Para 3.22.5 — MSO (Audit)
Original Rule Text
3.22.5 Information system controls are broadly classified into two categories, namely General Controls and Application controls. General controls include controls over data centre operations, system software acquisition and maintenance, access security, and application system development and maintenance. They create the environment in which the application systems and application controls operate. Examples include IT policies, standards, and guidelines pertaining to IT security and information protection, application software development and change controls, segregation of duties, service continuity planning, IT project management, etc.
What This Means
Information system controls fall into two broad categories: General Controls and Application Controls. General Controls cover the overall IT environment — data centre operations, system software, access security, and application development. They create the framework within which individual applications operate. Examples include IT security policies, software development standards, segregation of duties, service continuity planning, and IT project management guidelines.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
1. Information system controls are classified as General Controls and Application Controls
2. General Controls cover data centre operations, system software, access security, and application development
3. General Controls create the environment in which applications and their controls operate
4. Examples include IT policies, security standards, change controls, and continuity planning
5. Application controls operate within the framework established by general controls
Practical Example
A government department uses a computerised pension processing system. The General Controls include the department's IT security policy that requires password changes every 90 days, the physical security of the data centre with restricted access, the software development standards used when the pension system was built, and the disaster recovery plan. These general controls create the trusted environment in which the pension application — with its own application-level controls like input validation and authorisation checks — operates reliably.
Frequently Asked Questions
Why are General Controls important even though they do not directly process transactions?
What is the relationship between General Controls and Application Controls?