Para 3.22.4 — MSO (Audit)
Original Rule Text
3.22.4 Controls in a computer information system reflect the policies, procedures, practices and organisational structures designed to provide reasonable assurance that the intended objectives will be achieved. They ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations. However, computer systems are efficient and achieve results accurately and at great speed only if they function in the manner they are designed to and such controls as are provided are effective. It is, therefore, important for the Auditor to verify that not only adequate controls exist, but that they also function effectively. Such controls should also be commensurate with the risk assessed so as to reduce the impact of identified risks to acceptable levels.
What This Means
Controls in a computer information system are the policies, procedures, practices, and organisational structures that ensure intended objectives are achieved. They cover three areas: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with rules and regulations. However, controls only work if the computer system functions as designed. Auditors must verify not only that adequate controls exist but that they actually work effectively, and that controls are proportionate to the assessed risk level.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- Controls are policies, procedures, practices, and structures providing assurance that objectives will be achieved
- Three areas: operational effectiveness/efficiency, financial reporting reliability, and regulatory compliance
- Computer systems are efficient only if they function as designed
- Auditors must verify both existence AND effectiveness of controls
- Controls should be commensurate with assessed risk levels
- Goal is to reduce identified risks to acceptable levels
Practical Example
A computerised stores management system has an access control policy (exists on paper), a procedure for weekly reconciliation of stock balances (documented), and an automated alert for stock levels below reorder point (programmed). The auditor checks effectiveness: the access control policy exists but passwords have not been changed in 2 years, weekly reconciliation has not been done for 6 months, and the automated alert works perfectly. Two out of three controls exist but do not function effectively — the auditor reports this with risk-based recommendations.
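The distinction the example draws, between a control that exists on paper and one that is actually operating, can be made mechanical. The following is an added illustration, not part of the manual or the page: each control carries its documented status, the risk it addresses, the most recent evidence that it operated, and how stale that evidence may be before the control is treated as not operating. The evidence dates and thresholds are constructed to match the stores example above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RISK_RANK = {"high": 3, "medium": 2, "low": 1}

@dataclass
class Control:
    name: str
    documented: bool                 # design exists (policy, procedure or program)
    risk: str                        # rating of the risk the control addresses
    max_gap: timedelta               # evidence older than this = control not operating
    last_operated: Optional[date]    # most recent evidence that the control ran
    test_passed: Optional[bool] = None  # auditor's own re-performance result, if done

def assess(control: Control, as_of: date) -> str:
    """Existence is checked first, then operating effectiveness."""
    if not control.documented:
        return "missing"
    if control.test_passed is False:
        return "ineffective"
    if control.last_operated is None or as_of - control.last_operated > control.max_gap:
        return "ineffective"
    return "effective"

def findings(controls, as_of):
    """Controls that are missing or not operating, highest risk first,
    so that recommendations are ordered by the risk each gap leaves open."""
    issues = [(c.name, assess(c, as_of), c.risk) for c in controls]
    issues = [f for f in issues if f[1] != "effective"]
    return sorted(issues, key=lambda f: RISK_RANK[f[2]], reverse=True)

# Constructed evidence (hypothetical dates) for the three controls in the example
AS_OF = date(2024, 6, 30)
STORES_CONTROLS = [
    Control("Access control policy (password rotation)", True, "high",
            timedelta(days=90), AS_OF - timedelta(days=730)),      # 2 years old
    Control("Weekly stock reconciliation", True, "medium",
            timedelta(days=7), AS_OF - timedelta(days=182)),       # 6 months old
    Control("Reorder-point alert", True, "high",
            timedelta(days=7), AS_OF - timedelta(days=1), test_passed=True),
]

if __name__ == "__main__":
    for c in STORES_CONTROLS:
        print(f"{c.name}: {assess(c, AS_OF)}")
    print("Findings (risk-ordered):", findings(STORES_CONTROLS, AS_OF))
```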
Frequently Asked Questions
What does it mean for controls to be 'commensurate with risk'?
Why is it not enough for controls to just exist?
How does the auditor verify that controls function effectively?