Audit logs, Accounting software and External Audit
Manoj Agarwal
Head Internal Audit| Head Enterprise Risk Management | Digital Automation | International Internal Audit Standard Board| Board Member | Blogger| Author | Coach | Mentor| Learner | Servant Leader
Ministry of corporate affairs have recently come out with two circulars which is going to change the face of accounting software in India.
First Circular requires
For the financial year commencing on or after 1-Apr-2021, every company that uses accounting software for maintaining books of accounts shall use only such accounting software:
- Which has a feature of recording audit trail of each transaction,
- Creating an edit log of each change made in books of account along with date when such changes were made and
- Ensuring that the audit trail cannot be disabled.
Second circular requires that:
For the financial year commencing on or after 1-Apr-2021, auditor of a company to report that:
- Whether the company had used such accounting software for maintaining its books of accounts which has a feature of recording audit trail (edit log) and
- The same has been operated through the year for all transactions recorded in the software and
- The audit trail has not been tampered with and
- Audit trail has been preserved by the company as per statutory requirements for record retention.
Challenges for companies:
1. Standard Software:
- Several companies use ERP such as SAP, Peoplesoft, Oracle Financials, etc.
- Generally, such software has audit log facility.
- However, you need to enable the audit logs specifically.
Action plan:
- Decide what fields and modules needs to have audit logs enabled.
- Ensure that audit logs are enabled on decided fields and modules.
- Restrict rights which can make changes (read delete) audit logs.
- Save audit logs on a non temperable device such as CD-ROM or using blockchain.
- Implement privileged identity management tools to capture all actions done by users who need to directly work with databases and users having rights to make changes to audit logs.
- Upgrade systems ensure that audit logs are stored and preserved. (Audit logs may require good amount of space)
- Involve internal audit where skillset exist to audit, processes surrounding audit logs.
2. Customised software:
- Several companies have also developed customised software for their operations reasons.
- Such customised software is either integrated with a separate accounting software or also enhanced to also act as an accounting software.
- Such software either do not have audit logs or audit logs are specifically created for master data changes.
- Since such software do not have any built-in facility, auditor will have a challenge to report that audit logs have not been tempered with.
Action plan:
- Evaluate whether accounting software can be enabled to generate audit logs comprising of user, date and time of change, old value, and new value.
- Decide what fields and modules needs to have audit logs enabled.
- Ensure that audit logs are enabled on decided fields and modules.
- Restrict rights which can make changes (read delete) audit logs.
- Save audit logs on a non temperable device such as CD-ROM or using blockchain.
- Implement privileged identity management tools to capture all actions done by users who need to directly work with databases and users having rights to make changes to audit logs.
- Upgrade systems ensure that audit logs are stored and preserved. (Audit logs may require good amount of space)
- Involve internal audit where skillset exist to audit, processes surrounding audit logs.
- Consult auditors to ensure that they are comfortable with process planned.
3. Software such as Tally:
- Many organisations use generally purpose accounting software such as Tally.
- Tally has inbuilt audit log facility.
- However, a person with superuser password can enable/ disable audit log.
- Not many people will be comfortable with only CA is having the password.
Action Plan:
- Discuss with Tally partner/ reseller on “how to enable the audit logs”.
- Allow auditor to have the password to view the audit logs.
- Upgrade systems ensure that audit logs are stored and preserved.
- Consult auditors to ensure that they are comfortable with process planned.
Challenges for Auditors:
- Auditors need to review the accounting software to understand whether the accounting software has the audit logs features.
- Where the features are there, auditor need to have some knowledge on
- How to verify that audit logs are enabled.
- How to verify that all the audit logs that need to be enabled, are enabled.
- How to verify that such audits logs cannot be tempered with
- How to verify that audits logs are maintained as required.
- A mere management representation may not be sufficient to discharge the responsibility.
- Many Auditor may not technical competence to verify the same.
- Even in systems where the audit logs are available, to verify that audit logs are enabled on all the fields where it need to be enabled, is a challenge.
- To ensure that such audit logs are not tempered with, will require specialist skills or dependency on management representation.
I believe with these changes, the state of external auditor as well as accounting software will undergo a sea change.
Auditors needs to upskill themselves thoroughly as a system auditor.
Reference:
https://www.mca.gov.in/Ministry/pdf/AccountsAmendmentRules_24032021.pdf
https://www.mca.gov.in/Ministry/pdf/AuditAuditorsAmendmentRules_24032021.pdf
https://www.dhirubhai.net/pulse/mca-stipulates-mandatory-audit-trail-accounting-software-seth/
https://www.dhirubhai.net/feed/update/urn:li:activity:6782502933935210497/
https://www.dhirubhai.net/pulse/changelogs-mandatory-raghu-boddu-cisa-cdpse/
https://www.dhirubhai.net/pulse/mandatory-use-software-audit-trail-each-transaction-step-prashar/
https://www.dhirubhai.net/pulse/mca-stipulates-mandatory-audit-trail-accounting-software-seth/?
Call for action:
To benefit the other readers, you can link similar article in the comments.
Inputs/ comments/ suggestion: I welcome inputs/ comments / suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the Article: If you like it, share it. If you share it with others, and they comment, we all will get more learned.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author ’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been a part of.)
Founder CEO at NABHA FINOPS SERVICES LLP CFO SERVICES/ Startup CFO/ Fund Raising/ M&A/ Outsourced Accounting & Tax Services/ Internal Audits/ IFC Implementation/ Management Consultants / Business Support Services
3 年Revolutionary and pathbreaking amendments aimed at stricter compliance & transparency. Probably a way forward towards AI.
Partner at Kirtane & Pandit LLP, Chartered Accountants | Internal Auditor by Passion | Forensic Auditor by Choice | Like to Connect with People | Open for Discussions | Speaker | Seasoned Mentor
3 年Very well articulated. Definitely helpful thoughts. Thanks for sharing.
CA 27Yrs | ISB Executive Alumnus | Curious | Critical-Analytical Thinker | Conversationalist | Finance Transformation | Empowering people with Digital | BPR | Oracle EBS | Oracle EPM | SAP S4Hana
3 年Thanks for listing out the steps. Indeed a good starting point. One important point to note is that in most ERPs and accounting software, enabling audit trail drops performance and slows down the application. Hence, the critical question is which tables do we enable audit trail on? I have 2 specific questions: 1 Can we not enable audit trail on requisitions and ordering transactions since they do not have a direct impact on accounting? 2 Most ERPs prohibit changes after accounting the transaction to the General Ledger. Audit trail captures changes in records from creation, most of which will be irrelevant to an auditor since it is before the transaction has been committed to the financial ledger. Can we track changes only after accounting and be compliant with the requirements of this Rule? Happy to hear your views.
Author of AVOIDABLE MISTAKES. Experienced guide to the MSME, For correct professional advice on your Finance and internal Audit set up MSME coach, business Planing and Strategic planning
3 年Manoj Agarwal it is learnt that the application of this circular has been postponed upto 1 April 2020.