Para 3.22.32 — MSO (Audit)
Original Rule Text
3.22.32 The auditor has to review the internal controls which are essential for proper operation and maintenance. Some of the operation and maintenance controls fall in the category of general controls (also referred to as environmental controls) relating to the entire gamut of computer facilities. The overall audit objective in reviewing the general controls is to ensure that the controls and procedures are adequate to provide secure, effective and efficient day-to-day operation of the computer facilities. The controls and procedures that together constitute the general controls are discussed in the succeeding paragraphs.
# Organisational controls
What This Means
Auditors must review the internal controls essential for proper operation and maintenance of computer systems. Some of these are 'general controls' (also called environmental controls) that apply across the entire IT environment, not just one application. The overall audit objective is to ensure these controls and procedures provide secure, effective, and efficient day-to-day operation of all computer facilities.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- Internal controls for operation and maintenance must be reviewed by audit
- General controls (environmental controls) apply across the entire IT environment
- General controls affect all underlying computer applications
- Audit objective: ensure controls provide secure, effective, and efficient daily operations
- These controls form the foundation on which application-specific controls depend
Practical Example
While auditing a state government's data centre that hosts 15 different departmental applications, the auditor reviews the general controls: physical security (CCTV, access cards), environmental controls (fire suppression, air conditioning, UPS backup), operations procedures (job scheduling, backup routines), and change management (how software updates are authorised and applied). They find that while individual applications have good controls, the data centre lacks a fire suppression system and backup tapes are stored in the same room as the servers — general control weaknesses that put all 15 applications at risk.
Frequently Asked Questions
What is the difference between general controls and application controls?
Why are general controls considered foundational?