1) What is this compliance requirement for India?
a) Section 143(3) of the Companies Act, 2013 provides various matters on which auditors are required to report in their auditor’s report. Clause (j) of Section 143(3) states that auditor’s report shall also state such other matters as may be prescribed. Rule 11 of the Companies (Audit and Auditors) Rules, 2014 specifies such other matters that are to be reported by the auditor.
b) The Ministry of Corporate Affairs (MCA) vide its notification No. GSR 206(E) dated March 24, 2021 has issued the “Companies (Audit and Auditors) Amendment Rules, 2021” read with sub-section 3 of Section 143 of the Companies Act, 2013 (hereinafter referred as “the Act”) introducing new Rule 11(e), new Rule 11(f) and new Rule 11(g) and deleting Rule 11(d). Rule 11(g) is reproduced below: “Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention.”
c) Globally, no similar reporting obligation exists for the auditors and accordingly there is no international guidance available on the subject. In March 2023,Auditing and Assurance Standards Board (AASB) of ICAI issued the “Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” (“The Implementation Guide”) to provide guidance to the members on this new reporting requirement.This implementation guide talks about database audit trail as under
As per this new compliance requirement auditors would need to ensure that company management assumes primary responsibility to ensure that audit trail is enabled at the database level for logging any direct data changes
2) Impact of this Non-compliance with MCA/ICAI guideline
a) Globally, no similar reporting obligation exists for the auditors and accordingly there is no international guidance available on the subject. Therefore, auditors will rely on ICAI guidelines to assess compliance.
b) Customer’s Company audit reports are being qualified when the underlying reason stems from a perceived gap in Microsoft's SOC report / documentation concerning ICAI guideline requirements.
3) Request to product team: Inclusion of a Database Audit Trail capability in Dynamics 365 Finance and Operations. This feature should enable logging of any direct / indirect data changes made at the database level, ensuring enhanced security, compliance, and traceability.