
Introduction: India's Audit Trail Rules — A Compliance Obligation UK Businesses Cannot Ignore
Many UK businesses operating in India face a compliance obligation they may not yet fully understand. Since April 1, 2023, India has required all companies registered under the Companies Act, 2013 — including foreign-owned subsidiaries, branches, and liaison offices — to maintain a real-time, tamper-proof audit trail in their accounting software.
This requirement applies to every UK parent company with an Indian entity, regardless of size or turnover.
The UK ranks third among foreign company origins in India — after the USA and Singapore — with approximately 5,209 registered foreign companies as of December 2024. For these businesses, non-compliance carries real consequences: fines from ₹50,000 to ₹5,00,000, personal liability for directors and CFOs, and audit qualifications that can affect group-level reporting.
This article covers the legislative basis, technical requirements, data residency rules, and the practical steps UK businesses need to take to meet India's audit trail mandate.
TLDR:
- India's audit trail requirement has been mandatory since April 1, 2023, with no turnover threshold or company-size exemption
- UK businesses with Indian subsidiaries, branches, or liaison offices must use accounting software with non-disableable audit trails
- Daily backups must be stored on servers physically located in India
- Auditors must report on compliance from FY 2024-25 onwards, with preservation verification now live
- Non-compliance risks fines of ₹50,000–₹5,00,000 for companies and officers, plus auditor disciplinary action
What Is India's Audit Trail Requirement? The Legislative Background
The audit trail mandate stems from an amendment to Rule 3(1) of the Companies (Accounts) Rules, 2014, introduced by India's Ministry of Corporate Affairs (MCA) through notification G.S.R. 205(E) dated March 24, 2021. Originally scheduled to take effect on April 1, 2021, the requirement was deferred twice—first to April 1, 2022, then to April 1, 2023—before finally becoming compulsory for financial years commencing on or after April 1, 2023.
In the Indian statutory context, an "audit trail" means a date- and time-stamped chronological record of every transaction entered into the books of account. The requirement captures the "3Ws":
- When the change was made
- Who made it (user ID)
- What was changed (transaction reference and detail)
Indian law also requires two simultaneous components: the full audit trail of all transactions, plus a separate edit log recording every modification to existing entries—capturing both original and revised data with timestamps.
According to the ICAI Implementation Guide on Reporting on Audit Trail (Revised 2024 Edition), auditor reporting on preservation of audit trails became mandatory from FY 2024-25 onwards. While FY 2023-24 required auditors to confirm the trail existed and operated throughout the year, preservation reporting represents an escalation in regulatory scrutiny.
That scrutiny applies across the board. The rule covers every company using accounting software to maintain books of account, with no exceptions based on:
- Software type (on-premise, cloud-based, or SaaS)
- Company size or annual turnover
- Industry sector or business structure
Who Must Comply: Does the Requirement Apply to UK Businesses in India?
The audit trail requirement applies to all companies registered under the Companies Act, 2013. This explicitly includes foreign companies as defined under Section 2(42) and the Companies (Registration of Foreign Companies) Rules, 2014, along with their branch offices and liaison offices operating in India.
For UK businesses, the practical implications are straightforward:
- A UK parent company that has incorporated an Indian private limited company (subsidiary) must ensure the entity's books are maintained in compliant accounting software
- A UK company that has registered a branch office or liaison/project office in India falls within scope
- The obligation attaches to the Indian entity's statutory books, regardless of where the UK parent is headquartered
Not every type of business entity in India is subject to this rule, however.
Who is NOT covered:
- Limited Liability Partnerships (LLPs) governed by the LLP Act, 2008
- Partnership firms under the Indian Partnership Act, 1932
- Sole proprietorships
- Entities maintaining books of account entirely in manual (paper-based) format with no accounting software
A common question from UK finance teams concerns global ERPs. If a UK parent uses SAP, Oracle, or Xero to consolidate Indian accounts, the Indian entity's books maintained within that system must have the audit trail feature enabled and active for Indian transactions.
Having UK-compliant audit capabilities in the parent system does not satisfy this requirement. The Indian component must meet India's specific technical standards independently.
What the Audit Trail Feature Must Actually Do: Technical Requirements
Mandatory Capabilities the Software Must Have
Rule 3(1) requires accounting software to satisfy three non-negotiable conditions:
- Record an audit trail for every transaction entered into the books of account—no transaction category is exempt
- Create an edit log for every change made to an existing entry, capturing the original value, modified value, date/time of change, and user ID
- Ensure the audit trail cannot be disabled by any user, administrator, or system process—a software setting that allows the trail to be switched off, even temporarily, renders the software non-compliant

The National Financial Reporting Authority (NFRA) Inspection Report 2024 found that audit trail features were not enabled at the database and/or application level across all five sampled audit engagements of a major audit firm. For UK businesses operating Indian subsidiaries, this is a live enforcement risk—not a theoretical one.
What Counts as "Books of Account" Under Section 2(13)
Section 2(13) of the Companies Act, 2013 defines "books of account" to include records of:
- All sums of money received and expended
- All sales and purchases of goods and services
- All assets and liabilities
- Cost records prescribed under Section 148
The scope is broader than many UK businesses initially assume. If sales data is recorded in a separate CRM or billing platform, or if fixed asset registers are maintained in Excel, those sub-ledgers that feed directly into the general ledger may also constitute "books of account."
The ICAI Implementation Guide clarifies that spreadsheets used only as working papers fall outside the requirement. Where data from third-party tools directly populates the statutory books, however, each system requires a case-by-case assessment. UK businesses should map all ancillary platforms against this test before assuming compliance.
Data That Must Be Preserved
The Companies (Accounts) Fourth Amendment Rules, 2022 (effective August 5, 2022) set out clear obligations for how audit trail data must be stored:
- Preserved in its original format with no editing or deletion permitted
- Accessible in India at all times—records cannot be rendered inaccessible
- Backed up daily on servers physically located in India
This data residency obligation creates a direct conflict for UK businesses whose cloud providers route or store data through UK or European servers.
Auditor Reporting Obligations Under Rule 11(g)
Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 requires the statutory auditor of the Indian entity to include a specific statement in the audit report confirming four matters:
| Matter | Requirement |
|---|---|
| Audit trail facility exists | Whether the accounting software has the required feature |
| Operated throughout the year | Whether the facility operated for all transactions for the entire financial year |
| Not tampered with | Whether the audit trail feature has been compromised |
| Preserved per statutory requirements | Whether the audit trail has been retained according to record retention rules |

Rule 11(g) creates a dual responsibility:
- Company management selects compliant software and ensures the audit trail stays active throughout the year
- Statutory auditor independently verifies and reports on its effective operation
Both parties face liability if compliance lapses go unreported.
That shared accountability extends to an evolving scope. From FY 2024-25 onwards, auditors must also comment on preservation of audit trail logs as part of their Rule 11(g) reporting — a requirement that did not apply in FY 2023-24, the first year of applicability. UK financial controllers should confirm their Indian statutory auditor is aligned on this expanded obligation.
VJM Global, which has supported 250+ UK businesses with Indian accounting and audit obligations, emphasises early engagement with qualified Indian statutory auditors. Compliance gaps identified at year-end cannot be retroactively corrected — the audit trail must have run continuously from day one of the financial year.
Data Residency, Record Retention, and Penalties for Non-Compliance
Data Residency Requirements
Rule 3 of the Companies (Accounts) Rules, 2014 requires that books of account and audit trail records maintained electronically must remain accessible in India at all times. Daily backups must be kept on servers physically located in India. This is a distinct and additional obligation beyond having compliant software.
UK or European cloud data centres do not satisfy this requirement — a practical problem for businesses running global ERPs. Before the financial year begins, take these steps:
- Confirm with your ERP or accounting software provider whether Indian data can be isolated to an Indian data centre
- Verify that an India-region node (such as AWS Mumbai, Azure Central India, or Google Cloud Mumbai) is available and enabled
- Get written confirmation of the data centre configuration from your provider
Record Retention Period
Once your data residency is configured correctly, the next obligation is how long that data must be kept. Section 128(5) of the Companies Act, 2013 requires books of account — and by extension, the audit trail — to be retained for a minimum of eight financial years preceding the current year.
For companies younger than eight years, all records since incorporation must be preserved. Audit trail data generated from April 1, 2023 must be retained until at least FY 2030-31.
Penalties for Non-Compliance
Companies and officers:
- Fines ranging from ₹50,000 to ₹5,00,000 apply to the company
- Personal fines in the same range apply to the managing director, CFO, or other charged officers
- Note: The imprisonment provision previously under Section 128(6) was removed by the Companies (Amendment) Act, 2020; current penalties are monetary only
Auditors:
- Fines ranging from ₹25,000 to ₹5,00,000, or up to four times remuneration (whichever is less)
- For wilful non-compliance: imprisonment up to one year and fines up to ₹25,00,000 or eight times remuneration (whichever is less)
- Potential disciplinary action from the Institute of Chartered Accountants of India (ICAI), including licence suspension

For UK businesses, personal liability extends to UK-appointed directors of Indian subsidiaries. The reputational consequences of an audit qualification under Rule 11(g) can be significant for UK-listed parent groups.
Practical Steps for UK Businesses to Achieve and Maintain Compliance
1. Conduct an immediate software audit
- Confirm whether your Indian entity's accounting software has a built-in, non-disableable audit trail and edit log feature
- Obtain written confirmation from your software vendor that their product is compliant with Rule 3(1)
- Verify the feature is active for all transaction types
2. Review your data architecture for India-specific data residency
- If your Indian entity's financial data is hosted on servers outside India (including UK or European cloud regions), work with your IT team and software provider to establish a compliant Indian data centre configuration
- Set up daily automated backups to India-based servers
- Document this configuration in writing with your service provider
3. Engage a qualified Indian statutory auditor early in the financial year
- Brief your auditor on your software setup and data hosting arrangements
- Align on their Rule 11(g) reporting approach before year-end
- Don't wait until the audit to discover compliance gaps—the trail must have operated throughout the entire year
4. Consider professional advisory support
For UK businesses setting up or auditing their India compliance framework, VJM Global works with entities to ensure that software configuration, data hosting, and internal records meet Indian regulatory standards from the outset, rather than being corrected after year-end. Their services cover statutory audit, internal controls review, compliance monitoring, and support during regulatory inspections, with specific experience serving UK businesses in the Indian market.
Frequently Asked Questions
What are the legal and regulatory requirements for audit trails in India?
Rule 3(1) of the Companies (Accounts) Rules, 2014 (effective April 1, 2023) requires all companies using accounting software to maintain a tamper-proof, real-time audit trail and edit log of every transaction. Auditors must report on compliance under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014.
What are the criteria for audit in India?
All companies registered under the Companies Act, 2013—including private limited companies, one-person companies, Section 8 companies, and foreign companies—are subject to statutory audit. There is no minimum turnover threshold for the audit trail requirement specifically (unlike some other Indian audit thresholds).
Does India's audit trail requirement apply to UK companies with Indian subsidiaries or branches?
Yes. The requirement applies to all entities registered under the Companies Act, 2013—including Indian subsidiaries of UK parents and branch or liaison offices of foreign companies. The obligation sits with the Indian entity's books of account, regardless of where the parent is headquartered.
What is the penalty for non-compliance with India's audit trail rules?
Companies face fines of ₹50,000–₹5,00,000; responsible officers (including CFOs and directors) face the same range. Auditors who fail to report non-compliance face fines of ₹25,000–₹5,00,000 or up to four times their remuneration, with potential imprisonment for wilful violations.
How long must audit trail records be retained under Indian law?
Section 128(5) of the Companies Act, 2013 requires retention of books of account—and the associated audit trail—for a minimum of eight financial years, or for the full period since incorporation if the company is less than eight years old.
Does accounting software used by a UK company for its Indian operations need to store data on servers in India?
Yes. Rule 3 of the Companies (Accounts) Rules requires books of account and audit trail records to be accessible in India at all times, with daily backups to servers physically located in India. UK businesses using European cloud regions for their Indian entity's data need to raise this specifically with their software provider.


