Para 3.22.43 — MSO (Audit)
Original Rule Text
3.22.43 Audit should emphasise that auditee organisations which update their computer systems should have appropriate change management and configuration management controls. Configuration management procedures relate to the control of IT assets (i.e. hardware, software, documentation and communications) and the subsequent update of records, while change management relates to the authorisation, impact assessment, asset update, testing and implementation of changes. Risks can be reduced by appropriate change management controls. These controls should ensure that all system and program amendments are satisfactorily justified, authorised, documented and tested and that an adequate audit trail of the changes is maintained. All change procedures should be documented.
What This Means
Government organisations that update their computer systems must have both change management and configuration management controls. Configuration management tracks IT assets like hardware, software, documentation, and communications equipment and keeps records current. Change management covers the authorisation, impact assessment, testing, and implementation of changes. All system and program amendments must be justified, authorised, documented, and tested, and an adequate audit trail of the changes must be maintained.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
1. Change management and configuration management are distinct but complementary controls
2. Configuration management controls IT asset records (hardware, software, documentation, communications)
3. Change management covers authorisation, impact assessment, testing, and implementation of changes
4. All system amendments must be justified, authorised, documented, and tested
5. An adequate audit trail of all changes must be maintained
Practical Example
A government department upgrades 200 desktop computers from an older operating system to a newer version. The configuration management process updates the asset register with new OS version numbers, hardware specifications, and software licences for each machine. The change management process ensures the upgrade was formally authorised, an impact assessment was done, pilot testing was conducted on 10 machines first, and all changes are documented with dates and responsible personnel.
Frequently Asked Questions
What is the difference between change management and configuration management?
Why should auditors emphasise change management controls?