Cummins Inc., a global power solutions leader, comprises five business segments – Components, Engine, Distribution, Power Systems, and Accelera by Cummins – supported by its global manufacturing and extensive service and support network, skilled workforce and vast technological expertise. Cummins in India (Cummins India) is a leading provider of integrated power solutions for the industrial and automotive sectors. The group operates through 12 entities with a wide-ranging portfolio. It is engaged in designing, manufacturing, distributing, and servicing diesel and natural gas engines and powertrain-related components, including drivetrain, braking, after-treatment, turbochargers, fuel systems, control systems, air handling systems, transmissions, and electrified power systems solutions for commercial vehicles and industrial markets. 

Like many Indian enterprises, Cummins India is required to comply with the new regulatory standards set forth by the Ministry of Corporate Affairs (MCA) Rule 11(g). To help accelerate the process of meeting its regulatory compliance obligations with respect to the MCA Rule 11g audit trail requirements, Cummins India elected to use Oracle Audit Vault and Database Firewall (AVDF) for Oracle Database operating under Oracle E-Business Suite.

Ministry of Corporate Affairs (MCA) audit requirements

The Ministry of Corporate Affairs (MCA) introduced an amendment to Companies (Audit and Auditors) Rules, 2014  via (Audit and Auditors) Amendment Rules, 2021, which includes a new rule that requires companies to maintain an audit trail if they utilize software to maintain their books of account (Rule 11(g)). Essentially, Rule 11(g) requires companies using accounting software to ensure it has an audit trail (edit log) feature that cannot be disabled or tampered with, and that can be preserved to demonstrate compliance.

The  Institute of Chartered Accountants of India published the Implementation Guide on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 (Revised 2024 Edition), which serves as a guide for auditors to follow as they implement Rule 11(g) requirements while conducting audits. In summary, the Implementation Guide states that the audit trail should capture changes to each and every accounting transaction, including the following:

  • when changes were made
  • who made those changes
  • what data was changed

In part, the Implementation Guide describes audit trails (or edit logs) as a chronological record of the changes made to the data. Any change to data, including creating new data, updating, or deleting data, must be recorded.

Why Cummins India chose Oracle Audit Vault and Database Firewall

Cummins India leverages Oracle E-Business Suite (EBS) Enterprise Resource Planning (ERP) to help streamline operations across its globally distributed business units. The underlying Oracle Database in EBS is used for storing and processing books of account data. Oracle Database helps to provide comprehensive audit trail and transaction logging capabilities through Unified Auditing and the Redo logs (transaction logs), respectively. Audit Vault and Database Firewall (AVDF) collects audit data from both sources, as illustrated below:

 

Centralized collection of audit trails. Shows unified audit and redo log data moving from a database into the Audit Vault server
Figure 1: Centralized collection of audit trails in the Audit Vault server

Cummins chose Oracle Database security to help meet MCA Rule 11(g) requirements because Oracle Database security provides:

  • Comprehensive audit insights: Unified Auditing in Oracle Database tracks the most common security-relevant events in the database and can be configured to track specific activities. An audit event helps to provide detailed insights, often required for regulatory compliance and forensics.
  • Tracking before-and-after values: Oracle Database tracks data modifications within redo (transaction) logs. AVDF ingests those logs through Oracle GoldenGate (GoldenGate is included with AVDF via its restricted-use license) to capture before and after values—a capability essential for helping to meet MCA Rule 11(g) requirements. This capability is often lacking in other solutions.
  • Reporting capabilities: AVDF provides an out-of-the-box Data Modification report that contains before-and-after value changes to help demonstrate compliance.
  • Audit trail integrity and monitoring: MCA Rule 11(g) also appears to mandate proof that the audit trail feature remains consistently active, fully operational, and protected from any modification. Such monitoring controls, integrity, and reliability measures are integral to Oracle Database and AVDF.

How Cummins India leveraged AVDF to help meet their MCA compliance obligations

Cummins has multiple global E-Business Suite instances hosted in Oracle Cloud Infrastructure (OCI) with data for multiple countries.

Shows Oracle Database operating in an OCI region feeding audit and redo information into AVDF. That AVDF in turn connects to an on-premises Audit Vault server physically located in India, which connects to the on-premises compliance server
Figure 2: High-level architectural overview of the solution at Cummins

Key solution components include:

  • Unified Audit
    • Unified auditing is configured in the E-Business Suite Oracle Database to help track data changes from non-application server hosts. Unified audit also helps track other security and business-relevant activity within the Oracle Database.
  • Redo logs
    • Redo logs of E-Business Suite Oracle Database helps capture data changes.
  • Oracle GoldenGate
    • AVDF leverages Oracle GoldenGate’s real-time data replication capabilities to help capture before and after values from Redo logs. GoldenGate extracts the required information from redo logs to an audit trail in XML file format using its Integrated Extract process.
    • The SQLEXEC parameter with the FILTER clause is used in the Integrated Extract process to invoke a custom stored procedure against the relevant ERP tables for update and delete operations. This helps filter India-specific content from redo log before writing it to the audit trail in XML file format.
  • Oracle Cloud Infrastructure
    • The primary Audit Vault server and GoldenGate are deployed on respective IaaS compute instances in OCI.  Cummins used the AVDF marketplace image available on OCI.
  • Oracle Audit Vault and Database Firewall
    • The AVDF agent collects the audit events from unified_audit_trail view, and forwards them to the primary Audit Vault server.
    • The AVDF agent deployed on the GoldenGate OCI VM instance collects the transaction trail data in XML file format and forwards them to the primary Audit Vault server in OCI.
    • The transactional changes to India-specific records can now be viewed online in “Data Modification Before-After values” AVDF report.
    • The Audit Vault server is configured for high availability with the standby Audit Vault server located in Cummins’ India data center. The standby server works as the audit trail repository warehouse to  help meet the physical residency requirements of the MCA guidelines
  • Custom stored procedure
    • A stored procedure filters India-specific financial records in the redo log for the relevant tables in the EBS database. This stored procedure is invoked using SQLEXEC parameter in GoldenGate’s Integrated Extract process. Refer to MOS Note 3090614.1 for a sample implementation. This is optional for those who don’t need to filter specific financial records.

Now, an auditor can access the AVDF reports including Data modification Before-After Value report and All Activity report to reconcile changes to financial transactions on books of account.

Screenshot from Audit Vault and Database Firewall showing the Data Modification report
Figure 3: Data modification Before-After Value report in AVDF with India-specific financial updates

 

Cummins India accelerated efforts to meet their compliance obligations with respect to MCA Rule 11(g) audit requirements using AVDF and GoldenGate. According to Cummins India:

 

Audit Vault and Database Firewall has enabled us to meet audit trail compliance requirements set by MCA guidelines via Companies Act, 2013 as detailed in the ICAI Guidance Note. After evaluating other choices/functionalities, AVDF solution with GoldenGate was finalized for implementation. This decision was supported by the recommendation in Oracle E-Business Suite Release 12: India – Audit Trail Requirements Mandated by Ministry of Corporate Affairs (Doc ID 2765751.1).

Audit Vault and Database Firewall allowed Cummins to fully adhere to all legal requirements of India’s MCA 11(g), particularly, in terms of showing before/after values, preserving audit trail, and preventing tampering.

Oracle Cloud Infrastructure (OCI) dynamically scales resources up or down in response to system demand, ensuring consistent performance under varying workloads. This capability has helped meet the additional demand on the EBS cloud database during month-end processing.

— Jeevan V Pandit,

India Region IT Lead

Oracle Finance & Oracle BI, Cummins – IT India Region India

 

Cummins used this decision-making matrix to objectively evaluate potential solutions, identifying AVDF as the best fit. 

Potential solutions

Data capture

Before After values

System Performance

Trail log modification

Audit Trail in ERP application

All

Yes

Impacted

Possible

Privilege Account Management

SQL capture

No

Least impacted

 –

Audit Vault and Database Firewall

Targeted to India-specific transaction data

Yes

Least impacted

Not possible

Table 1: Cummins’ decision-making matrix

In addition to Jeevan V Pandit, the team at Cummins that led the collaborative efforts included Kalyani Dhotkar (Finance Technical Lead, Cummins – IT India Region), Andrew Watkins (Oracle EBS Platform Engineer- Cummins(UK)), Arun Prakash (TCL JSR Site Finance Leader, Tata Cummins Finance) and Neha S Joshi (India Corporate Controller, Consolidation and Technical Accounting Leader, Cummins India).

 To learn more: