Para 3.22.11 — MSO (Audit)

MSO (Audit)mso-audit

3.22.11 The first step in audit should be a preliminary evaluation of the computer systems covering:
(i) the manner in which the computer function is organised;
(ii) the use of computer hardware and software;
(iii) the applications processed by the computer and their relative significance to the organisation; and
(iv) the methods and procedures prescribed for implementation of new applications or revision of existing applications.
In the course of the preliminary evaluation, the auditor should ascertain the level of control awareness in the auditee organisation and existence (or non-existence) of control standards. The preliminary evaluation should identify inter alia potential key controls and any serious weaknesses in these controls. The auditor should examine whether each control objective has been achieved and; if not, he should assess the significance of and risks involved in the deficiencies observed.
# Audit methodology

What This Means

The first step in IT audit is a preliminary evaluation covering how the computer function is organised, hardware and software usage, the applications being processed and their importance, and the methods for implementing new or revised applications. This evaluation should identify the level of control awareness, potential key controls, and any serious weaknesses, so the auditor can assess risks and determine the significance of deficiencies.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Key Points

1Preliminary evaluation is the mandatory first step in IT audit
2Covers organisation of computer function, hardware/software use, and applications
3Must identify potential key controls and serious weaknesses
4Auditor should assess the level of control awareness in the auditee organisation
5Each control objective must be checked for achievement
6Significance and risk of deficiencies must be assessed

Practical Example

Before conducting a detailed IT audit of the Motor Vehicles Department's online licensing system, the auditor performs a preliminary evaluation. They find that the system runs on outdated hardware with no backup server, uses unlicensed database software, and processes 5,000 licence applications daily — the most critical application in the department. The absence of a disaster recovery plan is identified as a serious weakness requiring immediate attention.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Frequently Asked Questions

Why is a preliminary evaluation necessary before detailed IT audit?▼

It provides the auditor with an understanding of the IT environment, helps prioritise audit efforts, identifies key risk areas, and determines whether a system-based or substantive testing approach would be more appropriate.

What is meant by 'control awareness' in the auditee organisation?▼

Control awareness refers to whether the organisation's management and staff understand the importance of IT controls, have documented control policies, and actively monitor compliance with those policies.

What happens after the preliminary evaluation?▼

Based on the findings, the auditor decides the appropriate audit methodology — either direct substantive testing of transactions or a system-based audit approach examining controls in detail.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Para 3.22.11 — MSO (Audit)

Original Rule Text

What This Means

Key Points

Practical Example

Frequently Asked Questions

Related Rules