WEEK 2 Objectives: Audit in a CBIS Environment Part 1: General Controls
WEEK 2 Objectives:
1. Understand the operational problems inherent in the flat-file approach to data management that gave
rise to the database concept
2. Understand the relationships among the defining elements in the database environment
Database systems involve much more integration and sharing across users, leading to risks of data corruption,
theft, misuse, and destruction by unauthorized users and abusive authorized users. Database access control
features that reduce these risks include:
User Views (Subschema). The user view defines how a particular user sees the portion of the database that
he/she is authorized to access. It restricts the actions a user can take through authority table privileges.
Database Authorization Table. It contains the authorizations for read and write privileges, that is, rules that
limit the actions a user can take.
User-Defined Procedures. These add more specific security (for example, mother’s maiden name). They allow the user to create a
personal security program or routine to provide more positive user identification than a password can.
Data Encryption. This codes data for storage and transmission security. It uses an algorithm to scramble selected
data, thus making it unreadable to an intruder browsing the database.
Biometric Devices. These include finger, voice, and retina prints, and signature characteristics.
Encryption Controls. The auditor should verify that sensitive data, such as passwords, are properly encrypted.
In a manual system, segregation of operational duties between authorization, asset custody, and record keeping is
easily accomplished. However, in CBIS environments, many of these duties are consolidated into one automated
processing activity. Therefore, it becomes important to separate the activities of systems development, systems
maintenance, database administration, and operational activities (users).
A structure that separates the systems analysis (design) and programming (coding and maintenance) teams creates
several internal control weaknesses.
Inadequate Documentation, because programmers find documentation boring and see the lack of documentation
as a type of job security.
Program Fraud, which can occur when programmers make unauthorized changes.
Hybrids between the centralized and distributed data processing structures typically have a central, corporate computer
services department.
Some of the more common services provided by such a department include:
Central Testing of Commercial Software and Hardware.
User Services that are especially needed for system selection, installation, and training.
Corporate-level Standard-Setting Body
Personnel Review for incoming IS professional hires.
Audit Procedures:
The following tests of controls would enable the auditor to achieve the control objectives:
Obtain and review the corporate policy on computer security. Verify that the security policy is
communicated to responsible employees and supervisors.
Review relevant documentation, including the current organizational chart, mission statement, and job
descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
Review systems documentation and maintenance records for a sample of applications. Verify that
maintenance programmers assigned to specific projects are not also the original design programmers.
Through observation, determine that the segregation policy is being followed in practice. Review
operations room access logs to determine whether programmers enter the facility for reasons other than
system failures.
Review users’ rights and privileges to verify that programmers have access privileges consistent with their
job descriptions.
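The last three tests of controls above can be run mechanically once the evidence is collected. The following is an added example, not part of the original handout; all user names, roles, privilege strings, and log entries are constructed, and the allowed-privilege policy is an assumption.

```python
"""Segregation-of-duties checks over constructed audit evidence."""

# Constructed sample evidence; every name, role and privilege is hypothetical.
ROLE_OF = {"alice": "programmer", "bob": "operator", "carol": "dba", "dave": "programmer"}

# Privileges each job description allows (assumed policy for this example).
ALLOWED = {
    "programmer": {"dev:read", "dev:write", "test:read"},
    "operator": {"prod:run", "prod:read"},
    "dba": {"db:admin", "prod:read"},
}

# Privileges actually granted, as extracted from the authorization table.
GRANTED = {
    "alice": {"dev:read", "dev:write", "prod:write"},
    "bob": {"prod:run", "prod:read"},
    "carol": {"db:admin", "dev:write"},
    "dave": {"dev:read", "test:read"},
}

# (application, original design programmer, maintenance programmer)
PROJECTS = [("payroll", "alice", "dave"), ("billing", "dave", "dave")]

# (user, reason recorded at operations room entry)
ROOM_LOG = [("bob", "shift"), ("alice", "system failure"), ("dave", "routine visit")]


def excess_privileges(role_of, allowed, granted):
    """Privileges held beyond the job description; unknown roles allow nothing."""
    findings = {}
    for user, privs in granted.items():
        extra = privs - allowed.get(role_of.get(user), set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def same_designer_and_maintainer(projects):
    """Applications whose maintenance programmer also did the original design."""
    return [app for app, designer, maintainer in projects if designer == maintainer]


def programmer_room_entries(room_log, role_of):
    """Programmer entries to the operations room not tied to a system failure."""
    return [(u, r) for u, r in room_log
            if role_of.get(u) == "programmer" and r != "system failure"]


if __name__ == "__main__":
    print(excess_privileges(ROLE_OF, ALLOWED, GRANTED))
    print(same_designer_and_maintainer(PROJECTS))
    print(programmer_room_entries(ROOM_LOG, ROLE_OF))
```

Each finding is a lead for follow-up, not a conclusion: the auditor still confirms it against job descriptions, maintenance records, and observation.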
Learning Activity 2
Answer the following on a clean sheet of paper. Name the activity as Learning Activity 2.
1. What are the four primary elements of the database environment? (5pts)
2. What are four ways in which database management systems provide a controlled
environment to manage user access and the data resources? (5pts)
3. Discuss the potential aggravations you might face as a student as a result of your
university using a flat-file data management environment, that is, different files
for the registrar, library, parking, and so on. (10pts)