The Ministry of Corporate Affairs vide notification dated March 24, 2021 issued the Companies (Audit and Auditors) Amendment Rules, 2021 which made various changes in Rule 11 of the Companies (Audit and Auditors) Rules, 2014. These changes include new Rule 11(g) which has prescribed a new reporting requirement for auditors.
The recently introduced Rule 11(g) casts specific responsibility on the auditor to report on whether the accounting software used by the company for maintaining its books of account has the feature of recording an audit trail. This is an onerous responsibility, because the scope of reporting under the rule is very wide. A plain reading of the rule requires the company to maintain an audit trail of every change made in the books of account. Since every transaction recorded in the accounting software, or in any related software that feeds it, results in a change to the books of account, every such transaction falls within the scope of the audit trail.
To comply with the requirements of Rule 11(g) the auditor is required to make a specific assertion in the audit report under the section 'Report on Other Legal and Regulatory Requirements'. What that assertion must cover is set out below.
In addition to commenting on whether the company is using accounting software which has a feature of recording an audit trail, the auditor is expected to verify the following aspects:
- whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)?
- whether the audit trail feature was enabled/operated throughout the year?
- whether all transactions recorded in the software are covered in the audit trail feature?
- whether the audit trail has been preserved as per statutory requirements for record retention?
AUDIT APPROACH
The auditor needs to:
- Identify the records and transactions which constitute "books of account" under Section 2(13) of the Act.
- Identify the software used for processing and storing data for the creation and maintenance of the books of account. This may include applications, web portals, interfaces, data warehouses, or any other IT components.
- Ensure that all the software identified in the previous step has an audit trail feature.
For example, a company may use Tally for maintenance of its accounting records, a different application to capture sales information, and yet another to process payroll, with a separate piece of software providing the interface between them. The auditor must ensure that every one of these has the audit trail feature, not only the general ledger application.
- Ensure that the audit trail captures changes to each and every transaction in the books of account. The information captured should include at least:
- when the change was made,
- who made the change,
- what data was changed (the value before and after).
- Ensure that the audit trail feature is "always" enabled.
- Ensure that the audit trail is appropriately protected from any modification.
- Ensure that the audit trail is retained as per the statutory requirements for record retention.
- Ensure that the controls over maintenance and monitoring of the audit trail and its feature are designed and operating effectively throughout the period of reporting.
CONTROLS TO BE CHECKED
The following internal controls are required to be checked in order to demonstrate that the audit trail feature was functional, operated and not disabled during the period:
- Controls to ensure that a user ID has been assigned to each individual and that user IDs have not been shared.
- Controls to ensure that changes to the configuration of the audit trail are authorized and that a log of such changes is maintained.
- Controls to ensure that periodic backups of the audit trail are regularly taken.
- Restricted access to the audit trail.
- Controls to ensure that the audit trail feature has not been disabled.
IMPORTANCE OF ACCESS CONTROL TO ENSURE COMPLIANCE OF AUDIT TRAIL
Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization. To ensure the above controls it is important that there should be a mechanism / infrastructure and procedure that limits the access to the networks, software, files, and other sensitive data.
A user ID must be assigned to each individual so that accountability exists for any change made in the application, software or other data access point. Only with access control in place can the person behind a change, and hence the reason for it, be ascertained.
The access controls could be:
- Discretionary Access Control (DAC): the owner of a resource decides who is authorized to access it and what kind of access they have.
- Mandatory Access Control (MAC): access rights are regulated by a central authority through system-wide policy that individual users cannot override. Often used in government or military organizations.
- Role-based Access Control (RBAC): permissions are attached to roles defined from business functions (executive level, managerial level, etc.) and users acquire permissions by being assigned roles. The role-based security model relies on a structure of role assignments, role authorizations and role permissions developed through role engineering to regulate employee access to systems.
- Rule-based Access Control (RuBAC): access is granted or denied according to predefined rules, for example that access is available only on certain days or at certain times.
For monitoring changes made to the audit trail, RBAC is the most useful model for the auditor, because it makes it possible to identify which roles (and hence which individuals) were authorized to alter the audit trail or its configuration. Where changes to the audit trail must be prohibited outright, centrally enforced access rights of the kind found in Mandatory Access Control can be checked.
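The requirements above (who, when and what is captured for every change; configuration changes authorized and themselves logged; the trail protected from modification; no undetected period with the trail disabled) can be illustrated with a small tamper-evident audit trail guarded by RBAC. The following is an added example written for this page, not code from the ICAI guide or from any accounting product. The role matrix, the user names and the journal-voucher identifiers are constructed for the illustration; the hash chaining is the common technique of including each entry's hash in the next entry so that editing or deleting an earlier entry breaks every later one.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical RBAC matrix (an assumption for this example, not from the ICAI guide).
# Only the IT administrator role may touch the audit-trail configuration; no role
# has a permission to edit or delete an existing trail entry.
ROLE_PERMISSIONS = {
    "accountant": {"amend_entry"},
    "it_admin": {"configure_trail"},
    "auditor": set(),  # read-only: verification needs no write permission
}
# Named individuals, never shared IDs, so every entry is attributable to one person.
USER_ROLES = {"asha": "accountant", "ravi": "it_admin", "meera": "auditor"}


def _require(user, permission):
    role = USER_ROLES.get(user)
    if role is None or permission not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionError(f"{user!r} (role {role}) lacks {permission!r}")


def entry_hash(entry):
    """SHA-256 over the entry's fields, excluding the hash field itself."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self, clock=None):
        self.entries = []
        self.enabled = True
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _append(self, user, action, record_id, old, new):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": self._clock(),   # when
            "user": user,                 # who
            "action": action,
            "record_id": record_id,       # what was changed ...
            "old_value": old,             # ... from
            "new_value": new,             # ... to
            "prev_hash": prev,            # chain link to the previous entry
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def record_change(self, user, record_id, old, new):
        _require(user, "amend_entry")
        if not self.enabled:
            # A change that would go unrecorded is refused rather than silently posted.
            raise RuntimeError("audit trail disabled: change would go unrecorded")
        return self._append(user, "amend_entry", record_id, old, new)

    def set_enabled(self, user, enabled):
        _require(user, "configure_trail")
        # The configuration change is written to the trail before it takes effect, so a
        # disabled period always leaves a visible marker for the auditor.
        self._append(user, "configure_trail", "audit_trail.enabled",
                     str(self.enabled), str(enabled))
        self.enabled = enabled


def verify(entries):
    """Auditor's check: recompute the hash chain and list every period the trail was off."""
    prev = AuditTrail.GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
            return {"chain_ok": False, "broken_at": i, "disabled_periods": []}
        prev = e["entry_hash"]
    periods, start = [], None
    for e in entries:
        if e["action"] == "configure_trail" and e["record_id"] == "audit_trail.enabled":
            if e["new_value"] == "False" and start is None:
                start = e["timestamp"]
            elif e["new_value"] == "True" and start is not None:
                periods.append((start, e["timestamp"]))
                start = None
    if start is not None:
        periods.append((start, None))  # still disabled at the end of the period examined
    return {"chain_ok": True, "broken_at": None, "disabled_periods": periods}


def build_sample_trail():
    """Constructed scenario: one posting, an authorized disable/enable, one more posting."""
    ticks = iter(f"2023-04-{d:02d}T10:00:00+00:00" for d in range(1, 32))  # constructed clock
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.record_change("asha", "JV-1001/amount", "15000", "18000")
    trail.set_enabled("ravi", False)
    try:
        trail.record_change("asha", "JV-1002/amount", "500", "900")
    except RuntimeError:
        pass  # refused while the trail was disabled; nothing is posted
    trail.set_enabled("ravi", True)
    trail.record_change("asha", "JV-1002/amount", "500", "900")
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print(json.dumps(verify(t.entries), indent=2))
```

Running the block shows an intact chain and one disabled period (2 April to 3 April in the constructed timestamps), which is exactly the gap the auditor would have to investigate. Changing any field of an earlier entry makes `verify` report the sequence number at which the chain breaks. The chain alone does not stop someone with write access to the trail store from rewriting every entry and recomputing all the hashes; for that the latest `entry_hash` should be periodically copied to a location the accounting system cannot write (an auditor's own file, a backup in a different account), which also supports the backup and restricted-access controls listed above.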
Challenges the auditor may face while monitoring access controls and changes made to the audit trail include:
- Sharing of passwords, or the same password remaining in use for a long period.
- In cloud-based environments, access controls that are dynamic and hybrid (spread across on-premises and cloud identity systems), which makes it harder to establish who had access at a given time.
- If the access management technology is difficult to use, employees tend to use it incorrectly or circumvent it.
Source: Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 issued by ICAI