-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

AUDIT IN AN CBIS ENVIRONMENT PART 1: GENERAL CONTROLS

WEEK 2 Objectives:
1. Understand the operational problems inherent in the flat file approach to data management that gave
rise to database concept
2. Understand the relationships among the defining elements in the database environment

2. 0 DATA MANAGEMENT CONTROLS [Chapter 9][Chapter 16]

Database Management Systems
The topic deals with the database approach to managing an organization’s data resources. The database
model is a particular philosophy whose objectives are supported by specific strategies, techniques, hardware, and
software that are very different from those associated with flat-file environments.

Overview of Flat-File vs. Database Approach

In a flat-file environment data approach, users own their data files. Exclusive ownership of data is a
natural consequence of two problems associated with the legacy system (old system) such as barriers between
organizational units that inhibit entity-wide integration of data. In addition, flat-file limits data files to be
structured to the unique needs of the primary user. While Data Approach is pooling of data into a common
database that is shared by all the users. This will solve the problem identified in flat-file, no data redundancy, single
update, current values, and task-data independence.

Controlling Access to the Database

The organization must place importance in controlling the access to the database since information is
place in one shared files.
Data Management controls fall into two categories: Access and Backup Controls

2.1 Access Controls

Designed to prevent unauthorized individuals from viewing, retrieving, corrupting, or destroying the
entity’s data.
Database Management System(DBMS)
The purpose of DBMS is to provide controlled access to the database. It is a special software system that is
programmed to know which data elements each user is authorized to access. It validates and authorizes access to
the database in accordance with the user’s level of authority.
Additional Features include:
 Program development
 Backup and recovery
 Database usage reporting
 Database access

Database systems involve much more integration and sharing across users, leading to risks of data corruption,
theft, misuse, and destruction, from unauthorized users and abusive authorized users. Database features under
access that reduce these risks include:
 User Views(Subschema). The user view defines how a particular user sees the portion of the database that
he/she is authorized to access. It restricts the actions a user can take through authority table privileges.
 Database Authorization Table contains the authorizations for read and write privileges. It contains rules that
limit the actions a user can take.
 User-Defined Procedures to add more specific security (mother’s maiden name). It allows the user to create a
personal security program or routine to provide more positive user identification than a password can.
 Data Encryption is coded data for storage and transmission security. It uses an algorithm to scramble selected
data, thus making it unreadable to an intruder browsing the database.
 Biometric Devices includes finger, voice and retina prints, and signature characteristics.
 Encryption controls the auditor should reify that sensitive data, such as passwords, are properly encrypted.

2.2 Backup Controls

Designed to ensure that in an event of data loss due to unauthorized access, equipment failure, or
physical disaster, the organization can recover its files and databases.
Data can be corrupted and destroy by many factors, intentional and unintentional: malicious acts, disk
failures, program errors, fires, floods, earthquakes, etc. Organizations must implement policies, procedures, and
techniques that systematically and routinely provide backup copies of critical data.
2.2.1 Database Environment
Backup Controls in the Database Environment
Typical backup and recovery procedure for most database management systems:
 Periodic backup of the entire database, stored in a secure remote area.

Page | 1
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 Transaction log/journal provides an audit trail processed transactions.

 Checkpoint Feature periodically suspends processing while an internal check of the transaction log and
database change log are reconciled.
 Recovery Module can reconstruct a database by using the logs and the backup files.
2.2.2 Flat File Environment
Access Controls in the Flat File Environment: Flat file systems are easier to control because of the limited number
of users the sense of ownership for the file, and the typical offline status in a physically secured data library.
Backup Controls in the Flat File Environment depends upon the media utilized and the file structure.
 GPC (Grandparent-parent-child) Backup Technique for Sequential File Structure. When you update a master
file, do not write in the old file, but write to a new file. That way you keep the old file, the transaction file of
activity and the new file. The number of backups needed for each master file is determined by both the
financial significance of the file and the degree of file activity.
 Direct Access File Structure Backup (destructive replacement). When files are updated, the old file is
destroyed. Before updating, make a copy of the old file. Processing errors can be “un-done” through a variety
of recovery techniques.
 Backups should be kept off-site in a secure location.

TESTING DATA MANAGEMENT CONTROLS

Audit Objectives and Procedures Related to Data Management
Audit Objectives: That controls exist and function properly to preserve the integrity and security of the
company’s data resources, with specific regard to backup, restricted access, and denial of unauthorized access
attempts.
Audit Procedures for Backup Controls:
 Tests of the GPC backups for sufficient number of backups.
 Verify that direct access files have backup copies made prior to processing.
 Verify that all DBMS backup routines are active and functioning properly.
Audit Procedures for Access Controls:
 Verify DB administrator responsibilities for authority tables and subschema.
 Review company policies and job descriptions for proper authorizations.
 Examine programmer authority tables for access privileges to data definition language commands.
 Interview the DB administrator to verify job responsibilities.
 Sample users to determine if they have appropriate amounts of access.
 Evaluate the costs and benefits of biometric controls (especially useful where highly sensitive data is
accessed by a very limited number of users).
 Analyze query that all sensitive data, passwords especially, are encrypted during transmission and storage.

3.0 ORGANIZATIONAL STRUCTURE CONTROLS [Chapter 15]

In manual system, segregation of operational duties between authorization, asset custody, and record keeping is
easily accomplished. However, in CBIS environments, many of these duties are consolidated into one processing
automated activity. Therefore, it becomes important to separate the activities of systems development, systems
maintenance, database administration, and operational activities (users).

3.1 Segregation of Duties within the Centralized Firm

The key segregation must include:

a. Separating Systems Development from Computer Operation
System development and maintenance professionals acquire (by in-house development and purchase)
and maintain systems for users. Operations Staff should run these systems and have no involvement in their design
and implementation. With detailed knowledge of an application’s logic and control parameters along with access
to the computer operations, an individual could make unauthorized changes to the application logic during
execution.

b. Separating the Database Administrator from Other Functions

DBA is responsible for a number of critical tasks pertaining to database security, including creating the
database schema, creating user-views(subschema), assigning access authority to users, monitoring database usage,
an planning for future expansion. Delegating these responsibilities to others who performs incompatible tasks
threatens database integrity.
 From the Users: the administrator determines security, user schemes, user access, database usage monitoring,
and system planning.
 From the system developers: the programmers could manipulate access privileges.

c. Separating New Systems Development from Maintenance

Page | 2
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A structure that separate the systems analysis (design) and programming (coding and maintenance) teams creates
several internal control weaknesses.
 Inadequate Documentation because programmers find documentation boring and the lack of documentation
a type of job security.
 Program Fraud can occur when unauthorized changes may occur by programmers.

A Superior Structure for Systems Development

A structure where new systems development and maintenance responsibilities are formally separated,
denying programmers the opportunity to skimp on documentation and eliminating the opportunity to make
unauthorized changes to the programs after development.

1.1 The Distributed Data Processing Model

The effect of this is to consolidate some computer functions that are traditionally separated and to distribute
some activities that are consolidated under centralized model.
Risks to the distributed data processing structure include
 Incompatible hardware.
 Network and software redundancy;
 Consolidation of incompatible activities resulting in a lack of segregation of duties;
 Difficulty in attracting high-qualified IT professionals; and
 A lack of corporate standards.

1.2 Creating a Corporate Computer Services(IT) Function

Hybrids between the centralized and distributed data processing structures typically a central, corporate computer
services department.
Some of the more common services provided by such a department include:
 Central Testing of Commercial Software and Hardware.
 User Services that are especially needed for system selection, installation, and training.
 Corporate-level Standard-Setting Body
 Personnel Review for incoming IS professional hires.

TESTING ORGANIZATIONAL CONTROLS STRUCTURE

Audit Objectives Relating to Organizational Structure:
To verify that individuals in incompatible areas are segregated in accordance with the level of potential
risk and in a manner that promotes a working environment. This is an environment in which formal, rather than
casual, relationships need to exist between incompatible tasks.

Audit Procedures:
The following test of controls would enable the auditor to achieve the control objectives
 Obtain and review the corporate policy on computer security. Verify that the security policy is
communicated to responsible to responsible employees and supervisors
 Review relevant documentation, including the current organizational chart, mission statement, and job
descriptions for key functions, to determine if individuals or groups are performing incompatible functions
 Review systems documentation and maintenance records for sample of applications. Verify that
maintenance programmers assigned to specific project are not also the original design programmers.
 Through observation, determine that the segregation policy is being followed in practice. Review
operations room access logs to determine whether programmers enter the facility for reason other than
system failures.
 Review user’s rights and privileges to verify that programmers have access privileges consistent with their
job descriptions.

Learning Activity 2

Answer the following in a clean paper. Name the activity as Learning Activity 2.

1. What are the four primary elements of the database environment? (5pts)
2. What are four ways in which database management systems provide a controlled
environment to manage user access and the data resources? (5pts)
3. Discuss the potential aggravations you might face as a student as a result of your
university using a flat-file data management environment, that is different filesPage
for | 3
the registrar, library, parking and so on. (10pts)