Para 3.22.30 — MSO (Audit)

MSO (Audit)mso-audit

3.22.30 The ultimate responsibility for incorporating internal controls and an adequate trail into computer-based systems must rest with the auditee organisation. It is, therefore, not necessary for the auditor to provide, as a matter of policy, any consultancy advice on developing systems. Nonetheless, Audit should be aware of all developments that are likely to have a significant impact on the audit processes. At an early stage in the design process of a new system, the auditor should consider providing the auditee organisation specific comments on:
(i) internal controls in the light of weaknesses identified in the existing system;
(ii) audit needs such as data retention or retrieval facilities and audit trail requirements; and
(iii) any other requirement to facilitate his audit, or improve its efficiency and effectiveness.
# Main points to be checked by Audit

What This Means

The responsibility for building internal controls and audit trails into computer systems lies with the auditee organisation, not the auditor. While the auditor should not act as a consultant during system design, they should stay aware of significant IT developments and provide early-stage comments on: control weaknesses in the current system, audit requirements like data retention and retrieval facilities, and anything else needed to facilitate effective audit.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Key Points

1Auditee organisation is responsible for internal controls and audit trails — not the auditor
2Auditor should not provide general consultancy on system design
3Auditor must stay aware of significant IT developments affecting audit
4Early-stage comments on control weaknesses from existing systems should be shared
5Audit requirements like data retention and audit trail facilities should be communicated
6Any other requirements to improve audit efficiency should be flagged early

Practical Example

A state finance department is designing a new e-treasury system. The audit office learns about it early and writes to the department (without acting as a consultant) flagging three specific points: the current system lacks an audit trail for payment modifications, data is purged after 3 years which is insufficient for audit (they request 7-year retention), and they need a read-only query access facility for auditors. The department incorporates these requirements into the system design, saving significant cost compared to retrofitting them later.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Frequently Asked Questions

Why should the auditor not provide consultancy during system design?▼

If the auditor helps design the system, they cannot later objectively audit it — they would be auditing their own advice. Maintaining independence and objectivity requires that the auditor's role remain evaluative, not participative.

What is the benefit of providing early-stage comments?▼

Incorporating audit requirements during the design phase is far less costly than retrofitting them later. For example, building an audit trail into the original design may cost 5% of the project, but adding it after implementation could cost 30% or more.

What is an audit trail in a computerised system?▼

An audit trail is a chronological record of system activities that allows reconstruction of all events related to a transaction — who entered it, when, what changes were made, who approved it, and how it was processed. Without this, auditors cannot trace transactions from input to output.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Para 3.22.30 — MSO (Audit)

Original Rule Text

What This Means

Key Points

Practical Example

Frequently Asked Questions

Related Rules