1) What is this compliance requirement for India?
A) Section 143(3) of the Companies Act, 2013 provides various matters on which auditors are required to report in their auditor’s report. Clause (j) of Section 143(3) states that the auditor’s report shall also state such other matters as may be prescribed. Rule 11 of the Companies (Audit and Auditors) Rules, 2014 specifies such other matters that are to be reported by the auditor.
B) The Ministry of Corporate Affairs (MCA) vide its notification No. GSR 206(E) dated March 24, 2021 has issued the “Companies (Audit and Auditors) Amendment Rules, 2021” read with sub-section 3 of Section 143 of the Companies Act, 2013 (hereinafter referred to as “the Act”) introducing new Rule 11(e), new Rule 11(f) and new Rule 11(g) and deleting Rule 11(d). Rule 11(g) is reproduced below: “Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.”
C) Globally, no similar reporting obligation exists for the auditors and accordingly there is no international guidance available on the subject. In March 2023, the Auditing and Assurance Standards Board (AASB) of ICAI issued the “Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” (“The Implementation Guide”) to provide guidance to the members on this new reporting requirement. This implementation guide discusses the database audit trail, as detailed below:
Audit Approach: As part of the audit approach, the auditor would need to ensure that the management assumes the primary responsibility to:
a) Identify the records and transactions that constitute books of account under section 2(13) of the Act;
b) Identify the applications and software, i.e., the IT environment including web-portals, databases, interfaces, data warehouses, data lakes, cloud infrastructure, or any other IT component used for processing and/or storing data for creation and maintenance of books of account;
c) Ensure such software has the audit trail feature;
d) Ensure that the audit trail captures changes to each and every transaction of books of account; information that needs to be captured may include the following:
# when changes were made,
# who made those changes,
# what data was changed;
e) Ensure that the audit trail feature is always enabled (not disabled);
f) Ensure that the audit trail is enabled at the database level (if applicable) for logging any direct data changes;
g) Ensure that the audit trail is appropriately protected from any modification.
As per this new compliance requirement, auditors would need to ensure that company management assumes primary responsibility to ensure that the audit trail is enabled at the database level for logging any direct data changes.
2) Impact of non-compliance with the MCA/ICAI guideline
a) Globally, no similar reporting obligation exists for the auditors and accordingly there is no international guidance available on the subject. Therefore, auditors will rely on ICAI guidelines to assess compliance.
b) Customers’ company audit reports are being qualified when the underlying reason stems from a perceived gap in Microsoft's SOC report / documentation concerning ICAI guideline requirements.
3) Request to product team: Inclusion of a Database Audit Trail capability in Dynamics 365 Finance and Operations. This feature should enable logging of any direct / indirect data changes made at the database level, ensuring enhanced security, compliance, and traceability.
