Para 3.22.33 — MSO (Audit)
Original Rule Text
3.22.33 These controls ensure that
(i) there is judicious separation of duties to reduce the risk of employee fraud or sabotage by limiting the scope of authority of any individual;
(ii) there are comprehensive written standards; and
(iii) access to and use of computer terminals is properly authorised.
These high level controls are important as they influence the effectiveness of any lower level controls which operate within accounting applications. Unless the management follows appropriate IT policies and standards, it is unlikely that other controls will be sufficiently strong to support a controls-reliant audit approach. An assessment of the high level IT policies, strategies and procedures will provide the auditor with a reasonably reliable indication as to the existence and effectiveness of any lower level detailed controls.
- Segregation of duties
What This Means
Organisational controls in IT systems ensure three things: proper separation of duties to reduce fraud and sabotage risk, comprehensive written standards for IT operations, and properly authorised access to computer terminals. These high-level controls influence all lower-level application controls. If management does not follow appropriate IT policies and standards, lower-level controls are unlikely to be strong enough for a controls-reliant audit approach.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
1. Separation of duties reduces risk of employee fraud or sabotage
2. Comprehensive written standards for IT operations must exist
3. Access to computer terminals must be properly authorised
4. High-level organisational controls influence all lower-level controls
5. Without proper IT policies, lower-level controls cannot support controls-reliant audit
6. Assessment of high-level policies indicates effectiveness of detailed controls
Practical Example
During an IT audit of a treasury office, the auditor checks organisational controls. They find that the same person who enters payment data also approves it — a clear separation of duties violation. There are no written IT policies or standards. Terminal access is shared using a common password. Given these high-level control failures, the auditor concludes that application-level controls cannot be relied upon and switches to direct substantive testing of individual transactions.
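The two failures in the practical example above (the same person entering and approving a payment, and a terminal account shared by several people) are the kind of thing an auditor can test mechanically from a transaction extract rather than by interview alone. The following is an added illustration, not part of the manual or of any audit tool; the payment records, user names and the field layout are constructed for the example, and the final "reliance" decision simply mirrors the reasoning in the paragraph above.

```python
from collections import defaultdict

# Constructed sample extract of payment transactions (not real data).
# Each record names who keyed the payment, who approved it, and which
# terminal login account the entry was made under.
PAYMENTS = [
    {"txn": "P-1001", "entered_by": "ravi",  "approved_by": "meena", "terminal_account": "ravi"},
    {"txn": "P-1002", "entered_by": "ravi",  "approved_by": "ravi",  "terminal_account": "ravi"},
    {"txn": "P-1003", "entered_by": "sunil", "approved_by": "meena", "terminal_account": "shared01"},
    {"txn": "P-1004", "entered_by": "meena", "approved_by": "ravi",  "terminal_account": "shared01"},
    {"txn": "P-1005", "entered_by": "sunil", "approved_by": None,    "terminal_account": "sunil"},
]


def sod_violations(records):
    """Transactions where the person who entered the payment also approved it."""
    return [r["txn"] for r in records
            if r["approved_by"] is not None and r["entered_by"] == r["approved_by"]]


def unapproved(records):
    """Transactions with no recorded approver at all (approval control bypassed)."""
    return [r["txn"] for r in records if r["approved_by"] is None]


def shared_accounts(records):
    """Terminal login accounts used by more than one named individual.

    A shared login defeats 'properly authorised' access: the audit trail can
    no longer attribute an action to a single accountable person.
    """
    users = defaultdict(set)
    for r in records:
        users[r["terminal_account"]].add(r["entered_by"])
    return {acct: sorted(u) for acct, u in users.items() if len(u) > 1}


def audit_summary(records):
    """Collect the organisational-control findings and state whether the
    auditor can rely on application-level controls for this extract."""
    findings = {
        "sod_violations": sod_violations(records),
        "unapproved": unapproved(records),
        "shared_accounts": shared_accounts(records),
    }
    # Any high-level failure means lower-level controls cannot be relied on,
    # so the auditor falls back to substantive testing of transactions.
    findings["rely_on_application_controls"] = not (
        findings["sod_violations"] or findings["unapproved"] or findings["shared_accounts"]
    )
    return findings


if __name__ == "__main__":
    for key, value in audit_summary(PAYMENTS).items():
        print(f"{key}: {value}")
```

Run against the sample extract, the check flags P-1002 as a separation-of-duties breach, P-1005 as never approved, and the `shared01` account as used by two different people, so the summary reports that application controls cannot be relied upon. A written standard should exist that names which roles may enter and which may approve; this check only tests the data against the "same person on both sides" rule, not against that role matrix.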
Frequently Asked Questions
- Why is separation of duties important in computerised systems?
- What happens if organisational controls are weak?
- What does 'controls-reliant audit approach' mean?