
Responsibility for audit trail

Responsibility for the maintenance and preservation of the audit trail in an Indian company rests with the board of directors, managing director and CFO, supported by internal and statutory auditors. Under the Companies (Accounts) Rules, 2014 and Section 128 of the Companies Act, 2013, every company that keeps its books in accounting software must use software with the audit trail enabled throughout the year, preserve the books and the trail for at least eight financial years, and be able to show its statutory auditor that the trail operated untampered during FY 2026-27.

Mayank Wadhera
Published: 9 Apr 2023
Updated: 23 May 2026
15 min read

Understand who is responsible for maintaining and preserving the audit trail under the Companies Act and CARO 2020, and the 2026 compliance expectations.

Responsibility for Audit Trail Under the Companies Act and CARO 2020

Since 1 April 2023, every company that keeps its books in accounting software has been legally required to maintain an audit trail: an edit log that captures every transaction, edit and deletion with a date-stamp and user ID. In FY 2026-27 this is baseline compliance. Under the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, primary responsibility rests with the company: strategically with the Board, operationally with the MD and CFO, and day-to-day with the finance and IT teams. Statutory auditors report on compliance (Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, reported alongside CARO 2020) but do not carry maintenance responsibility. An inoperative or tampered audit trail now triggers an adverse auditor's report, Internal Financial Controls (IFC) deficiencies and Section 128(6) penalties, which makes this a board-level risk rather than a software setting.


What Rule 3(1) of the Companies (Accounts) Rules, 2014 Actually Requires

The substantive obligation flows from the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, inserted by the Companies (Accounts) Amendment Rules, 2021 and effective from 1 April 2023 after two successive deferrals. Every company that uses accounting software to maintain its books of account must ensure the software records an audit trail (also called an edit log) for every transaction and that the feature cannot be disabled. In practice this means the log captures:

  • The original entry, with date and user ID
  • Every edit to that entry, with the new and old values, date-stamp and user ID
  • Every deletion or attempted deletion, with date-stamp and user ID
  • System-level changes affecting transaction records: chart of accounts changes, financial year settings, user access modifications

Three words in the rule carry the most weight: throughout the year. The audit trail feature must be active from 1 April to 31 March, without exception. If a system administrator disables it, even temporarily and even for legitimate server maintenance, the company is in breach for that period.

The rule applies to all companies using accounting software: private limited companies, public limited companies, One Person Companies (OPCs) and Section 8 companies. Micro, Small and Medium Enterprise (MSME) status confers no exemption here. If the company uses software to record transactions, the rule applies.


Who Owns Each Piece of the Obligation

Audit trail compliance has five distinct accountability layers. Confusion between them is the single biggest reason companies are caught off-guard during audits.

Board of Directors

The Board's obligation is strategic and declaratory. Under Section 134(5) of the Companies Act, 2013, Directors signing the Directors' Responsibility Statement confirm that they have laid down internal financial controls and that such controls are adequate and operating effectively. An inoperative audit trail directly contradicts this statement. The Board must:

  • Approve the choice of accounting software and verify that its audit trail feature meets Rule 3(1) and cannot be switched off by ordinary users
  • Pass a Board resolution adopting an Audit Trail Policy (see the documentation section below)
  • Receive a periodic compliance certificate from management; quarterly is best practice in FY 2026-27
  • Ensure the Audit Trail Policy is reviewed at each Annual General Meeting (AGM) cycle

Managing Director and CFO

The MD and CFO carry operational responsibility under Section 128(6). If the company defaults on maintaining books of account, which include the audit trail, the MD, the whole-time director in charge of finance, the CFO and any person specifically charged by the Board are the persons held liable. This is the provision under which the MCA issues show-cause notices.

Practically, the CFO must:

  • Obtain written confirmation from the software vendor that the version in use is compliant with Rule 3(1); ask for this by email and save it to the compliance file
  • Ensure user access rights are designed so that no single individual can disable the audit trail; any such change should require a second approver and raise an alert to finance
  • Include audit trail status as a line item in the quarterly Management Representation on IFC

Internal Auditors

Internal auditors are not responsible for maintaining the audit trail, but they are expected to verify it periodically. Best practice in FY 2026-27 is to include an audit trail testing module in every quarter's internal audit scope. The internal auditor should:

  • Pull a random sample of 50–100 transactions and verify the audit trail entries against source documents
  • Check whether any entries are missing, truncated or attributed to a generic "admin" user rather than a named individual
  • Confirm that audit trail timestamps are consistent with system server logs
  • Issue a written management report specifically on audit trail integrity; this report is evidence for the statutory auditor and reduces audit time at year-end

Statutory Auditors

Under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, reported in the auditor's report alongside the CARO 2020 (Companies (Auditor's Report) Order, 2020) annexure, the statutory auditor must state whether:

  1. The company used accounting software with an audit trail feature throughout the year
  2. The audit trail was not disabled at any point during the year
  3. The audit trail feature has not been tampered with
  4. The audit trail has been preserved in accordance with statutory record retention requirements

If any of these four conditions is unmet, the auditor must say so in the report, as a qualification or an emphasis of matter depending on severity. The auditor is not liable for the company's failure to maintain the audit trail, but signing off without reporting the failure may amount to professional misconduct under the ICAI (Institute of Chartered Accountants of India) Code of Ethics.

IT and Finance Teams

Day-to-day ownership sits here. The IT team controls system access, database backups and log retention. The finance team controls transaction posting practices. Together, they must:

  • Configure role-based access so that journal entry rights and audit trail administration rights are held by different individuals
  • Maintain an access log showing every person with system administrator credentials
  • Run and archive monthly exports of the audit trail in a read-only, tamper-evident format
  • Flag unusual edit patterns, such as a spike in backdated entries near 31 March, for management review

What CARO 2020 Expects Your Auditor to Report

CARO 2020 reporting on audit trail has become the sharpest enforcement edge of this obligation. When the auditor qualifies the CARO 2020 report on audit trail grounds, the consequences cascade well beyond the audit room.

Banks and NBFCs (Non-Banking Financial Companies) reviewing annual accounts for credit renewals typically require a clean auditor's report. A qualification on audit trail grounds can mean enhanced scrutiny, lower credit limits and, in some cases, covenant breach notices from lenders.

Investors and PE funds conducting due diligence treat a CARO audit trail qualification as a governance red flag, because it raises a legitimate question: if a period's transactions cannot be independently verified, what else in the books is unverifiable?

MCA V3 portal visibility: Auditor's reports filed with annual returns are publicly accessible on the MCA V3 portal. A CARO qualification is readable by any lender, competitor, regulator or investor who looks up the company.

In FY 2026-27, auditors are applying a materially more rigorous approach to CARO audit trail testing than in the first year of applicability. Expect your statutory auditor to request: a vendor certificate confirming feature compliance for the specific software version; a full-year population export of audit trail logs; and a reconciliation confirming that total transaction counts in the audit log match the general ledger.


The 8-Year Preservation Clock: Section 128(5) in Practice

Under Section 128(5) of the Companies Act, 2013, books of account and supporting vouchers must be preserved for not less than eight financial years from the end of the relevant financial year. The audit trail is part of the books; it is not a separate system log that can be purged on an IT-managed 90-day cycle.

What this means in FY 2026-27: books of account from FY 2018-19 onward must still be accessible, and audit trail logs must be kept from FY 2023-24, the first year the requirement applied, for the same eight-year period (the FY 2023-24 trail until 31 March 2032). If your company migrated accounting software, say from a legacy on-premise system to a cloud ERP, the archived audit trail from the old system must also be preserved in a readable format, not merely sitting on a backup tape no one can open.

Two scenarios extend the retention obligation beyond eight years:

  1. Pending investigation: If the company is under scrutiny by the MCA, SFIO (Serious Fraud Investigation Office), Income Tax Department or any regulatory authority, the audit trail must be preserved until the investigation is formally closed, regardless of how long that takes.
  2. Pending litigation: Where audit trail entries are relevant to any commercial dispute, the obligation extends for the duration of the litigation and any appeal.

Format requirements in FY 2026-27: The MCA's expectation, reinforced through its FAQs and inspection practices, is that preserved audit trails must be in a format that allows independent verification. Acceptable formats include immutable database logs where the engine itself prevents retrospective alteration, digitally signed period-end exports (with a SHA-256 hash or equivalent recorded at the time of export), and indexed archives stored in a write-once, read-many (WORM) environment. A folder of CSV files on a shared drive does not meet this standard and will not satisfy a forensic auditor or SFIO inspector.
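The following is an added example, not code from the article or from any accounting vendor, of the hashing discipline described above: each monthly export is digested with SHA-256 and the digests are chained into a manifest, so that a later edit, replacement or deletion of any archived export (or of the manifest itself) is detectable. The manifest layout, the period labels and SAMPLE_EXPORTS are constructed for illustration; in practice the bytes would be the raw export files.

```python
"""Hash-chained manifest for monthly audit trail exports.

Added example; not code from the original article or any accounting
vendor. Assumes the accounting system can dump the audit log for a
period as a file; the manifest format, period labels and SAMPLE_EXPORTS
are constructed for illustration.
"""
import hashlib
import json

# Constructed stand-ins for three monthly exports (in practice: the raw file bytes).
SAMPLE_EXPORTS = {
    "2026-04": b"event_ts,user,action,voucher\n2026-04-02T10:15:00,priya.k,create,JV-1001\n",
    "2026-05": b"event_ts,user,action,voucher\n2026-05-07T10:00:00,priya.k,create,JV-1005\n",
    "2026-06": b"event_ts,user,action,voucher\n2026-06-24T09:00:00,ravi.m,create,JV-1006\n",
}
GENESIS = "0" * 64  # previous-hash value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def link_hash(period, export_sha256, prev_entry_hash):
    """Digest of one manifest entry. It covers the previous entry's digest,
    so entries form a chain and cannot be silently reordered or replaced."""
    return sha256_hex(f"{period}|{export_sha256}|{prev_entry_hash}".encode())


def append_month(manifest, period, export: bytes):
    """Record one period's export at the end of the chain."""
    prev = manifest[-1]["entry_hash"] if manifest else GENESIS
    export_hash = sha256_hex(export)
    entry = {"period": period, "export_sha256": export_hash,
             "prev_entry_hash": prev, "entry_hash": link_hash(period, export_hash, prev)}
    manifest.append(entry)
    return entry


def build_manifest(exports):
    manifest = []
    for period in sorted(exports):
        append_month(manifest, period, exports[period])
    return manifest


def chain_head(manifest):
    """The one value to record outside the accounting system (board minutes,
    e-mail to the statutory auditor): whoever holds it can later detect a
    manifest that was rewritten end to end."""
    return manifest[-1]["entry_hash"] if manifest else GENESIS


def verify_archive(manifest, archive):
    """Recompute every export digest and every chain link.
    Returns a list of problems; an empty list means the archive is intact."""
    problems, prev = [], GENESIS
    for e in manifest:
        period = e["period"]
        data = archive.get(period)
        if data is None:
            problems.append(f"{period}: export missing from archive")
        elif sha256_hex(data) != e["export_sha256"]:
            problems.append(f"{period}: export bytes do not match manifest digest")
        if e["prev_entry_hash"] != prev or e["entry_hash"] != link_hash(period, e["export_sha256"], prev):
            problems.append(f"{period}: chain link broken (manifest entry edited or reordered)")
        prev = e["entry_hash"]
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_EXPORTS)
    print(json.dumps(m, indent=2))
    print("chain head:", chain_head(m))
    print("problems:", verify_archive(m, SAMPLE_EXPORTS))
```

The chain only proves integrity relative to the head value, so the head must live where the accounting administrators cannot write: an object-locked bucket, the board minutes, or an e-mail to the statutory auditor at each month-end. A digital signature by the CFO over the head is the natural next step and is what the article's "digitally signed exports" refers to; it is not implemented here.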


Step-by-Step: Building a Compliant Audit Trail Setup Before Your FY 2026-27 Audit

If your company's setup is ad hoc or unverified, work through this sequence before your statutory audit begins; most statutory audit fieldwork for FY 2026-27 begins between October and December 2026:

  1. Get written confirmation from your software vendor, by email, that the specific version and configuration you run is compliant with Rule 3(1). Most packages widely used in India (Tally Prime, SAP Business One, Oracle NetSuite, Zoho Books and others) have published statements on their audit trail feature, but a statement covers a named version; confirm for yours. Save this confirmation permanently.
  2. Log in and verify the feature is active today. In most software this is under Settings > Audit/Compliance > Audit Trail or Edit Log. Take a screenshot showing the feature is enabled and file it.
  3. Redesign access rights on the principle of least privilege. No individual should hold both journal-entry posting access and the ability to modify or disable audit trail settings. Keep a single break-glass super-administrator account with multi-factor authentication and its credentials split between the CFO and the IT head, so that neither can use it alone, and log every use of it.
  4. Configure automated monthly exports. Set the system to export audit trail logs on the last working day of each month. Record the SHA-256 hash of each export, store the export in a location separate from the live accounting system, and confirm the backup monthly. A cloud bucket is adequate only with object lock (retention) enabled; version history alone does not stop an administrator from deleting the versions.
  5. Draft and board-approve your Audit Trail Policy (covered below). File the signed resolution in the company's statutory registers.
  6. Commission an internal audit of the audit trail before your statutory audit begins. Ask your internal auditor to test a random sample of 100 entries across three months and deliver a written report confirming the trail is intact, complete and attributable to named users.
  7. Prepare a one-page reconciliation: total transactions in the general ledger versus total entries in the audit log, by month. Any unexplained gap requires a written management explanation before the statutory auditor arrives.
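As an added example (not from the article or any accounting product), the checks that internal audit, the IT and finance teams and step 7 above call for can be run mechanically over an exported edit log: a stretch of days with no events at all (the signature of a disabled feature), events attributed to a shared or generic account, entries recorded after 31 March but dated into the closed year, and a month-by-month reconciliation of the log against general ledger voucher counts. The CSV column layout is an assumption about the export, and SAMPLE_LOG and SAMPLE_GL_COUNTS are constructed data that deliberately contain one of each problem.

```python
"""Integrity checks over an exported accounting audit trail (edit log).

Added example; not from the original article or any accounting product.
The export format is an assumption: one CSV row per logged event with the
timestamp the system recorded it (event_ts), the acting user, the action,
the voucher ID and the voucher's accounting date (posting_date).
SAMPLE_LOG and SAMPLE_GL_COUNTS are constructed data.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed export: note the 45-day silence from 10 May to 24 June, the
# shared "admin" user, and three vouchers dated into FY 2025-26 after year-end.
SAMPLE_LOG = """event_ts,user,action,voucher,posting_date
2026-04-02T10:15:00,priya.k,create,JV-1001,2026-04-02
2026-04-05T14:00:00,priya.k,create,JV-0998,2026-03-31
2026-04-05T14:05:00,priya.k,create,JV-0999,2026-03-30
2026-04-05T14:10:00,priya.k,create,JV-1000,2026-03-31
2026-04-09T11:00:00,priya.k,create,JV-1002,2026-04-09
2026-04-16T16:20:00,admin,edit,JV-1001,2026-04-02
2026-04-23T09:30:00,ravi.m,create,JV-1003,2026-04-23
2026-04-30T17:45:00,ravi.m,create,JV-1004,2026-04-30
2026-05-07T10:00:00,priya.k,create,JV-1005,2026-05-07
2026-05-10T12:00:00,ravi.m,delete,JV-1003,2026-04-23
2026-06-24T09:00:00,ravi.m,create,JV-1006,2026-06-24
2026-06-30T18:00:00,priya.k,create,JV-1007,2026-06-30
"""

# Vouchers per posting month as pulled from the general ledger (constructed).
# May holds one voucher the audit log never saw being created.
SAMPLE_GL_COUNTS = {"2026-03": 3, "2026-04": 3, "2026-05": 2, "2026-06": 2}

GENERIC_USERS = {"admin", "administrator", "root", "system", "sa", "user"}


def parse_log(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"event_ts": datetime.fromisoformat(r["event_ts"]),
                     "user": r["user"].strip().lower(),
                     "action": r["action"].strip().lower(),
                     "voucher": r["voucher"],
                     "posting_date": date.fromisoformat(r["posting_date"])})
    rows.sort(key=lambda r: r["event_ts"])
    return rows


def fy_start_year(d):
    """Indian financial year runs 1 April to 31 March."""
    return d.year if d.month >= 4 else d.year - 1


def find_coverage_gaps(rows, max_gap_days=14):
    """Stretches with no logged events at all. A switched-off feature leaves
    exactly this signature; the cause is for management to explain in writing."""
    days = sorted({r["event_ts"].date() for r in rows})
    return [(prev, cur, (cur - prev).days)
            for prev, cur in zip(days, days[1:]) if (cur - prev).days > max_gap_days]


def find_generic_users(rows):
    """Events attributed to a shared or generic account instead of a named person."""
    return dict(Counter(r["user"] for r in rows if r["user"] in GENERIC_USERS))


def find_prior_year_postings(rows):
    """Entries recorded after 31 March but dated into the closed financial year."""
    return [(r["voucher"], r["user"], r["event_ts"].date().isoformat(), r["posting_date"].isoformat())
            for r in rows
            if fy_start_year(r["posting_date"]) < fy_start_year(r["event_ts"].date())]


def reconcile_with_gl(rows, gl_counts):
    """Net vouchers (creates minus deletes) per posting month in the log versus
    the ledger. Returns only the months that disagree."""
    net = defaultdict(int)
    for r in rows:
        month = r["posting_date"].strftime("%Y-%m")
        net[month] += {"create": 1, "delete": -1}.get(r["action"], 0)
    return {m: {"audit_log": net.get(m, 0), "general_ledger": gl_counts.get(m, 0)}
            for m in sorted(set(net) | set(gl_counts))
            if net.get(m, 0) != gl_counts.get(m, 0)}


def run_all(text, gl_counts):
    rows = parse_log(text)
    return {"coverage_gaps": find_coverage_gaps(rows),
            "generic_users": find_generic_users(rows),
            "prior_year_postings": find_prior_year_postings(rows),
            "gl_mismatches": reconcile_with_gl(rows, gl_counts)}


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_LOG, SAMPLE_GL_COUNTS).items():
        print(f"{name}: {finding}")
```

Tune max_gap_days to the company's real posting rhythm (a business posting daily should use a much smaller threshold), and run the reconciliation on posting month rather than event month, because that is how the ledger is cut. Each non-empty finding is what the statutory auditor will ask management to explain in writing.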

Worked Example: The Real Cost of Getting This Wrong

Consider a hypothetical private limited company β€” Prism Goods Pvt. Ltd. β€” with turnover of Rs. 40 crore in FY 2026-27. In May 2026 the company migrated to a new cloud ERP. The IT vendor disabled the audit trail for 45 days during data migration and user acceptance testing. No alert was triggered; the CFO was not informed.

What happens at the October 2026 statutory audit:

  • The auditor's CARO 2020 testing reveals a 45-day gap in audit trail logs covering May–June 2026.
  • The auditor is required to report that the audit trail was not operational throughout the year.
  • Because post-migration transactions in this gap period cannot be independently verified, the auditor also reports a material weakness in IFC under Section 143(3)(i).

Estimated financial and non-financial exposure:

Item                                                              Estimated Amount
Fine on MD under Section 128(6), statutory minimum                Rs. 50,000
Fine on CFO under Section 128(6), statutory minimum               Rs. 50,000
Fine on IT head charged by the Board, statutory minimum           Rs. 50,000
IT consultant fee to reconstruct partial logs (if recoverable)    Rs. 1,50,000
Internal audit remediation engagement                             Rs. 75,000
Legal fee for responding to MCA show-cause notice                 Rs. 1,00,000
Minimum total quantifiable exposure                               Rs. 4,75,000

The maximum fine per responsible officer under Section 128(6) is Rs. 5 lakh, meaning maximum officer-level fines for three named individuals reaches Rs. 15 lakh. Add reputational impact: the CARO qualification is visible on MCA V3 to every lender and investor who opens the annual filing.

The entire episode was preventable. A single checklist item β€” confirm audit trail is re-enabled and tested before ERP go-live β€” would have cost nothing.


The IFC / ICFR Dimension

For listed companies and certain unlisted companies covered under Section 143(3)(i) of the Companies Act, 2013 read with Rule 11 of the Companies (Audit and Auditors) Rules, 2014, the statutory auditor must report on the adequacy and operating effectiveness of Internal Financial Controls (IFC) over financial reporting.

An audit trail deficiency affects IFC in two distinct ways:

  1. Design deficiency: If the accounting software does not have a functioning audit trail, the "change management" control within the IT General Controls (ITGC) framework has a design gap. No amount of compensating controls fully plugs this gap.
  2. Operating effectiveness deficiency: If the audit trail is designed correctly but disabled or partially offline during the year, the control exists on paper but was not operating. This is the more common finding.

Either condition requires the auditor to report a material weakness (for significant gaps) or a significant deficiency (for contained gaps). Both appear in the audit report; for listed entities they are visible in stock exchange filings and attract SEBI (Securities and Exchange Board of India) scrutiny.

In FY 2026-27, listed companies and PE-backed private companies preparing for IPOs or secondary rounds routinely integrate audit trail testing into their ICFR (Internal Controls over Financial Reporting) matrices as a named IT General Control. If your company has an ICFR exercise underway, the audit trail control should appear in the matrix and be tested at minimum semi-annually with documented evidence.


Common Mistakes and How to Fix Each One

Mistake 1: Disabling the audit trail "temporarily" for year-end closing entries. Some finance teams switch off the audit trail while passing large adjustment journals, believing a clean log looks better. This is the most common and most serious error. Fix: Make any correction as a separate, clearly described journal entry. The trail of adjustments is evidence of good governance, not the opposite. Never disable the feature.

Mistake 2: Assuming the feature is active because the software has it. The vendor provides the feature; the customer must activate it. A significant number of companies discover at audit that the audit trail was available but never switched on. Fix: Verify the status today. Get a screenshot. Add annual re-verification to your compliance calendar.

Mistake 3: Using shared "admin" login credentials. When five people post entries under a shared "admin" username, the audit trail records all five users' actions as one anonymous entity. This defeats the user-level accountability the rule requires and will fail CARO 2020 testing. Fix: Create uniquely named accounts for every user who accesses the accounting system. Delete or disable all shared credentials immediately.

Mistake 4: Failing to export audit trail logs before migrating software. When companies switch ERPs, the old system's audit trail is rarely exported before decommissioning. Two years later, the eight-year retention obligation cannot be met for historical years. Fix: Before any migration, export the complete audit trail in a signed, read-only format. Store the export under the finance team's control, not the IT vendor's.

Mistake 5: Treating audit trail preservation as an IT issue. When the audit trail sits entirely under IT's ownership with no finance oversight, it tends to be purged on a server-log cycle, typically 30 to 90 days, rather than the eight-year statutory cycle. Fix: The CFO must own the Audit Trail Policy. IT executes the technical implementation; finance governs the retention obligation and access controls.


Documenting Your Audit Trail Policy: What It Must Cover

Every company should have a board-approved Audit Trail Policy. This is a two-to-three-page document, not a technical manual. Its value lies in existing, being current and being signed. During a CARO 2020 audit, a well-drafted policy materially reduces the time your auditor spends on this section and demonstrates governance intent to any regulator who asks.

The policy must cover:

  • Software name and version in use, with the date of vendor compliance certification
  • Feature confirmation: that the audit trail is enabled, with the date last verified and the verifying officer's name
  • Retention period: minimum eight financial years from the end of the relevant year, extended automatically for pending investigations or litigation
  • Backup frequency: monthly exports, minimum, with hash verification and off-site storage
  • Storage format: immutable logs, digitally signed exports or WORM-compliant archive
  • Access matrix: who can enable or disable the feature, requiring dual-officer approval for any such action
  • Responsible officers: the MD, CFO and IT head named by designation and name
  • Review cycle: annual update at the start of each financial year, plus mandatory review on any software migration or senior personnel change

Update the policy whenever you upgrade your accounting software, change your ERP vendor or appoint a new CFO or IT head. File the Board resolution approving each version alongside the policy document.


Key Takeaways

  • Rule 3(1) of the Companies (Accounts) Rules, 2014 mandates an always-on, immutable audit trail for every company using accounting software; the obligation has been unambiguous since 1 April 2023 and is fully enforced in FY 2026-27.
  • Primary legal responsibility rests with the company: the Board under Section 134(5) strategically, and the MD and CFO personally under Section 128(6) operationally.
  • CARO 2020 requires your statutory auditor to test and publicly report on four specific audit trail conditions; a failure on any one produces a qualification visible to lenders, investors and regulators on MCA V3.
  • Preservation is eight financial years under Section 128(5), in a format that allows independent verification: not a shared drive folder, but immutable logs or digitally signed archives. A pending investigation or litigation extends this further.
  • IFC reporting under Section 143(3)(i) treats a disabled or untested audit trail as a control deficiency, and a significant gap as a material weakness, with direct consequences for listed companies under SEBI oversight and for IPO-track private companies.
  • Penalty exposure for a serious breach involving three responsible officers (minimum Section 128(6) fines plus remediation and legal costs) comes to about Rs. 4.75 lakh in the worked example above; maximum officer fines reach Rs. 5 lakh per person.
  • Prevention is a checklist: verify the feature is on today, assign named user accounts, take monthly hashed exports, draft a board-approved Audit Trail Policy, and have internal audit test the trail before your statutory audit begins. None of these steps is more than a few days' work.

Frequently Asked Questions

Who is responsible for the audit trail in a company?
Primary responsibility lies with the board of directors, the managing director and the chief financial officer. Internal auditors verify operational effectiveness, while statutory auditors report on compliance under CARO 2020. IT and finance teams manage day-to-day controls, access rights and back-ups, but the legal accountability sits with the company and its key managerial personnel.
For how long must the audit trail be preserved?
Under Section 128(5) of the Companies Act 2013, books of account along with the audit trail must be preserved for at least eight financial years from the end of the relevant year. Where any investigation, litigation or tax proceeding is pending, the retention period extends until the matter is fully concluded.
What does CARO 2020 say about audit trail?
Read with Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014, it requires the statutory auditor to report whether the company used accounting software with an audit trail feature throughout the year, whether the feature operated without being disabled or tampered with, and whether the audit trail has been preserved in line with statutory retention requirements.
What is the penalty for not maintaining audit trail?
Under Section 128(6) of the Companies Act, 2013, each responsible officer (the MD, the whole-time director in charge of finance, the CFO or any person charged by the Board) faces a fine of not less than ₹50,000, extending to ₹5 lakh. Non-compliance also leads to an adverse auditor's report, which can impact lender comfort, investor diligence and the company's regulatory standing.
Content reviewed by: Mayank Wadhera

CA | CS | CMA | Lawyer | Insolvency Professional | IBBI Valuator