Para 3.22.42 — MSO (Audit)

MSO (Audit)mso-audit

3.22.42 Change management controls are used to ensure that amendments to a computer system are properly authorised, tested, accepted and documented. Poor change controls could result in accidental or malicious changes to the software and data. Poorly designed changes could alter financial information and remove audit trails. Audit should ensure that a new or amended computer system is thoroughly tested by its end users before live use. Financial systems rarely remain static and are frequently changed, amended or updated. These regular changes may be necessary to improve efficiency, functionality or remove programming faults (‘bugs’).

What This Means

Change management controls ensure that any modifications to a computer system are properly authorised, tested, accepted by end users, and documented before going live. Without these controls, accidental or deliberate changes could corrupt financial data or remove audit trails. Financial systems are frequently updated for efficiency improvements, new features, or bug fixes, so robust change management is essential.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Key Points

1All amendments to computer systems must be properly authorised, tested, accepted, and documented
2Poor change controls can lead to accidental or malicious changes to software and data
3Poorly designed changes may alter financial information or remove audit trails
4End users must thoroughly test new or amended systems before live deployment
5Financial systems are frequently changed for efficiency, functionality, or bug fixes

Practical Example

A Central Government ministry decides to update its pension calculation module to incorporate revised DA rates. Before the change goes live, the IT team documents the proposed modification, gets approval from the head of the pension section, develops and tests the change in a test environment, has pension clerks verify results against manual calculations, and only then deploys it to production. The entire process is documented for audit review.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Frequently Asked Questions

What risks arise from poor change management controls?▼

Poor change controls can result in unauthorised modifications to software or data, corruption of financial records, removal of audit trails, introduction of new bugs, and system instability that affects daily operations.

Why must end users test system changes before live deployment?▼

End users understand the business requirements and can verify that the modified system produces correct outputs for real-world scenarios. Technical testing alone may miss functional errors that only subject-matter experts would catch.

What should change management documentation include?▼

It should include the change request with justification, authorisation approvals, impact assessment, test plans and results, user acceptance sign-off, implementation steps, and rollback procedures in case of failure.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Para 3.22.42 — MSO (Audit)

Original Rule Text

What This Means

Key Points

Practical Example

Frequently Asked Questions

Related Rules