
Ensuring Regulatory Compliance: Expert Tips for Aligning Your SAP System with MCA Requirements

It’s been almost a year since the Ministry of Corporate Affairs (MCA), India introduced a new set of guidelines to companies on April 1, 2023, aiming to bring transparency and restrict or reduce data manipulation of books within the company. This prompted SAP clients to initiate new processes such as enabling audit trails and change logs. However, many customers are still unsure about what they need to do.

A survey conducted by ToggleNow between September 2023 and March 2024 found that 7 out of 10 customers attempted to implement the rules, but they might not have completed all the necessary steps. Here’s how companies are dealing with the situation:

Each row below gives what the requirement says, how companies are handling it today, and what the challenge is.

Requirement: Enable an audit trail of every transaction.
How companies handle it today: Companies are enabling the SM19/SM20 audit logs.
Challenge: Enabling SM19/SM20 audit logs not only occupies a lot of space but also impacts system performance.

Requirement: Create an edit log of each change made in the books of account, along with the date when such changes were made.
How companies handle it today: This is a standard feature of SAP; the change logs are captured in the following tables:
  • CDHDR: Change document header table
  • CDPOS: Change document item table
  • SCDO: Change document object table
  • SCDO2: Change document object table (newer version)
  • TCURR: Exchange rates table (used for currency conversion)
  • T000: Clients table (tracks changes to client-specific data)
  • T001W: Plant parameters table (tracks changes to plant-related data)
  • T001L: Storage locations table (tracks changes to storage location data)
Challenge: While this is a standard feature, users in SAP can still delete these logs, so the logs themselves need to be secured. Many clients haven't implemented additional security features to protect the edit/change logs.

Requirement: The audit trail cannot be disabled or deleted.
How companies handle it today: Audit trails are enabled by admins in the production environments and are backed up periodically.
Challenge: Users with administrative authorizations can still disable or delete these audit trails/logs.

Requirement: No backdated entries; no deleted or amended vouchers allowed.
How companies handle it today: This is controlled with authorizations.
Challenge: Many users have wider authorizations that allow them to post backdated entries.

Requirement: It's about transparency and no room for data manipulation.
How companies handle it today: Debug authorization is restricted to specific users, which allows them to make changes at run time.
Challenge: Debug authorizations are not properly maintained. Many users have access to SE16 with debug, allowing them to change entries without proper records.

Requirement: Ensure your software has a timestamp for every action.
How companies handle it today: This is default functionality.
Challenge: As mentioned, changes performed from RFMs and in debug mode do not leave a timestamp. This must be controlled.

Requirement: Track every transactional change, no exceptions.
How companies handle it today: This is default functionality.
Challenge: Change logs can be deleted, so authorization controls must be implemented.

Requirement: Keep the edit log permanently on.
How companies handle it today: This is default functionality.
Challenge: Edit logs can be deleted, so authorization controls must be implemented.

Requirement: Capture user details for accountability.
How companies handle it today: This is default functionality.
Challenge: With RFMs, users can utilize other IDs and make changes. RFMs and RFCs must be secured.

Requirement: Maintain a clear sequence of actions.
How companies handle it today: This is default functionality.
Challenge: This is default functionality.
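Two of the challenges above (backdated postings allowed by wide authorizations, and changes made outside a normal dialog transaction via RFC or the debugger) can be surfaced with simple checks over the document and change-log data. The following is an added example written for this article, not code from ToggleNow or SAP: it runs two such checks over constructed records whose field names mirror SAP's BKPF (FI document header) and CDHDR (change document header). The sample rows, the period-close date, the allowed-transaction list, and the treatment of an empty TCODE as a sign of a non-dialog change are all assumptions.

```python
"""Added example (not from the article or from SAP): detection checks over
constructed records shaped like SAP's BKPF and CDHDR tables."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Posting:
    """Subset of BKPF: company code, document number, fiscal year,
    posting date (BUDAT), entry date (CPUDT), user (USNAM), transaction (TCODE)."""
    bukrs: str
    belnr: str
    gjahr: str
    budat: date
    cpudt: date
    usnam: str
    tcode: str


@dataclass(frozen=True)
class ChangeDoc:
    """Subset of CDHDR: object class, object id, change number, user,
    change date (UDATE), transaction (TCODE)."""
    objectclas: str
    objectid: str
    changenr: str
    username: str
    udate: date
    tcode: str


def backdated_postings(postings, period_closed_until):
    """Documents posted into a period that was already closed when they were
    entered: posting date on or before the close date, entry date after it."""
    return [p for p in postings
            if p.budat <= period_closed_until and p.cpudt > period_closed_until]


def changes_outside_dialog(changes, allowed_tcodes):
    """Change documents not written by an allowed dialog transaction.
    Assumption: an empty TCODE is treated as a sign that the change came from
    an RFC call, background job or debugger session rather than a screen."""
    return [c for c in changes if c.tcode.strip() not in allowed_tcodes]


# Constructed sample data (not real postings)
PERIOD_CLOSED_UNTIL = date(2024, 3, 31)          # assumption: March 2024 is closed
ALLOWED_TCODES = {"FB01", "FB02", "FB50"}        # assumption: the approved FI transactions
POSTINGS = [
    Posting("1000", "1900000001", "2024", date(2024, 3, 15), date(2024, 3, 15), "CLERK1", "FB01"),
    Posting("1000", "1900000002", "2024", date(2024, 3, 28), date(2024, 4, 12), "ADMIN7", "FB01"),
    Posting("1000", "1900000003", "2024", date(2024, 4, 2), date(2024, 4, 12), "CLERK1", "FB50"),
]
CHANGES = [
    ChangeDoc("BELEG", "10001900000001 2024", "0000000101", "CLERK1", date(2024, 3, 16), "FB02"),
    ChangeDoc("BELEG", "10001900000002 2024", "0000000102", "ADMIN7", date(2024, 4, 12), ""),
    ChangeDoc("BELEG", "10001900000003 2024", "0000000103", "SUPPORT9", date(2024, 4, 13), "SE16N"),
]


def run_checks(postings=POSTINGS, changes=CHANGES):
    """Return the document numbers and change numbers that need review."""
    return {
        "backdated": [p.belnr for p in backdated_postings(postings, PERIOD_CLOSED_UNTIL)],
        "outside_dialog": [c.changenr for c in changes_outside_dialog(changes, ALLOWED_TCODES)],
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

In a real landscape the same two predicates would be run over extracts of BKPF and CDHDR for the closed periods and reconciled against the change request or ticket that justified each hit; a hit with no justification is the finding an auditor will ask about.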

In conclusion, the management of audit logs such as SM19/SM20 presents challenges, as enabling them may consume significant storage space and affect system performance. Change logs, although a standard SAP feature, can still be deleted by users, highlighting the necessity for enhanced security measures.

Many clients have not implemented additional safeguards, leaving the system vulnerable to unauthorized alterations. Furthermore, users with administrative privileges can disable or erase audit trails, while wider authorizations enable the posting of backdated entries. Debug authorizations are often overlooked, granting users access to SE16 with debug capabilities and compromising data integrity. Moreover, changes made through RFMs and in debug mode lack timestamp records, necessitating stricter controls. The possibility of deleting change and edit logs underscores the need for robust authorization controls. To mitigate these risks, RFMs and RFCs must be secured to prevent unauthorized access and alterations.

Absolutely! Evaluating your SAP system to ensure compliance with the Ministry of Corporate Affairs (MCA) requirements is crucial for maintaining transparency and data integrity within your organization. Our team of experts specializes in SAP systems and regulatory compliance, and we’re here to assist you every step of the way.

Here’s how ToggleNow can help:

1. Comprehensive Assessment:

Our team will conduct a thorough assessment of your current SAP system to identify any gaps or areas that need improvement to meet MCA requirements.

2. Customized Solutions:

Based on the assessment findings, we’ll tailor solutions specifically for your organization to ensure compliance with MCA guidelines while optimizing system performance and security.

3. Implementation Support:

Our team will provide hands-on support during the implementation phase, such as authorization adjustments, guiding you through the process of configuring your SAP system for the additional changes needed to align with MCA requirements effectively.

4. Training and Education:

We offer training sessions to educate your team on best practices for maintaining compliance within the SAP environment, empowering them to utilize the system efficiently and securely.

5. Ongoing Support:

Our commitment doesn’t end with implementation. We’ll provide ongoing support and maintenance to address any evolving compliance needs and ensure your SAP system remains aligned with MCA regulations.

Let’s schedule a consultation to discuss your specific requirements and how our expertise can help you achieve and maintain compliance with MCA guidelines.

FAQs

1. What are MCA requirements for SAP systems?

For SAP systems, key MCA (Ministry of Corporate Affairs) compliance requirements are driven by multiple provisions of the Companies Act and related rules:

  • Rule 11(g) – Audit Trail (Edit Log):
    Mandates that accounting software, including SAP, must maintain a system-generated, tamper-proof, and non-disableable audit trail for all financial transactions. Every create, change, and delete affecting books of accounts must be logged with user ID, timestamp, and before/after values, and retained for at least 8 financial years.
  • Rule 3(5) – Record Retention:
    Requires companies to preserve accounting records in electronic form for the statutory retention period. In SAP terms, this means ensuring long-term availability, integrity, and retrievability of financial data and related audit logs, even after system upgrades or migrations.
  • Section 128 & Section 134 / Rule 28 (Internal Financial Controls & Reporting):
    These provisions emphasize accurate books of accounts, internal financial controls (IFC), and management accountability. SAP systems must support controlled access, traceability, change monitoring, and audit evidence to demonstrate that financial data is complete, accurate, and protected from unauthorized manipulation.

Together, these MCA requirements push SAP landscapes toward strong audit trails, disciplined access governance, secure data retention, and audit-ready reporting, as expected by statutory auditors under the Ministry of Corporate Affairs.

Yes, from a technical standpoint, SAP audit logs can be disabled or deleted by users with sufficient system or administrative privileges. However, regulatory requirements such as MCA Rule 11(g) explicitly require accounting systems to maintain a system-generated, tamper-proof, and non-disableable audit trail. This creates a compliance expectation that audit logs must not be switched off or altered, even if the underlying technology allows it. As a result, organizations running SAP are required to implement governance, controls, and safeguards to ensure audit trails remain continuously available and audit-ready.
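Rule 11(g) asks for a tamper-proof audit trail, while the answer above notes that the underlying SAP logs can be deleted by a sufficiently privileged user. One compensating control is to export change-log entries into an append-only, hash-chained copy held outside the administrators' reach, so that any later deletion, edit or reordering of the exported entries is detectable at verification time. The following is an added example written for this article, not code from SAP or from ToggleNow; the key, the entries (modelled on CDHDR/CDPOS fields) and the out-of-band storage of the chain head are assumptions.

```python
"""Added example (not from the article or from SAP): a hash-chained,
append-only export of change-log entries with tamper detection."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # previous-MAC value for the first record


def canonical(entry):
    """Stable byte encoding so the same entry always yields the same MAC."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"), default=str).encode()


def record_mac(key, seq, prev_mac, entry):
    """HMAC over sequence number, previous MAC and the entry itself."""
    msg = f"{seq}|{prev_mac}|".encode() + canonical(entry)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only export. Each record carries its sequence number, the MAC of
    the previous record and its own MAC, so removing, reordering or editing any
    record breaks the chain from that point on."""

    def __init__(self, key):
        self._key = key
        self.records = []

    def append(self, entry):
        seq = len(self.records)
        prev = self.records[-1]["mac"] if self.records else GENESIS
        mac = record_mac(self._key, seq, prev, entry)
        self.records.append({"seq": seq, "prev": prev, "entry": entry, "mac": mac})
        return mac

    def head(self):
        """MAC of the newest record. Assumption: it is stored out of band (for
        example with the auditor) so that truncating the tail is also detectable."""
        return self.records[-1]["mac"] if self.records else GENESIS


def verify(records, key, expected_head=None):
    """Return (True, None) if the chain is intact, otherwise (False, seq) with the
    first bad position. With expected_head, also require the chain to end there."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        expected = record_mac(key, i, prev, rec["entry"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(records)
    return True, None


DEMO_KEY = b"constructed-demo-key-not-for-production"   # assumption: real key lives in an HSM/vault


def build_sample_log(key=DEMO_KEY):
    """Three constructed change-document entries modelled on CDHDR/CDPOS fields."""
    log = ChainedLog(key)
    log.append({"objectclas": "BELEG", "objectid": "10001900000001 2024", "changenr": "0000000101",
                "username": "CLERK1", "udate": "2024-03-16", "tcode": "FB02",
                "fname": "ZUONR", "value_old": "", "value_new": "INV-1001"})
    log.append({"objectclas": "BELEG", "objectid": "10001900000002 2024", "changenr": "0000000102",
                "username": "ADMIN7", "udate": "2024-04-12", "tcode": "",
                "fname": "BUDAT", "value_old": "2024-04-10", "value_new": "2024-03-28"})
    log.append({"objectclas": "BELEG", "objectid": "10001900000003 2024", "changenr": "0000000103",
                "username": "CLERK1", "udate": "2024-04-13", "tcode": "FB02",
                "fname": "SGTXT", "value_old": "draft", "value_new": "final"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.records, DEMO_KEY, log.head()))
    print("middle record removed:", verify([log.records[0], log.records[2]], DEMO_KEY))
    print("tail removed, head known:", verify(log.records[:-1], DEMO_KEY, log.head()))
```

The design point is the separation of duties it enforces: the SAP administrator who can delete CDHDR/CDPOS rows or switch off SM20 should hold neither the HMAC key nor the stored chain head, so a deletion in the source system shows up as a mismatch the next time the export is reconciled and verified.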

Meet Raghu Boddu, an expert in SAP Security and Governance, Risk, and Compliance (GRC) with over 20 years of experience. He has a deep understanding of SAP systems and has helped clients across industries implement effective security and GRC strategies to protect data and meet compliance. A respected thought leader, Raghu regularly shares insights through presentations and publications, offering the guidance needed to secure SAP systems and ensure regulatory compliance.