Since MCA Rule 11(g) under the Companies (Accounts) Amendment Rules became effective, statutory auditors are required to check and report on the audit trail feature of accounting software used by companies. SAP — being the most widely used ERP in India’s large enterprise sector — is under significant scrutiny.
Based on our SAP audit experience, here are 7 failures that consistently lead to adverse audit observations:
7 FAILURES
• FAILURE 1: AUDIT TRAIL DISABLED FOR CERTAIN MODULES — The most common failure. Audit trail is enabled for FI but disabled for CO, MM, or HR modules. SAP’s audit trail must cover all modules where financial transactions occur. Check transactions SM19 and RSAU_CONFIG for coverage.
• FAILURE 2: AUDIT TRAIL NOT TAMPER-EVIDENT — If the audit log can be deleted or modified by the SAP Basis team or DBA, it is not tamper-evident. Verify: can SM18 (log deletion) be executed without detection? Is DB-level log access restricted?
• FAILURE 3: BACKUP OF AUDIT LOGS NOT MAINTAINED SEPARATELY — Audit logs stored only in SAP (and not backed up separately) are at risk of loss during system recovery. MCA requires that audit logs be backed up and retained in a way that is independent of the main system.
• FAILURE 4: DDL LOGGING NOT ENABLED — Changes to database schema (DDL changes) must be logged. Many organisations focus on DML (data changes) but miss DDL logging — which captures table structure changes that could indicate data manipulation.
• FAILURE 5: PRIVILEGED USER ACTIONS NOT CAPTURED — Actions performed by users holding the SAP_ALL profile, Basis administrators, or DBA accounts must be captured in the audit log. If privileged actions can occur without a trace, the entire audit trail integrity is compromised.
• FAILURE 6: LOG RETENTION BELOW REQUIRED PERIOD — Audit logs must be retained for the period applicable under the Companies Act and MCA rules. Retention of only 3–6 months (due to storage constraints) is insufficient.
• FAILURE 7: AUDIT TRAIL NOT ACTIVATED FROM DAY 1 OF FINANCIAL YEAR — SAP audit trail must be active from the first day of the financial year. Activation mid-year creates a gap that statutory auditors will flag.
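A check for Failures 6 and 7 over an exported audit log, as an added example that is not part of the original article or any SAP tooling. The row layout, the function names, the 3-day tolerance and the 365-day retention figure are assumptions for illustration; set retention_days to the period that applies to your company.

```python
from datetime import date, datetime

# Constructed sample rows (timestamp, user, event); the column layout is an
# assumption for illustration, not an SAP export format.
SAMPLE_ROWS = [
    ("2023-06-12 10:02:11", "FIUSER01", "document posted"),
    ("2023-06-13 16:40:00", "BASIS01", "audit configuration changed"),
    ("2023-09-01 09:00:05", "FIUSER02", "document posted"),
    ("2023-09-02 11:30:45", "FIUSER01", "document changed"),
]

def audit_trail_findings(rows, fy_start, as_of, retention_days, max_gap_days=3):
    """Return findings for late activation, silent gaps and short retention."""
    days = sorted({datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S").date() for r in rows})
    if not days:
        return ["NO_RECORDS: export contains no audit records"]
    findings = []
    # Failure 7: the trail must be active from day 1 of the financial year.
    in_fy = [d for d in days if d >= fy_start]
    first = in_fy[0] if in_fy else None
    if first is None or (first - fy_start).days > max_gap_days:
        findings.append(f"LATE_ACTIVATION: first record in FY is {first}, FY began {fy_start}")
    # Silent stretches inside the FY: logging switched off, or logs deleted.
    for prev, cur in zip(in_fy, in_fy[1:]):
        if (cur - prev).days > max_gap_days:
            findings.append(f"GAP: no records between {prev} and {cur}")
    # Failure 6: the oldest retained record must reach back retention_days.
    held = (as_of - days[0]).days
    if held < retention_days:
        findings.append(f"RETENTION: oldest record is {held} days old, need {retention_days}")
    return findings

def sample_findings():
    """Run the checks on the constructed sample above."""
    return audit_trail_findings(SAMPLE_ROWS, fy_start=date(2023, 4, 1),
                                as_of=date(2024, 3, 31), retention_days=365)

if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

A system that went live more recently than retention_days ago will also raise the RETENTION finding, so read that result against the go-live date.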
WHAT TO DO NOW
If you are approaching your statutory audit and have not yet reviewed your SAP audit trail status, Zorixx recommends an immediate Rule 11(g) readiness check — a focused 2-week assessment that reviews audit trail activation, completeness, tamper-evidence, backup, and retention. We provide a compliance certificate that can be shared with statutory auditors.
