Presentation On

Requirement Of
Audit Trail

CA Mitesh Lotia - Internal Auditor 1

 INDEX

CA Mitesh Lotia - Internal Auditor 2

What is Audit Trail

• In simple term, Audit Trail means a system that traces detailed transactions relating
to any item in an accounting record.

• It is basic records of financial transaction, listed in order, step-by-step and serves as

proof of transactions history, right from its recording to tracking all changes that
takes place.

• It is secure computer generated time-stamped electronic record that allows

reconstruction of course of events relating to creation, modification, cancellation
and deletion of electronic records

• More than a historical record, audit trails can show proof of compliance and
operational integrity

• If any software / system forms part of accounting system than its audit trail should
be maintained
CA Mitesh Lotia - Internal Auditor 3
Statutory Requirement

• In Pharmaceutical industry, all pharma entities of control systems are required to

produce an audit trail to comply with FDA, 21 CFR Part 11, EU Annex 11, and data
integrity requirements, in non-editable format.

• Proviso to Rule 3 (1) of Companies (Accounts) Rules, 2014, for the financial year
beginning on or after 01-Apr-23, every company that uses accounting software to
maintain its books of account shall use only Accounting Software that has a feature
of recording an:-

 Audit Trail of each and every transaction,

 Creating an edit log of each change made in books of account along with the
date when such changes were made.

 Ensuring that the audit trail cannot be disabled

Audit Trail is interchangeably known as a Edit Log

CA Mitesh Lotia - Internal Auditor 4

Statutory Requirement

• Clause (g) of Rule 11 of Companies (Audit and Auditors) Rules, 2014 read with sub-
section 3 of Section 143 of the Companies Act, 2013, requires auditors’ report to
state whether company, has used such accounting software for maintaining its
books of accounts:

 Having feature of recording audit trail (edit log) facility

 To operated throughout the year for all transactions recorded in the software

 the audit trail feature has not been tampered with

 It is preserved by the company as per the statutory requirements (8 years)

• Only companies under companies act has this compulsion. LLP, partnerships,
Societies, trusts, are out of this requirements

CA Mitesh Lotia - Internal Auditor 5

Purpose of Audit Trail

• It provide transparency and accountability in the financial and operational activities

• It acts as record keeper that document evidence of events procedures or operations

to reduce fraud, material errors and unauthorized use.

• It can be used to identify and prevent fraudulent activity, as it provides a record of

all changes made to financial data. Thus enhances internal control and data
security & ensure the accuracy, integrity and security of financial data.

• An auditor can trace financial data of a particular transaction right from general
ledger to its source document with the help of the audit trail.

• In addition, it can help organizations meet regulatory and compliance requirements

related to financial reporting.

• It helps maintain individual accountability

CA Mitesh Lotia - Internal Auditor 6

Challenges in Implementing Audit Trail

• If existing software does not support audit trail then its newer versions or new
software application need to be installed

• Every software integrated with accounting software to have audit trail and edit log
feature

• Large store is required as every transaction & its version has to stored

• Both front-end entry and automatic transaction should be available in audit log

• Security and confidentiality of the audit trail data is crucial to prevent unauthorized
access to the data

• Each entry must have a timestamp using a controlled clock system that cannot be
changed.

• Systems should not allow to disabled Audit Trail after an initial system configuration.

CA Mitesh Lotia - Internal Auditor 7

Major Contents of Audit Trail

• Date, time stamped, user name who performs registration, modification, or

cancellation and entity in which the changes are made, with its old and new data.

• What user, system, or application launched the event / entered transaction i.e. IP
address and device type and Link to the record (Transaction Id, Record Id, etc)

• Affected field of the entity and type of action performed: registration, cancellation or
modification. System should not allow to delete and overwrite the voucher.

• The reason why the change has been made. Drop-down list.

• Data should be reviewed in the format in which they are collected, should not be
modified or deleted and must be retained in must suitable read-only credentials

• Minimum requirement:- Initial entry; who performed action & when; Updated entry;
who updated/edited entry & when; reason

CA Mitesh Lotia - Internal Auditor 8

Responsibility – Management & Auditor

Management Responsibility

• Management to ensure the following :-

 Every accounting software & other software linked with accounting software, for
maintaining its books of accounts, should have Audit Trail feature.
 Ensure system creates log for each and every transaction
 Ensure Audit trail is not disabled

• Software may be hosted and maintained in India or outside India or may be on

premises or on cloud or subscribed to as Software as a Service (SaaS) application .
The above steps will need to be performed by the Management with appropriate
reporting to those charged with governance

CA Mitesh Lotia - Internal Auditor 9

Responsibility – Management & Auditor

Auditor Responsibility:-

• To comment on whether accounting software has a feature of recording audit trail of

each and every transaction.

• Auditor would be expected to verify the following:-

 Trail feature is configurable & can it be disabled
 This feature was enabled / available throughout the year
 All transactions recorded in software are covered in audit trail
 It has facility to preserved as per record retention requirements
 Whether the audit trails have been tampered with

CA Mitesh Lotia - Internal Auditor 10

Advantages & Disadvantages of Audit Trail

Advantages (Pros)

• Encourages user accountability and compliance

• Helps maintain a well-functioning economy

• Protects against fraud

• Improves security

Disadvantages (Cons)

• Costliness in terms of time and money

• Can slow business operations

• Requirements may be too rigid

CA Mitesh Lotia - Internal Auditor 11

Audit Approach & Review Steps

1. Identify the records and transactions that constitute books of account

2. Note down IT environment (any software, hardware and third party support) used
for processing, storing and maintaining books of accounts
3. Check Audit Trail is enabled throughout year, for all software from database level,
without being deactivated / disabled
4. Ensure Audit Trail captures all transaction created, modified, cancelled & deleted
5. Any changes in features are authorized and its log is maintained
6. Access to Audit Trail download should be restricted. Log should show events &
person name who accessed Audit Trail
7. Its back-up should be taken and stored separately for future reference / recovery
8. SOP for Audit Trail access, maintenance, retrieval, etc,. should be documents,
approved by management and in line with requirement of Act
9. Where-ever possible, IT expert / specialist involvement should be considered

CA Mitesh Lotia - Internal Auditor 12

Audit Approach & Review Steps
10. Check user instrument & system access, with their as well as other user password
11. Ensure SOP for Audit Trail contain minimum following points
i. System Set-up and installation
ii. Data Collection and handling
iii. System maintenance
iv. Data back-up, recovery and contingency plan
v. Security and
vi. Change Control
vii.Periodic review mechanism
10. Ensure administrative access is given to authorized person
11. Verify list of changes in Audit Trail configuration made during the period
12. Evaluate management approach in identification of accounting software
considered for the purpose of maintenance of Audit Trail
13. Management should document their evaluation of changes required for
maintenance of Audit Trail or any upgrades in accounting software
14. Document testing performed by auditor & management to check completeness
and accuracy of Audit Trail

CA Mitesh Lotia - Internal Auditor 13

Audit Approach & Review Steps

15. If accounting software is supported by service provider in such case Independent

auditors report can be considered, specifically covering maintenance of Audit Trail
in line with requirement of the Act
16. Auditor should review controls such as restricting access to the administrators and
monitoring changes to configurations that may impact the audit trail
17. Review testing performed by management is as per the policy / SOP
18. List of person who have accessed audit trail are authorized person as on that date
19. List of changes made in audit trail configuration, if any, along with approvals
20. Periodic review mechanism implemented and is in operation
21. Review testing performed by management to assess completeness and accuracy
of the audit trail

CA Mitesh Lotia - Internal Auditor 14

Checklist Format (Sample)

CA Mitesh Lotia - Internal Auditor 15

CA Mitesh Lotia - Internal Auditor 16