An edit log is useful only when it cannot be disabled, overwritten or avoided through spreadsheets and interfaces.
CFO and IT owner
Continuous, with quarterly testing
Map every application feeding the ledger.
System and interface inventory.
Companies using accounting software must evaluate the Companies (Accounts) Rules requirement for software with an audit-trail or edit-log feature. The statutory auditor also has a reporting responsibility under the applicable audit rule.
The control perimeter includes the general ledger and systems that create or alter accounting entries: billing, payroll, inventory, expense, consolidation and interfaces. A compliant ledger can still receive unsupported summary journals from an uncontrolled source.
Management should test user identity, original and changed values, date and time, reason for edit, privileged access, retention, backup and export. A vendor brochure is not evidence that the feature operated throughout the year.
| Control | What it covers | Operating rule |
|---|---|---|
| System scope | All software that maintains books or feeds accounting entries. | Document interfaces and manual uploads. |
| Edit capture | Original and revised values remain visible. | Test ordinary and administrator users. |
| Access control | Users have individual credentials and approved roles. | Remove shared and dormant IDs. |
| Retention | Logs remain available for the required record period. | Test backup and restoration. |
Treat audit-trail gaps as governance issues because they affect the reliability of books, statutory audit reporting and diligence. Document remediation without altering historical evidence.
Include the audit-trail status in the audit committee or board risk report where the gap is material, recurring or affects important financial information.
Document the decision, owner, due date and evidence expected. A verbal explanation should be converted into a board note, approved working, contract amendment, portal acknowledgement or reconciliation before the item is treated as closed.
Rules, forms, thresholds and interpretations can change. The operating team should use the latest official source and the actual company facts instead of copying a control from another entity or prior year.
Ask four questions: Is the obligation or accounting treatment applicable? Has the underlying transaction been completely recorded? Does the evidence agree with the books and portal? Has an independent reviewer challenged the exception?
The review should distinguish a timing difference from an error, a judgement from a missing document, and a control failure from a one-time operational delay. Repeated small exceptions deserve root-cause action because they often become material during audit, fundraising, notice or distress.
The operating record should connect the control stages—system scope, edit capture, access control, retention—to the same transaction population. If the source list, accounting ledger, tax return, board record and management dashboard use different populations, the review can appear complete while exceptions remain outside the test.
Management should define an exception threshold, but the threshold must not hide repeated failures. A small error occurring every month can signal weak master data, unclear ownership or a broken interface. The reviewer should record root cause, immediate correction and preventive action separately.
Closure requires evidence. At minimum, the file should show who prepared the work, who reviewed it, which source documents were used, what differences remained and when the next follow-up is due. Screenshots without context or spreadsheets without source references are not a durable control record.
Finance should reconcile the operational schedule to the general ledger and explain every reconciling item by amount, age and owner. Manual journals, overrides and post-close changes deserve heightened review because they can bypass the normal transaction flow.
The board view should separate reported results from estimates and management metrics. When a KPI does not follow the statutory accounting framework, provide a stable definition and a bridge to the closest financial statement line so the measure cannot be changed silently.