User IDs not shared.
• Controls to ensure that changes to configurations of audit trail are authorized and logs
of such changes are maintained.
• Controls to ensure that access to audit trail (and backups) is disabled or restricted and
access logs, whenever audit trails have been accessed, are maintained.
• Controls to ensure that periodic backups of audit trails are taken and archived as per
the statutory period specified under Section 128 of the Act.

37
 Audit Approach

Specific Internal Controls

❖ In order to demonstrate that audit trail feature was functional, operated and not disabled,
a company would have to design and implement specific internal controls
(predominantly IT controls) which in turn, would be evaluated by the auditors. Examples:
• Controls to ensure that audit trail feature has not been disabled or deactivated.
• Controls to ensure that User IDs assigned to each individual and User IDs not shared.
• Controls to ensure that changes to configurations of audit trail are authorized and logs
of such changes are maintained.
• Controls to ensure that access to audit trail (and backups) is disabled or restricted and
access logs, whenever audit trails have been accessed, are maintained.
• Controls to ensure that periodic backups of audit trails are taken and archived as per
the statutory period specified under Section 128 of the Act.

38
 Audit Approach

Identification of relevant transactions

❖ In respect of identification of relevant transactions, auditor may consider performing
following procedures:
• Assess management’s identification of records and transactions where audit trail needs
to be captured and verify, on a test basis, whether the audit trail has been configured
and enabled for the identified accounting software.
• Evaluate management’s approach regarding identification of accounting software which
have been considered for the purposes of maintenance of audit trail.
• Inquire with the management on how they evaluated changes required for the
maintenance of audit trail as part of changes or upgrades to the accounting software.
• Where applicable, consider involvement of specialists/experts in field of IT to assist in
evaluation of management controls and configurations in accounting software with
regard to audit trail.

39
 Audit Approach

❖ In case accounting software is supported by service providers,

management and auditor may consider using independent auditor’s report
of service organisation e.g. Service Organisation Control Type 2 (SOC 2)/
SAE 3402, “Assurance Reports on Controls At a Service Organization” for
compliance with audit trail requirements.
❖ It is expected that management ensures that the administrative access to
the audit trail is restricted to authorized representatives.

40
 Audit Approach
Aspects of Accounting Software
❖ Auditor may consider following aspects of accounting software for the purpose of reporting:
i. the software configuration that controls enabling or disabling of the audit trail and whether
audit trail was enabled throughout the period.
ii. the access to such configurations.
iii. any changes to the audit trail configuration during the period of audit (during the financial
year and also from the date of financial statements but before the date of auditor’s report).
iv. the periodic review mechanism implemented and operated by management for any changes
to the audit trail configuration.
v. the completeness and accuracy of audit trail or edit logs that are generated through the
software functionalities or directly recorded in the underlying database
vi. any testing management has performed to assess completeness and accuracy of audit trail.

41
 Audit Approach

❖ In respect of preservation of audit trails:

▪ Inquire with management to understand the procedures implemented
▪ Review, on a sample basis, audit trail records maintained by management
for each applicable year
Unlike reporting on IFC, Rule 11(g) requires auditor to report that the feature of
recording audit trail facility has “operated throughout the year for all
transactions recorded in the accounting software”.
Auditor is expected to evaluate reporting implications specifically giving due
consideration to SA 250, “Consideration of Laws and Regulations in an Audit
of Financial Statements”.

42
 Audit Approach

Expected Scenarios
❖ In respect of audit trail, following are likely to be expected scenarios:
i. Management may maintain adequate audit trail as required by Account
Rules.
ii. Management may not have identified all records/ transactions for which
audit trail should be maintained.
iii. The accounting software does not have the feature to maintain audit trail,
or it was not enabled throughout the audit period.
Scenarios (ii) and (iii) mentioned above would result in a modified /adverse
reporting under Rule 11(g).

43
 Illustrative reporting: FY 2022-23

❖ In respect of financial year 2022-23, where management has not been mandated
to use accounting software with requisite audit trail facility, reporting can be as
illustrated below:
“As proviso to rule 3(1) of the Companies (Accounts) Rules, 2014 is applicable for the
company only w.e.f. April 1, 2023, reporting under this clause is not applicable”.

44
 Illustrative reporting: Standalone Financial Statements

❖ Unmodified Reporting
Based on our examination which included test checks, the company has used
an accounting software for maintaining its books of account which has a
feature of recording audit trail (edit log) facility and the same has operated
throughout the year for all relevant transactions recorded in the software.
Further, during the course of our audit, we did not come across any instance of
audit trail feature being tampered with. Additionally, the audit trail has been
preserved by company as per the statutory requirements for record retention.

45
Illustrative reporting: Consolidated Financial Statements

❖ Unmodified Reporting
Based on our examination which included test checks and that performed by
the respective auditors of the subsidiaries, associates and joint ventures/ joint
operations which are companies incorporated in India whose financial
statements have been audited under the Act, the company, subsidiaries,
associates and joint ventures/ joint operations have used an accounting
software for maintaining its books of account which has a feature of recording
audit trail (edit log) facility and the same has operated throughout the year for
all relevant transactions recorded in the software. Further, during the course of
our audit,we did not come across any instance of audit trail feature being
tampered with. Additionally, the audit trail has been preserved by the company
as per the statutory requirements for record retention.

46
Illustrative reporting: Consolidated Financial Statements

❖ Modified Reporting
Based on our examination, which included test checks, and that performed by the
respective auditors of the subsidiaries, associates and joint ventures/ joint operations
which are companies incorporated in India whose financial statements have been
audited under the Act, except for the instances mentioned below, the company,
subsidiaries, associates and joint ventures/ joint operations have used an accounting
software for maintaining its books of account which has a feature of recording audit trail
(edit log) facility and the same has operated throughout the year for all relevant
transactions recorded in the software. Further, during the course of our audit, we and
respective auditors of the above referred subsidiaries, associates and joint ventures/
joint operations did not come across any instance of audit trail feature being tampered
with. Additionally, the audit trail has been preserved by the Holding Company and above
referred subsidiaries, associates and joint ventures/joint operations as per the statutory
requirements for record retention.

47
 Illustrative wordings for modified reporting

Reporting under this Rule requires factual reporting. In case a company has exceptions
in complying to Account Rules, auditor may use the language as given in examples
below.

Nature of exception Illustrative wordings

1. Audit trail feature was disabled “Based on our examination, the company, has used accounting software for
for one of the books of account/ maintaining its books of account which has a feature of recording audit trail
records or for an accounting (edit log) facility except in respect of maintenance of fixed asset records
software - (e.g., fixed asset wherein the accounting software did not have the audit trail feature enabled
software did not have audit trail) throughout the year. Further, the audit trail facility has been operating
throughout the year for all relevant transactions recorded in the software except
for the instances reported below…... Further, during the course of our audit we
did not come across any instance of audit trail feature being tampered with..

48
 Illustrative wordings for modified reporting

Nature of exception. Illustrative wordings

2. Audit Trail feature is not “………except that the audit trail feature of YYY software used by the company to
operating effectively during the maintain payroll records did not operate throughout the year…..”
reporting period

3. Accounting software is “Based on our examination, the company, has used an accounting software ABC
maintained by third party and which is operated by a third party software service provider, for maintaining its
auditor is unable to assess books of account and in absence of [state the type of control report] we are unable
whether audit trail feature can be to comment whether audit trail feature of the said software was enabled and
disabled during the reporting operated throughout the year for all relevant transactions recorded in the software
period or whether there were any instances of the audit trail feature been tampered with.”

49
 Illustrative wordings for modified reporting

Nature of exception. Illustrative wordings

4. The audit trail has not been “……….the audit trail has not been preserved by the company as per the statutory
preserved by the company as requirements for record retention”
per the statutory requirements for
record retention. Note: This illustration is relevant from 2nd year of reporting and onwards

5. Migration from one software to The Company has migrated to [name of the software] from [old software/ manual]
the other happened during the during the year and is in the process of establishing necessary controls and
year or higher version of software documentations regarding audit trail. Consequently, we are unable to comment on
installed and auditor is unable to audit trail feature of the said software.
obtain sufficient and
appropriate evidence

50
Where to report contraventions?

1) Rule 11g:
2) Sec 143(3)b: Whether Proper books of accounts
maintained
3) Sec 143(3)h: Qualification, reservation or Adverse
remarks relating to books of accounts
4) IFC report for material misstatement
 Special Consideration in case of Fraud Scenarios

❖ An auditor may come across a scenario where occurrence of an error/ fraud could not
be established due to lack of maintenance, availability/ retrievability of audit trails.
❖ In evaluating the severity of a deficiency for such instances specifically in cases of
fraud, the auditor should primarily consider two factors
• the likelihood that the deficiency will result in a material misstatement, and
• the magnitude of such an outcome.
❖ This scenario would, in essence, call for performing an assessment of risk of material
misstatement due to fraud and would consider both qualitative and quantitative factors
in assessing a deficiency or combination of deficiencies as a significant deficiency or
material weakness.
❖ It would accordingly require application of professional judgement while linking the
reporting against Rule 11(g) and section 143(12) of the Act/ clause (x) of CARO 2020
(as the case may be).

52
Reporting under Rule 11(g) vis-à-vis Section 143(3)(i)

❖ Section 143(3)(i) of the Act, where applicable, requires the auditor to state in his audit
report whether the company has adequate internal financial controls with reference to
financial statements in place and the operating effectiveness of such controls.
Guidance in this regard has been prescribed vide “Guidance Note on Audit of Internal
Financial Controls Over Financial Reporting (the Guidance Note) issued by ICAI.
❖ Guidance Note does not entail any detailed audit procedures in respect of reporting
against Rule 11(g).
❖ Accordingly, where the feature of audit trail has not operated throughout the year, the
auditor may need to appropriately modify his comment while reporting under Rule
11(g) depending upon the further testing/examination as may be required to conclude
the wider impact on the reporting implication.

53
 Obtaining Written Representation

❖ Auditor shall obtain written representations from management on the following aspects:
• Acknowledging management's responsibility for establishing and maintaining adequate
controls for identifying, maintaining, controlling, and monitoring of audit trails on a
consistent basis.
• Stating that management has performed an evaluation and assessed the adequacy
and effectiveness of the company's procedures for complying to the requirements
prescribed for audit trails.
• Stating management's conclusion, as set forth in its assessment, about the adequacy
and effectiveness of the company's procedures w.r.t. audit trails.
• Stating that management has disclosed to the auditor all deficiencies in the design or
operation of controls maintained for audit trails identified as part of management's
evaluation.

54
 Obtaining Written Representation

• Describing instances where identification of fraud, if any, resulting in a material

misstatement to the company's financial statements is identified while reviewing and
testing the samples related to the disablement of audit trail facility of the accounting
software.
• Stating whether control deficiencies identified and communicated to the audit
committee in relation to audit trail during previous engagements have been resolved,
and specifically identifying any deficiency that have not been resolved.

55
 Audit Documentation

❖ Auditor may document the work performed on audit trail such that it provides:
▪ A sufficient and appropriate record of basis for auditor’s reporting under Rule
11(g); and
▪ evidence that audit was planned and performed in accordance with this
Implementation Guide, applicable Standards on Auditing and applicable legal
and regulatory requirements.
❖ In this regard, auditor may comply with requirements of SA 230, “Audit
Documentation” to the extent applicable.

56
Practical Tips

1) No accounting entry should be passed today, relating to

past period, reflecting that it is passed in earlier period.
2) However, an accounting entry relating to past period can
be passed today, reflecting clearly that it is passed today.
3) No entry should be deleted. Rectification entries to be
passed for any mistake in any entry already passed.
4) All rectification & closing & opening entries, changes in
closing & opening entries entries shall be passed from 1 April
to 31 March of relevant f.y.
Practical Tips

1) No accounting entry should be passed today, relating to

past period, reflecting that it is passed in earlier period.
2) However, an accounting entry relating to past period can
be passed today, reflecting clearly that it is passed today.
3) No entry should be deleted. Rectification entries to be
passed for any mistake in any entry already passed.
4) All rectification & closing & opening entries, changes in
closing & opening entries entries shall be passed from 1 April
to 31 March of relevant f.y.
Practical Situations

1) Alter voucher type “purchases” in voucher entry

2) Press F2 for change date, there will be one box

“effective date”.

3) https://help.tallysolutions.com/tally-prime/essentials-o
f-gst/flexibilities-in-tallyprime-under-gst/#gstreturn-eff
ective-date-for-voucher
Practical Situations

1) Cane management software, must have audit trail : Raw

material consumed: monthly
2) Retail: B2C: Inventory management, must have audit trail :
3) Hospital : Operation management software: HMIS
(Hospital management Information system)
4) SAP: Period 13 entries: Adjustment entries
How ro view Edit Log?

Video: https://www.youtube.com/watch?v=UkGpF0v9RmM&t=15s
How ro view Edit Log?

Video: https://www.youtube.com/watch?v=UkGpF0v9RmM&t=15s
Practical Questions?

1) How to audit, if there are rectified/delete entries?

2) Can Company maintains partial or full Books of accounts in google

spread sheet/ excel?

3) Can company import data from excel into accounting software?

4) FS must be in agreement with Books of Accounts, before signing

5) Should we split Company data on 1 April or after signing report?

Practical Questions?

6) Manual Books of Accounts for partial/broker period

7) Can company maintains books on manual basis partially (petty

cash or fixed assets register) or fully?

8) How to report, if company maintains books on manual basis

partially or fully?

9) Impact of keeping books of accounts of 100 companies in one

software
10) Can Income Tax & other Department ask for Audit Trails?
Practical Questions?

11) How to report if User ID not created, however, other requirements

are complied with?

12) How to report if User ID are created, say after a month, however,
other requirements are complied with?

13) How to report if there are so many back dated entries?

14) Can auditor give clean chit based on management representation
or based on boards report?
15) What to do, if manual accounts are subsequently destroyed by fire
or otherwise for which FIR is there?
Sec 447:Punishment for fraud

“fraud” in relation to affairs of a company or any body

corporate, includes any act, omission, concealment of any
fact or abuse of position committed by any person or any
other person with the connivance in any manner, with intent
to deceive, to gain undue advantage from, or to injure the
interests of, the company or its shareholders or its creditors or
any other person, whether or not there is any wrongful gain or
wrongful loss;
Sec 447:Punishment for fraud

Without prejudice to any liability including repayment of any debt under this Act or any other law for the
time being in force, any person who is found to be guilty of fraud 1[involving an amount of at least ten lakh
rupees or one per cent. of the turnover of the company, whichever is lower] shall be punishable with
imprisonment for a term which shall not be less than six months but which may extend to ten years and
shall also be liable to fine which shall not be less than the amount involved in the fraud, but which may
extend to three times the amount involved in the fraud:
Provided that where the fraud in question involves public interest, the term of imprisonment shall not be
less than three years.
Provided further that where the fraud involves an amount less than ten lakh rupees or one per cent. of the
turnover of the company, whichever is lower, and does not involve public interest, any person guilty of
such fraud shall be punishable with imprisonment for a term which may extend to five years or with fine
which may extend to fifty lakh rupees or with both.
Manually Dictionary meaning:

Manually means something that's done manually is done by

hand, rather than by machine. If the recycling you leave by
the curb is sorted manually, people divide it by hand into
metal, plastic, glass, and paper. When you dig a hole
manually, you use a shovel and the strength of your own
arms and back.
Use of Spreadsheet: FAQ 25d

When Any software used to maintain the books of account is

termed as accounting software. If a company uses end-user
computing tools, like spreadsheets, then those tools may be
classified as accounting software if the same provides direct
and auto feed to the accounting software (accounting
software as identified by management). In such case, the
spreadsheet should be treated as part of books of account
and the spreadsheet will attract the audit trail
requirement.
Use of Spreadsheet: FAQ 25d

End-user computing tools like spreadsheets may be used to record

transactions or for preparing workings/calculations of amounts to be
recorded. For instance, it may be used for preparing working of foreign
exchange gain/loss or amortization or tax liability to be recorded in another
accounting software (accounting software as identified by management)
using the amounts computed in spreadsheet. However, accounting entries
may not get auto-posted directly to the accounting software from such
spreadsheet. In such case, the spreadsheet should not be treated as part
of books of account and the spreadsheet will not attract the audit trail
requirement. The auditor should evaluate the facts regarding usage of
end-user computing tools and accordingly report.
Tip1: Pass all entries before 6 September

Tip1: Pass all entries before 6 September

Since we certify that financial statements are in agreement with the books
of accounts, all adjustment & other entries must be passed on or before
the date of signing of FS & Audit reports i.e. 6 September generally,
except in case of shorter notice, else Audit Trail will reflect otherwise.
Tip 2: How to audit, if so many delete entries?

No entries should be deleted in accounting software. However, if

there are a number of deleted entries in accounting software for 23-
24, the responsibility of the auditor is increased.
The auditor must examine these deleted entries from the following 2
angles:
✓ The auditor ensure that the accounts reflects the true & fair states
of affairs of company.
✓ The auditor should also examine that these deleted entries should
not reflect any fraud in the company.
Tip 3: How to audit, if so many edit entries?

No entries should be edited in accounting software. However, if there are

a number of edit entries in the accounts for FY 23-24 in the accounting
software, the responsibility of the auditor is also increased. The auditor
must examine that these edited entries from the following two aspects:
✓ The auditor ensure that the accounts reflects the true & fair states of
affairs of company.
✓ The auditor should also examine that these edited entries should not
reflect any material misstatements or a fraud in the company.
Example1: If narrations are edited to included UTR no , received at
evening from bank, it is acceptable.
Example2: If entries are edited to understate income or overstate exp. for
misstatements, such edit of entries will result in fraud, are not acceptable.
Tip 4: How to report, if accounts are maintained
manullay?
Management of Company may have decided to maintain accounts
manually. This is not a violation. However, fact must be disclosed by
auditor. Apart from this, Management may also disclose such fact in
Boards Report also.
Example1: On 30.3.23, Board decided to maintain books of accounts
manually. However, on 30.6.23, Board decided to again switch to
maintain books of accounts using accounting software with audit trail
features.
Ans: There is no violation, in my personal opinion. The auditor may report
the following:
"The books of accounts had been maintained manually from 1.4.23 to
30.6.23 & in accounting software from 1.7.23 to 31.3.24.
Tip 4: How to report, if accounts are maintained
manullay?
Further, Based on our examination which included test checks, the
company has used an accounting software for maintaining its books of
account which has a feature of recording audit trail (edit log) facility and
the same has operated throughout the said period (from 1.7.23 to
31.3.24) for all relevant transactions recorded in the software. Further,
during the course of our audit, we did not come across any instance of
audit trail feature being tampared with. Additionally, the audit trail has
been preserved by company as per the statutory requirements for record
retention.“
Example2: On 30.3.23, Board decided to maintain books of accounts
manually.
Ans: There is no violation, in my personal opinion. The auditor may report
the following:"The books of accounts had been maintained manually from
Tip 5: How to report, if audit trail had been maintained
for broken period?
Management of Company may have decided & maintained audit
trail from a date after 1.4.23 (a date later than when it is mandatory
to be implemented) . This is a violation & auditor must report
accordingly.
Example: On 30.6.23, Board decided to maintain books of
accounts using accounting software with audit trail features from
1.7.23.
Ans: There is a violation. The auditor must report the following:
"Based on our examination which included test checks, the
company has used an accounting software for maintaining its
books of account which has a feature of recording audit trail (edit
log) facility
Tip 5: How to report, if audit trail had been maintained
for broken period?
& the same has operated from 1.7.23 to 31.3.24 for all
relevant transactions recorded in the software. Further, during
the course of our audit, we did not come across any instance
of audit trail feature being tampered with for the aforesaid
period. Additionally, the audit trail has been preserved by
company as per the statutory requirements for record
retention. However, in our opinion, proper books of accounts
stating true & fair states of affairs of the Company, as
required under Sec 128(1) of the Companies Act, 2013 has
been maintained by the company for the FY 2023-24."
Tip 6: How to report, if audit trail had not been
maintained during the year?
Management of Company may have decided & maintained
audit trail from a date after 1.4.24 (a date later than when it is
mandatory to be implemented) . This is a violation & auditor
must report accordingly.
Example: On 30.3.24, Board decided to maintain books of
accounts using accounting software with audit trail features
from 1.4.24. or The accounting software does not have the
features of audit trail during FY 23-24.
Ans: This is a violation. The auditor must report the
following:"Based on our examination which included test
Tip 6: How to report, if audit trail had not been
maintained during the year?
checks, the company has used an accounting software for
maintaining its books of account which doesn't have a feature
of recording audit trail (edit log) facility. However, in our
opinion, proper books of accounts stating true & fair states of
affairs of the Company, as required under Sec 128(1) of the
Companies Act, 2013 has been maintained by the company
for the financial year 2023-24."Note: Plan your resources &
time schedule for clients, since all transactions (including
adjustment entries) must be passed in software or or before
the date of signing of audit report (say, 7 September ) & since
enquiry about audit trail is a time consuming act.
Tip 7: Should Company pass "bulk entries at year end
for most of transactions during the year" to prepare
books of accounts?

Relevant Provision: Section 128(1) of the Companies Act,

2013 states that every company shall prepare and keep at its
registered office books of account and other relevant books
and papers and financial statement for every financial year
which give a true and fair view of the state of the affairs of the
company....
Comment: A Company should follow sec 128 in substance. If a company
pass most of transactions at year end, then Company will itself create
evidence in this audit trail era that it had not maintained proper books of
accounts for the substantial part of year & ROC may levy penalty u/s 128(6).
Such a situation should be avoided.

Example: On 30.3.24, the company passes most of entries for translations

during the year.
a) On 1.4.2030, there had been inspection by ROC
b) On 1.4.2028, there had been survey by Income tax department, which
passes information to ROC. Can ROC levy panelty u/s 128?
Ans: RoC may take a view to levy panelty u/s 128(6), which can be Rs 50k
to Rs 5 lakhs per director/person in default.

Note: Plan your resources & time schedule for clients, since all transactions
(including adjustment entries) must be passed in software or or before the
date of signing of audit report (say, 7 September ) & since enquiry about
audit trail is a time consuming act.
Tip 8: Should Company pass "bulk entries at quarer end
for most of transactions during the quarter" to prepare
books of accounts?

Relevant Provision: Section 128(1) of the Companies Act,

2013 states that every company shall prepare and keep at its
registered office books of account and other relevant books
and papers and financial statement for every financial year
which give a true and fair view of the state of the affairs of the
company....
Comment: A Company should follow sec 128 in substance. If a
company pass most of transactions at quater end, then Company will
itself create evidence in this audit trail era that it had not maintained
proper books of accounts for the substantial part of year/quater &
ROC may levy penalty u/s 128(6). Such a situation should be avoided.

Example: The company passes most of entries for translations during

the quater end.
a) On 1.4.2030, there had been inspection by ROC
b) On 1.4.2028, there had been survey by Income tax department,
which passes information to ROC. Can ROC levy panelty u/s 128?
Ans: RoC may take a view that since proper accounts had not been
maintained for the substantial part of the year, panelty u/s 128(6) will
be levied, which can be Rs 50k to Rs 5 lakhs per director/person in
default.
Tip 9: Which software require audit trail?

• Any software that maintains records or transactions that fall

under the definition of Books of Account as per the section
2(13) of the Act will be considered as accounting software for
purpose of Rule 11(g).
Example: if sales are recorded in a standalone software and
only consolidated entries are recorded monthly into the
software used to maintain the general ledger (say Tally, Busy)
, the sales software should also have the audit trail
feature since sales invoices would be covered under Books
of Account.
Tip 10: Can the company maintain books of accounts in
accounting software without inventory, however, at the same
time, Excel/ spreadsheet is used for calculating the value of
opening & closing stock to be feeded in accounting
software?

Relevant Provision: FAQ 25d of revised Implementation

guide of ICAI states as follows:
"End-user computing tools like spreadsheets may be used to
record transactions or for preparing workings/calculations of
amounts to be recorded. For instance, it may be used for
preparing working of foreign exchange gain/loss or
amortization or tax liability to be
recorded in another accounting software (accounting software as
identified by management) using the amounts computed in
spreadsheet. However, accounting entries may not get auto-
posted directly to the accounting software from such
spreadsheet. In such case, the spreadsheet should not be
treated as part of books of account and the spreadsheet will
not attract the audit trail requirement. The auditor should
evaluate the facts regarding usage of end-user computing tools
and accordingly report.“
Comment: In my personal opinion, in above-mentioned
instance, the company, has used Excel sheet for calculation of
value of inventory to be feeded in accounting software, may also
be allowed under FAQ 25d of Revised implementation guide.
(Tip:11) Audit Trail is required not only at transaction
level, but also at data base lavel & also for each changes
made in books of accounts.

Relevant Provision: Rule 3(1) of Companies (Accounts

Rules) relating to manner of books of account to be kept in
electronic mode, is as follows-"The books of account and
other relevant books and papers maintained in electronic
mode shall remain accessible in India, at all times accessible
in India so as to be usable for subsequent reference.
Provided that for the financial year commencing on or after the 1st day of April,
2023, every company which uses accounting software for maintaining its books
of account, shall use only such accounting software which has a feature of
recording audit trail of each and every transaction, creating an edit log of each
change made in “books of account” along with the date when such changes were
made and ensuring that the audit trail cannot be disabled.“
Comment:
1) Above Rule is not applicable, if manual Records are maintained.
2) Audit trail is required both at data base level & transactions level.
3) Audit trail is required for each changes made i.e changes in master, group,
ledger.
4) The company maintain books in accounting software, but audit trail is active
at transaction level only, it is not active at data base level. As a result,
changes in transactions can be made by changes in data at data base
level. This is not acceptable & must be reported by auditor.
(Tip:12) There must not be any option to disable Audit
Trail feature

Relevant Provision: Rule 3(1) of Companies (Accounts

Rules) relating to manner of books of account to be kept in
electronic mode, is as follows-
“Every company which uses accounting software for
maintaining its books of account, shall use only such
accounting software which has a feature of recording audit
trail of each and every transaction, creating an edit log of
 (Tip:12) There must not be any option to disable Audit
Trail feature

each change made in “books of account” along with the

date when such changes were made and ensuring that the
audit trail cannot be disabled.
Comments : 1) Manual Records, Partly or fully : Above:
Not Applicable
2) Audit trail is required for data base & transactions,
both.
To get Professional updates on whats app:

1) Please whats app request to 8820154348 to CA Nitesh

More

2) “Professional Updates” are relating to IT, GST, Audit,

Companies Act, ICAI etc

3) 45,000+ CAs all over India had joined whats app groups.
THANKS