Para 3.22.14 — MSO (Audit)
Original Rule Text
3.22.14 In adopting the system-based audit approach, it will be necessary to examine aspects relating to the regularity, economy, efficiency and effectiveness of the system besides evaluating data integrity, and data security. These are explained below:
(i) System effectiveness is measured by determining whether the system performs the intended functions and whether the users are able to obtain the requisite information in the right form and at the right time.
(ii) A system is economical and efficient if it uses the minimum number of information resources to achieve the output required by the users. This will involve optimisation of the use of system resources-hardware, software, personnel and money.
(iii) System activities can be considered to be regular if they comply with all applicable laws, rules, policies, guidelines, etc.
(iv) Achievement of data integrity implies that the internal controls must be adequate to ensure that errors are not introduced when entering, communicating, processing, storing or reporting data.
(v) In order to ensure data security, the data system resources, like other assets, must be sufficiently protected against theft, waste, frauds, unauthorised use and natural disasters.
The key controls for ensuring the above will have to be identified, recorded, evaluated and compliance tested. The results of the preliminary evaluation would be of assistance in
this context as well because the evaluation would have brought to light system deficiencies, major weaknesses and areas requiring greater, in-depth study. Identification of key controls would also depend on the experience gained by the auditor in the course of audit of similar installations.
What This Means
In a system-based audit approach, auditors evaluate five critical aspects of the computerised system: effectiveness (does it do what it is supposed to?), economy and efficiency (does it use minimum resources?), regularity (does it comply with laws and rules?), data integrity (are controls in place to prevent errors?), and data security (is data protected from theft, fraud, and disasters?). Key controls for each aspect must be identified, evaluated, and compliance-tested.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- 1System effectiveness: does the system perform intended functions and deliver information correctly?
- 2Economy and efficiency: are hardware, software, personnel, and money optimally used?
- 3Regularity: does the system comply with applicable laws, rules, and policies?
- 4Data integrity: are internal controls adequate to prevent errors in data handling?
- 5Data security: are system resources protected from theft, fraud, and disasters?
- 6Key controls must be identified, recorded, evaluated, and compliance-tested
Practical Example
During a system-based audit of a GST return processing system, the auditor checks effectiveness (can taxpayers file returns and get acknowledgement in time?), efficiency (are servers optimally utilised or frequently idle?), regularity (does the system apply correct tax rates as per law?), data integrity (can a return be modified after submission without audit trail?), and security (are taxpayer records protected from unauthorised access?). They find that data security is weak — 200 user accounts of transferred employees still have active access.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Frequently Asked Questions
Why are all five aspects equally important?▼
How does the auditor identify key controls?▼
What is compliance testing?▼
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.