Para 3.22.76 — MSO (Audit)
Original Rule Text
3.22.76 In a computer system, the audit trail may not always be apparent as in a manual system since data are often retained in magnetic media and output is limited to a small number of total items processed, with reports produced only on exception basis. The general procedure is to first investigate control totals and run-to-run totals within the whole system and then to check and substantiate the audit trail by limited checking through records and files or by taking intermediate printouts of audit interest. If the design of the computer system does not provide for adequate audit trail, this should be brought out in the audit review, highlighting control weaknesses or lack of controls in the system. Apart from errors that might creep into the system, there is a possibility of frauds, which might occur due to undetected control weaknesses.
- Chapter–23 Miscellaneous
- Introduction
What This Means
In computer systems, the audit trail may not be as visible as in manual systems because data is stored on magnetic media and output is limited to summary totals and exception reports. Auditors should first investigate control totals and run-to-run totals within the system, then substantiate the audit trail through limited checking of records and files or by taking intermediate printouts. If the system lacks an adequate audit trail, the auditor must report this as a control weakness. Beyond errors, inadequate audit trails also create opportunities for fraud through undetected control weaknesses.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- 1Computer audit trails are less visible than manual system paper trails
- 2Data on magnetic media and summary-only output make trail verification harder
- 3Auditors should first check control totals and run-to-run totals for overall assurance
- 4Limited checking of records and intermediate printouts can substantiate the audit trail
- 5Inadequate audit trails must be reported as control weaknesses with fraud risk implications
Practical Example
An auditor reviewing a computerised tax collection system finds that the system only produces monthly summary totals — there is no way to drill down from the monthly total to individual tax receipts within the system. The auditor requests intermediate printouts showing daily totals and samples of individual transaction records to verify the audit trail. They discover that the system does not log changes made to assessment records, meaning a tax officer could reduce an assessment amount without any record of the original figure. The auditor reports this as a significant control weakness in their audit report, noting that it creates an opportunity for fraud by allowing assessments to be reduced without detection.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Frequently Asked Questions
What are run-to-run totals?▼
Why should the auditor highlight control weaknesses even if no fraud has occurred?▼
What is the difference between errors and frauds in the context of audit trails?▼
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.