Para 3.22.35 — MSO (Audit)

MSO (Audit)mso-audit

3.22.35 In any major IT System, the following duties should be adequately segregated:
• System design and programming. • System support. • Routine IT operations and administration. • System security. • Database administration.
- Physical Access control

What This Means

In any major IT system, five key functions must be kept separate: system design and programming, system support, routine IT operations and administration, system security, and database administration. No single person or team should control more than one of these functions to prevent conflict of interest and reduce the risk of fraud or error.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Key Points

1System design and programming must be separate from operations
2System support should be independent of development and operations
3Routine IT operations and administration must be segregated
4System security should be managed independently
5Database administration must be separate from other functions
6These five duties must be adequately segregated in any major IT system

Practical Example

In a state government's centralised IT centre, the auditor finds that the same team handles system design, programming, AND database administration. This means the developers can write code that bypasses controls and directly modify production data without anyone else knowing. The auditor recommends that a separate database administration team be established with independent reporting, and that developers should not have write access to the production database.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Frequently Asked Questions

Why should programmers not have access to production systems?▼

If programmers can access production systems, they could introduce unauthorised code changes or directly manipulate data. Keeping development and production separate ensures that all code changes go through a formal review and approval process before deployment.

What if the organisation is too small to segregate all five functions?▼

In smaller organisations, compensating controls should be implemented — such as detailed logging of all activities, regular management review of system logs, mandatory peer review of code changes, and periodic independent audits of database activities.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Para 3.22.35 — MSO (Audit)

Original Rule Text

What This Means

Key Points

Practical Example

Frequently Asked Questions

Related Rules