What was once a routine statutory obligation has now become a strategic imperative. With the enforcement of Section 128(1), Rule 3(5), and MCA Rule 11(g), the Ministry of Corporate Affairs has made it clear—financial data must be traceable, audit trails must be immutable, and governance must be built into the system, not layered on top.
These aren’t just regulatory updates—they’re a wake-up call. From April 2023/2024, Indian enterprises are expected to maintain tamper-proof logs of every transaction, configuration change, and master data update, especially in ERP systems like SAP. No more excuses. No more afterthoughts.
This shift is forcing CFOs, CIOs, and compliance leaders to rethink how data is recorded, who has access, and how every action can be traced back for accountability. It’s not just about avoiding fines—it’s about proving integrity, ensuring audit readiness, and safeguarding stakeholder trust in a digital-first economy.
Here is the detailed requirement of each section/rule:
Section 128(1)
Requires every company to keep its books of accounts and other relevant books, papers, and financial statements (“Books of Accounts”) at its registered office.
Such Books of Accounts are required to be maintained for a period not less than 8 financial years immediately preceding a financial year.
Section 128(1) of the Companies Act also permits companies to maintain Books of Accounts in electronic mode (“Electronic Records”). As per the Companies (Accounts) Rules, 2014 (“Companies Accounts Rules”), the Electronic Records must:
- remain accessible in India, at all times,
- be retained in the format in which they were originally generated, sent or received, or in a format which accurately presents the information generated, sent or received,
- be complete and remain unaltered.
Rule 3(5)
The proviso to Rule 3(5) of the Companies Accounts Rules specifies that if companies maintain a back-up of Electronic Records, such back-ups (irrespective of whether they are maintained within or outside India) ought to be kept in servers physically located in India on a daily basis.
MCA Rule 11(g)
What Rule 11(g) Really Means:
This isn’t just a checkbox compliance requirement — it’s a foundational shift toward accountability, traceability, and data integrity. Specifically, Rule 11(g) mandates:
- Immutable audit trails for all transactions.
- No deletion or alteration of logs.
- Daily operational status tracking of the audit trail feature.
- Confirmation that the feature was enabled throughout the year and was not tampered with.
Why SAP Teams Must Pay Attention
Many enterprises running SAP S/4HANA may assume that implementing the steps recommended in SAP Note 3042258 – Maintenance of audit trail – Statutory Requirement – 1st April 2023(India) is good enough and that they’re compliant by default. However, SAP audit trails that are natively enabled at both the Application and DB level can be disabled by administrators. What makes this complex:
- Logging is configurable — and reversible: Audit logs and database-level audit policies in SAP can be disabled or modified by users with administrative access, leaving compliance fragile and easily compromised.
- No enforcement mechanism: SAP does not provide built-in controls to enforce that audit trails remain continuously active or tamper-proof. This creates a blind spot if logging is turned off, even temporarily.
- Lack of tamper-evidence: Native audit trails in SAP do not provide integrity or immutability. A log entry can be deleted or altered without leaving forensic evidence.
- No real-time monitoring or alerting: There is no automated mechanism to alert if critical tables, configurations, or logging itself is modified—violating the “near real-time visibility” requirement under Rule 11(g).
- Privilege paradox: The very users (Basis/Security/Admins) responsible for enabling audit logs can also disable or delete them, creating a conflict of interest that weakens governance.
- No audit trail for audit trail settings: Ironically, changes made to audit trail configurations themselves are often not logged or monitored—leaving a critical blind spot.
The SAP Implementation Checklist for Rule 11(g)
Implementing an effective and compliant audit trail in SAP requires a structured approach:
1. Assessment of Current Logging Mechanisms
- Identify existing audit logging coverage both in SAP Application & HANA DB.
- Review critical tables and validate whether table logging is enabled. (There are around 700 tables in S/4HANA that need table logging enabled to record DDL/DML changes.)
- Evaluate gaps.
2. Design & Configuration
- Configure table logging as applicable.
- Enable SAP Security Audit Log & DB Audit policies, DDL/DML logs and change documents for deeper traceability.
- Remove authorizations to maintain audit log and change log tables from regular authorizations.
3. Audit Trail Enablement
- Implement access controls to prevent log modification or deletion.
- Schedule periodic system checks (preferably daily) to confirm logging status.
4. Review & Reporting
- Automate reporting to show daily logging status.
- Maintain an audit trail status dashboard for internal control and auditor review.
- Retain logs as per MCA’s 8-year requirement in secure archive environments.
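One way to make the daily status record from steps 3 and 4 tamper-evident (an added example, not SAP or ToggleNow code): each day's result is HMAC-chained to the previous one, so an edited record, a deleted record, or a day with logging off all surface on verification. The check names, the key, and the sample records are constructed for illustration; how the daily status is read from SAP is outside this example.

```python
import copy, hashlib, hmac, json
from datetime import date, timedelta

GENESIS = "0" * 64
KEY = b"constructed-demo-key"  # assumption: the real key is held outside the SAP admin team

def seal(prev, record, key):
    # HMAC binds each daily record to the digest of the record before it
    body = prev.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append(chain, record, key):
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"record": record, "digest": seal(prev, record, key)})

def verify(chain, start, end, key):
    """Return (finding, day) pairs for the period start..end inclusive."""
    findings, prev, seen = [], GENESIS, {}
    for entry in chain:
        rec = entry["record"]
        if not hmac.compare_digest(entry["digest"], seal(prev, rec, key)):
            findings.append(("CHAIN_BREAK", rec["day"]))  # edited, or predecessor removed
        prev = entry["digest"]
        seen[rec["day"]] = rec
    day = start
    while day <= end:
        rec = seen.get(day.isoformat())
        if rec is None:
            findings.append(("MISSING_DAY", day.isoformat()))
        elif not all(rec["checks"].values()):
            findings.append(("LOGGING_OFF", day.isoformat()))
        day += timedelta(days=1)
    return findings

def demo():
    # Constructed data: five daily status records; check names are hypothetical labels
    start, end, chain = date(2024, 4, 1), date(2024, 4, 5), []
    for n in range(5):
        checks = {"security_audit_log": True, "table_logging": n != 2, "db_audit_policy": True}
        append(chain, {"day": (start + timedelta(days=n)).isoformat(), "checks": checks}, KEY)
    edited = copy.deepcopy(chain)
    edited[2]["record"]["checks"]["table_logging"] = True  # hide the outage after the fact
    deleted = chain[:3] + chain[4:]                        # drop the 2024-04-04 record
    return {name: verify(c, start, end, KEY)
            for name, c in (("honest", chain), ("edited", edited), ("deleted", deleted))}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The chain only addresses the privilege paradox described earlier if the HMAC key and the verification run sit with someone other than the Basis/Security administrators. Records removed from the end of the chain show up as `MISSING_DAY` rather than `CHAIN_BREAK`, so the coverage check over the full period matters as much as the digest check.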
What the ICAI Implementation Guide Adds:
The ICAI’s updated implementation guide adds clarity in several key areas:
- Defines what constitutes an “accounting transaction.”
- Highlights the difference between accounting logs and IT security logs.
- Recommends standard operating procedures for configuration, review, and auditor reporting.
- Urges companies to document the audit trail policy, along with controls for monitoring and evidence preservation.
This is especially important for SAP environments where a lack of standardization or documentation could raise red flags during statutory audits.
Real-World Considerations for SAP Environments
- Can you prove to auditors that audit logs were never disabled?
- Can you prove to auditors that change logs have not been tampered with?
- Do you have tools to detect gaps or inconsistencies in your logging mechanisms?
- Is your ITGC framework aligned with Rule 11(g) mandates?
How ToggleNow Helps Enterprises Stay Compliant
ToggleNow offers a structured solution built around SAP best practices and Rule 11(g) expectations. Our approach includes:
- Evaluation: Understand the AS IS status and document findings.
- Implement: Implement the standard configurations as recommended by SAP in Note 3042258, along with additional authorization changes.
- Enhance: Implement a proactive monitoring and response solution with key controls, and prepare for audit readiness.
We don’t just provide checklists — we build systems that help you prove compliance, prevent risk, and simplify audits.
Rule 11(g) is not just a legal requirement — it’s a strategic opportunity to strengthen your organization’s control environment and digital accountability. For SAP-based enterprises, the challenge lies in mapping abstract mandates to complex system architectures. But with the right approach and tools, compliance doesn’t have to be hard — or manual.
If you’re unsure whether your current SAP setup is audit-trail ready, now is the time to review, redesign, and reinforce.