Para 3.22.34 — MSO (Audit)
Original Rule Text
3.22.34 The auditor should verify whether duties amongst the staff operating the computer system are adequately and effectively segregated so as to substantially reduce the risk of error and fraud. Poor segregation could lead to any one person, with control over a computer function, making an error or committing a fraud without it being detected and to the adoption of inappropriate working practices. Evidence of separation of duties can be gained by obtaining copies of job descriptions, organisation charts and observing the activities of IT staff. Where computer systems use security profiles to enforce separation of duties, the auditor should review on-screen displays or printouts of employees’ security profiles in relation to their functional responsibilities.
What This Means
The auditor must verify that duties among IT staff are adequately segregated to reduce the risk of errors and fraud. Poor segregation could allow one person to make errors or commit fraud undetected, or lead to inappropriate working practices. Evidence can be gathered from job descriptions, organisation charts, and direct observation. Where computer systems enforce segregation through security profiles, the auditor should review these profiles against actual functional responsibilities.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- Duties among IT staff must be adequately and effectively segregated
- Poor segregation increases the risk of undetected errors and fraud
- Evidence sources: job descriptions, organisation charts, direct observation
- Security profiles that enforce segregation should be reviewed on screen or from printouts
- Profiles must match employees' actual functional responsibilities
- Inappropriate working practices can result from poor segregation
Practical Example
The auditor reviews the IT section of a large government hospital. The organisation chart and job descriptions show separate roles for database administrator, system operator, and application developer. However, upon checking security profiles, the auditor discovers that the system operator's profile also carries database administrator privileges. On observation, the auditor finds the operator regularly modifies patient billing data directly in the database, bypassing the application's input controls and its audit trail. Because one person can both operate the system and alter its data, an error or a fraudulent change would not be detected by anyone else, which is exactly the risk the paragraph describes.
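The profile review in the example can be made systematic. The script below is an added illustration, not part of the MSO text: it takes a constructed security-profile export (user and granted privileges), the functional roles from the organisation chart, an assumed mapping of each role to the privileges it should hold, and an assumed segregation-of-duties matrix of privilege pairs that must never sit on one profile. It reports privileges outside the job role, forbidden combinations, staff with no profile, and profiles with no matching job description. All employee identifiers, role names and privilege names are hypothetical.

```python
"""Cross-check security profiles against functional responsibilities.

Added example for the segregation-of-duties check in para 3.22.34; not part
of the MSO. All data below is constructed for illustration (hypothetical
employees, roles and privileges), not an export from any real system.
"""
from itertools import combinations

# Functional roles taken from job descriptions / organisation chart (assumed).
JOB_DESCRIPTIONS = {
    "emp001": "database_administrator",
    "emp002": "system_operator",
    "emp003": "application_developer",
}

# Privileges each functional role is expected to hold (assumed policy).
ROLE_PRIVILEGES = {
    "database_administrator": {"db_admin", "db_backup"},
    "system_operator": {"job_schedule", "console_login"},
    "application_developer": {"source_commit", "test_db_write"},
}

# Privilege pairs that must never be combined on one profile (assumed SoD matrix).
CONFLICTING_PAIRS = {
    frozenset({"job_schedule", "db_admin"}),     # operate the system and alter its data
    frozenset({"source_commit", "db_admin"}),    # change code and change production data
    frozenset({"source_commit", "prod_deploy"}), # write code and deploy it unreviewed
}

# Constructed security-profile export: one "user,priv1;priv2;..." line per user.
PROFILE_EXPORT = """\
emp001,db_admin;db_backup
emp002,job_schedule;console_login;db_admin
emp003,source_commit;test_db_write
"""


def parse_profiles(text):
    """Parse 'user,priv1;priv2' lines into {user: set(privileges)}."""
    profiles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, privs = line.partition(",")
        profiles[user.strip()] = {p.strip() for p in privs.split(";") if p.strip()}
    return profiles


def review_profiles(profiles, job_descriptions, role_privileges, conflicting_pairs):
    """Return a list of (user, kind, detail) findings.

    kind is 'excess'   : a granted privilege the job role does not call for
            'conflict' : two granted privileges the SoD matrix forbids together
            'unknown'  : a profile with no job description to compare against
            'missing'  : a person in the org chart with no security profile
    """
    findings = []
    for user, granted in sorted(profiles.items()):
        role = job_descriptions.get(user)
        if role is None:
            findings.append((user, "unknown", "no job description for this profile"))
            continue
        expected = role_privileges.get(role, set())
        # Privileges beyond what the functional responsibility requires.
        for priv in sorted(granted - expected):
            findings.append((user, "excess", f"{priv} not expected for {role}"))
        # Toxic combinations held by a single person.
        for a, b in combinations(sorted(granted), 2):
            if frozenset({a, b}) in conflicting_pairs:
                findings.append((user, "conflict", f"{a} + {b}"))
    # Staff on the org chart with no profile at all (stale data or shared accounts).
    for user in sorted(set(job_descriptions) - set(profiles)):
        findings.append((user, "missing", "no security profile found"))
    return findings


if __name__ == "__main__":
    report = review_profiles(parse_profiles(PROFILE_EXPORT), JOB_DESCRIPTIONS,
                             ROLE_PRIVILEGES, CONFLICTING_PAIRS)
    for user, kind, detail in report:
        print(f"{user}: {kind}: {detail}")
```

Run against the constructed data, the script flags only emp002, the system operator, once for holding db_admin outside the operator role and once for the forbidden job_schedule + db_admin combination. The two checks are deliberately separate: an 'excess' finding shows the profile has drifted from the job description, while a 'conflict' finding shows the drift has produced a segregation-of-duties failure even if the job description were later amended to cover it.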
Frequently Asked Questions
How can the auditor verify separation of duties in practice?
What are security profiles?