Regulation 17 — Audit Regulations 2020
Original Rule Text
What This Means
This regulation provides a comprehensive framework for auditing IT systems. An IT audit examines whether IT systems meet organizational goals, safeguard information assets, and maintain data integrity. Key audit areas include IT governance, control criteria (effectiveness, efficiency, confidentiality, integrity, availability), IT resources, controls (general and application), and information security. The audit may cover IT planning, system acquisition and development, application controls, operations and maintenance, outsourcing, security, and disaster recovery. Auditors can use IT tools for testing and data analytics. The auditable entity must maintain complete documentation of all IT system stages and ensure audit requirements are incorporated into IT systems.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- IT audit examines whether IT systems meet organizational goals and safeguard data
- Key areas: IT governance, controls, information security, and data reliability
- Controls are categorized as general controls and application controls
- Audit may examine IT systems at any stage of the lifecycle — from planning to operations
- The entity must maintain complete documentation for all IT system stages
- Audit requirements must be incorporated into IT systems by design
- Audit can periodically request information about all IT systems in use or under development
Practical Example
The AG (Audit) conducts an IT audit of the GST Network (GSTN). The audit covers: (1) IT governance — whether GSTN's IT strategy aligns with its mandate; (2) application controls — whether the return filing module correctly validates input data and prevents duplicate filings; (3) information security — whether taxpayer data is protected with encryption and access controls; (4) change management — whether modifications to tax rate tables follow a proper approval process; (5) disaster recovery — whether GSTN can recover operations within acceptable timeframes. The auditors use data analytics to test millions of transactions for anomalies. They also flag that GSTN's latest mobile app update was not documented as required.
Frequently Asked Questions
What is the difference between general controls and application controls?
Can audit demand that its requirements be built into new IT systems?
What triggers an IT audit of a specific system?