A trail where Corporate India needs to focus

Published On - Apr 24, 2023


The Ministry of Corporate Affairs (“MCA”), in its attempt to improve transparency of financial reporting, has amended the Companies (Accounts) Rules, 2014. So, what was this notification, and why did it stir up so much concern? The notification requires companies which maintain their books of account using accounting software to use software that has a feature of recording an audit trail of each and every transaction, that creates an edit log of every change made in the books of account along with the date when the changes were made, and that ensures the audit trail cannot be disabled. The difficulty of implementing this five-line notification can be gauged from the fact that its original applicability date, which was 1 April 2021, has been postponed twice, first to 1 April 2022 and then to 1 April 2023. Whilst this seems to have been drafted from a very simplistic perspective and expectation, the ramifications percolate through many aspects, which may require immediate consideration and are covered below.

Before we get to these aspects, let us understand what an audit trail is. An audit trail has not been defined but can be colloquially understood to be a chronological sequence of the history of a particular transaction, tracking who created or changed a record, which record, at what time, etc. Audit trails, amongst other things, may help in investigating frauds, system breaches, etc., and hence are essential tools of monitoring and surveillance for organizations.

What has changed? – Do organizations currently maintain audit trails?

Maintaining audit trails is an integral part of any complex IT system like SAP, Oracle, etc. It exists even today, and organizations use it because it is mission critical for certain applications. For example, a bill of material application or a payroll application may have detailed audit trails due to the criticality of the applications. Sometimes, certain regulators may require an audit trail to be maintained, e.g., the Good Manufacturing Practices (GMP) requirements applicable overseas in the Pharma sector need an audit trail for certain data. The change vide this notification is that each and every company, irrespective of size and complexity, would need an audit trail to be maintained. For instance, consider a company that has one building with five lessees where five invoices get generated every month, or another company which has a transmission contract in which the amount to be billed for the next 20 years is mentioned in the contract. Such companies currently may invest in simple book-keeping software, whose only purpose is to keep an electronic record of transactions. Their IT systems can differ from those of, for example, a large automobile company which has a complex system of products, vendors, labor contractors, taxes, etc. So, the change is that companies, which earlier had a choice of deciding what type of IT systems to use depending on their needs and also a choice on deciding the type of data for which they needed an audit trail, now have limited choices.

Books of account — what is the breadth of coverage?

Section 2(13) of the Companies Act, 2013 defines books of account. It is a very broad definition which encompasses every record maintained in respect of financial statements. So, inventory records, production records, book to physical adjustments etc., would be part of books of account and would need to be covered and for which audit trail would need to be maintained. Companies do not find it relevant to maintain an audit trail on each and every item of the financial statements and its supporting processes, the reason being that it is expensive to store the trail records. Further, such audit trails need to be monitored, else they may not have any value. If mission critical aspects of a business are looked at in the same lens as non-mission critical, the costs of monitoring would go up significantly and the effectiveness could reduce.

What does an accounting software cover?

The term accounting software means software used for maintenance of books of account. With the definition of books of account being so broad, each and every software used will get covered. The notification seems to assume that every aspect of the business is run on one software, which is far from true. Companies use multiple software within the entire business chain which have interfaces with the main accounting system and the robustness of these software varies depending on business needs, costs, etc. For instance, the company may feel that its Fixed Asset Register needs to be maintained on MS Excel Spreadsheets considering its size of operations/nature of business. Requiring every software used in business to have features as is expected by the notification would mean significant effort to make these systems ready, only to comply with the requirements of the notification.

Software of companies operating as part of international chains

There would be many companies which operate as part of international chains. For e.g., a company in the business of hotels run by an international chain generally uses robust software created for room revenues, food, and beverage etc., which are tested centrally. Local companies which own the hotels may not be permitted to make any changes to these software and the extent of data visibility at the backend in terms of trails etc., may be visible only centrally at the Parent level of these operating international chains. It may be extremely difficult for local companies to get access to such data.

Ability of companies to invest in such software systems and cost of maintaining audit trail

All businesses are not set up with the best-in-class IT systems. It is only when an organization matures that it finds the ability to invest in good IT systems. Also, the cost of these IT systems does not involve only one time cost. They also include expensive upgrades, IT hardware, security systems, among others.

For example, expecting a startup or a company deep in losses to continue to invest in IT systems may not be a fair expectation since such companies are thin on financial resources. Also, the audit trail and its storage would have a cost associated with them, which means the larger the number of items and fields for which trails are to be maintained, the higher the cost of storage.

The reason for this notification and its background is not available in the public domain. So, there may definitely be some genuine concerns which regulators may have faced during their regulatory inspections which have driven these changes. But the issues highlighted above indicate that implementing this notification in its current form would result in significant hardships for corporates. Hence, this notification would require significant clarity regarding possible situations and expectation of regulators for foreseeable situations.

At a broad level, MCA may consider clarifying some of the following aspects listed below:

  • Summary of the expectations with respect to audit trails, especially with respect to assessing their effectiveness in achieving the desired goals.
  • Interplay with the internal controls with reference to financial statements e.g., considering certain regulations like Sarbanes Oxley in the US, which provide generic requirements on audit trail.
  • Practical expedients for certain non-complex entities which are small in size, having transactions within the group.
  • The aspects/fields of accounting software which should have an audit trail.
  • The guidance may include a summary of the expectations with respect to audit trails especially with respect to assessing their effectiveness in achieving the goals as required by MCA.
  • The statutory auditors are required to specifically report on audit trail. Specific reporting considerations of the auditors may be clarified.

What are the next steps for companies and auditors:

  • Take an inventory of software in use by the company during the year.
  • Identify the processes which are relevant from a financial statement perspective.
  • Identify critical elements in each of the processes for which IT logs changes/ trail may be required.
  • Discuss the data requirement with the software vendors and the possibility and cost of generating and maintaining data.
  • Discuss the approach for compliance with the MCA requirements with the Board/Audit Committee and the auditors.
  • Identify areas/processes/elements in the processes for which trail is not possible/not feasible etc.
  • Assess reporting implications, both in the financial statements and in the auditor’s report.
