CA. Assorted - Reporting on Audit Trail.pptx

REPORTING ON AUDIT TRAIL Compiled By: CA. Akshat Baheti, Indore 9407407399, [email protected]

Session In A Nut Shell

Notification of MCA - Reporting on AUDIT TRAIL The MCA vide its notification dated 24th March, 2021 had introduced the concept of audit trails by inserting proviso to rule 3(1) of the Companies (Accounts) Rules, 2014 . “Whether the company, in respect of financial years commencing on or after the 1st April, 2021, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention. However, the applicability was deferred by 1 year by amending the same vide Companies (Accounts) Second Amendment Rules, 2021. The new date of applicability was 1st April, 2022. The MCA vide notification dated 31.03.2022 again extended Implementation of Audit Trail software to financial year commencing on or after the April 1, 2023 . Its applicability has been deferred two times and this requirement is finally applicable from April 1, 2023.

Every Company? Every Company means all the companies defied under section 2(20) of the Companies Act "Company means a company incorporated under this Act or any previous Company Law.” PUBLIC or PRIVATE BIG or SMALL SERVICE or PRODUCTION PROFIT or NOT FOR PROFIT FOREIGN COMPANIES Hence the above provision will not be applicable on LLP / FIRM/ TRUST/ PROPRIETORSHIP

Accounting Software Accounting software is a computer program that assists bookkeepers and accountants in recording and reporting a firm’s financial transactions . The functionality of accounting software differs from product to product. Larger firms may choose to implement a customized solution that integrates a vast amount of data from many different departments. Small firms often choose an off-the-shelf product. Further, it is also important as where or how the accounting software is deployed: O n premises , hosted as software-as-a-service ( SaaS ), or in the cloud.

Books of Accounts As per section 2 (13) of companies “books of account” includes records maintained in respect of-- (i) all sums of money received and expended by a company and matters in relation to which the receipts and expenditure take place; (ii) all sales and purchases of goods and services by the company; (iii) the assets and liabilities of the company; and (iv) the items of cost as may be prescribed under section 148 in the case of a company which belongs to any class of companies specified under that section ;

Audit Trail Audit Trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, event, or device. An audit trail is defined as a step-by-step sequential record which provides evidence of the documented history of financial transactions to its source. It is an detailed chronological record where accounting , financial data and other details are tracked and traced .It tracks all kinds of transactions work processes, accounting details and changes made there within An auditor can trace the financial data of a particular transaction right from the general ledger to its source document with the help of the audit trail . A series of audit logs is called an audit trail because it shows a sequential record of all the activity on a specific system. By reviewing audit logs, systems administrators can track user activity, and security teams can investigate breaches and ensure compliance with regulatory requirements . An audit trail is a recording of all user actions. A log is a recording of what happens on a System .

Edit Log Edit Log is a view-only (display) report that maintains track of all activities with your vouchers and masters, like creation, alteration, deletion and so on, without the need for any additional controls to restrict the access. It must be creating an edit log of each change made in books of account along with the date when such changes were made This will help to identify the following things:- Tracking of back dates entries Cash balances changes Stock valuation changes Adjustment in books/entries Use by other enforcement agencies etc.

Management Responsibility The management has a responsibility for effective implementation of the requirements prescribed by the account rules. Management , who is primarily responsible for ensuring selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to retention of audit logs ). It should be noted that the accounting software may be hosted and maintained in India or outside India or may be on premise or on cloud or subscribed to as Software as a Service ( SaaS ) software. Further , a company may be using a software which is maintained at a service organisation . For example, the company may have outsourced its payroll processing with a shared service centre and the shared service centre may use its own software to process payroll for the company.

Auditors Responsibility Rule 11(g) casts responsibility on the auditor in terms of reporting on audit trail by making a specific assertion in the audit report under the section ‘Report on Other Legal and Regulatory Requirements’. whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)? whether the audit trail feature was enabled/operated throughout the year? whether all transactions recorded in the software are covered in the audit trail feature? whether the audit trail has been preserved as per statutory requirements for record retention?

Audit Approach As part of the audit approach, the auditor would need to ensure that the management assumes the primary responsibility to : identify the records and transactions that constitute books of account under section 2(13) of the Act ; identify the software i.e., IT environment including applications, web-portals, databases, interfaces, data warehouses , data lakes, cloud infrastructure, or any other IT component used for processing and or storing data for creation and maintenance of books of account ; ensure such software have the audit trail feature ; ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following : - when changes were made, - who made those changes, - what data was changed, ensure that the audit trail feature is always enabled ( not disabled); ensure that the audit trail is appropriately protected from any modification;

Audit Documentation Auditor may document the work performed on audit trail such that it provides: A sufficient and appropriate record of basis for auditor’s reporting under Rule 11(g ); and Evidence that audit was planned and performed in accordance with this Implementation Guide, applicable Standards on Auditing and applicable legal and regulatory requirements. In this regard, auditor may comply with requirements of SA 230, “ Audit Documentation ” to the extent applicable.

Obtaining Written Representations The auditor shall obtain written representations from management on the following aspects Management acknowledges responsibility for controls over audit trails Management has evaluated the adequacy of audit trail procedures Management concludes on the effectiveness of audit trail procedures Management disclosed all identified control deficiencies in audit trails Management describes identified fraud related to audit trail disablement Management states the resolution status of previously identified control deficiencies

Illustrative wordings for modified reporting It may be noted that the reporting under this Rule requires factual reporting. In case a company has exceptions in complying to the Account Rules, the auditor may use the language as given in examples below . Nature of exception Audit trail feature was disabled for one of the books of account/records or for an accounting software - (e.g., property, plant and equipment software did not have audit trail feature) Audit Trail feature is not operating effectively during the reporting period Illustrative wordings Based on our examination, the company, has used accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility except in respect of maintenance of property, plant and equipment records wherein the accounting software did not have the audit trail feature enabled throughout the year. Further, the audit trail facility has been operating throughout the year for all relevant transactions recorded in the software except for the instances reported below…... Further, during the course of our audit we did not come across any instance of audit trail feature being tampered with.” “………except that the audit trail feature of YYY software used by the company to maintain payroll records did not operate throughout the year…..” “…..except that no audit trail enabled at the database level for accounting software AAA (database SQL) and BBB (database db2) to log any direct data changes………”

Illustrative wordings for modified reporting Accounting software is maintained by third party and auditor is unable to assess whether audit trail feature can be disabled during the reporting period The audit trail has not been preserved by the company as per the statutory requirements for record retention. Migration from one software to the other happened during the year or higher version of software installed and auditor is unable to obtain sufficient and appropriate evidence “Based on our examination, the company, has used an accounting software ABC which is operated by a third party software service provider, for maintaining its books of account and in absence of (state the type of control report) we are unable to comment whether audit trail feature of the said software was enabled and operated throughout the year for all relevant transactions recorded in the software or whether there were any instances of the audit trail feature been tampered with.” “……….the audit trail has not been preserved by the company as per the statutory requirements for record retention” Note: This illustration is relevant from second year of reporting and onwards. The Company has migrated to name of the software] from [old software/manual] during the year and is in the process of establishing necessary controls and documentations regarding audit trail. Consequently, we are unable to comment on audit trail feature of the said software.

Special Consideration in case of Fraud Scenarios In scenarios where the occurrence of error or fraud cannot be established due to lack of audit trails, the auditor should evaluate the deficiency's severity by considering : Likelihood of Resulting in Material Misstatement: Assess the probability that the deficiency could lead to a significant error or fraud. Magnitude of the Outcome: Determine the potential impact of such a misstatement . This requires a risk assessment of material misstatements due to fraud, considering both qualitative and quantitative factors. Professional judgment is essential in determining whether the deficiency constitutes a significant deficiency or material weakness. This evaluation should align with reporting requirements under Rule 11(g), Section 143(12) of the Act, and Clause (x) of the Companies (Auditor’s Report) Order 2020.

Reporting under Rule 11(g) vis-à-vis Reporting under Section 143(3)(i) Under Section 143(3)(i) of the Act, auditors must report on the adequacy and operating effectiveness of a company's internal financial controls over financial statements. The ICAI's "Guidance Note on Audit of Internal Financial Controls Over Financial Reporting" mentions 'audit trail' as it relates to information processing systems. However, the Guidance Note does not specify detailed audit procedures for Rule 11(g) reporting . If the audit trail has not operated throughout the year, auditors should modify their comments under Rule 11(g) based on further testing. For instance, if management cannot rely on automated controls in accounting software, the report might state : Note that the absence of an audit trail does not necessarily indicate a failure or material weakness in internal financial controls over financial reporting.

Y ou G ave M e Y our T ime, T he M ost T houghtful G ift O f A ll Thank You! Presented By: CA. Akshat Baheti [email protected] +91 9407407399, 8839934009

CA. Assorted - Reporting on Audit Trail.pptx

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

CA. Assorted - Reporting on Audit Trail.pptx

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

8-top-ai-courses-for-customer-support-representatives-in-2025.pptx

7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx

25-essential-ai-courses-for-user-support-specialists-in-2025.pptx

8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx

Know for Certain

PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx