Para 3.22.50 — MSO (Audit)
Original Rule Text
3.22.50 In reviewing general controls, the following aspects/points should be covered:
(i) Availability of all hardware equipment, including computer, ancillary and terminal equipment in use should be verified with reference to a list of hardware obtained from the auditee organisation indicating the model, performance details, etc.
(ii) An up-to-date organisational chart should be obtained and examined to determine the manner in which the computer fits into the overall organisation.
(iii) An up-to-date chart indicating the deployment of personnel of the computer department and their relative responsibilities and authorities should be reviewed to note any changes.
(iv) Similarly changes, if any, in the job specifications (role definition) for senior computer personnel and supervisors of the ancillary section should be noted.
(v) Details of standards and norms fixed for each of the functions, such as data control, data preparation, system operation, etc. should be obtained and adherence thereto verified with reference to the following:
(a) computer utilisation per shift in terms of the Central Processing Unit (CPU) and peripheral use;
(b) key depressions per shift per data entry operator and error allowance;
(c) document standards and controls - batching, balancing and sequencing; and
(d) run-to-run controls maintained by system operators.
(vi) It should be verified, through a test check, whether manuals are maintained and kept up-to-date specifying the control procedures and whether they are enforced in practice.
(vii) Availability of the following terminal controls to protect data and system integrity should be verified:
(a) physical access controls to terminal rooms;
(b) software controls through password protection and user directories;
(c) logging of terminal activities by all users.
(viii) Details of security measures, both physical and system, should be obtained for examining the following:
(a) adequacy of protection of hardware and software against risk of fire (fire prevention measures and fire fighting arrangements);
What This Means
When reviewing General Controls, auditors must systematically verify hardware inventory, organisational structure of the IT department, personnel deployment and responsibilities, standards compliance, manual maintenance, terminal access controls, and both physical and system security measures. This includes checking fire protection, hardware maintenance, air conditioning, staff access restrictions, backup adequacy, contingency plans, and insurance coverage for the IT installation.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
1. Verify all hardware equipment against the organisation's inventory list with model and performance details
2. Review the organisational chart showing how the IT department fits into the overall structure
3. Check personnel deployment, job specifications, and any changes in roles of senior IT staff
4. Verify compliance with standards for data control, system operation, CPU utilisation, and document controls
5. Examine physical security (fire protection, access restrictions) and system security (passwords, terminal logging, backup adequacy)
Practical Example
An audit team visiting a government data centre begins by requesting the hardware inventory and physically verifying each server, terminal, and peripheral device against the list. They obtain the IT department's organisational chart to understand reporting lines and check whether the system administrator role is separate from the data entry supervisor role. They test whether terminal rooms have physical access controls, review password policies, check that fire extinguishers are current and air conditioning is adequate, verify that backup tapes are stored off-site, and confirm the installation is insured against fire and theft.
Frequently Asked Questions
Why should the auditor verify hardware against an inventory list?
What terminal controls should the auditor check?
Why is insurance of the IT installation important?