Audit Trail Requirement
The audit trail requirement under the Companies (Accounts) Amendment Rules 2021 mandates that accounting software used by companies must record an immutable log of every transaction and its alteration, with the feature enabled at all times during the financial year.
The Ministry of Corporate Affairs notified the Companies (Accounts) Amendment Rules in 2021, introducing a new requirement that accounting software used for maintaining books of account must have a feature for recording an audit trail — also called an edit log — of each and every transaction. The rule requires that the audit trail capture the date, time, and nature of each change made to a transaction and that the audit trail be preserved as part of the books of account for the statutory retention period of eight years.
The intent behind the amendment was to address a growing concern among regulators and auditors about the ease with which electronic accounting records could be altered after the fact, with the manipulation leaving no trace in conventional accounting systems. Legacy ERP configurations, particularly older SAP, Tally, or Oracle implementations, did not always enable audit trail logging by default, and some configurations allowed superusers to disable the feature or delete log entries. The amendment attempted to close these vulnerabilities by making the feature not merely available but continuously enabled.
For the statutory auditor, the requirement created a new reporting obligation. The auditor's report on financial statements for financial years beginning on or after 1 April 2022 must include a specific comment on whether the accounting software used by the company has an audit trail feature that was operational throughout the year, whether the audit trail was not tampered with, and whether the audit trail was preserved as required. This comment applies not only to the company's own software but also to software used by service providers that process accounting entries on behalf of the company.
The ERP implementation implications were significant. Many mid-sized and large Indian companies had to upgrade their accounting software configurations, engage their ERP vendors to enable and harden the audit log feature, and implement access controls ensuring that even database administrators could not alter logged entries. Companies using cloud-based SaaS accounting platforms had to obtain confirmations from their service providers about the audit trail configuration.
From an investor perspective, a qualified audit opinion or emphasis of matter paragraph regarding non-compliance with the audit trail requirement is a red flag. It suggests that the books of account may not provide an immutable record of transactions, raising questions about the reliability of the financial statements and the effectiveness of the company's internal controls over financial reporting.