Para 3.22.57 — MSO (Audit)
Original Rule Text
3.22.57 In evaluating input controls, the auditor should ensure that:
(i) all prime inputs, including changes to standing data, have been appropriately authorised;
(ii) the ability to enter data from a terminal is adequately restricted and controlled in respect of on-line systems;
(iii) there are methods to prevent and detect duplicate processing of a source document;
(iv) all authorised inputs have been submitted or, in an on-line system, transmitted; and
(v) there are procedures for ensuring correction and resubmission of rejected data.
The controls outlined above may be invalidated if it is possible to by-pass them by entering or altering data from outside the application. There should be automatic application integrity checks that would detect and report on any external changes to data, such as unauthorised changes made by personnel in computer operations on the underlying transaction database. The results of the installation review should be examined to ensure that the use of system amendment facilities, such as editors, is properly controlled.
- Data Transmission Controls
What This Means
When evaluating input controls, the auditor should verify that all inputs including standing data changes are authorised, that terminal data entry is restricted and controlled, that the system prevents and detects duplicate processing, that all authorised inputs have been submitted, and that rejected data is corrected and resubmitted. The auditor must also check that these controls cannot be bypassed through direct database manipulation or use of system utilities like editors.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- All inputs, including changes to standing data, must be authorised before entry
- Ability to enter data from terminals must be restricted and controlled in online systems
- Methods must exist to prevent and detect duplicate processing of source documents
- Procedures must ensure correction and resubmission of rejected data
- Controls must not be bypassable through external data changes or system utilities
Practical Example
An auditor evaluating a government treasury system checks several input controls. They verify that every voucher entered has the Drawing and Disbursing Officer's signature (authorisation). They confirm that each terminal can only process transactions for its assigned treasury (access restriction). They test whether the system rejects a voucher number that has already been processed (duplicate detection). They check the rejected items register to ensure all rejected entries were corrected and resubmitted. Finally, they verify that the database cannot be directly edited using SQL tools by operations staff, ensuring all changes go through the application's controls.
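The following sketch is an added example, not part of the rule text or of any real treasury system. It shows one way an application integrity check could flag rows changed outside the application, alongside the duplicate and rejected-item tests from the example above. The field names, the key, the keyed-hash (HMAC) approach and the sample vouchers are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the key is held by the application, not by operations staff.
APP_KEY = b"constructed-demo-key"
FIELDS = ("voucher_no", "treasury", "amount", "status")

def row_tag(row):
    """HMAC-SHA256 over the row's fields in a fixed order."""
    msg = "\x1f".join(str(row[f]) for f in FIELDS).encode()
    return hmac.new(APP_KEY, msg, hashlib.sha256).hexdigest()

def post(table, voucher_no, treasury, amount, status="accepted"):
    """Application entry path: every row it writes carries a tag."""
    row = {"voucher_no": voucher_no, "treasury": treasury,
           "amount": amount, "status": status}
    row["tag"] = row_tag(row)
    table.append(row)
    return row

def audit(table, resubmitted):
    """Return row indexes failing three of the controls described above.

    `resubmitted` stands in for the rejected items register: the set of
    (treasury, voucher_no) pairs that were corrected and resubmitted.
    """
    findings = {"external_change": [], "duplicate": [], "not_resubmitted": []}
    seen = set()
    for i, row in enumerate(table):
        # A tag that no longer matches means the row changed outside post().
        if not hmac.compare_digest(row.get("tag", ""), row_tag(row)):
            findings["external_change"].append(i)
        key = (row["treasury"], row["voucher_no"])
        if row["status"] == "accepted":
            if key in seen:
                findings["duplicate"].append(i)
            seen.add(key)
        elif row["status"] == "rejected" and key not in resubmitted:
            findings["not_resubmitted"].append(i)
    return findings

def demo():
    """Constructed sample data, not taken from any real system."""
    table = []
    post(table, "V-001", "T01", 1500)
    post(table, "V-002", "T01", 900)
    post(table, "V-001", "T01", 1500)             # same voucher entered twice
    post(table, "V-003", "T02", 400, "rejected")  # resubmitted later
    post(table, "V-004", "T02", 250, "rejected")  # never resubmitted
    table[1]["amount"] = 9000                     # edit made outside the application
    return audit(table, resubmitted={("T02", "V-003")})
```

Per-row tags do not reveal deleted rows; detecting those also needs a control total or record count reconciled against the source documents.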
Frequently Asked Questions
What does it mean to bypass input controls through external changes?
Why is correction and resubmission of rejected data important?
What are application integrity checks?