Audit Approach
As part of the audit approach, the auditor would need to ensure that management assumes the primary responsibility to:
- identify the records and transactions that constitute books of account under section 2(13) of the Act;
- identify the software, i.e., the IT environment, including applications, web portals, databases, interfaces, data warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and/or storing data for the creation and maintenance of books of account;
- ensure that such software has the audit trail feature;
- ensure that the audit trail captures changes to each and every transaction in the books of account; the information captured may include the following:
  - when changes were made,
  - who made those changes,
  - what data was changed;
- ensure that the audit trail feature is always enabled (never disabled);
- ensure that the audit trail is enabled at the database level (if applicable) so that any direct data changes, made outside the application, are also logged;
- ensure that the audit trail is appropriately protected from any modification;
- ensure that the audit trail is retained as per the statutory requirements for record retention;
- ensure that controls over the maintenance and monitoring of the audit trail and its feature are designed and operating effectively throughout the reporting period.

In order to demonstrate that the audit trail feature was functional, operated and was not disabled, a company would have to design and implement specific internal controls (predominantly IT controls), which in turn would be evaluated by the auditors, as appropriate. An illustrative list of internal controls which may be required to be implemented and operated is given below:
- Controls to ensure that the audit trail feature has not been disabled or deactivated.
- Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.
- Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.
- Controls to ensure that access to the audit trail (and its backups) is disabled or restricted, and that access logs are maintained whenever the audit trail has been accessed.
- Controls to ensure that periodic backups of the audit trail are taken and archived for the statutory period specified under Section 128 of the Act.
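The management responsibilities listed above (capture who, when and what; enable the trail at the database level so direct changes are logged; protect the trail from modification; be able to show the feature was never disabled) can be illustrated at the database layer. The following is an added example, not code from the guidance or from any accounting product: it uses SQLite through Python's sqlite3 module with a constructed schema (`journal_entries`, `session_ctx`, `audit_log` and the user names are all assumptions). Real ERPs and databases implement the same ideas with their own mechanisms (for instance `current_user` and `REVOKE UPDATE, DELETE` on the log table in PostgreSQL).

```python
"""Database-level audit trail for a 'books of account' table with an append-only
edit log. Added example (SQLite via sqlite3); schema and names are constructed."""
import sqlite3

# Constructed schema: the accounting table being audited, a one-row table the
# application uses to tell the database who is acting (SQLite has no session
# user; PostgreSQL/Oracle would use current_user instead), and the log itself.
SCHEMA = """
CREATE TABLE journal_entries (
    id        INTEGER PRIMARY KEY,
    account   TEXT NOT NULL,
    amount    REAL NOT NULL,
    narrative TEXT
);
CREATE TABLE session_ctx (user_id TEXT);
INSERT INTO session_ctx VALUES (NULL);
CREATE TABLE audit_log (
    seq        INTEGER PRIMARY KEY,
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    changed_by TEXT NOT NULL,
    action     TEXT NOT NULL,
    row_id     INTEGER NOT NULL,
    field      TEXT NOT NULL,
    old_value,
    new_value
);
-- The log is append-only: even an administrator's UPDATE/DELETE is refused.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

# Changes made directly in the database, bypassing the application, still fire
# the triggers; they are logged but flagged because no user was declared.
WHO = "COALESCE((SELECT user_id FROM session_ctx), 'UNATTRIBUTED-DIRECT-CHANGE')"
LOG_COLS = "changed_by, action, row_id, field, old_value, new_value"


def audit_trigger_ddl(table, columns, key="id"):
    """Generate AFTER INSERT/UPDATE/DELETE triggers writing one audit_log row per
    field, so the trail records who, when, which row and which field changed."""
    ins = "".join(
        f"INSERT INTO audit_log({LOG_COLS}) VALUES ({WHO}, 'INSERT', NEW.{key}, '{c}', NULL, NEW.{c});"
        for c in columns)
    # IS NOT compares NULL-safely, so only fields whose value really changed are logged.
    upd = "".join(
        f"INSERT INTO audit_log({LOG_COLS}) SELECT {WHO}, 'UPDATE', NEW.{key}, '{c}', OLD.{c}, NEW.{c} "
        f"WHERE OLD.{c} IS NOT NEW.{c};"
        for c in columns)
    dele = "".join(
        f"INSERT INTO audit_log({LOG_COLS}) VALUES ({WHO}, 'DELETE', OLD.{key}, '{c}', OLD.{c}, NULL);"
        for c in columns)
    return [
        f"CREATE TRIGGER {table}_audit_ins AFTER INSERT ON {table} BEGIN {ins} END;",
        f"CREATE TRIGGER {table}_audit_upd AFTER UPDATE ON {table} BEGIN {upd} END;",
        f"CREATE TRIGGER {table}_audit_del AFTER DELETE ON {table} BEGIN {dele} END;",
    ]


def open_books(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA + "".join(
        audit_trigger_ddl("journal_entries", ("account", "amount", "narrative"))))
    return conn


def trail_enabled(conn, table):
    """Configuration check an auditor can run: are all three audit triggers present?"""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='trigger' AND tbl_name=?", (table,)).fetchall()
    names = {r[0] for r in rows}
    return all(f"{table}_audit_{k}" in names for k in ("ins", "upd", "del"))


def act_as(conn, user_id):
    """Application call: declare the authenticated user before a unit of work (None clears it)."""
    conn.execute("UPDATE session_ctx SET user_id = ?", (user_id,))


def log_is_tamper_proof(conn):
    """Try to alter and to delete a log row; both must be refused by the triggers."""
    for stmt in ("UPDATE audit_log SET new_value = 0 WHERE seq = 1",
                 "DELETE FROM audit_log WHERE seq = 1"):
        try:
            conn.execute(stmt)
            return False
        except sqlite3.DatabaseError:
            pass
    return True


def demo():
    """Constructed activity: an application user posts and edits an entry, then a
    direct database edit is made with no user declared."""
    conn = open_books()
    act_as(conn, "clerk01")
    conn.execute("INSERT INTO journal_entries(account, amount, narrative) VALUES ('Sales', 1000.0, 'Inv 17')")
    conn.execute("UPDATE journal_entries SET amount = 1200.0 WHERE id = 1")
    act_as(conn, None)
    conn.execute("UPDATE journal_entries SET narrative = 'edited' WHERE id = 1")
    trail = conn.execute(
        "SELECT changed_by, action, field, old_value, new_value FROM audit_log ORDER BY seq").fetchall()
    return conn, trail
```

The `trail_enabled` check is the technical counterpart of "ensure the feature is always enabled": it should be run periodically and its results kept, since anyone with DDL rights can drop the triggers, which is why the guidance also asks for controls over configuration changes and restricted administrative access. Append-only triggers stop ordinary modification of the log but not a privileged user who removes them, so a trail that must be "appropriately protected from any modification" is usually also shipped to a separate, write-once store.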
In respect of the identification of relevant transactions in the context of maintenance of books of account, the auditor may consider performing the following procedures:
- Assess management's identification of records and transactions for which an audit trail needs to be captured and verify, on a test basis, whether the audit trail has been configured and enabled for the identified accounting software.
- Evaluate management's approach to identifying the accounting software that has been considered for the purposes of maintenance of the audit trail. Refer to Appendix I for an illustrative table.
- Inquire of management how it evaluated the changes required for maintenance of the audit trail as part of changes or upgrades to the accounting software.
- Where applicable, consider involving specialists or experts in the field of Information Technology to assist in evaluating management's controls and the audit trail configuration in the accounting software.
In the case of accounting software supported by service providers, the company's management and the auditor may consider using an independent auditor's report on the service organisation (e.g., a Service Organisation Control Type 2 (SOC 2) report or a report under SAE 3402, "Assurance Reports on Controls at a Service Organisation") for compliance with the audit trail requirements. Such a report should specifically cover the maintenance of the audit trail in line with the requirements of the Act.
Most commonly used accounting software, including Enterprise Resource Planning (ERP) software, has an audit trail feature that can be enabled or disabled at the discretion of the company. The management of the company may have put in place certain controls, such as restricting access to administrators and monitoring changes to configurations that may affect the audit trail. Auditors are accordingly expected to evaluate management's policies in this regard and to test such controls to determine whether the audit trail feature has been implemented and operated effectively throughout the reporting period.
It is expected that management ensures that the administrative access to the audit trail is restricted to authorized representatives.
In this regard, the auditor may take into consideration the following aspects for every accounting software which is used in maintaining the “books of account” for the purpose of reporting:
- i. the software configuration that controls enabling or disabling of the audit trail, and whether the audit trail was enabled throughout the period;
- ii. the access to such configurations;
- iii. any changes to the audit trail configuration during the period of audit (during the financial year and also from the date of the financial statements up to the date of the auditor's report);
- iv. the periodic review mechanism implemented and operated by management for any changes to the audit trail configuration;
- v. the completeness and accuracy of the audit trail or edit logs, whether generated through the software's functionality or recorded directly in the underlying database, i.e., whether they capture the user ID that made the change, the date and time of the change, and which fields were changed; this is assessed by reviewing, on a test basis, the reports or trails generated for the required information and for any period when the audit trail feature was disabled;
- vi. any testing management has performed to assess the completeness and accuracy of the audit trail.
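Points i and iii above (was the trail enabled throughout the period, and what configuration changes occurred during the year and between the balance-sheet date and the auditor's report) can be tested mechanically against an export of the software's configuration-change log. The following is an added example, not part of the guidance and not tied to any particular product: the log format, the `AUDIT_TRAIL` setting name, the user names and the dates are all constructed, and the financial year and report date are assumptions chosen for illustration.

```python
"""Check from a configuration-change log whether the audit trail was enabled
throughout the financial year, and list configuration changes the auditor must
consider. Added example; log format, dates and names are constructed."""
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed export of changes to the audit-trail switch (sample data, not from
# any real system): timestamp, administrator, setting, new value.
CONFIG_LOG = """\
2022-11-03T10:15:00 sysadmin1 AUDIT_TRAIL ON
2023-07-14T18:42:00 sysadmin2 AUDIT_TRAIL OFF
2023-07-16T09:05:00 sysadmin2 AUDIT_TRAIL ON
2024-04-20T11:30:00 sysadmin1 AUDIT_TRAIL OFF
2024-04-20T12:00:00 sysadmin1 AUDIT_TRAIL ON
"""


def parse_config_log(text):
    """Parse lines into (timestamp, user, enabled) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, setting, value = line.split()
        if setting != "AUDIT_TRAIL":
            continue
        events.append((datetime.strptime(ts, FMT), user, value.upper() == "ON"))
    return sorted(events)


def disabled_intervals(events, start, end):
    """Intervals (from, to, who) within [start, end] during which the trail was off.
    The state at `start` is the last change before it; with no prior evidence the
    trail is treated as off, because 'operated throughout' cannot be demonstrated."""
    state, actor = False, "no evidence of state before period"
    for ts, user, enabled in events:
        if ts > start:
            break
        state, actor = enabled, user
    gaps, off_since, off_by = [], (None if state else start), actor
    for ts, user, enabled in events:
        if ts <= start or ts > end:
            continue
        if not enabled and off_since is None:
            off_since, off_by = ts, user
        elif enabled and off_since is not None:
            gaps.append((off_since, ts, off_by))
            off_since = None
    if off_since is not None:          # still off at period end
        gaps.append((off_since, end, off_by))
    return gaps


def assess(events, fy_start, fy_end, report_date):
    """Summarise the facts needed for reporting under Rule 11(g) for one software."""
    gaps = disabled_intervals(events, fy_start, fy_end)
    in_fy = [e for e in events if fy_start <= e[0] <= fy_end]
    post = [e for e in events if fy_end < e[0] <= report_date]
    return {
        "enabled_throughout_fy": not gaps,
        "disabled_intervals": gaps,
        "config_changes_in_fy": len(in_fy),
        "config_changes_after_fy_before_report": len(post),
    }


# Assumed reporting period: FY 2023-24, auditor's report dated 10 May 2024.
FY_START = datetime(2023, 4, 1)
FY_END = datetime(2024, 3, 31, 23, 59, 59)
REPORT_DATE = datetime(2024, 5, 10)

if __name__ == "__main__":
    for k, v in assess(parse_config_log(CONFIG_LOG), FY_START, FY_END, REPORT_DATE).items():
        print(k, v)
```

A log that starts inside the period is the important edge case: with no evidence of the setting before the first recorded change, the function reports the trail as off from the start of the period rather than assuming it was on, which matches the burden on management to demonstrate operation throughout the year. Changes after the year end but before the report date do not create a gap in the year, but they are surfaced separately because point iii asks the auditor to consider them.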
In respect of preservation of audit trails, inquire of management to understand the procedures implemented by the company to preserve the records for the statutory record retention period. The auditor may review, on a sample basis, the audit trail records maintained by management for each applicable year and evaluate management's controls for maintaining such records without any alteration and for the retrievability of logs maintained for the required retention period.
Unlike reporting on internal financial controls over financial reporting, Rule 11(g) requires the auditor to report that the feature of recording audit trail (edit log) facility has “operated throughout the year for all transactions recorded in the accounting software”. Based on procedures performed, the auditor is expected to evaluate the reporting implications specifically giving due consideration to SA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”.
In respect of the audit trail, the following scenarios are likely:
- i. Management maintains an adequate audit trail as required by the Accounts Rules.
- ii. Management has not identified all records/transactions for which an audit trail should be maintained.
- iii. The accounting software does not have the feature to maintain an audit trail, or it was not enabled throughout the audit period.
Scenarios (ii) and (iii) above would result in modified/adverse reporting against this clause.