This rule has been in force long enough that most companies assume they’re compliant simply because their software lists an “audit trail” feature somewhere in settings. That assumption is exactly where the gaps hide.
Every company using accounting software to maintain its books must use software with an audit trail (edit log) feature. It must record every transaction and every change, with date and time, and the feature must never be capable of being disabled. This has applied since 1 April 2023, to every company regardless of size.
Not sure if your accounting software actually meets the full requirement? WhatsApp us and we’ll check your setup against what auditors are actually testing for.
Quick Summary
| Requirement | Detail |
| Applicable from | Financial years beginning on or after 1 April 2023 |
| Applies to | All companies under the Companies Act, 2013 — regardless of size, including Section 8 (non-profit) companies |
| What must be logged | Every transaction; every create, edit, update, delete, or cancel action; date and time of each change |
| Can the feature be disabled? | No — this is explicit and non-negotiable |
| Retention period | Minimum 8 years, per Section 128(5) |
| Who verifies compliance | The statutory auditor, who must report on it under Rule 11(g) |
“Database Level,” Not Just “Application Level,” Is Where Companies Get Caught Out
This detail trips up more companies than any other. ICAI’s Implementation Guide says audit trail must be enabled at the database level, not just within the accounting software’s user interface. Your accounting software might show a clean edit log on screen. But if the underlying database allows changes that bypass that interface-level logging, you’re not actually compliant — even if no one inside the company realises it. This is a genuine technical gap between what a software vendor markets as “audit trail enabled” and what the rule actually demands.
Why ERPs With Restricted Database Access Sometimes Still Fail
Some companies argue that restricting database access to a single administrator, with that administrator’s actions logged at the application level, satisfies the spirit of the rule. ICAI’s guidance doesn’t fully accept this shortcut. Companies generally still need audit trail at the database level for tables that form part of the books of account, even where access is tightly controlled. Performance concerns don’t exempt a company from the requirement. They just make the technical implementation harder.
What Your Statutory Auditor Is Actually Checking
The auditor’s report must address whether the company maintained audit trail throughout the year, not just at the point of audit. This creates a real timing challenge. A statutory audit happens after year-end, but the auditor needs assurance that the trail stayed active and unaltered from day one of the financial year. Many companies now lean on internal audit or a documented management representation covering the full year, rather than trying to verify retroactively.
A Disclosure Practice Worth Adopting
Several companies now include a specific note in their financial statements describing how they implemented the audit trail requirement — which software they use, where data sits, and confirmation that the feature operated throughout the year without being disabled. The law doesn’t strictly mandate this disclosure. But it gives the auditor a clear basis to reference in their own report, and it shows the kind of proactive governance that reduces friction during the audit itself.
A Practical Compliance Checklist
- Ask your software vendor directly whether audit trail logging operates at the database level, not just the application interface. Don’t assume from marketing material.
- Confirm no user, including administrators, can disable the feature. Test this rather than taking it on faith.
- Set up your data backup and retention process to cover the full 8-year requirement from the start, not as an afterthought near year 7.
- Discuss with your statutory auditor early in the year what evidence they’ll expect to see, rather than waiting until the audit itself to find out.
Frequently Asked Questions
Does this apply to small private companies, not just large ones?
Yes. The rule applies to every company under the Companies Act, 2013, regardless of size, including small companies and Section 8 non-profit companies.
What if my accounting software simply doesn’t have a database-level audit trail feature?
This is a genuine compliance gap, not a minor technical detail. It may mean switching software, since the responsibility for selecting compliant software sits with company management, not the auditor.
Is the audit trail requirement different for consolidated financial statements?
No. The requirement applies to both standalone and consolidated financial statements.
Does this apply to foreign companies operating in India?
Yes. Audit trail provisions extend to foreign companies as defined under the Companies (Registration of Foreign Companies)
Rules, 2014, including branch and liaison offices.
Is audit trail mandatory in accounting software?
Yes. From financial years beginning on or after 1 April 2023, every company maintaining books of account in accounting software must use software that records an audit trail (edit log), captures every change with date and time, and does not permit the audit trail feature to be disabled.
References
- Companies (Accounts) Rules, 2014 — Rule 3(1) (audit trail requirement)
- Companies (Audit and Auditors) Rules, 2014 — Rule 11(g) (auditor reporting obligation)
- Companies Act, 2013 — Section 128(5) (8-year retention requirement)
- ICAI Implementation Guide on Reporting on Audit Trail under Rule 11(g)
Last Updated: 26 June 2026
Reviewed By: TaxKitab Team
Call or WhatsApp: +91 7448200422 Email: info@taxkitab.com Website: taxkitab.com See our Audit Support service, or visit Contact.
