Legal Suvidha is a registered trademark. Unauthorized use of our brand name or logo is strictly prohibited. All rights to this trademark are protected under Indian intellectual property laws.
Legal Suvidha
General

Responsibility for audit trail

Responsibility for the maintenance and preservation of the audit trail in an Indian company rests with the board of directors, managing director and CFO, supported by internal and statutory auditors. Under the Companies (Accounts) Rules and Section 128 of the Companies Act 2013, every company must use accounting software with an enabled audit trail, preserve logs for at least eight years, and ensure CARO 2020 reporting confirms the audit trail was not tampered with during FY 2026-27.

Mayank WadheraMayank Wadhera
Published: 9 Apr 2023
Updated: 16 May 2026
4 min read
Responsibility for audit trail
1
2
3
4
5
6
7
8

Understand who is responsible for maintaining and preserving the audit trail under the Companies Act and CARO 2020, and the 2026 compliance expectations.

Since 1 April 2023, every company in India has been required to use accounting software with an audit trail feature that captures each transaction and change. By FY 2026-27, this is no longer a transitional requirement — auditors, the MCA and even tax authorities now treat audit trail integrity as a baseline. This guide explains who is responsible for maintaining and preserving the audit trail, and how Finance Act 2026 and CARO 2020 amendments raise the stakes.

What the Audit Trail Rule Requires

Rule 3(1) of the Companies (Accounts) Rules, 2014, as amended, mandates that every company using accounting software must record an audit trail of each transaction, including any edit or deletion, with the date and user details. The audit trail must be operational throughout the year and cannot be disabled. CARO 2020 further requires statutory auditors to report on whether the audit trail feature was used and not tampered with.

Who Bears the Primary Responsibility

  • Board of Directors — primary accountability for adopting compliant accounting software and approving internal controls
  • Managing Director and CFO — operational responsibility for ensuring the audit trail is enabled and preserved
  • Internal auditors — periodic verification that the audit trail is functioning and free of tampering
  • Statutory auditors — annual reporting under CARO 2020 on audit trail compliance
  • IT and finance teams — day-to-day administration of access rights, log retention and back-ups

Preservation Period and Storage

Books of account and the underlying audit trail must be preserved for at least eight financial years from the end of the relevant year, in line with Section 128(5) of the Companies Act, 2013. Where investigation or litigation is pending, retention extends until the matter is closed. In 2026, the MCA expects audit trail logs to be preserved in a format that allows independent verification — typically immutable database logs, indexed exports or signed digital archives.

Practical Steps to Stay Compliant in 2026

  1. Use accounting software that explicitly certifies an immutable audit trail feature
  2. Restrict admin rights so that the audit trail cannot be disabled or purged
  3. Take signed monthly back-ups of the audit trail and store them off-site
  4. Document internal controls and access logs in a written IT-GC policy
  5. Get the audit trail tested by internal audit before the statutory audit kick-off
  6. Reconcile the audit trail with the trial balance for unusual edits or deletions

Penalties for Non-Compliance

Failure to maintain books of account along with a proper audit trail can attract penalties up to ₹5 lakh on the company and ₹50,000 to ₹5 lakh on responsible officers under Section 128(6). Statutory auditors are required to qualify their report under CARO 2020 if the audit trail is not operative, which directly impacts the company's credit rating, lender comfort and investor diligence. In 2026, several listed companies and large private companies have already received MCA show-cause notices for audit trail non-compliance.

Audit Trail Interaction With Internal Financial Controls

Audit trail is not just an MCA requirement — it is a foundational element of internal financial controls reporting under Section 143(3)(i) of the Companies Act 2013 for listed and certain other companies. A weak or disabled audit trail typically results in a material weakness in IFC, which the auditor must report. In 2026, listed companies and PE-backed private companies routinely link audit trail testing with their ICFR matrices and SOX-style control documentation to ensure consistency.

Documenting the Audit Trail Policy

Every company should adopt a board-approved Audit Trail Policy that names the accounting software in use, the version, the audit trail features enabled, the retention and back-up frequency, the access matrix and the responsible officers. This single document materially simplifies CARO 2020 audit testing and is increasingly demanded by lenders, due diligence teams and forensic auditors. Update the policy annually and circulate it across finance, IT and internal audit teams.

Conclusion

Responsibility for the maintenance and preservation of the audit trail rests jointly with the board, management and auditors — but the operational obligation sits squarely with the company. Treat the audit trail as a core financial control, not an IT setting. With CARO 2020 reporting now mature and MCA enforcement active in 2026, a clean, preserved audit trail is one of the simplest ways to build credibility with auditors, regulators and lenders.

Frequently Asked Questions

Who is responsible for the audit trail in a company?
Primary responsibility lies with the board of directors, the managing director and the chief financial officer. Internal auditors verify operational effectiveness, while statutory auditors report on compliance under CARO 2020. IT and finance teams manage day-to-day controls, access rights and back-ups, but the legal accountability sits with the company and its key managerial personnel.
For how long must the audit trail be preserved?
Under Section 128(5) of the Companies Act 2013, books of account along with the audit trail must be preserved for at least eight financial years from the end of the relevant year. Where any investigation, litigation or tax proceeding is pending, the retention period extends until the matter is fully concluded.
What does CARO 2020 say about audit trail?
CARO 2020 requires statutory auditors to specifically report whether the company used accounting software with an audit trail feature throughout the year, whether the feature was operated without being disabled, and whether the audit trail has been preserved in line with statutory retention requirements.
What is the penalty for not maintaining audit trail?
Non-compliance can attract penalties up to ₹5 lakh on the company and ₹50,000 to ₹5 lakh on responsible officers under Section 128(6) of the Companies Act 2013. It also leads to an adverse CARO report, which can impact lender comfort, investor diligence and the company's regulatory standing.
Mayank Wadhera
Content Reviewed By

Mayank Wadhera

CA | CS | CMA | Lawyer | Insolvency Professional | IBBI Valuator

"I help founders increase real business value and achieve stronger valuations | Turning messy workflows into scalable, time-saving systems"

View Profile
Share this article:3,517 Views
Previous
Form 11 vs Form 8 LLP: 12 Differences Every Partner Must Know (2026 Verified Guide)

Related Posts

View All