Para 3.22.10 — MSO (Audit)

MSO (Audit)mso-audit

3.22.10 The above objectives can be achieved by reviewing:
(i) the acquisition of the computer facilities;
(ii) whether the computer-based systems incorporate adequate procedural controls that are not invalidated by subsequent amendments;
(iii) the adequacy of controls governing development and maintenance of computerised systems;
(iv) the adequacy of administrative and organisational controls to ensure safe and expedient day-to-day operations; and
(v) the use of resources to appraise and report on waste, extravagance and inconvenient administration or poor value of money.
An auditor has to always bear in mind that he has to exercise an independent judgement on the capability of the system to cater to the intended objectives-efficient and adequate disposal.
# Preliminary evaluation

What This Means

The objectives of IT audit are achieved by reviewing five key areas: how computer facilities were acquired, whether procedural controls remain valid after amendments, adequacy of development and maintenance controls, sufficiency of administrative controls for daily operations, and whether resources are used without waste or extravagance. The auditor must always exercise independent judgement on the system's capability.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Key Points

1Review the acquisition process of computer facilities
2Check that procedural controls in systems are not invalidated by subsequent amendments
3Assess adequacy of controls for system development and maintenance
4Verify administrative and organisational controls for day-to-day operations
5Appraise resource use for waste, extravagance, or poor value for money
6Auditor must exercise independent judgement on system capability

Practical Example

An auditor reviewing a department's payroll software finds that while it was well-designed initially, three subsequent patches were applied to handle new allowance types. These patches bypassed the original validation control that checked total pay against sanctioned scales. The auditor flags this as a control that was invalidated by subsequent amendments, potentially allowing excess payments.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Frequently Asked Questions

Why should the auditor check whether controls are invalidated by amendments?▼

Software systems are frequently updated with patches, bug fixes, and new features. These changes can inadvertently disable or weaken existing controls, creating vulnerabilities that did not exist in the original system.

What does 'independent judgement' mean in this context?▼

The auditor should not simply accept the auditee's claims about system capability. Instead, the auditor must independently verify whether the system can actually achieve its intended objectives of efficient and adequate processing.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Para 3.22.10 — MSO (Audit)

Original Rule Text

What This Means

Key Points

Practical Example

Frequently Asked Questions

Related Rules