Para 3.22.44 — MSO (Audit)

MSO (Audit)mso-audit

3.22.44 These controls should ensure that program and file amendments are authorised, logged and monitored. The ability to introduce new programs should be limited to authorised change control staff who are independent of computer programmers and staff who input transactions or maintain standing data.
- Network Communication Security Controls

What This Means

Controls must ensure that all program and file amendments are authorised, logged, and monitored. The ability to introduce new programs into the system should be limited to authorised change control staff who are separate from the programmers and from staff who input transactions or maintain standing data. This separation of duties prevents any single person from both creating and deploying changes without oversight.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Key Points

1Program and file amendments must be authorised, logged, and monitored
2New program introduction is limited to authorised change control staff only
3Change control staff must be independent of computer programmers
4Change control staff must also be independent of transaction input and standing data maintenance staff
5Segregation of duties is essential to prevent unauthorised changes

Practical Example

In the Comptroller General of Accounts office, when a programmer develops a fix for the monthly accounts reconciliation module, they cannot deploy it directly to the production server. Instead, they submit the code to the change control team, which is a separate unit. The change control team reviews the authorisation, checks that it was tested, and only then deploys it. This ensures the programmer cannot unilaterally alter live financial processing.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Frequently Asked Questions

Why should change control staff be independent of programmers?▼

If programmers could deploy their own code directly, they could introduce unauthorised changes — whether accidental or malicious — to production systems without any independent verification, creating serious fraud and error risks.

What does it mean to log and monitor program amendments?▼

Every change to programs or files should be recorded with details of who made the change, when, what was changed, and why. These logs should be regularly reviewed by management to detect any unauthorised or suspicious modifications.

This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.

Para 3.22.44 — MSO (Audit)

Original Rule Text

What This Means

Key Points

Practical Example

Frequently Asked Questions

Related Rules