Statutory & Regulatory Compliance

Compliance embedded in system design, mapped to 8 statutes and standards

Statutes & Standards Covered

Companies Act 2013

Sections 128, 129 and 143

Books of account maintained with true and fair view. Fixed asset schedules linked to the register. Internal financial controls that the auditor can verify — every transaction carries a complete audit trail with user, timestamp, and approval level.

CARO 2020

Clause 3(i)

Proper records of fixed assets with quantitative details and situation. Physical verification at reasonable intervals through structured campaigns. Title deed tracking. Asset disposal documentation with approval chain and accounting entries.

AS 10 / Ind AS 16

Fixed Asset Accounting

Recognition at cost including all directly attributable expenditure. SLM and WDV depreciation per Schedule II. Component-level tracking where applicable. Derecognition on disposal with gain/loss computation. Works under both IGAAP and Ind AS.

GST Compliance

CGST Act

Automatic CGST/SGST/IGST split based on vendor GSTIN and organisation location. Three-way invoice matching. Tax debit notes per Section 34. HSN/SAC code validation. ITC eligibility tracking with toggle for blocked credit items.

TDS Compliance

Section 194C, 194J

TDS section master with applicable rates, linked to vendors based on service type. TDS deduction visible at PO approval stage. Section-wise tracking across the procurement cycle with Tally voucher generation.

DPDP Act 2023

Digital Personal Data Protection

Right to access (S6): Users export their personal data — profile, activity summary, last 500 audit records, consent history. Rate-limited to 1 per hour.
Right to erasure (S8): Users request deletion; admin confirms. PII anonymised (username, name, email cleared; password invalidated), user row preserved for referential integrity.
Consent (S7): Policy version, timestamp, and IP recorded per consent event. Re-consent required on policy version change.
Grievance officer (S7): Designated per organisation. Falls back to admin if unset. Public endpoint for data subject contact.

GST — per-line ITC posture and reporting

Section 17(5) of the CGST Act lists ten categories of supplies on which Input Tax Credit is ineligible: motor vehicles, food and beverage, immovable construction, gifts and samples, CSR, club and health expenses, supplies from composition dealers, invalid-GST invoices, place-of-supply blocks, and personal consumption. ProcureTrail captures the ITC decision per PO line — not per invoice — using an eleven-value enumeration that mirrors these statutory categories (plus an OTHER slot for documented edge cases with a free-text note).

  • Domestic ITC is decided at PO approval and locked through to posting. Audit action PO_ITC_EDITED_AT_APPROVAL records every change with before/after deltas.
  • Import ITC remains editable on the goods receipt until posting via POST /grn/{id}/itc-override — necessary because customs documents often arrive after the goods land.
  • A CSV report (GET /reports/itc-blocked-purchases) lists every PO line and every asset cost component where ITC was blocked, with vendor, invoice, line description, basic value, GST, block reason and note. The report is filterable by date, reason and vendor and is designed for GSTR-3B reconciliation.
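The line-level GST split described under GST Compliance and the per-line ITC posture described here, as an added illustration that is not ProcureTrail's own code: the enum names, the PoLine model, the convention that a missing block reason means "eligible", and the 15-character GSTIN check are all assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from enum import Enum

class ItcBlock(Enum):
    # The ten Section 17(5) categories named above, plus OTHER (which must carry a note).
    MOTOR_VEHICLE = "motor vehicles"
    FOOD_BEVERAGE = "food and beverage"
    IMMOVABLE_CONSTRUCTION = "immovable construction"
    GIFTS_SAMPLES = "gifts and samples"
    CSR = "CSR"
    CLUB_HEALTH = "club and health expenses"
    COMPOSITION_DEALER = "supply from composition dealer"
    INVALID_GST_INVOICE = "invalid-GST invoice"
    PLACE_OF_SUPPLY = "place-of-supply block"
    PERSONAL_CONSUMPTION = "personal consumption"
    OTHER = "other"

@dataclass(frozen=True)
class PoLine:
    description: str
    basic_value: Decimal
    gst_rate_pct: Decimal
    itc_block: "ItcBlock | None" = None  # None = ITC eligible (modelling assumption)
    note: str = ""

def state_code(gstin: str) -> str:
    # A GSTIN is 15 characters; the first two are the numeric state code.
    if len(gstin) != 15 or not gstin[:2].isdigit():
        raise ValueError(f"malformed GSTIN: {gstin!r}")
    return gstin[:2]

def split_gst(line: PoLine, vendor_gstin: str, org_gstin: str) -> dict:
    # Same state code on both sides -> intra-state: CGST + SGST in equal halves; else IGST.
    tax = (line.basic_value * line.gst_rate_pct / 100).quantize(Decimal("0.01"), ROUND_HALF_UP)
    if state_code(vendor_gstin) == state_code(org_gstin):
        cgst = (tax / 2).quantize(Decimal("0.01"), ROUND_HALF_UP)
        return {"CGST": cgst, "SGST": tax - cgst, "IGST": Decimal("0.00")}
    return {"CGST": Decimal("0.00"), "SGST": Decimal("0.00"), "IGST": tax}

def blocked_itc_rows(lines: list, vendor: str, vendor_gstin: str, org_gstin: str) -> list:
    # One row per PO line whose ITC is blocked, in the shape a GSTR-3B reconciliation needs.
    rows = []
    for line in [l for l in lines if l.itc_block is not None]:  # eligible lines are not reported
        if line.itc_block is ItcBlock.OTHER and not line.note.strip():
            raise ValueError(f"OTHER block reason needs a note: {line.description}")
        taxes = split_gst(line, vendor_gstin, org_gstin)
        rows.append({"vendor": vendor, "line": line.description, "basic": line.basic_value,
                     "gst": sum(taxes.values()), "reason": line.itc_block.name, "note": line.note})
    return rows
```

The GSTIN values in any call are constructed placeholders, not real registrations.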

See Per-line GST ITC.

Customs — Bill of Entry as the source document

The Customs Act, 1962 (and the Foreign Trade (Development & Regulation) Act, 1992) make the Bill of Entry the statutory document of import. Customs duty (BCD, SWS, IGST, Cess) is assessed per BoE line — different items at different HSN codes attract different rates within the same shipment. ProcureTrail captures the BoE as a first-class entity: header (BillOfEntry) with port, CHA, shipping bill and exchange rate; lines (BillOfEntryLine) with per-line assessable value and per-head duty. Customs duty capitalisation on the receiving goods receipt reads from BoE lines — not from a header proportional allocation — preserving the per-HSN duty attribution required for an import audit.
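An added example, not ProcureTrail's code, of why reading duty from BoE lines differs from a header allocation: two lines in one shipment with different duty rates, capitalised per line versus spread proportionally by assessable value. Field names, the port, the exchange rate and the duty figures are constructed, and treating IGST as non-capitalised by default is an assumption.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

@dataclass
class BillOfEntryLine:
    line_no: int
    hsn: str
    assessable_value: Decimal
    duty: dict              # per-head duty as assessed for this line, e.g. {"BCD": ..., "SWS": ...}

@dataclass
class BillOfEntry:
    boe_no: str
    port: str
    exchange_rate: Decimal
    lines: list = field(default_factory=list)

    def header_total(self, head: str) -> Decimal:
        return sum((l.duty.get(head, Decimal(0)) for l in self.lines), Decimal(0))

def capitalised_duty_per_line(boe: BillOfEntry, heads=("BCD", "SWS")) -> dict:
    # Read each line's own assessed duty. IGST is left out of the default heads on the
    # assumption that it is claimed as ITC; include it for lines where credit is blocked.
    return {l.line_no: sum((l.duty.get(h, Decimal(0)) for h in heads), Decimal(0))
            for l in boe.lines}

def proportional_allocation(boe: BillOfEntry, heads=("BCD", "SWS")) -> dict:
    # The header-level shortcut the page argues against: spread total duty by assessable value.
    total_av = sum((l.assessable_value for l in boe.lines), Decimal(0))
    total_duty = sum((boe.header_total(h) for h in heads), Decimal(0))
    return {l.line_no: (total_duty * l.assessable_value / total_av).quantize(CENT, ROUND_HALF_UP)
            for l in boe.lines}
```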

See Import accounting.

Internal Controls

Segregation of Duties

The submitter of a requisition cannot approve their own request. Self-approval prevention is enforced at the system level, not by policy alone.

Sequential Approval

Level N must be fully complete — all approvers at that level — before Level N+1 can act. This ensures the approval chain is followed in the correct order.

Immutable Snapshots

The routing and approval chain is frozen at the time of submission. Subsequent changes to the approval matrix do not alter existing workflows. POSTED documents are immutable.

Violation Logging

Attempted unauthorized transitions are recorded even when blocked. The audit trail captures not just what happened, but what was attempted and prevented.
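The four controls above (segregation of duties, sequential approval, a routing snapshot frozen at submission, and logging of blocked attempts) in one small approval engine. This is an added example, not ProcureTrail's code; the Requisition model, status names and audit action names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
@dataclass
class Requisition:
    req_id: str
    submitter: str
    routing: tuple           # frozen snapshot: one tuple of approver ids per level
    approvals: dict = field(default_factory=dict)  # level index -> set of approvers who acted
    status: str = "SUBMITTED"

class ApprovalEngine:
    def __init__(self):
        self.audit = []      # every attempt, allowed or blocked, is recorded here
    def _log(self, action, req, user, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                           "req": req.req_id, "user": user, **detail})

    def submit(self, req_id, submitter, matrix) -> Requisition:
        # Copy the approval matrix into immutable tuples; later edits to `matrix` cannot leak in.
        if not matrix:
            raise ValueError("routing needs at least one approval level")
        req = Requisition(req_id, submitter, tuple(tuple(level) for level in matrix))
        self._log("SUBMITTED", req, submitter)
        return req

    def current_level(self, req) -> int:
        # First level whose approvers have not all acted; equals len(routing) once complete.
        for i, level in enumerate(req.routing):
            if not set(level) <= req.approvals.get(i, set()):
                return i
        return len(req.routing)

    def approve(self, req, user) -> bool:
        if req.status != "SUBMITTED":                 # APPROVED or POSTED: immutable
            self._log("BLOCKED_NOT_OPEN", req, user, status=req.status)
            return False
        if user == req.submitter:                     # segregation of duties
            self._log("BLOCKED_SELF_APPROVAL", req, user)
            return False
        lvl = self.current_level(req)
        if user not in req.routing[lvl]:              # sequential approval
            later = any(user in level for level in req.routing[lvl + 1:])
            self._log("BLOCKED_OUT_OF_SEQUENCE" if later else "BLOCKED_NOT_AN_APPROVER",
                      req, user, level=lvl)
            return False
        req.approvals.setdefault(lvl, set()).add(user)
        self._log("APPROVED", req, user, level=lvl)
        if self.current_level(req) == len(req.routing):
            req.status = "APPROVED"
        return True
```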

Access & Security Controls

Role-Based Access

There are six roles — Admin, Senior Manager, Manager, Employee, Security, and a platform-level Superadmin — each with a defined set of accessible modules. The backend controls which screens each role can reach. The frontend renders only what the backend permits — no client-side access rules.

Endpoint-Level Permissions

Each API endpoint checks a specific permission before executing. Permissions are mapped to roles at organisation creation and can be adjusted by administrators. Over 30 permission keys span procurement, assets, vendors, approvals, audit, and administration.

Self-Escalation Prevention

Users cannot change their own role to a higher privilege level. An administrator cannot promote themselves beyond the administrator role. Role changes are audit-logged with before and after values.

Account Lockout

After a configurable number of failed login attempts, the account is locked for a configurable duration. The lock status is returned with remaining minutes. A successful login resets the counter. Administrators can manually unlock accounts.
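The lockout behaviour described above as an added example, not ProcureTrail's code: a configurable failure threshold and lock duration, remaining minutes reported while locked, counter reset on success, and an administrative unlock. The in-memory state store and the `password_ok` verdict supplied by the caller are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math

@dataclass
class LoginState:
    failures: int = 0
    locked_until: datetime = None

class LockoutPolicy:
    def __init__(self, max_failures: int = 5, lock_minutes: int = 15):
        self.max_failures = max_failures
        self.lock = timedelta(minutes=lock_minutes)
        self.state = {}   # username -> LoginState (in-memory stand-in for a persistent store)

    def status(self, user: str, now: datetime) -> dict:
        s = self.state.setdefault(user, LoginState())
        if s.locked_until is not None and now < s.locked_until:
            remaining = math.ceil((s.locked_until - now).total_seconds() / 60)
            return {"locked": True, "remaining_minutes": remaining}
        return {"locked": False, "remaining_minutes": 0}

    def attempt(self, user: str, password_ok: bool, now: datetime = None) -> dict:
        # `password_ok` is the password verifier's verdict; the lock is consulted before it counts.
        now = now or datetime.now(timezone.utc)
        st = self.status(user, now)
        if st["locked"]:
            return {"ok": False, **st}          # locked: report remaining minutes, nothing else
        s = self.state[user]
        if password_ok:
            s.failures, s.locked_until = 0, None   # a successful login resets the counter
            return {"ok": True, **st}
        s.failures += 1
        if s.failures >= self.max_failures:
            s.locked_until = now + self.lock
            s.failures = 0                      # fresh count once the lock expires
            return {"ok": False, **self.status(user, now)}
        return {"ok": False, **st}

    def admin_unlock(self, user: str) -> None:
        self.state[user] = LoginState()
```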

Force Logout

Administrators can force-logout any user, immediately invalidating all existing sessions. Used when a device is lost, credentials are suspected compromised, or a user's role changes and active sessions should not retain prior access.

Bulk User Import

Import users via CSV or XLSX with up to 500 rows per batch. Passwords are auto-generated and available only through a one-time credential CSV download — no passwords are sent by email. Row-level validation with error reporting. Template download available.

Email Verification Gating

Approval notification emails and password reset emails are sent only to verified email addresses. Credential emails have been removed entirely — passwords are distributed via secure download only. This prevents email delivery to addresses that have not been confirmed by the user.

Rate Limiting

Critical endpoints are rate-limited per IP or per user: signup (3 per hour), forgot password (3 per minute), password reset (5 per minute), data export (1 per hour), and email verification requests (3 per hour). This limits brute-force attacks, credential enumeration, and resource exhaustion.

  • 8 statutes mapped
  • 6 access roles
  • 30+ permission keys
  • DPDP Act compliant

Frequently Asked Questions

What statutory compliance is required for fixed asset records in India?

Fixed asset records in India must comply with Companies Act 2013 Section 128 (proper books of account), CARO 2020 Clause 3(i) (PPE records and physical verification), Schedule II (asset class-wise depreciation), Companies (Accounts) Rules 2014 (audit trail since April 2023), and Income Tax Section 32 (block of assets). Each statute specifies what records must exist and how long to retain them.

What statutory compliance does this software support?

ProcureTrail supports Companies Act 2013 (Schedule II depreciation, asset register format), CARO 2020 (fixed asset reporting), AS 10 / Ind AS 16 (asset recognition and measurement), GST Act (CGST/SGST/IGST split at transaction level), TDS provisions (194C/194Q), and DPDP Act 2023 (data privacy and consent management).

How does this help with CARO 2020 compliance?

The fixed asset register maintains asset-wise records with classification, location, depreciation method, and disposal details — fields that support CARO 2020 clause 3(i) reporting on property, plant and equipment.

Is GST compliance built into the procurement workflow?

Yes. Every transaction captures GST at the line level with automatic CGST/SGST/IGST split based on supply type. HSN/SAC codes, ITC eligibility, and reverse charge are tracked. Tally vouchers include the correct GST ledger mapping.

Does this support audit trail requirements under Indian law?

Yes. Every action — approval, rejection, edit, posting, reversal — is logged with user, timestamp, and before/after values in an immutable audit trail. This supports the audit trail requirements under Companies Act 2013 Section 128 and Rule 3 of the Companies (Accounts) Rules 2014 (as amended, effective 1 April 2023).
