Table of Contents
I. Introduction
An audit trail is the thread of truth behind what appears on the surface. Financial statements may be a year-end output, but the trust they carry depends on the integrity of every entry that went into them. This is why the audit trail has moved from good practice into a statutory requirement. We are now in the third reporting cycle of providing views and comments on the audit trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014. This regulation requires an assertion on audit trail compliance of transactions recorded in accounting software which is used for maintaining books of accounts. In this blog, let’s explore what it really covers and what the audit trail provisions really demand from auditors.
II. The Understanding and Relevance
Audit trail is a control over the integrity of the books of accounts. The proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014 requires every company, for financial years commencing on or after 1 April 2023, to have the appropriate audit trail feature in accounting software that they use to maintain their books of account. Section 143(3)(j) read with Rule 11(g) correspondingly requires the auditor to comment on whether sufficient audit trail features existed, operated throughout the year for all transactions, were not tampered with, and have been preserved for record retention.
Hence, the audit trail is no longer just an internal control matter left at management’s discretion. What was earlier viewed as a simple general IT control now sits within the statutory framework of compliance and reporting.
III. The Practical Guide for Audit Professionals

A. Scope it Right
The audit trail requirement applies to “books of account” as defined under Section 2(13) of the Companies Act, 2013, which are records of all sums of money received and expended, all sales and purchases of goods and services, the assets and liabilities of the company, and the items of cost where Section 148 applies. It does not extend to records maintained outside accounting software, such as registers, minutes, or working calculations in spreadsheets whose outputs are later fed into the accounting software.
Hence, the audit engagement team should list every system in which books of account are maintained. This goes beyond the main accounting software (GL), to payroll, fixed assets, and any sub-ledgers or billing systems that feed into it. For example, sales invoices may be raised in a separate billing application, with their totals posting into the main accounting software. The accounting software may carry a proper audit trail while the billing application does not. Since these invoices form records that constitute books of account, the audit trail requirement applies to that application too, and not just to the main accounting software.
B. Cover the 4 limbs of Rule 11(g)
1. Existence of the feature: Confirm if the software actually has an audit trail facility and that it is operating. There is a possibility that the feature exists as an optional add-on rather than a default, so its presence cannot be assumed, but needs to be validated.
2. Operated throughout the year: The audit trail must have operated for the whole year and captured all transactions. A brief period when it was disabled, or a class of entries it failed to record, is enough to make this limb fail.
3. Not tampered with: The trail must be intact, with no entries altered or deleted after they were logged. The real risk sits at the database level, since anyone with direct database access can change records without the application trail capturing it. The auditor should obtain sufficient appropriate audit evidence that database access is restricted, logged, and reviewed. Without this, a clean application trail is not enough to conclude that the records were not tampered with.
4. Preserved: It is a statutory requirement that the trail must be retained for minimum of eight financial years (As per Section 128 of the Companies Act 2013). Hence, there needs to be a confirmation that the prior-period data is actually retrievable, backups cover the trail as well, along with the underlying transactions.
C. Bringing in experts and relying on service organisations
For complex ERP environments, the engagement team’s own technical depth may not be enough. In such cases, SA 620 allows an IT expert from outside the team to assist, typically on database-level access and segregation of duties, to confirm whether the trail captures system-generated entries. However, the conclusion remains the responsibility of the audit engagement team regardless of the expert’s involvement.
Where accounting is outsourced, the audit trail obligation does not go away. The service provider’s software must itself carry an audit trail. Under SA 402, the auditor can rely on an independent controls report on the service organisation, such as a SAE 3402 (Type 2) or SOC 1 (Type 2) report covering the trail and the audit period. Where no such report exists, the auditor must obtain evidence directly or through another auditor. If none of these is available, it may call for modified comments under Rule 11(g).
D. Reporting and Materiality Considerations
Rule 11(g) comment need not stand alone. As the audit trail is now part of what the law requires for keeping books, a serious failure can also impact the auditor’s opinion under Section 143(3)(b) on whether proper books of account have been kept. Further, where internal financial controls reporting applies, the impact may spread to the report on IFC as well. However, whether it carries across or not is a matter of judgment on the significance of the lapse.
On the other side, for views and comments under Rule 11(g), the concept of materiality does not work the way it usually does. The requirement here is factual – either the audit trail operated for the whole year across all transactions, or not. Even a short period of disablement, on a single ledger, is reportable. Hence, it is important to understand that the test here is completeness, not volume or severity.
IV. Conclusion
Ultimately, the audit trail is what allows the books being signed off to be trusted as the books that were actually kept. For audit professionals, it is not just a checklist item. It is a substantive exercise over the IT environment. Hence, it is critical to build the documentation around the four limbs, get the clarity on scope, and be equipped with readiness to push back when the audit file just rests on management representation alone.
Beyond Rule 11(g), which is confined to companies, the thinking does not stop there. LLPs, firms and other non-corporate entities run on the same accounting software, and their auditors sign off on numbers drawn from the same systems. The integrity concern does not vanish simply because the entity sits under a different statute. Hence, for these entities as well, an audit trail constitutes a sound governance practice, and should still be considered by auditors even where the law does not demand it. Statutory or not, the audit trail deserves attention.
Contributors
CA N Srilatha Bhat – LinkedIn
Poonam Vernekar – LinkedIn